Keeping Servers and Sites Secure
You probably know that WordPress has a reputation for being insecure. What you might not know is that WordPress itself is rarely the problem: WordPress core now updates itself when a security release ships. It is almost always an outdated plugin or theme that lets an attacker exploit a site and gain a foothold on the server. Less often, but still often enough, it is outdated server software with a known vulnerability that lets an attacker in.
When SpinupWP sets up your server, it is security-hardened. SSH login is locked down to prevent unauthorized access, and Fail2Ban protects against SSH brute-force attacks. The firewall that SpinupWP configures allows only incoming SSH, HTTP and HTTPS traffic; all other incoming requests are dropped into the abyss.
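The SSH and Fail2Ban hardening just described is worth verifying on the host itself rather than taken on trust. The script below is an added example, not SpinupWP's code: it reads an sshd_config and a Fail2Ban jail file and reports whether root login and password authentication are off and whether the sshd jail is enabled. It assumes that "locked down" means PermitRootLogin and PasswordAuthentication are both explicitly set to no, and the sample files it writes are constructed; on a real server point the functions at /etc/ssh/sshd_config and /etc/fail2ban/jail.local.

```shell
#!/bin/sh
# Added audit helpers (not SpinupWP's code) to confirm on a server that SSH
# is locked down and the Fail2Ban sshd jail is on, as described above.
# Assumptions: "locked down" means PermitRootLogin and PasswordAuthentication
# are both explicitly "no"; sshd_config uses "Keyword value" lines; the
# Fail2Ban jail file is INI-style. The sample files below are constructed.

# Print the effective value of an sshd_config keyword (lower-cased).
# sshd honours the FIRST occurrence of a keyword, and anything after a
# "Match" line is conditional, so the scan stops there; prints nothing
# when the keyword is unset (i.e. the compiled-in default applies).
sshd_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print tolower($2); exit }
  ' "$1"
}

# Exit 0 only if root login and password authentication are both off.
audit_sshd() {
  rc=0
  for kw in PermitRootLogin PasswordAuthentication; do
    v=$(sshd_value "$1" "$kw")
    if [ "$v" = "no" ]; then
      echo "ok    $kw no"
    else
      echo "FAIL  $kw ${v:-(unset, sshd default applies)}"
      rc=1
    fi
  done
  return $rc
}

# Exit 0 if "enabled = true" appears under the [$2] section of jail file $1.
# Real Fail2Ban layers jail.conf, jail.local and jail.d/*.conf; only the one
# file given here is read.
jail_enabled() {
  awk -v want="$2" '
    /^[[:space:]]*[#;]/ { next }
    /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec); next }
    sec == want && /^[[:space:]]*enabled[[:space:]]*=/ {
      val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
      print tolower(val); exit
    }
  ' "$1" | grep -qx true
}

# Constructed samples: a hardened sshd_config, a distro-default one in which
# the relevant keywords are still commented out, and a jail.local override.
TMP=${TMPDIR:-/tmp}/hardening-audit.$$
mkdir -p "$TMP"
cat > "$TMP/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$TMP/sshd_config.stock" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
EOF
cat > "$TMP/jail.local" <<'EOF'
[DEFAULT]
bantime = 1h
[sshd]
enabled = true
maxretry = 5
EOF

echo "== hardened sshd_config"; audit_sshd "$TMP/sshd_config.hardened"
echo "== stock sshd_config";    audit_sshd "$TMP/sshd_config.stock" || echo "      -> not locked down: password logins still accepted"
echo "== fail2ban";             jail_enabled "$TMP/jail.local" sshd && echo "ok    [sshd] jail enabled"
```

The stock sample is the interesting case: a distro default file with every relevant line still commented out is not hardened, because sshd's own defaults (password authentication on) then apply. The third thing to check from the paragraph above, the firewall allowlist, depends on which firewall is in use; if it is ufw, `sudo ufw status verbose` lists the allowed ports and the default deny policy.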
SpinupWP only ever installs the latest, currently supported software packages, which ensures that they will keep receiving security updates. And of course, SpinupWP configures your server to install security updates automatically.
But that’s just security updates. SpinupWP doesn’t automatically install non-security updates. It’s your responsibility to SSH into your server every now and then and install non-security updates. If a software package reaches end-of-life, we’ll email you with instructions.
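On Ubuntu and Debian the "security updates only" behaviour described above comes from the unattended-upgrades package and its Allowed-Origins list. The script below is an added example, not SpinupWP's code: it parses that list out of a 50unattended-upgrades file so you can confirm only security pockets are enabled, and it collects the commands for the non-security updates you install by hand. It assumes the Ubuntu/Debian layout (config at /etc/apt/apt.conf.d/50unattended-upgrades) and treats the -updates, -proposed and -backports pockets as non-security; the sample configs it writes are constructed.

```shell
#!/bin/sh
# Added helpers (not SpinupWP's code) for the update policy described above:
# read an unattended-upgrades config and report which APT origins it will
# auto-install from, then the commands for the non-security updates you
# install yourself. Assumptions: Ubuntu/Debian layout, config at
# /etc/apt/apt.conf.d/50unattended-upgrades; "-updates", "-proposed" and
# "-backports" count as non-security pockets. Sample configs are constructed.

# Print every origin that is enabled (not commented out) inside the
# Unattended-Upgrade::Allowed-Origins { ... }; block of file $1.
enabled_origins() {
  awk '
    /^[[:space:]]*\/\// { next }                              # skip // comment lines
    /Unattended-Upgrade::Allowed-Origins[[:space:]]*[{]/ { inblk = 1; next }
    inblk && /^[[:space:]]*[}]/ { inblk = 0; next }
    inblk && match($0, /"[^"]*"/) { print substr($0, RSTART + 1, RLENGTH - 2) }
  ' "$1"
}

# Print enabled origins that would pull in non-security package updates.
nonsecurity_origins() {
  enabled_origins "$1" | grep -E -e '-(updates|proposed|backports)$' || true
}

# Exit 0 only if a -security pocket is enabled and no non-security pocket is.
audit_unattended() {
  enabled_origins "$1" | grep -q -e '-security$' || { echo "FAIL  no -security origin enabled"; return 1; }
  bad=$(nonsecurity_origins "$1")
  if [ -n "$bad" ]; then
    echo "FAIL  non-security origins would be auto-installed:"
    echo "$bad" | sed 's/^/        /'
    return 1
  fi
  echo "ok    unattended-upgrades limited to security pockets"
}

# To be run on the server, not here: review and install the remaining
# (non-security) package updates that unattended-upgrades leaves alone.
install_pending_updates() {
  sudo apt-get update
  apt list --upgradable 2>/dev/null      # look at what will change first
  sudo apt-get upgrade
}

# Constructed samples: one modelled on the stock Ubuntu file, and a copy
# with the -updates pocket uncommented.
APTTMP=${TMPDIR:-/tmp}/apt-policy.$$
mkdir -p "$APTTMP"
cat > "$APTTMP/50unattended-upgrades.default" <<'EOF'
// constructed sample modelled on the stock Ubuntu file
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
sed 's|^//\(.*-updates";\)|  \1|' "$APTTMP/50unattended-upgrades.default" > "$APTTMP/50unattended-upgrades.broad"

echo "== default config";  audit_unattended "$APTTMP/50unattended-upgrades.default"
echo "== -updates enabled"; audit_unattended "$APTTMP/50unattended-upgrades.broad" || echo "      -> this server would auto-install non-security updates too"
```

Run `audit_unattended /etc/apt/apt.conf.d/50unattended-upgrades` on the host to see the real policy; the plain `${distro_id}:${distro_codename}` origin is the release pocket, which receives no new package versions after release, so it is left out of the non-security list. `install_pending_updates` is what the manual SSH session in the paragraph above amounts to.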
We plan to add a UI to SpinupWP in the near future where you can review the updates available for your server and install them right from the dashboard without having to type a command.
Every site that SpinupWP deploys has sensible default configs out-of-the-box, to help protect against common vulnerabilities. WordPress is set up to update itself when security updates are available. Site isolation is also enforced: a dedicated system user owns each site, so if one site is breached the attacker cannot read or modify the other sites on the same server (cross-site contamination). We also make it super-easy to enable HTTPS with one-click SSL certificates.
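One common way to get the per-site system user described above is a PHP-FPM pool per site, each pool running as its own user. The fragment below is an added illustration, not SpinupWP's configuration; the pool names, users, socket paths and /sites/... paths are assumptions.

```ini
; Added example, not SpinupWP's configuration: one PHP-FPM pool per site.
; Pool names, users, socket paths and the /sites/... layout are assumptions.

[example-com]
; PHP for this site executes as its own system user, so files it writes
; (uploads, cache) are owned by example-com.
user  = example-com
group = example-com
listen = /run/php/example-com.sock
; The web server user may connect to the socket, but code still runs as example-com.
listen.owner = www-data
listen.group = www-data
listen.mode  = 0660
; Keep this site's PHP inside its own tree, and give it a private temp dir:
; a shared /tmp would otherwise be a channel between sites.
php_admin_value[open_basedir]   = /sites/example.com/
php_admin_value[sys_temp_dir]   = /sites/example.com/tmp
php_admin_value[upload_tmp_dir] = /sites/example.com/tmp

[another-site]
; A compromised plugin in this pool runs as another-site; with
; /sites/example.com at mode 0750 it cannot read or modify that site.
user  = another-site
group = another-site
listen = /run/php/another-site.sock
listen.owner = www-data
listen.group = www-data
listen.mode  = 0660
php_admin_value[open_basedir]   = /sites/another.example/
php_admin_value[sys_temp_dir]   = /sites/another.example/tmp
php_admin_value[upload_tmp_dir] = /sites/another.example/tmp
```

The isolation only holds if the directory permissions back it up: each site tree owned by its user with no world-read bit, and the web server user given read access for static files by some explicit means (for example membership in each site's group) rather than by loosening the mode for everyone.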
It’s your responsibility to keep the themes and plugins of your sites up-to-date; they are not updated automatically. Outdated themes and plugins are the number one cause of compromised WordPress sites, so it can’t be stressed enough how important it is to keep them current.
(I know what you’re thinking, “What about the SpinupWP app itself?” We’ve got you covered there too, with AES-256 encryption, off-site SSH key storage, and two-factor authentication.)