Keeping Servers and Sites Secure

You probably know that WordPress has a bad reputation for being insecure. But what you might not know is that often WordPress itself isn’t the issue. WordPress updates itself when a security update is released nowadays. It’s almost always an outdated plugin or theme that allows an attacker to exploit a WordPress site and give them greater access to the server. Less often, but often enough to be aware of, it’s outdated server software with a vulnerability that exposes a server to security risks.

Server security

When SpinupWP sets up your server, it is security-hardened. SSH login is locked down to prevent unauthorized access, and Fail2Ban is installed to protect against SSH brute force attacks. Only incoming SSH, HTTP and, HTTPS traffic is allowed through the firewall that SpinupWP configures. All other incoming requests are dropped into the abyss.

SpinupWP will only ever install the latest software packages, ensuring that software will continue to receive security updates. And, of course, SpinupWP configures your server to install software security updates automatically.

But that’s just security updates. SpinupWP doesn’t automatically install non-security updates. It’s your responsibility to SSH into your server now and then and install non-security updates. If a software package reaches end-of-life, we’ll email you with instructions.

We plan to add a feature to SpinupWP soon where you can review the server updates available for your server and update them right from the dashboard without having to type a command.

Site security

Every site that SpinupWP deploys has sensible default configs out-of-the-box to help protect against common vulnerabilities. WordPress is configured to update itself when security updates are available. Security isolation is also enforced, meaning that a dedicated system user owns each site. Security isolation helps protect against cross-site contamination (if one site has a security breach). We also make it super easy to enable HTTPS with one-click SSL certificates.

It’s your responsibility to keep the themes and plugins of your sites up-to-date. Themes and plugins are not updated automatically. Outdated themes and plugins are the number one cause of a security vulnerability for WordPress sites. It can’t be stressed enough how important it is to keep themes and plugins up-to-date.

Nginx security hardening

We have specific Nginx default configurations in place on a per-site basis to keep your sites more secure. By default, the following Nginx headers are enabled on all SpinupWP managed sites.

  • Strict-Transport-Security – so that all requests are routed through a secure (HTTPS) connection
  • X-Xss-Protection – stops pages from loading when they detect reflected cross-site scripting (XSS) attacks
  • X-Frame-Options – prevents click-jacking attacks
  • X-Content-Type-Options – prevents MIME type sniffing, which is a security concern, as some MIME types represent executable content.

It’s also possible to enable specific Nginx security features from the SpinupWP site dashboard.

  • “Disallow PHP execution in the uploads folder” – helps prevent your site from being hacked through third-party plugin vulnerabilities.
  • “Disable XML-RPC” – disables XML-RPC support, which was an interface for other platforms to communicate with WordPress, but is now replaced by the WP REST API and can be a security concern.

Nginx Security Settings

(I know what you’re thinking, “What about the SpinupWP app itself?” We’ve got you covered there too, with AES-256 encryption, off-site SSH key storage, and two-factor authentication.)