Keeping Servers and Sites Secure

You probably know that WordPress has a reputation for being insecure. What you might not know is that WordPress core itself is rarely the issue: WordPress now installs security releases automatically. It’s almost always an outdated plugin or theme that lets an attacker compromise a WordPress site and, from there, gain greater access to the server. Less often, but often enough to be aware of, it’s outdated server software with a known vulnerability that exposes the server itself.

Server security

When SpinupWP sets up your server, it is security-hardened. SSH login is locked down to prevent unauthorized access, and Fail2Ban is installed to protect against SSH brute force attacks. Only incoming SSH, HTTP, and HTTPS traffic is allowed through the firewall that SpinupWP configures. All other incoming requests are dropped into the abyss.

SpinupWP will only ever install the latest software packages, ensuring that software will continue to receive security updates. And, of course, SpinupWP configures your server to install software security updates automatically.

But that’s just security updates. SpinupWP doesn’t automatically install non-security updates. It’s your responsibility to SSH into your server now and then and install non-security updates. If a software package reaches end-of-life, we’ll email you with instructions.

We plan to add a feature to SpinupWP soon where you can review the server updates available for your server and update them right from the dashboard without having to type a command.

Site security

Every site that SpinupWP deploys has sensible default configs out-of-the-box to help protect against common vulnerabilities. WordPress is configured to update itself when security updates are available. Site isolation is also enforced: a dedicated system user owns each site, which limits cross-site contamination if one site on the server is breached. We also make it super easy to enable HTTPS with one-click SSL certificates.

It’s your responsibility to keep the themes and plugins of your sites up-to-date. Themes and plugins are not updated automatically. Outdated themes and plugins are the number one cause of WordPress site compromises. It can’t be stressed enough how important it is to keep themes and plugins up-to-date.

Nginx security hardening

We have specific Nginx default configurations in place on a per-site basis to keep your sites more secure. By default, Nginx adds the following HTTP response headers on all SpinupWP managed sites.

  • Strict-Transport-Security – tells browsers to reach the site only over HTTPS for the header’s max-age period, so later plain-HTTP requests are upgraded before they leave the browser. It only takes effect once a browser has already received it over a valid HTTPS connection.
  • X-Xss-Protection – told older browsers to stop rendering a page when their built-in filter detected reflected cross-site scripting (XSS). Current Chrome, Edge and Firefox ignore it, so treat it as a legacy header and rely on a Content-Security-Policy for real XSS mitigation.
  • X-Frame-Options – stops other origins from loading your site inside an iframe, which helps protect against click-jacking attacks.
  • X-Content-Type-Options – with the value nosniff, stops browsers from guessing a response’s MIME type, which matters because a file served as an image or plain text could otherwise be interpreted as executable script.
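The following is an added example of how those four headers are typically set in an Nginx server block. It is not SpinupWP’s shipped configuration: the hostname, the header values (max-age, SAMEORIGIN) and the static-asset location are assumptions, and it is here mainly to show the add_header inheritance pitfall that silently drops headers from some responses.

```nginx
# Added example, not SpinupWP's own config. Hostname and header values are
# assumptions; read your site's generated Nginx config for the real ones.
server {
    listen 443 ssl http2;
    server_name example.com;                    # placeholder hostname

    # "always" makes Nginx attach the header to every response, including
    # 4xx/5xx error pages; without it, error responses are sent bare.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy: current browsers ignore this header. Harmless to keep, but a
    # Content-Security-Policy is what actually constrains injected script today.
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Pitfall: add_header is NOT inherited into any block that defines its own
    # add_header. This location sets Cache-Control, so the four headers above
    # would vanish from CSS/JS responses unless they are repeated here (or
    # kept in a snippet file that every such location includes).
    location ~* \.(css|js)$ {
        add_header Cache-Control "public, max-age=31536000";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
    }
}
```

To confirm a live site actually sends them, request a page, a static asset and a non-existent URL with curl -sI and check that all three responses carry the headers; a response missing them usually points at a location block with its own add_header.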

It’s also possible to enable specific Nginx security features from the SpinupWP site dashboard.

  • “Disallow PHP execution in the uploads folder” – wp-content/uploads must be writable by the web server, so a plugin with a file-upload flaw can be used to drop a PHP web shell there. Refusing to execute PHP under that path turns such an upload into inert bytes and blunts a whole class of third-party plugin vulnerabilities.
  • “Disable XML-RPC” – blocks xmlrpc.php, WordPress’s legacy remote interface. The WP REST API has largely replaced it, and xmlrpc.php is a frequent target for credential brute-forcing (system.multicall lets one request test many passwords) and pingback abuse. Leave it enabled only if something you rely on, such as Jetpack or the WordPress mobile apps, still needs it.
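Here is an added example of the Nginx rules behind those two settings, written as a fragment that belongs inside a site’s server block. It is not SpinupWP’s own configuration; the PHP-FPM socket path and the uploads directory layout are assumptions. It also shows the try_files guard on the PHP handler, which closes the related path-info trick where a request for an uploaded image with a trailing /x.php is handed to PHP.

```nginx
# Added example, not SpinupWP's own config. Socket path and directory
# names are assumptions. Nginx evaluates regex locations in file order and
# takes the first match, so the deny rules must come BEFORE the generic
# \.php$ handler below.

# 1. Disallow PHP execution in the uploads folder.
#    Matches uploads/anything.php, .php7, .phtml etc. and refuses outright,
#    so a web shell written there by a vulnerable plugin is never executed.
location ~* ^/wp-content/uploads/.*\.(?:php\d*|phtml)$ {
    return 403;
}

# 2. Disable XML-RPC. An exact-match location wins over every regex, so
#    this is honoured even though the generic PHP handler would also match.
location = /xmlrpc.php {
    return 403;
}

# Generic PHP handler.
location ~ \.php$ {
    include fastcgi_params;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    # Only run files that actually exist on disk. Without this, with
    # cgi.fix_pathinfo enabled, /wp-content/uploads/cat.jpg/x.php could be
    # resolved by PHP to the .jpg and executed as PHP.
    try_files $fastcgi_script_name =404;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/run/php/php8.2-fpm.sock;   # assumed socket path
}
```

After reloading Nginx, a request for any .php path under wp-content/uploads and a POST to /xmlrpc.php should both return 403, while the site’s normal pages still render.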

Nginx Security Settings

(I know what you’re thinking, “What about the SpinupWP app itself?” We’ve got you covered there too, with AES-256 encryption, off-site SSH key storage, and two-factor authentication.)
