A layered approach to Security

11th March 2019 | Security
Layered Security

Multiple levels of protection to ensure the security of your WordPress site.

At RocketWP we take the security of your WordPress sites very seriously, and so should you. We take a layered approach to security:

Layer 1 – onsite security provided by iThemes Security Pro, plus backups
Layer 2 – server security provided by Plesk Onyx
Layer 3 – Vultr firewall
Layer 4 – WAF powered by Sucuri

Layer 1

Every site with a RocketWP Care Plan in place gets layer 1 security. This consists of the iThemes Security Pro plugin and, at a minimum, daily backups. Coupled with regular updates to the themes, plugins and WordPress core, this is the minimum protection that every WordPress site requires.

iThemes is configured to enforce security defaults including:

  • Requiring strong passwords
  • Banning users who try to log in with the username admin
  • Preventing brute-force attacks by limiting the number of failed login attempts
  • Enforcing two-factor authentication (2FA) for administrator-level accounts
  • Using reCAPTCHA on forms and login screens

All sites with a Care Plan are backed up at least once a day. If your site is hosted by RocketWP you also get the benefit of the server-level backup we take once a day.

We check your site for updates every day of the week, and updates are carried out on a weekly basis to ensure your site is up to date. Updates include the theme, plugins and the WordPress core.

Layer 2

If your WordPress site is hosted by us you also get the advantage of our server security. Our servers run the Plesk Onyx control panel, and we install and configure all the recommended security services, including:

  • Fail2Ban – this monitors the log files of every site and blocks the IP addresses that repeatedly try to connect with incorrect user names and passwords.
  • ModSecurity – this scans incoming HTTP(S) requests for malicious content and blocks anything that is suspicious.
  • Firewall – although layer 3 provides firewall protection, we also configure the Plesk firewall.
  • Plesk WordPress Toolkit – to ensure that all WordPress installations are secured.
  • HTTPS connections enforced.
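
As an added illustration of the failed-login limiting in layer 1 and the Fail2Ban behaviour in layer 2 (this is example code written for this page, not RocketWP's, iThemes' or Fail2Ban's own), the following Python script scans a constructed WordPress access log and reports which source IPs exceed a failure threshold inside a time window. It assumes a failed POST to wp-login.php returns HTTP 200 and a successful one redirects with 302, and it borrows Fail2Ban's maxretry/findtime semantics; applying the actual block is left to the firewall.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" access-log format; only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_failed_login(rec):
    # Heuristic (an assumption, not an iThemes or Fail2Ban rule): a failed POST
    # to wp-login.php re-renders the form (200); a successful one redirects (302).
    return (rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")
            and rec["status"] == "200")

def find_offenders(lines, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for IPs with >= maxretry failed logins inside
    findtime seconds: a per-IP sliding window like Fail2Ban's maxretry/findtime."""
    window = defaultdict(deque)
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec) or rec["ip"] in banned:
            continue
        q = window[rec["ip"]]
        q.append(rec["time"])
        while (rec["time"] - q[0]).total_seconds() > findtime:
            q.popleft()  # forget failures that fell outside the window
        if len(q) >= maxretry:
            banned[rec["ip"]] = rec["time"]
    return banned

# Constructed sample log (RFC 5737 documentation addresses): 203.0.113.7 hammers
# the login form five times in four minutes; 198.51.100.20 mistypes twice, then
# succeeds with a 302 and must not be banned.
SAMPLE_LOG = [
    f'203.0.113.7 - - [11/Mar/2019:10:0{i}:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.64"'
    for i in range(5)
] + [
    '198.51.100.20 - - [11/Mar/2019:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [11/Mar/2019:10:02:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [11/Mar/2019:10:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Calling find_offenders(SAMPLE_LOG) with the defaults returns only 203.0.113.7; tightening findtime below the gap between its attempts lets it slip through, which is why the window and threshold have to be tuned together.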

All our servers are kept up to date: you will always have the advantage of the latest version of PHP, and all OS patches and updates are installed on a weekly basis along with updates and upgrades to Plesk Onyx.

All administrative logins to the control panel are secured using 2FA as is access via SSH.

Layer 3

Our servers are hosted with Vultr and Digital Ocean. We implement firewall protection, which shields the server by blocking all connections except those we have configured. Only the ports required for hosting are open to the public.

Layer 4

A WAF (Web Application Firewall) protects your WordPress website by filtering and monitoring traffic before it reaches the server where the site is hosted. We use the Sucuri WAF, and the service offers additional protection including:

  • Mitigates Distributed Denial of Service (DDoS) Attacks
  • Prevents Vulnerability Exploit Attempts, such as SQL injection, cross-site scripting (XSS), remote file inclusion (RFI) and local file inclusion (LFI)
  • Protects Against the OWASP Top 10 (and more)
  • Protects Against Zero-Day Exploits
  • Protects Against Access Control Attacks, such as Brute Force attempts

The Sucuri WAF is a cloud-based solution, so all this protection happens away from your website, meaning that your server and site are faster as all the requests that reach them are legitimate and clean. The site can also be configured to only accept connections from the WAF; known as bypass protection, this stops attackers from using the server's real IP address to attack your site directly and bypass the WAF.

The WAF is included in our Advanced Plus Plan but can be added to any plan for an additional charge.

Advantages of hosting with RocketWP

If you host with RocketWP you get the first 3 layers of security by default. If we don’t host your site you get layer 1 as standard; layers 2 and 3 are the responsibility of your hosting provider.

Layer 4, the Sucuri WAF is an additional service that comes as part of our Advanced Plus Care Plan and can be provided regardless of your hosting partner.

RocketWP is committed to helping site owners, agencies and developers manage their WordPress websites. Regardless of the number of sites you host, we will help you keep them secure, backed up, up to date and fast.

Monitoring

We monitor everything! We have minute-by-minute uptime monitoring, daily checklists to ensure backups have run successfully, and a weekly checklist to ensure servers and control panels are updated. We also monitor domains for expiry, DNS records for changes, and servers for excessive disk, CPU and RAM usage. We use Todoist to ensure the checks are completed.

All our monitoring is linked to our Slack account; alerts are sent to the relevant channel and every alert is investigated.

Our layered approach

This layered approach to security means that the chances of your site being compromised are greatly reduced. We include backup as part of security because we know that, in the unlikely event that a site or even a server is hacked, we have the backups necessary to restore a site or an entire server should the need arise.
