When a threat actor fails to log in too many times, their IP address is automatically locked out temporarily. Each lockout lasts longer than the one before it. After 10 lockouts, their IP address is permanently banned.
Threat actors often use a technique called “fuzzing”, which guesses common directory and file names in an effort to identify vulnerable plugins or unprotected directories and files that contain sensitive data and do not require authentication. This technique generates a lot of 404 (not found) errors within a short period of time. IP addresses that appear to be using this type of attack are temporarily blocked from accessing the site, and if the activity continues, they are permanently banned.
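A sketch of the 404-burst detection and escalating lockout described above, added here as an illustration and not the plugin's own code. The window, threshold and lockout lengths are assumptions (only the 10-lockout ban comes from the page), the class and function names are hypothetical, and the sample traffic is constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 60          # assumed: sliding window for counting 404s
MAX_404 = 5            # assumed: 404s tolerated inside one window
BASE_LOCK_S = 300      # assumed: first lockout length; doubles each time
PERMANENT_AFTER = 10   # from the page: the 10th lockout is a permanent ban

class Blocker:
    def __init__(self):
        self.hits = defaultdict(deque)    # ip -> timestamps of recent 404s
        self.lockouts = defaultdict(int)  # ip -> number of lockouts so far
        self.blocked_until = {}           # ip -> unlock time (inf = banned)

    def observe(self, ip, status, now):
        """Feed one request; return 'allow', 'blocked', 'lockout' or 'ban'."""
        if now < self.blocked_until.get(ip, 0):
            return "blocked"
        if status != 404:
            return "allow"
        q = self.hits[ip]
        q.append(now)
        while q and q[0] <= now - WINDOW_S:   # drop 404s outside the window
            q.popleft()
        if len(q) <= MAX_404:
            return "allow"
        q.clear()                             # start counting afresh after a lockout
        self.lockouts[ip] += 1
        n = self.lockouts[ip]
        if n >= PERMANENT_AFTER:
            self.blocked_until[ip] = float("inf")
            return "ban"
        self.blocked_until[ip] = now + BASE_LOCK_S * 2 ** (n - 1)
        return "lockout"

# Constructed sample traffic: (unix_time, ip, path, status)
SAMPLE = [(t, "203.0.113.7", f"/wp-content/plugins/p{t}/readme.txt", 404) for t in range(1000, 1008)]
SAMPLE += [(1003, "198.51.100.4", "/", 200), (1004, "198.51.100.4", "/favicon.ico", 404)]

def replay(events):
    """Run events in time order; return the blocker and each (ip, decision)."""
    b = Blocker()
    return b, [(ip, b.observe(ip, status, ts)) for ts, ip, _path, status in sorted(events)]
```

Feeding failed-login events instead of 404s gives the login lockout from the previous paragraph with the same escalation logic.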
One of the most common methods a threat actor might use to compromise a hardened site is a technique called “credential stuffing”. It tries credentials that were previously exposed in a breach, whether or not they are associated with the target site. HaveIBeenPwned tracks many of these credentials and provides an API that lets us check whether a password is known to be compromised as the user sets it. The user’s password is never sent to HaveIBeenPwned; instead, the check uses a model called “K-Anonymity” to ensure that passwords can never be reversed by HaveIBeenPwned or another threat actor, while still allowing our plugins to check whether a password has been exposed and to block the user from using it if it has. This is not a guarantee that a credential stuffing attack will be unsuccessful, but it drastically cuts the likelihood of success of such an attack.
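How a k-anonymity lookup keeps the password local, shown as an added example that is not the plugin's code: the password is hashed with SHA-1 on the site, only the first five hex characters go to the Pwned Passwords range endpoint, and the returned suffixes are compared locally. Function names are hypothetical, and the stand-in server, its sample password and its counts are constructed so the block runs offline.

```python
import hashlib
import urllib.request

def split_hash(password):
    """SHA-1 the password locally; only the 5-character prefix ever leaves."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range):
    """Return how often the password appears in the breach corpus (0 = not found).

    fetch_range(prefix) returns the response body for that prefix:
    one 'SUFFIX:COUNT' line per known hash sharing the prefix.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:      # the match is decided on our side
            return int(count)
    return 0

def fetch_from_hibp(prefix):
    """Live lookup against the range endpoint (not called in this demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("ascii")

def fake_range_server(prefix):
    """Constructed stand-in for the API: knows exactly one breached password."""
    known_prefix, known_suffix = split_hash("Summer2023!")  # constructed entry
    lines = ["0" * 35 + ":3", "F" * 35 + ":12"]             # constructed decoys
    if prefix == known_prefix:
        lines.append(f"{known_suffix}:4821")                # constructed count
    return "\r\n".join(lines)

def may_set_password(password, fetch_range=fake_range_server):
    """Policy from the text: refuse any password found in the corpus."""
    return breach_count(password, fetch_range) == 0
```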
When the user first logs in after our plugins have been installed, they will be prompted to set up multifactor authentication. They can choose email or a mobile app such as Google Authenticator or Authy; however, we strongly recommend a mobile app instead of email because of the delay that waiting for an email may cause, as well as the increased protection that the mobile app adds.
The site will be scanned daily for signs of infection or the site’s presence in the major blacklists. If any indications are found of a compromise, our team will start an investigation to verify if there is actually a problem, and work to automatically remediate it if so.
Our web application firewall identifies and blocks suspicious requests before they are executed by the website. It can stop most SQL injection attacks, cross-site scripting attacks, and much more, even if plugins on the site are vulnerable to these attacks.
Through the power of community and proprietary threat feeds, we are able to block IP addresses that have been observed attacking other websites before they even browse to your site. Coming soon is our own native integration with our proprietary threat feed! We currently operate a number of honeypots to identify threat actors of many kinds. These honeypots present as what an attacker would believe are vulnerable machines on the internet, and they monitor how attackers interact with them as they attempt to exploit them. Through our threat research we are not only able to identify new tactics that attackers are using to compromise machines, we are also able to identify common IPs that are used to attack servers and block them across all customers in mere minutes. Our integration with WordPress is not quite ready for public use yet, but it is coming soon and will complement our existing integrations, which automatically block these IPs on Windows and Linux endpoints that we have admin/root access to. We are currently able to integrate our threat feed with Cloudflare, so it is already integrated for any customers currently on our managed hosting (our native integration will only be necessary for clients who utilize only our managed services and not our hosting platform).
Our live backup system backs up changes as they are made to the site in near real-time. This means that if your server goes down for any reason, we can quickly spin up your site on a new host and have most of your recent changes ready to go. This also takes the strain of daily backups and compression off of your server which increases performance of the server and reliability of the backups.
Our backup server takes daily snapshots of the database that can be used in the event of human error or another catastrophic event that requires the site to be rolled back. Roll-backs can happen in minutes when needed. Settings and text content can be rolled back through database backups; images and other media may require full site snapshots as seen below. 2 weeks of database snapshots are held on our backup server.
Our backup server takes weekly snapshots of the entire site including media in the event that something so catastrophic happens that even media needs to be rolled back (such as a malware attack or unintentional media file overwrite). Roll-backs can happen in minutes when needed. 4 weeks of full site snapshots are held on our backup server.
This is the bread and butter of our service. One of the most common reasons a WordPress site gets exploited is that updates aren’t applied frequently. Many people are afraid of what might happen during updates, or simply don’t have the time (or forget) to handle the updates themselves. We take care of all of that for you – using our multi-site automation, we are able to quickly test and deploy updates to all of our customers. Patches for vulnerabilities are often installed within hours of their release (whereas the average WordPress site stays vulnerable for months or years after patches are released).
We will configure and optimize SSL/TLS for you using any certificate you provide. On the managed hosting plan we take care of getting this certificate for you; on the managed security plan we will need you to provide a certificate unless your host is compatible with Let’s Encrypt automation or you choose to use Cloudflare.
Google reCAPTCHA integration on sensitive pages such as login and comment/contact forms can help keep many automated attacks away from your site by making users prove that they are human. While this isn’t required, we do strongly recommend using it.
WP Rocket is the industry standard caching plugin for WordPress. This can help speed up your site drastically, and is included at no additional cost to any customer who asks for it (a $50/year value).
Cloudflare is a free content delivery network and web application firewall reverse proxy that can help speed up your site and stop attackers before they even get to your server. Cloudflare also offers free DDoS protection, making sure that your site stays up even when someone is doing their best to take it down for any reason. Cloudflare configuration is optional if you use your own host, but is required if you use our hosting, as we only allow Cloudflare’s IP addresses to access our server on the necessary ports for web traffic – all other IPs are unable to browse to our server. As long as your site is configured with Cloudflare, people will not notice a difference other than that your site is often faster than it was before you switched over to Cloudflare. Using Cloudflare will require you to move your NS records away from your current DNS provider. We can assist with this as long as we have access to your current DNS provider and domain name registrar. You can keep registration of your domain name at your current registrar if you prefer, or it can be transferred to Cloudflare once the domain is set up on their services, for cheaper renewal and management all from a single console.
These days serving your site over SSL/TLS (which gives you the “s” at the end of “https” and makes sure your site isn’t marked as “Not Secure”) is an absolute must. Not only does it help protect your users, but Google also prioritizes sites with properly configured SSL/TLS in their search results over sites that do not have properly configured SSL/TLS. Any site on our hosting service will automatically be assigned a free SSL/TLS certificate. We are also happy to assist with gaining a free SSL/TLS certificate on your current host if you only use our managed security service; but we can’t guarantee that every host will be compatible with free certificate services.
One of the biggest issues with shared hosting services is that they open up FTP(S) to any IP address that tries to connect to it. This can make brute-forcing credentials very easy and basically leaves the doors wide open for script kiddies and other threat actors. While it does make management a little more of a pain, we only allow specific IP addresses to connect to our servers via SFTP and STP. We can walk you through the steps necessary to find your IP address so that we can whitelist it, or we are happy to assist with anything that requires access to the raw files on the server. We are working on a way to allow you to whitelist your IP yourself; however, that is a ways off from being completed as it requires extensive custom development.
Another problem with shared hosting services is that even if you are using Cloudflare, it is possible for someone to bypass it if they can figure out the IP address of your server which is behind Cloudflare. Finding that IP address is usually fairly easy. This means that Cloudflare might stop many automated attacks, but it doesn’t do much good in a targeted attack on a shared host. Since our server blocks any IP addresses attempting to access the website which aren’t routing through Cloudflare, this bypass method will not work on our servers – making Cloudflare useful for stopping almost every type of attack.
One of the biggest problems with shared hosting is that their servers are very slow. The average shared hosting server has around 0.5 GB of RAM available for your site to use. This means that dynamic sites such as WordPress are often slow as molasses, which can affect your search engine optimization as well as your user retention rate. While our server is shared among our clients, it is rather beefy, featuring over 4 GB of RAM and 2 vCPUs. Our clients often see a drastic difference in site performance once they have moved over to our server.