WordPress Site Security & Hosting: Features & Implementation List

Freshy WordPress website security


Freshy takes website security seriously. Our clients' WordPress sites are secured with a combination of proactive measures, best practices, automations, and redundant fail-safes.

Below is a brief overview of some of the security features we implement.

Backups

Backups (×4)

  • Jetpack has up to 1TB of real-time (per change) backups per install.
  • BlogVault syncs a backup daily, stored up to 1 year.
  • Hosting platform takes a backup nightly/hourly (files every 24 hours, database every hour) – stored for 30 days.
  • Snapshot backups on-demand, before big changes, via All-in-One WP Migration.

Monitoring/detection

Jetpack license and BlogVault connected for each new install

  • Downtime monitoring (×2) with an “urgent” internal workflow upon any alert (even false positives).
  • Malware detection (×2) and removal/patching for both themes and plugins, with an “urgent” internal workflow upon any alert (even false positives).
  • Activity log (×2) for key user actions.
  • Brute-force detection (×2) to block repeated failed login attempts.
  • Vulnerability detection (×2) for themes and plugins with known/published vulnerabilities.
  • Vulnerability, malware, and other threat monitoring at the server level, with Freshy having direct access to hosting platform admins.

Other measures

Additional security measures implemented and available for Freshy client sites

  • Complimentary SSL/TLS certificates powered by Let’s Encrypt.
  • Managed WordPress core updates (automatically).
  • PHP version upgraded when the previous branch reaches end of life and no longer receives security fixes.
  • Freshy admin passwords stored in an enterprise-grade password manager, with access limited to the employees who need it, and rotated annually.
  • SOC (System and Organization Controls) reports and penetration testing (pen test) available for hosting platform data centers, upon request (after NDA).
  • Spam prevention on forms via Akismet.
  • Web application firewall (WAF) identifies, filters, and blocks malicious requests to protect against application-layer attacks such as cross-site scripting (XSS), cross-site request forgery (CSRF), cookie poisoning, file inclusion, and SQL injection, among others; DDoS mitigation is a separate layer (see below).
  • Cloudflare firewall (for DDoS protection, etc.) available for sites that have DNS managed by Freshy.
  • Additional security measures and hardening available upon request/scoping
    • e.g., two-factor authentication (2FA), reCAPTCHA, preventing user enumeration, changing the login URL, enforcing password strength requirements, blocking countries, etc.

Freshy WordPress website hosting infrastructure


Freshy hosts sites on the WordPress Cloud platform: an enterprise-grade, cloud-based infrastructure built exclusively for the WordPress CMS and maintained by Automattic (the company behind WordPress.com).

The hosting infrastructure is a pooled server architecture — not really a shared setup, nor a typical dedicated setup. There are pools of servers and the load is split between database servers, file servers, and web servers. The setup is fully redundant with load balancers sitting on top of each server pool. This allows for zero downtime and powerful scaling. Since moving all sites to this infrastructure in 2017, we’ve had high performance and zero downtime.

Performance

  • 100% uptime of data center network.
  • Automatic failover as needed, as the system monitors the network for any disruptions. 
    • Each site has primary and secondary servers. If a site’s primary server experiences interruptions in connectivity, connections will automatically switch to the secondary server.
  • Automatic scaling and load balancing helps maintain optimal performance by distributing the load across servers if traffic on your site spikes.
  • Global content delivery network (CDN) serves content from the location closest to your audience, to minimize latency.
  • Proactive monitoring of performance and memory usage by hosting platform admins, with direct communication if any issues are identified.
  • Optimized servers with non-volatile memory express (NVMe) storage protocol to deliver the highest throughput and fastest response times.

Tools

  • Jetpack Complete plan included to improve backups, security, and activity monitoring.
  • Mailgun added to client sites for improved transactional email deliverability and monitoring (user notifications, orders, password resets, etc.).
  • Collaborator access to the install — on a case-by-case basis — including SFTP access, database access via phpMyAdmin, cache control, and more.
  • Staging environments available upon request/scoping.

Additional security details

At the network and load-balancing level, many different signals are combined when deciding whether activity is suspicious, such as IP address, fingerprint hashes, user-agents, ASNs, and more, to apply rate limiting or outright blocking of certain requests. These policies help protect against application vulnerabilities by distinguishing malicious traffic from legitimate traffic and filtering out the malicious traffic before it reaches the site. Such traffic can be blocked from interacting with the site (via a 429 Too Many Requests or 403 Forbidden response, etc.).

Additional layers of DDoS protection can also trigger well below the request volume of a large-scale attack.

All inbound requests route through an Anycast range of IPs, connecting the visitor to the closest edge data center. Each edge runs an NGINX load balancer that decides whether to route the request to a core data center or, if enabled, serve it from the edge cache. This also provides a layer of traffic protection and can dynamically route traffic differently based on incoming demand. By default, this edge architecture alone lets most sites absorb a large influx of traffic, or even a DDoS attack, before the hosting infrastructure's web application firewall (WAF), specialized rate limiting, and layers of DDoS protection need to engage. The hosting infrastructure also has a dedicated team that actively monitors the network and ensures it is deploying optimal resources and DDoS mitigations to prevent unnecessary resource utilization.

The WAF itself is a custom solution that blocks many PHP and WordPress-specific vulnerability exploitation attempts. The WAF also blocks specific types of malicious requests.
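To make the decision logic described in the last few paragraphs concrete, here is an added illustration (not the hosting platform's or Freshy's code) of an edge policy that combines several request signals: a blocked ASN and a blocked user-agent return 403, a request target matching a generic PHP/WordPress exploitation signature returns 403, and a per-client sliding-window counter keyed on a fingerprint hash of IP plus user-agent returns 429, with a tighter window for POSTs to wp-login.php. It goes slightly beyond the text by also applying the WAF-style signatures in the same pass. The ASN table (using documentation IP ranges), the thresholds, the signatures and the access-log line format are all assumptions constructed for this example; real thresholds, as the page notes, vary per signal.

```python
import hashlib
import re
from collections import defaultdict, deque

# Constructed ASN table over documentation IP ranges; production would use a GeoIP/ASN database.
ASN_BY_PREFIX = {"203.0.113.": 64500, "198.51.100.": 64501}
BLOCKED_ASNS = {64500}                       # assumed: an ASN with a history of abuse
BLOCKED_UA_PATTERNS = [re.compile(p, re.I) for p in (r"^python-requests/", r"masscan", r"^$")]
# Generic PHP/WordPress exploitation signatures matched against the request target (assumed).
EXPLOIT_PATTERNS = [re.compile(p, re.I) for p in (
    r"\.\./",                             # directory traversal
    r"wp-config\.php",                    # attempt to read the config file
    r"<\?php",                            # PHP code in a parameter
    r"(?:union\s+select|sleep\(\d+\))",   # common SQL injection probes
)]
WINDOW_SECONDS = 10                       # assumed thresholds; real ones vary per signal
MAX_REQUESTS_PER_WINDOW = 20
MAX_LOGIN_POSTS_PER_WINDOW = 5


class EdgePolicy:
    """Static block rules plus a sliding-window rate limiter, one decision per request."""

    def __init__(self):
        self._hits = defaultdict(deque)  # client key -> request timestamps inside the window

    @staticmethod
    def asn_for(ip):
        return next((asn for prefix, asn in ASN_BY_PREFIX.items() if ip.startswith(prefix)), None)

    @staticmethod
    def client_key(ip, ua):
        # Fingerprint hash over IP + user-agent: one IP rotating user-agents gets separate buckets.
        return hashlib.sha256(f"{ip}|{ua}".encode()).hexdigest()[:16]

    def _count_in_window(self, key, now):
        q = self._hits[key]
        while q and q[0] <= now - WINDOW_SECONDS:   # evict timestamps that fell out of the window
            q.popleft()
        q.append(now)
        return len(q)

    def decide(self, req):
        """Return (status, reason): 200 pass, 403 blocked, 429 rate limited."""
        ip, ua, target = req["ip"], req["ua"], req["target"]
        if self.asn_for(ip) in BLOCKED_ASNS:
            return 403, "blocked ASN"
        if any(p.search(ua) for p in BLOCKED_UA_PATTERNS):
            return 403, "blocked user-agent"
        if any(p.search(target) for p in EXPLOIT_PATTERNS):
            return 403, "WAF signature"
        key = self.client_key(ip, ua)
        if self._count_in_window(key, req["t"]) > MAX_REQUESTS_PER_WINDOW:
            return 429, "request rate"
        if req["method"] == "POST" and target.startswith("/wp-login.php"):
            if self._count_in_window(key + ":login", req["t"]) > MAX_LOGIN_POSTS_PER_WINDOW:
                return 429, "login rate"
        return 200, "pass"


LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')


def parse_line(line):
    """Parse a constructed access-log line of the form: time ip "user-agent" method target."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    t, ip, ua, method, target = m.groups()
    return {"t": float(t), "ip": ip, "ua": ua, "method": method, "target": target}


def build_sample_log():
    """Constructed traffic: normal browsing, a blocked ASN, a scanner user-agent,
    a traversal probe, a login brute-force burst, and a plain request flood."""
    ff = "Mozilla/5.0 (X11; Linux x86_64)"
    lines = [
        f'0.0 198.51.100.7 "{ff}" GET /',
        f'0.5 198.51.100.7 "{ff}" GET /wp-content/uploads/hero.jpg',
        '1.0 203.0.113.9 "Mozilla/5.0 (Windows NT 10.0)" GET /',
        '1.2 198.51.100.22 "python-requests/2.31" GET /wp-json/wp/v2/users',
        f'1.4 198.51.100.22 "{ff}" GET /?file=../../wp-config.php',
    ]
    lines += [f'{2.0 + i / 10:.1f} 198.51.100.40 "Mozilla/5.0 (Windows NT 10.0)" POST /wp-login.php'
              for i in range(6)]
    lines += [f'{3.0 + i / 10:.1f} 198.51.100.50 "Mozilla/5.0 (Macintosh)" GET /' for i in range(21)]
    return lines


def evaluate(lines):
    """Run every line through one EdgePolicy instance; returns a list of (status, reason)."""
    policy = EdgePolicy()
    return [policy.decide(parse_line(line)) for line in lines]


if __name__ == "__main__":
    for line, (status, reason) in zip(build_sample_log(), evaluate(build_sample_log())):
        print(status, reason.ljust(18), line)
```

Running the block prints one decision per constructed line: the sixth wp-login.php POST from the same client is the first to get a 429, as is the twenty-first page fetch from the flooding client, while the blocked ASN, the scanner user-agent and the traversal probe are refused with 403 before any counter is touched. Keying the counter on a hash of IP plus user-agent, rather than IP alone, is what keeps a legitimate office NAT from being throttled by one misbehaving bot behind it.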

This is on top of active vulnerability monitoring and platform-level mitigations, or patches, for critical vulnerabilities — without the need for plugin/theme/core updates. However, you should always continue to apply updates for other security benefits and less-critical vulnerabilities.

As for more detailed specifics (threshold numbers, etc.), those can vary widely depending on the signature, user-agent, IP, etc.