Security Weekly

WordPress Security on Server Layer


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 8

Last week we talked about WordPress security on the network layer (with Cloudflare as an example). This week, we’ll look into what happens once the traffic is passed on to the server.

On the server, things get a lot more complicated. This complexity is also one of the reasons why we have “Managed Hosting” services in the first place. Most people just want to put their stuff on the server so that it is online. Nothing else.

Servers are just computers, and computers are a combination of hardware and software, both of which need maintenance, configuration and monitoring. Just to save everyone from pain, let’s not talk about hardware.

What to focus on at the server?

First of all, you need to know what your server is made of. Exactly like on a WordPress site, it’s just as important to keep the server’s operating system and all installed programs up to date and correctly configured. The latter is very important! Luckily, this is what you pay for when you’re using a managed hosting service.

If you’re self-hosting, then make sure you know the system well. Keep an eye on software releases and look out for security updates. If you’re not entirely sure what runs on the server, look into security solutions that do SCA (Software Composition Analysis; we’ll get more into that next week). If you’re not interested in being a part-time sysadmin, don’t self-host.

Server configuration and isolation

The most important thing to make sure of is that the filesystem, database and the entire server environment are properly configured. Back in the day, it was common for cheap shared hosting providers to have security incidents where hackers were able to move from one customer’s website to another, because the sites were not properly isolated or “caged”.

I’ve personally seen cases where the same server is also used for email, so the hackers could not only access website files, logs and database contents, but also read all of the emails being sent in and out.

This has luckily changed and hosts do much better now… but users don’t change that easily. People want to save money, so they go for the cheapest host, purchase a single server and then add a large number of sites in different folders. As soon as one of the sites gets hacked, all of them go with it. We see that all the time.

If that happens, you’re in for a treat! You can’t clean up the sites one by one, because they are all infecting each other. You would need to make every site publicly inaccessible until all of them are cleaned up. If you don’t, you’ll be stuck in an infinite loop of reinfections.
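The isolation problem described above can be checked from the shell before it turns into a reinfection loop. The script below is an added example, not code from the article or from any hosting provider. It assumes one directory per site directly under a common web root (a constructed layout) and a `stat` that accepts `-c` (GNU or BusyBox). It reports sites that share a Unix owner, which is exactly the “many sites in one account” setup the article warns about, and site directories whose permissions let any other local user or process read or modify them.

```shell
#!/bin/sh
# Added example, not code from the original article or from any hosting
# provider. Checks whether the sites under a shared web root are isolated
# from one another in the two ways the article describes: several sites
# running under the same Unix owner (a compromise of one can then read and
# rewrite the others), and site directories that are readable or writable
# by "other" users on the box. Assumes one directory per site directly under
# DOCROOT and a GNU/BusyBox `stat -c`.

set -u

# dir_owner DIR -> numeric uid of the owner
dir_owner() { stat -c %u "$1"; }
# dir_mode DIR  -> permission bits in octal, e.g. 750 (or 2750 with setgid)
dir_mode()  { stat -c %a "$1"; }

# audit_isolation DOCROOT
# Prints one finding per line and returns the number of findings:
#   WORLD-WRITABLE <site> <mode>           any local user/process can modify it
#   WORLD-READABLE <site> <mode>           any local user/process can read it
#   SHARED-OWNER <uid> <site> <site> ...   these sites run as the same user
audit_isolation() {
    _root=$1; _out=$(mktemp)

    for _site in "$_root"/*/; do
        _site=${_site%/}; _name=${_site##*/}; _mode=$(dir_mode "$_site")
        _other=${_mode#"${_mode%?}"}        # last octal digit = "other" bits
        if [ $(( _other & 2 )) -ne 0 ]; then
            printf 'WORLD-WRITABLE %s %s\n' "$_name" "$_mode" >> "$_out"
        elif [ $(( _other & 4 )) -ne 0 ]; then
            printf 'WORLD-READABLE %s %s\n' "$_name" "$_mode" >> "$_out"
        fi
    done

    # Group site names by owner uid; a uid owning more than one site is a finding.
    for _site in "$_root"/*/; do
        _site=${_site%/}
        printf '%s %s\n' "$(dir_owner "$_site")" "${_site##*/}"
    done | LC_ALL=C sort | awk '
        { sites[$1] = sites[$1] " " $2; n[$1]++ }
        END { for (u in n) if (n[u] > 1) print "SHARED-OWNER " u sites[u] }' >> "$_out"

    _count=$(wc -l < "$_out" | tr -d ' ')
    cat "$_out"
    rm -f "$_out"
    return "$_count"
}
```

Run it as `audit_isolation /var/www` (path is an assumption) from cron or as part of onboarding a new server; a zero return means the sites are at least separated by owner and permissions. The usual remediation is a separate system user (and PHP-FPM pool) per site with the site directory set to `750`, so a compromised site’s PHP process cannot even list its neighbours.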

Malware scanning

Once a hack goes through and your site gets infected, it’s important to know where to look. Whatever you use for malware scanning should not rely on anything that is already compromised. Never rely solely on WordPress malware scanning plugins.

While they are great tools that you can quickly install to scan for potentially malicious code, they are also the first target of the malware itself. Again, just last week, we saw malware being spread that first turns off both Wordfence and Sucuri and then moves on.

Relying on plugin-based malware scanners can provide a false sense of security (which makes an incident even worse). It is also a very inefficient way of scanning through files and the database, and therefore slows down your website and hinders performance.

If you’re choosing a hosting provider, ask them if they do regular malware scanning. Today, most hosting companies do, some better than others. Just ask how fast you’ll be notified and whether they provide a report.

If you’re self-hosting, then first look into some of the open source malware scanners such as ClamAV and Maldet. Additionally, set up integrity scanning for the WordPress core files; it’s actually a very effective way to detect malware. You can do that with WP-CLI.
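To make the integrity-scanning idea concrete, here is an added example (not code from the article, Patchstack or WP-CLI) of the same check done with nothing but coreutils: hash every file of a known-good install into a manifest kept outside the web root, then compare the live tree against it later. It follows the article’s rule that the scanner must not depend on anything inside the possibly compromised site. The WordPress-shaped directory it builds for the demonstration is constructed; the manifest path is assumed to be absolute.

```shell
#!/bin/sh
# Added example, not code from the original article or from Patchstack.
# A minimal file-integrity check in the spirit of `wp core verify-checksums`:
# record a SHA-256 manifest of a known-good install (kept OUTSIDE the web
# root, or off the server entirely), then compare the live tree against it.
# Anything changed, added or removed is reported, so injected code shows up
# without trusting any scanner that lives inside the possibly compromised
# site. Only coreutils are needed and nothing is fetched over the network.

set -u

# build_manifest DIR MANIFEST
# Writes "<sha256>  <relative path>" for every regular file under DIR.
# MANIFEST should be an absolute path outside DIR.
build_manifest() {
    _dir=$1; _manifest=$2
    ( cd "$_dir" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2 > "$_manifest"
}

# verify_manifest DIR MANIFEST
# Prints one line per deviation and returns their number (0 = tree matches):
#   MISSING  ./path   listed in the manifest, gone from disk
#   ADDED    ./path   on disk, never listed (e.g. a PHP file dropped into uploads/)
#   CHANGED  ./path   still present, content differs from the recorded hash
verify_manifest() {
    _dir=$1; _manifest=$2
    _expected=$(mktemp); _actual=$(mktemp); _out=$(mktemp)

    awk '{print $2}' "$_manifest" | LC_ALL=C sort > "$_expected"
    ( cd "$_dir" && find . -type f ) | LC_ALL=C sort > "$_actual"
    comm -23 "$_expected" "$_actual" | sed 's/^/MISSING  /' >> "$_out"
    comm -13 "$_expected" "$_actual" | sed 's/^/ADDED    /' >> "$_out"

    # sha256sum -c prints "path: OK" or "path: FAILED..." per manifest entry;
    # a failure for a file that still exists is a content change.
    ( cd "$_dir" && sha256sum -c "$_manifest" 2>/dev/null ) |
        sed -n 's/: FAILED.*$//p' |
        while IFS= read -r _f; do
            if [ -e "$_dir/$_f" ]; then printf 'CHANGED  %s\n' "$_f"; fi
        done >> "$_out"

    _count=$(wc -l < "$_out" | tr -d ' ')
    cat "$_out"
    rm -f "$_expected" "$_actual" "$_out"
    return "$_count"
}

# demo_scenario
# Builds a constructed WordPress-shaped tree in a temp dir, takes a manifest,
# tampers with it the way an infection would, and prints the report.
demo_scenario() {
    _root=$(mktemp -d); _site="$_root/site"; _mf="$_root/manifest.sha256"
    mkdir -p "$_site/wp-includes" "$_site/wp-content/uploads"
    printf '<?php // constructed stand-in for a core file\n' > "$_site/wp-includes/functions.php"
    printf '<?php // constructed stand-in for a core file\n' > "$_site/wp-includes/version.php"
    printf '<?php // constructed stand-in for index.php\n' > "$_site/index.php"
    build_manifest "$_site" "$_mf"

    # Simulated tampering: a core file edited, a new file dropped, one removed.
    printf '<?php // appended by the simulated infection\n' >> "$_site/wp-includes/functions.php"
    printf '<?php // file the manifest never saw\n' > "$_site/wp-content/uploads/unexpected.php"
    rm -f "$_site/index.php"

    verify_manifest "$_site" "$_mf" || true
    rm -rf "$_root"
}
```

On a real install, `wp core verify-checksums` does this for the core files against the checksums WordPress.org publishes for the installed version, and `wp plugin verify-checksums` does the same for plugins from the directory; neither covers your own files under wp-content, which is where a manifest of your own, rebuilt after each deployment and stored off the server, fills the gap.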

If you’re stuck with a host that is not helpful and you don’t have full control over your server, then reach out to companies who provide malware scanning and incident response services. One popular provider is also here in the TAB community: https://wewatchyourwebsite.com/

Backups

The best case scenario is that your site never gets compromised. The second best case scenario is that a) the malware gets detected immediately and b) you can simply restore a clean backup.

However, for this to happen, you need to make sure backups are taken at a regular interval and then retained over a longer period of time. If the malware is not detected immediately, there is a risk that the recent backups are compromised too. So, bonus points to hosts that separately scan the backups for malware as well.

As you would probably expect, and similarly to malware scanning, backups should be done in a way that doesn’t rely on the (possibly compromised) site to do so. Try to avoid backup plugins and go for a hosting provider that does the backups on the server side.
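What “regular interval, longer retention, done on the server side” looks like in practice is shown by the following added example; it is not code from the article or from any hosting provider. It archives a document root to a directory outside the web root, writes a SHA-256 sidecar so the archive can later be verified or scanned, and applies a retention rule that keeps the newest daily archives plus older first-of-month ones, so a clean copy from before an undetected infection survives. The `<prefix>-YYYY-MM-DD.tar.gz` naming, the directories and the retention counts are assumptions; the database dump that belongs next to the archive is left out so the example runs offline.

```shell
#!/bin/sh
# Added example, not code from the original article or from any hosting
# provider: a server-side backup routine that never executes anything inside
# the site. It archives the document root to a destination outside the web
# root, writes a SHA-256 sidecar so the archive can be checked (or scanned)
# later, and keeps recent dailies plus older first-of-month archives, so a
# clean copy predating an undetected infection is still around. Archive
# names are constructed as <prefix>-YYYY-MM-DD.tar.gz. The database dump that
# belongs next to the archive is omitted so the example runs offline.

set -u

# make_backup SITE_DIR DEST_DIR PREFIX DATE
# Creates DEST_DIR/PREFIX-DATE.tar.gz plus a .sha256 sidecar and prints the
# archive path. DEST_DIR is assumed to be unreadable and unwritable for the
# web server user, so the site cannot tamper with its own backups.
make_backup() {
    _site=$1; _dest=$2; _archive="$_dest/$3-$4.tar.gz"
    mkdir -p "$_dest"
    # -C so the archive holds relative paths, not the absolute server path.
    tar -czf "$_archive" -C "$_site" .
    ( cd "$_dest" && sha256sum "${_archive##*/}" > "${_archive##*/}.sha256" )
    printf '%s\n' "$_archive"
}

# verify_backup ARCHIVE -> 0 if the sidecar hash still matches, non-zero otherwise
verify_backup() {
    ( cd "${1%/*}" && sha256sum -c "${1##*/}.sha256" > /dev/null 2>&1 )
}

# select_expired DEST_DIR KEEP_DAILY KEEP_MONTHLY
# Lists archives outside the retention rule: the newest KEEP_DAILY archives
# are kept, as are the newest KEEP_MONTHLY archives dated the 1st of a month.
# Date-stamped names sort chronologically, so lexical order is enough.
select_expired() {
    _dest=$1; _daily=$2; _monthly=$3
    _all=$(mktemp); _keep=$(mktemp)
    ( cd "$_dest" && for _f in *.tar.gz; do printf '%s\n' "$_f"; done ) |
        LC_ALL=C sort -r > "$_all"
    {
        head -n "$_daily" "$_all"
        grep -- '-01\.tar\.gz$' "$_all" | head -n "$_monthly"
    } | LC_ALL=C sort -u > "$_keep"
    LC_ALL=C sort "$_all" | comm -23 - "$_keep"
    rm -f "$_all" "$_keep"
}

# prune_backups DEST_DIR KEEP_DAILY KEEP_MONTHLY
# Deletes the expired archives and their sidecars; prints what was removed.
prune_backups() {
    select_expired "$1" "$2" "$3" | while IFS= read -r _name; do
        rm -f "$1/$_name" "$1/$_name.sha256"
        printf 'removed %s\n' "$_name"
    done
}
```

A nightly cron entry on the host (not a WordPress plugin) would call `make_backup /var/www/site /srv/backups site "$(date +%F)"` followed by `prune_backups /srv/backups 7 6` (paths and counts are assumptions), and the malware scanner from the previous section can be pointed at `/srv/backups` as well, which is the “scan the backups too” the article gives bonus points for.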

Conclusion

If you’re just hosting a few sites and are not into becoming a sysadmin, choosing a great managed hosting company is incredibly important. When you do that, put the emphasis on “managed” and ask what is really getting managed. Unfortunately, “Managed WordPress Hosting” is a buzzword, so it’s often used just for marketing purposes.

A well-configured server that is tailored to your application (WordPress) makes a big difference. Regular server-side malware scanning and reliable backups are must-haves. Before you go with a host, make sure they offer both.

Next week, let’s dive into the WordPress application.
