Is WordPress Secure?

One of our plugin vendors, Wordfence, wrote a detailed post answering the question “Is WordPress Secure?” “The short answer is yes, but it does require a modest amount of work and education on the part of the site owner.” Fortunately for our hosting clients, we already do much of that work (AND MORE!) for you!

Our hosting environment runs the Plesk hosting control panel on top of Ubuntu Linux. Ubuntu, Plesk, and WordPress core and repository plugin updates are automatically installed on schedule as they become available.

Your website on our hosting benefits from several layers of protection: at the network level, the server level, and the application level. Traffic is continuously monitored by Apache ModSecurity for dynamically updated (Atomic Subscription) patterns of abuse such as brute force login attempts, form POST abuse, excessive 404 requests, 404 requests for commonly abused filenames, etc. These automated systems then temporarily ban offending IP addresses using Fail2Ban. Repeat offenders get blocked for longer periods of time. At the application level, the Wordfence security plugin monitors WordPress core files and plugins for changes from the official versions, and overlaps some of the ModSecurity functionality by blocking abusive requests that make it through the previous layers of defense. We also have systems in place (Cacti, Graylog, Watchdog, and Health Monitor) that monitor overall server and network load levels and alert us to conditions outside the norm, so that we can inspect them manually and respond to and mitigate threats as necessary.
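The ban escalation described above can be modeled in a few lines. This is an added example, not our production configuration and not Fail2Ban's own code: the log lines are constructed, and the window, threshold, base ban time and doubling factor are assumed values chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /old-page HTTP/1.1" 404 196
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /missing.css HTTP/1.1" 404 196
198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /nope HTTP/1.1" 404 196
203.0.113.7 - - [10/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3100
198.51.100.20 - - [10/Mar/2024:10:06:00 +0000] "GET /favicon.ico HTTP/1.1" 404 196
203.0.113.7 - - [10/Mar/2024:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3100
203.0.113.7 - - [10/Mar/2024:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3100
203.0.113.7 - - [10/Mar/2024:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3100
"""
LINE_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
FINDTIME = timedelta(minutes=10)  # assumed: window in which strikes are counted
MAXRETRY = 3                      # assumed: strikes in the window that trigger a ban
BASE_BAN = timedelta(minutes=10)  # assumed: first ban length, doubled on each repeat

def is_strike(method, path, status):
    """A 404, or a failed login (WordPress answers 200 on failure, 302 on success)."""
    failed_login = method == "POST" and path.startswith("/wp-login.php") and status == 200
    return status == 404 or failed_login

def process(log_text):
    """Return a list of (ip, ban_start, ban_duration) decisions for the log."""
    strikes, ban_count, banned_until, bans = defaultdict(deque), defaultdict(int), {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if ip in banned_until and when < banned_until[ip]:
            continue  # already banned: a real firewall would have dropped this
        if not is_strike(method, path, int(status)):
            continue
        window = strikes[ip]
        window.append(when)
        while when - window[0] > FINDTIME:
            window.popleft()  # forget strikes older than the window
        if len(window) >= MAXRETRY:
            duration = BASE_BAN * (2 ** ban_count[ip])  # repeat offenders: longer ban
            ban_count[ip] += 1
            banned_until[ip] = when + duration
            bans.append((ip, when, duration))
            window.clear()
    return bans
```

On the constructed log, the first address is banned twice, for 10 and then 20 minutes, while the visitor with a single stray 404 is never banned.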

We take your website security seriously. If you have questions about security, please ask!