Default WP Grid Security and Additional Options

WP Grid takes care of a significant part of the general security for your websites out of the box.

It is, however, handy to know exactly what we do take care of so that you don’t need to worry about it.

WP Grid’s Default Security

  1. Secure PHP version by default
    New websites will always be provisioned on an up-to-date version of PHP – unless you go out of your way and manually make it otherwise.
  2. Secure usernames and passwords by default
  3. We install the latest version of WordPress on new site builds
    No unpatched security vulnerabilities in out of date versions.
  4. Disable directory browsing / System file protection
    Prevent anyone from seeing your WordPress files and prevent access to readme.html, readme.txt, install.php, and wp-includes.
  5. Disable PHP execution in the uploads and themes directories
    Automatically block requests to maliciously uploaded PHP files in your WordPress directories.
  6. Secure wp-config.php
    We store the wp-config.php file one level up from the htdocs directory. Your wp-config.php file contains your database username and password along with other information about your website. We keep your wp-config hidden and protected.
  7. Security headers
    We implement security headers by default to ensure security vulnerabilities such as cross-site scripting and clickjacking are automatically prevented. This shuts down one of the biggest security vulnerabilities on all websites online today, WordPress or not.
  8. SFTP access only – We enforce secure server connections. No exceptions.
  9. Nginx rate limiting
    Out of the box we limit requests to wp-login.php to 1 hit per second to protect against brute force attacks. We also implement a slightly less strict rate limit on the admin-ajax endpoint.

Additional Security Options

Above are the things we do by default. This section details additional options that you can configure on an as-needed basis, and are completely customizable to your specific needs.

  1. Web Application Firewall (WAF) options
    We have deep, customizable integrations with the 7G, 6G WAF and ModSecurity. These allow us to implement a WAF at the server level to protect your websites against a variety of malicious URI requests, bad bots, spam referrers, and more. It only protects your website, but it will help reduce your server’s resource consumption.
    – Site Firewalls: ModSec
  2. – Site Firewalls: 7G
    – Site Firewalls: 6G
  3. Website isolation through System Users
    Assigning each of your websites to a unique system user will keep them completely isolated from one another. If a site was ever compromised, it will be unable to infect any other websites if it’s on its own system user.
  4. Fail2Ban integration
    We have handy CLI integration with Fail2Ban on the server level to implement brute force protection, and also with the wpFail2Ban plugin on a site by site basis. This will allow you to implement a variety of different security options to keep the bad guys off your server.
  5. Disable XML RPC
    XML RPC is an old, outdated, and insecure method of remotely posting to your WordPress website. If you’re not using it, you should disable it completely. Check out the beginning of the Fail2Ban article above or the Nginx hardening article below for instructions – it’s quick and easy.
  6. Further Nginx hardening.
    The following commands will allow us to configure individual websites on an as-needed basis to easily increase their security. This includes blocking XML-RPC, load-scripts.php, blocking PHP executing in wp-content, block comments, block links opml, block trackbacks, and block the wp-admin upgrade and install file. Learn more here:
  7. A+ Grade SSL certificates
    Exactly what it says on the tin. We can’t force SSL’s, but you should always use them.