Frequently Asked Questions

How often will my WordPress backend get updated/patched?

WordPress core file updates, theme updates, and plugin updates generally happen every Monday.

What security measures are being taken to prevent sites from getting hacked?

To prevent the server from getting hacked:

  • Server firewalls are in place.
  • Monitoring is in place for brute force attacks.
  • If the server detects bad behavior, notifications go out and appropriate action is taken.
  • Offending IP addresses are automatically blocked from accessing the server when appropriate.
  • Manual monitoring and evaluation of the overall server health is undertaken monthly.

To prevent your WordPress site from getting hacked, several measures are taken:

  • All new sites on the server are evaluated to ensure they are up-to-date and don't have any existing security issues.
  • Good fences make good neighbors. While your neighbors' sites are held to the same high standard as yours, you also have an environment and account that keeps you separate from them. Shared servers are riskier because if your neighbor has a problem, there is a greater chance it can affect you, which is why I don't offer them.
  • Keeping your core files and plugins updated is one of the most important things that can be done. Outdated versions can have exploits. Available updates are done for you every 1-2 weeks.
  • Additional coding measures are taken to prevent snooping.
  • Additional login measures are implemented to prevent easy brute force logins.
  • Malware scanning happens nightly.
  • Other detailed measures:
    • Restrict access to files and directories
    • Configure security keys
    • Block directory browsing
    • Forbid execution of PHP scripts in the wp-includes directory
    • Forbid execution of PHP scripts in the wp-content/uploads directory
    • Block unauthorized access to wp-config.php
    • Disable scripts concatenation for WordPress admin panel
    • Turn off pingbacks
    • Disable PHP execution in cache directories
    • Disable file editing in WordPress Dashboard
    • Change default database table prefix
    • Enable bot protection
    • Block access to sensitive files
    • Block access to potentially sensitive files
    • Block access to .htaccess and .htpasswd
    • Block author scans (can be reverted)
    • Change default administrator's username
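
An added example (not this host's own tooling): a small Python check that a site owner could run against a copy of wp-config.php to confirm four of the measures listed above (security keys, table prefix, Dashboard file editing, admin script concatenation). The sample config and the function names are constructed for illustration.

```python
import re

# Constructed sample wp-config.php for illustration (not from any real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'k3#Vz-constructed-random-value-9qP' );
$table_prefix = 'wp_';
define( 'DISALLOW_FILE_EDIT', true );
// define( 'CONCATENATE_SCRIPTS', false );
"""

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # text shipped in wp-config-sample.php

def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments so disabled defines don't count."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)^\s*(//|#).*$", "", php)

def get_define(php, name):
    """Return the raw value of define('NAME', value), or None if absent."""
    m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*(.+?)\s*\)\s*;"
                  % re.escape(name), php)
    return m.group(1).strip() if m else None

def audit(php):
    """Return a list of findings; an empty list means all four checks passed."""
    php = strip_comments(php)
    findings = []
    weak = [k for k in KEY_NAMES
            if (get_define(php, k) or "").strip("'\"") in ("", PLACEHOLDER)]
    if weak:
        findings.append("security keys missing or placeholder: " + ", ".join(weak))
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", php)
    if m and m.group(1) == "wp_":
        findings.append("default database table prefix 'wp_' in use")
    if (get_define(php, "DISALLOW_FILE_EDIT") or "").lower() != "true":
        findings.append("Dashboard file editing not disabled (DISALLOW_FILE_EDIT)")
    if (get_define(php, "CONCATENATE_SCRIPTS") or "").lower() != "false":
        findings.append("admin script concatenation not disabled (CONCATENATE_SCRIPTS)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_CONFIG):
        print("FINDING:", finding)
```

The commented-out CONCATENATE_SCRIPTS line in the sample is reported as a finding, because a define that is commented out has no effect.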

What happens if I get hacked?

Unfortunately, even with security measures and best practices in place, something can still happen. This is why you want to be prepared in case disaster strikes.

  • Nightly, weekly, and monthly backups of your site exist at all times. These are done for you automatically. 
    • Daily Backups are nightly. Retention is 10 backups.
    • Weekly Backups are at the beginning of the week (Sunday). Retention is 4 backups.
    • Monthly Backups are on the 1st and 15th. Retention is 4 backups.
  • If disaster strikes, a backup of your site can be pulled within minutes of notification.
  • If you get hacked, a deeper evaluation of your site will begin to find the source of the problem and where security may need to be reinforced.

Do your servers provide PCI Compliance?

PCI compliance can be applied to a server based on your requirements. We can interface with your PCI Compliance vendor (Trustwave, Sysnet, etc.) and assist in making sure the server meets those requirements and that any failures are corrected.
Items currently covered* include, but are not limited to:
  • Restrict database access
  • Disable HTTP OPTIONS method
  • Restrict access to DNS
  • Upgrade to the latest version of Exim
  • Disable FTP plaintext authentication
  • Disable ICMP timestamp responses on Linux
  • Disable IMAP plaintext authentication
  • Disable POP plaintext authentication
  • Disable SMTP server EXPN and VRFY commands
  • Disable SMTP plaintext authentication
  • Disable SSLv2, SSLv3, and TLS 1.0. The best solution is to only have TLS 1.2 enabled
  • Disable TLS/SSL support for 3DES cipher suite
  • Disable TLS/SSL support for DES and IDEA cipher suites
  • Disable insecure TLS/SSL protocol support
  • Disable TLS/SSL support for RC4 ciphers
  • Disable TLS/SSL support for static key cipher suites
  • Generate random Diffie-Hellman parameters
  • Upgrade ISC BIND to latest version
  • Use a Stronger Diffie-Hellman Group

How do cPanel updates work?

Updates to the software installed and managed by cPanel typically happen during cPanel's daily updates via the Yum repository. These include updates to services like Exim, minor PHP updates, and MySQL/MariaDB (if updates are still being pushed out for the version you're using). Servers are on a dedicated platform.

How often is the server software updated?

Update frequencies vary. Generally, we wait until there is a stable release of a new version of the server OS or cPanel/WHM.

What about Firewall and DDoS Attacks?

Servers have an advanced, configurable firewall and DDoS attack protection to keep your information protected. The protection is provided by Corero Network Security (LSE: CNS), a leading provider of First Line of Defense® security solutions against DDoS attacks, whose SmartWall Threat Defense System (TDS) protects the data centers against DDoS attacks. With the Corero solution in place, we safeguard our networks from these attacks and extend that protection, maintenance, and updates to our customers as part of our hosting services.

Where can I find SOC1 or WCDC documentation?

Where is the storage location for any data that is accumulated?

Unless customers configure transport, CDN, or other replication, all data files for your website are maintained on an Elite1726 server in the West Coast Data Center (LA) or East Coast Data Center (VA).

 

*Note: these items could change at any time. If PCI compliance is important to you, you should run your own server scan to determine what may be required.