vCanopy takes care of a significant part of the general security for your websites out of the box.
This does not mean your websites are invulnerable, and developing good security practices (and perhaps even helping your own clients implement them) is still a requirement when locking down your websites.
It is, however, handy to know exactly what we do take care of so that you don’t need to worry about it, and can create your own process / checklist that you can follow each time you set up a new website on vCanopy.
vCanopy’s Default Security
- Secure PHP version by default
New websites will always be provisioned on an up-to-date version of PHP – unless you go out of your way and manually make it otherwise.
- Secure usernames and passwords by default
You also have the ability to set your own default username and password. Also please note that if you import a website that overwrites the database, this also overwrites the default username and password.
- We install the latest version of WordPress on new site builds
No unpatched security vulnerabilities in out of date versions.
- Disable directory browsing / System file protection
Prevent anyone from seeing your WordPress files and prevent access to readme.html, readme.txt, install.php, and wp-includes.
- Disable PHP execution in the uploads and themes directories
Automatically block requests to maliciously uploaded PHP files in your WordPress directories.
- Secure wp-config.php
We store the wp-config.php file one level up from the htdocs directory. Your wp-config.php file contains your database username and password along with other information about your website. We keep your wp-config hidden and protected.
- Security headers
We implement security headers by default to ensure security vulnerabilities such as cross-site scripting and clickjacking are automatically prevented. This shuts down one of the biggest security vulnerabilities on all websites online today, WordPress or not.
- SFTP and SSH access only
We enforce secure server connections. No exceptions.
- Nginx rate limiting
Out of the box we limit requests to wp-login.php to 1 hit per second to protect against brute force attacks. We also implement a slightly less strict rate limit on the admin-ajax endpoint.
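A per-site checklist for the defaults above can be automated. The following is an added example, not vCanopy's own code: it checks that the protected files return 403/404 and that the home page sends anti-clickjacking and nosniff headers. The WordPress-relative paths, the header names, and the audit/http_fetch helpers are assumptions, since the page does not name them.

```python
# Added example (not vCanopy code). Paths and header names are assumptions.
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str]]  # (HTTP status, response headers)

# Files and directories the list above says are protected; the exact
# WordPress-relative paths are assumed.
BLOCKED_PATHS = ["/readme.html", "/readme.txt", "/wp-admin/install.php",
                 "/wp-includes/", "/wp-config.php"]

def audit(fetch: Callable[[str], Response]) -> List[str]:
    """Return findings; an empty list means every check passed."""
    findings = []
    for path in BLOCKED_PATHS:
        status, _ = fetch(path)
        if status not in (403, 404):
            findings.append(f"{path} is reachable (HTTP {status})")
    _, raw = fetch("/")
    headers = {k.lower(): v.lower() for k, v in raw.items()}
    csp = headers.get("content-security-policy", "")
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("no clickjacking header (X-Frame-Options or CSP frame-ancestors)")
    if headers.get("x-content-type-options") != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    return findings

def http_fetch(base_url: str) -> Callable[[str], Response]:
    """Fetcher for a live site you administer, e.g. http_fetch('https://example.com')."""
    def fetch(path: str) -> Response:
        try:
            with urllib.request.urlopen(base_url + path, timeout=10) as resp:
                return resp.status, dict(resp.headers)
        except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
            return err.code, dict(err.headers)
    return fetch

# Constructed sample responses so the example runs offline.
HARDENED = {p: (403, {}) for p in BLOCKED_PATHS}
HARDENED["/wp-config.php"] = (404, {})
HARDENED["/"] = (200, {"X-Frame-Options": "SAMEORIGIN",
                       "X-Content-Type-Options": "nosniff"})
UNHARDENED = {p: (200, {}) for p in BLOCKED_PATHS + ["/"]}

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(name, audit(sample.__getitem__) or "all checks passed")
```

Checking that PHP execution is blocked in the uploads directory needs a known test file in place, so it is left out of this sketch.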
Additional Security Options
Above are the things we do by default. This section details additional options that you can configure on an as-needed basis and that are completely customizable to your specific needs.
- Web Application Firewall (WAF) options
We have deep, customizable integrations with the 6G WAF, 7G WAF and ModSecurity. These allow you to implement a WAF at the server level to protect your websites against a variety of malicious URI requests, bad bots, spam referrers, and more. It not only protects your website, but it will also help reduce your server’s resource consumption. Learn more here:
– Site Firewalls: ModSec
– Site Firewalls: 6G
– Site Firewalls: 7G
- Website isolation through System Users
Assigning each of your websites to a unique system user will keep them completely isolated from one another. If a site is ever compromised, it will be unable to infect any other websites if it’s on its own system user. At the time of writing, system users are optional, but in the future they may be mandatory. Learn more here:
Change the Site Owner (System User) of a vCanopy Site
- Fail2Ban integration
We have handy CLI integration with Fail2Ban on the server level to implement brute force protection, and also with the wpFail2Ban plugin on a site by site basis. This will allow you to implement a variety of different security options to keep the bad guys off your server.
Configuring Fail2Ban to Prevent Brute Force Attacks
- Disable XML RPC
XML RPC is an old, outdated, and insecure method of remotely posting to your WordPress website. If you’re not using it, you should disable it completely. Check out the beginning of the Fail2Ban article above or the Nginx hardening article below for instructions – it’s quick and easy.
- Further Nginx hardening with GP-CLI
The following commands will allow you to configure individual websites on an as-needed basis to easily increase their security. This includes blocking XML-RPC, load-scripts.php, PHP execution in wp-content, comments, links opml, trackbacks, and the wp-admin upgrade and install files. Learn more here:
Nginx Site Hardening with GP CLI
- Content Security Policy (CSP)
vCanopy makes it easy to activate a CSP with GP-CLI. You can run a single command to create a CSP configuration file, and then edit it as per your needs. Learn more here:
How to create a Content Security Policy (CSP Header)
- A+ Grade SSL certificates
Exactly what it says on the tin. We can’t force SSL certificates, but you should always use them.