WordPress Database Protection at Seravo

In 2020, the security of Finnish online services has been a hot topic in the wake of the Vastaamo data breach. According to public reports, Vastaamo had fundamentally failed to protect its data, and an external intruder had gained access to the MySQL database for the following two reasons:

  • The database connection was unnecessarily open to public network.
  • The password for the username was weak, so the intruder gained access by guessing the password.

The question that many now may ask is: could the same happen to their company’s online service? In principle, yes, if the website has not been professionally maintained. As Seravo’s customer, you need not worry, as Seravo employs top WordPress security experts, many of whom have experience in maintaining Linux servers and MySQL/MariaDB databases since the late 1990s.

In general, Seravo’s WordPress security expertise is exemplary. Most recently, in early September 2020, several Finnish and international medias reported on a zero-day vulnerability found by Seravo in the WP File Manager plugin, which we responsibly reported to the plugin’s developers and helped coordinate a global security update. All security updates to the MariaDB database over the last five years for Debian and Ubuntu distributions were made by Seravo’s staff.

We also contribute to the development of many other open source software products that are important to Seravo’s business. Our staff have also given numerous presentations at WordCamp events across Europe: both on WordPress security in general, and specifically on the best practices of the MariaDB database for WordPress developers. Seravo does not yet have ISO 27001 security certification, but we are working on obtaining it. We are already complying with the requirements of the certification, for example by holding regular internal security training sessions for all staff.

Protecting database passwords

People are often the weakest link in coming up with passwords that are complex enough and keeping them secure. For this reason, at Seravo, all database passwords are pre-generated, meaning that customers cannot change them to weaker ones. Database passwords are only visible to PHP code through environment variables (ENV). This way, database identifiers are not found in any PHP file in WordPress at all. In other words, unlike normal WordPress, there are no identifiers in the wp-config.php file. The development shadows provided by Seravo, as well as the local Vagrant and Docker development environments all have different IDs, and thus the production database is not stored outside the WordPress environment, unless the customer has explicitly done so.

Protecting Database Connections

In Seravo’s premium hosting and upkeep, database connections are only visible to the WordPress environment, and the database service is not open to the public internet. If the client needs to access the database directly, it can be done over SSH from the command line by running the mariadb command. When the command is run, it automatically gets the login and password, so the user does not have to provide them. This reduces unnecessary and risky password handling.

For graphical use, we provide a browser-based Adminer, which is of course only available over HTTPS-protected connections (99.9% of traffic on Seravo’s servers is HTTPS-protected anyway). The use of the traditional and sometimes problematic PHPMyAdmin is not allowed in the Seravo environment for security reasons. Adminer is always pre-installed and updated to the latest version by Seravo. If you would like to use some external database software, the connection can be made via an SSH pipe, so that the database connection remains always protected. Seravo has consistently prevented any use of usernames and passwords over unencrypted connections.

Protecting Database Contents

In our WordPress hosting and upkeep, all customers always have access to backups automatically taken once a day, with a 30-day history. This includes the database. The backups are made using technology that is independent of WordPress and will not stop working even if there is a bug in WordPress. All backups are also backed up offsite, in case of a complete server destruction.

In Seravo’s environment, in the dashboard of your WordPress site, under the menu Tools > Security you can also find additional features that are not usually available in WordPress. One of these features is a junk file finder, which alerts the site administrator if additional .sql files are found on the site and suggests deleting them. It is unfortunately common for site developers to make extra database dumps when moving or modifying sites, and this tool has been developed to make it easier to detect and remove them, to make saving disk space easy for our customers.

In the WordPress admin under Tools > Security checks if there are any extra .sql database dumps on the site that should be removed.

Active Monitoring

By default at Seravo, many things are logged automatically and customers can view their own logs on the server in /data/log/. Logs can be read via SSH connection from the command line, or from WordPress admin dashboard in the Tools > Logs menu. All SSH connections are logged: when connections started and ended, and which SSH key was used to log in (if enabled). For WordPress itself, all logins are logged, both successful and failed. Key WordPress administrative actions are also logged, such as changes to user permissions, changes to important settings, and additions and deletions of plugins. Logs’ data allows the client to see for themselves if there are events on the site that should not be occurring. Seravo uses logs to investigate data breaches, although fortunately the need for such use is extremely rare.

From the WordPress admin under Tools > Logs, you can view logs in the Seravo environment

If Seravo does things this well, does a WordPress developer need to do anything else?

Yes, but less than one would without Seravo’s service. Security is as strong as its weakest link. The site builder should use their own expertise when selecting good plug-ins and themes to ensure that they are also of high quality in terms of security. When designing and implementing a website, sufficient professionalism is needed to avoid pitfalls. Seravo provides some tools (e.g. the wp-theme-security-check command can be used to scan for obvious security vulnerabilities in the PHP code of a theme), but of course no one can guarantee that a site will never have problems. Security is a process where practices and skills need to be constantly developed.

Seravo can review the security of the code and settings of an individual website, both for WordPress and for the selected plugins and theme. If you as a customer wish to order a security audit from our experts for your WordPress website, contact us.

What if something happens?

At Seravo, security is taken care of as well as can be on a WordPress site. We do ask our customers to note that WordPress is intended as a publishing system, and is well-suited for business websites and e-commerce – however, it is not intended to be used as a patient information system, for example. If the information to be protected is particularly valuable, the system should be implemented as bespoke software with a completely different architecture to an e-commerce/publishing system or CMS such as WordPress.

However, despite the safeguards, data breaches do happen. Seravo maintains more than 4.000 sites, and we encounter data breaches every month. The most common cause of a data breach is a security flaw: for example in a plugin, a theme or a Windows user’s workstation where a password has been leaked to a criminal, and the problems are almost never directly related to the database. In order to respond quickly to data breaches, Seravo has in addition to the system administrators, a dedicated security officer who conducts data breach investigations and monitors security bulletins, including on wpvulndb.com. Seravo has a constantly evolving protocol for investigating data breaches and cleaning up after them.

In addition to all kinds of technical measures, Seravo also has a contractual instrument to promote security. We offer our customers a security guarantee: if a website maintained by Seravo is hacked, we will clean it up for free. We are not an insurance company and we don’t cover any damages, but at least we will take care of the data breach on WordPress and clean up the site so it can be opened again. This operation costs hundreds or thousands of euros per site, and so acts as a very good built-in incentive in our service to promote data security. We hope that other players in the IT industry will start offering similar guarantees, so that the level of security will actually increase.

Move Your WordPress Site to Seravo’s Protection Now!

We often receive enquiries from owners of compromised WordPress sites, asking us to help them investigate a data breach because of our reputation. If you are concerned about the security of your WordPress site, you should become Seravo’s customer immediatelyafter a data breach, switching to Seravo won’t help if the disaster has already happened!

Investigating a data breach is difficult or even impossible in a server environment without proper logging, good backup policies with several weeks of history or extensive Linux tools available. This makes it difficult for us to help users whose sites are not hosted on our servers. The only way to benefit from Seravo’s expertise is to move your sites to Seravo’s premium hosting and upkeep before any problems occur – this way, problems can even be prevented!