WordPress Security FAQ

On this page you’ll find frequently asked questions (and their answers) about information security at Seravo’s premium hosting and upkeep for WordPress.

I think I’ve found a security vulnerability. Where can I report it?

Responsible security disclosures can be sent to security@seravo.com (PGP key available). We have paid small security bounties if the information provided has had significant value.

Can I scan my site at Seravo for vulnerabilities?

Yes, but prior permission is required. We constantly monitor our systems and open investigations into malicious activity, and an unannounced scan looks the same to us as an attack. Scanning or probing our systems without permission can lead to criminal charges; to be indemnified against them, contact us at security@seravo.com well before any scanning activity so that our security testing agreement can be signed first.

Improving WordPress security

Once permission for a security scan or audit has been granted, it is worth checking whether the site's security should be strengthened before the scan. Seravo enables many security features by default for all sites in its upkeep, but there are also some potentially invasive additional settings that can be turned on for a site before an audit, provided the site's developer has determined they will not have limiting side effects on the site. A developer may also configure site-specific HSTS, CSP or other headers. Seravo cannot configure these headers for all sites by default, as they too can cause unwanted side effects (a Content Security Policy stricter than the site's own inline scripts or third-party embeds allow will break those features, for instance).
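Before an audit, a developer will want to compare the headers the site currently sends against what a scanner expects. The following is an added example written for this page, not a Seravo tool: it evaluates a set of HSTS and Content-Security-Policy headers for the weaknesses scanners most commonly report. The header values are constructed for the example; to use it on a live site, replace them with the headers the site actually returns.

```python
"""Check the HSTS and CSP headers a site sends before a security scan.

Added example, not part of Seravo's tooling. It works on a constructed
header dict so that it runs offline; in practice, pass in the headers
returned by the site (for example from the output of `curl -sI`).
"""
from typing import Dict, List

# One year in seconds, the minimum max-age most scanners expect for HSTS.
HSTS_MIN_MAX_AGE = 31536000


def parse_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=300; includeSubDomains' into {'max-age': '300', 'includesubdomains': ''}."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Report a missing HSTS header, a short max-age, or a missing includeSubDomains."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS: header missing"]
    directives = parse_directives(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS: max-age missing or not an integer"]
    findings: List[str] = []
    if max_age < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS: max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS: includeSubDomains not set")
    return findings


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(headers: Dict[str, str]) -> List[str]:
    """Report the CSP weaknesses scanners most often flag."""
    value = headers.get("content-security-policy")
    if value is None:
        return ["CSP: header missing"]
    policy = parse_csp(value)
    findings: List[str] = []
    # script-src falls back to default-src when it is absent.
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("CSP: neither script-src nor default-src set, scripts unrestricted")
    else:
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script_src)
        # When a nonce or hash is present, browsers ignore 'unsafe-inline' (CSP level 2+).
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("CSP: script-src allows 'unsafe-inline' without a nonce or hash")
        if "*" in script_src:
            findings.append("CSP: script-src allows scripts from any host (*)")
    # object-src falls back to default-src; base-uri has no fallback at all.
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("CSP: object-src not restricted (plugins can run)")
    if "base-uri" not in policy:
        findings.append("CSP: base-uri not restricted (injected <base> can redirect relative URLs)")
    return findings


def check_headers(raw_headers: Dict[str, str]) -> List[str]:
    """Normalise header names to lowercase and run both checks."""
    headers = {name.lower(): value for name, value in raw_headers.items()}
    return check_hsts(headers) + check_csp(headers)


# Constructed sample responses for this example, not captured from any real site.
WEAK_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
STRONG_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-d3adb33f'; "
        "object-src 'none'; base-uri 'self'"
    ),
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(label, check_headers(hdrs) or ["no findings"])
```

The one-year HSTS floor and the CSP rules mirror what common scanners report; treat them as a starting point, and confirm with the site's developer that a stricter policy does not break legitimate inline scripts or embeds before enabling it.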

Seravo offers many tools to make WordPress safer, such as the command wp-check-passwords for detecting weak passwords in use on the site. Seravo also offers expert services to audit and harden a WordPress site beyond the settings and security measures that are enabled by default in Seravo upkeep. Contact us for more information!

Why is the security scan not working? I can’t get through!

For security reasons, Seravo's WordPress hosting has restrictions in place that are designed never to interfere with the normal use of a WordPress site, but to limit access by malicious actors, for example during denial-of-service attacks. In rare cases, however, a site scanning tool may run into these restrictions if it scans a site so quickly that its traffic resembles an attack. These protections cannot be turned off; since the trigger is request rate, the way around them is to slow the scanner down (fewer parallel connections, a lower request rate) rather than to ask for an exception.

Why does the security scan report indicate open SSH ports?

These SSH ports belong to other sites hosted in the same server cluster, and they show up because those sites share the same server address. Each site has exactly one SSH port; no other port can be used to access the site or its contents. Although these ports appear in the reports of automated scanning tools, their visibility does not affect the security of your site. At Seravo, SSH credentials are always protected by an enforced strong password.

Can Seravo make my WordPress site more secure?

Yes! As long as your site is hosted at Seravo’s premium WordPress upkeep, we take care of things like automatic backups and monitor your site 24/7 to detect any potentially malicious activities. In addition, at Seravo you’ll have many features and tools for making your site more secure.

Seravo also offers additional expert services for making your WordPress site more secure!

Expert Service – Security Hardening

Seravo offers a Security Hardening expert service for an additional fee. The service includes a site-specific review that identifies areas for improvement in the site's implementation, taking into account best practices for a WordPress site. Upon completion, a written summary of the review and a list of suggested actions are provided.

Individual, customized configurations are also available as expert work for an additional fee. Don’t hesitate to get in touch with us if you are interested in ordering additional services.

How is the service protected against denial-of-service attacks?

All of Seravo's servers are protected against denial-of-service (DoS, DDoS) attacks at both the network and HTTP level. This protection includes fully automated measures as well as protection that can be deployed separately.

If necessary, whitelist (allowlist) rules can be configured that bypass some of these protections for known IP addresses that legitimately send significant amounts of traffic to the site.

XML-RPC

XML-RPC is an interface between WordPress and external systems. Although the file xmlrpc.php is still present in WordPress installations, its use is blocked by default at Seravo because it can pose a security risk: XML-RPC can be used to carry out denial-of-service (DoS) attacks (for example, pingback requests that make the site fetch attacker-chosen URLs), and its system.multicall method lets an attacker try many passwords in a single request. Contact customer service if your site requires XML-RPC (the Jetpack plugin, for instance, depends on it). On a site where the block is in effect, a POST to /xmlrpc.php is rejected instead of being answered with an XML-RPC response.

XML-RPC has been superseded by the newer, more modern and more secure WordPress REST API, which is the interface to use for new integrations.

Does Seravo have a web application firewall (WAF)?

Yes. A Web Application Firewall (WAF) is used to inspect the web traffic of a website. It allows for monitoring, filtering, and blocking unwanted connections, and preventing attacks that could bring harm to your site. At Seravo, all customer WordPress sites are protected against these common threats.

Read more about WAF in our knowledge base.

How is load balancing implemented at Seravo?

Seravo's service is built on a baseline architecture that takes possible contingencies into account. Load balancing is handled on several levels, which makes the service as fault tolerant as possible.

The service is specifically optimized for WordPress, and possible threats have been taken into account in its architecture. Load balancing is implemented so that Seravo's hosting and upkeep remain as fail-safe as possible:

  • DNS: The traffic from customers’ websites is routed to several different servers (DNS round robin)
  • Servers: Incoming traffic is distributed within a server cluster to several different web hosts
  • Content Delivery Network (CDN): The infrastructure is currently built in a way that is generally similar to a CDN, except that it is not geographically distributed.

It is possible to use third-party plugins and services, such as a CDN, if desired.

How are sites in Seravo’s hosting monitored (IDS/IPS)?

All plans include 24/7 monitoring so that malicious traffic can be identified and blocked. All sites are thoroughly scanned for malware at least once a day.

If necessary, the service also allows you to configure rules on the server itself to limit web traffic, for example by geographic location or IP address.

What happens if a security breach is detected on my site?

Any malicious activity on the site will be halted and the site will be investigated to prevent further damage. Seravo will notify the site’s technical contact of the incident and an investigation will be initiated under the terms of the security response SLA.

Once the investigation is complete, the site will be cleaned of malicious code. At the same time, necessary measures will be taken to prevent future intrusions. These measures will depend on the type of breach identified during the investigation. Once the clean-up is complete, the site will be made live, and the findings will be reported to the customer. Read more about investigating security breaches at Seravo.

What does Security Guarantee mean at Seravo?

Seravo has a unique Security Guarantee: we guarantee to clean up and restore the customer’s site free of charge, if – despite protections and updates – there is a security breach on the site while hosted at Seravo. It is the customer’s responsibility to use the service with normal precautions and maintain good password hygiene.

Discover the details of our Security Guarantee here.

Seravo is not responsible if a security problem on the site is caused by a leaked password or by malware the customer has installed themselves. Furthermore, Seravo's monthly fee does not include liability for damages caused by the actions of a criminal; a separate security insurance policy can be obtained from an insurance company if desired.

Read more about security at Seravo or learn more in our knowledge base.

How does Seravo handle takedown requests?

Seravo offers managed hosting for WordPress, which includes handling third-party takedown requests.

Content subject to removal may include, but is not limited to:

  • Copyrighted material (e.g., DMCA notices)
  • Malicious content (e.g., malware or phishing)
  • Other sensitive, restricted, or unauthorized data

We evaluate every request for legitimacy and provide a prompt response. Certain requests, such as those from Finnish authorities concerning malicious content, may trigger immediate action.

While Seravo offers a point of contact between the claimant and the site owner, the site owner is ultimately responsible for removing the content. If the owner is unresponsive or if the violation is clear, Seravo reserves the right to block the content and will notify the site owner of such action without delay.

How to interpret security scan results

When performing automated security audits, it is common for professional-grade vulnerability scanners (such as Tenable Nessus, Qualys, or Rapid7) to flag certain configurations. While these tools are essential for identifying true risks, they often generate “false positives” or low-priority warnings that do not reflect an actual security issue on Seravo’s platform.

Here is an overview of common security scan findings and why they are often categorized as non-critical or merely informational within our infrastructure.

Administrative Interface Exposure

Scanners identify that the WordPress login page is accessible at the default URL (wp-login.php) and suggest "obfuscating" it by changing the URL.

However, moving the login page to a non-standard URL is security by obscurity. It does not stop a determined attacker, but it can create a false sense of security. Changing the URL offers no real protection and may interfere with Seravo's 24/7 monitoring, which expects login traffic at the default location. Our infrastructure offers better security measures:

  • Rate limiting and brute-force protection.
  • Logging WordPress login attempts.
  • Support for 2FA (two-factor authentication) and CAPTCHA.

Information Disclosure via Server Headers

The scanner detects the web server software used at Seravo (Nginx) from the Server header in HTTP responses.

Announcing the web server software is a normal part of HTTP. On its own, this information does not provide a path to exploitation. Seravo keeps its software stacks fully patched and takes care of critical security updates. Hiding the name of a secure, up-to-date server provides no measurable security benefit. More information about the Nginx web server is available in the Knowledge Base.

Legacy PHP Function Vulnerabilities

Scanners may flag potential vulnerabilities in PHP functions such as mb_send_mail() or mail().

These findings typically apply to very outdated PHP versions and require specific, poorly written code to be exploitable (for example, passing unsanitized user input into the additional headers or parameters of mail()). The legacy vulnerabilities flagged by generic scan templates do not apply to our managed WordPress environments. Seravo's hosting platform runs modern, supported PHP versions, all of which are listed in our Knowledge Base.

Outdated or Legacy Components

Scanners may flag older versions of JavaScript libraries (such as jQuery 1.x) as outdated, often assuming that any version behind the current stable release is vulnerable.

In many CMS environments, specific legacy versions are kept for backward compatibility with browsers and plugins; WordPress core ships its own copy of jQuery and updates it with core releases. Whether an old library version is actually exploitable depends on how the site's own scripts use it: the known jQuery 1.x issues require the site's code to pass untrusted input into the library (untrusted HTML into DOM-manipulation methods, for example), which a scanner cannot establish from a version string alone. Seravo mitigates the risks associated with client-side scripts through server-side measures such as a site-specific Content Security Policy, which limits what an injected script can load or execute. Note that Access-Control-Allow-Origin is a CORS header: it governs which origins may read a response cross-site and does not mitigate cross-site scripting in an outdated library.

WordPress Username Enumeration

The scanner reports that it can discover valid WordPress usernames (e.g. via author archives or API endpoints).

In modern web security, however, a username is not considered a secret; the password is. Usernames often appear publicly in blog posts or metadata by design. Seravo focuses its resources on password hygiene and protects your site from brute-force attacks: even if an attacker knows a username, the platform's automated blocking of repeated failed login attempts makes that knowledge unactionable. At Seravo, you can additionally block WordPress username enumeration with the Seravo Plugin's security settings.
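The rate limiting, login logging and blocking of repeated failed logins mentioned under Administrative Interface Exposure and in this item all rest on the same detection idea. The following is an added example, not Seravo's monitoring or the Seravo Plugin: it picks failed logins out of a web server access log and flags a client IP once it crosses a failure threshold within a time window. The log lines are constructed for the example, and the threshold and window are illustrative assumptions.

```python
"""Flag brute-force login attempts against wp-login.php in access logs.

Added example, not Seravo's monitoring or the Seravo Plugin. It assumes
the nginx "combined" log format and the WordPress convention that a
failed login re-renders wp-login.php with status 200, while a successful
login answers with a 302 redirect to the dashboard.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Illustrative tunables: five failures within one minute is a conservative trigger.
THRESHOLD = 5
WINDOW_SECONDS = 60


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def is_failed_login(rec: dict) -> bool:
    """A POST to wp-login.php answered with 200 is a rejected login attempt."""
    return (
        rec["method"] == "POST"
        and rec["path"].endswith("/wp-login.php")
        and rec["status"] == 200
    )


def detect_bruteforce(
    lines: Iterable[str], threshold: int = THRESHOLD, window: int = WINDOW_SECONDS
) -> Dict[str, datetime]:
    """Return {ip: time of the request that crossed the threshold}.

    Keeps a sliding window of failure timestamps per client IP (the log is
    assumed to be in chronological order) and flags the IP the first time
    `threshold` failures fall inside `window` seconds.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        window_q = recent[rec["ip"]]
        window_q.append(rec["time"])
        while (rec["time"] - window_q[0]).total_seconds() > window:
            window_q.popleft()
        if len(window_q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["time"]
    return flagged


# Constructed log lines for this example: a scripted client hammering the
# login form, a human who mistypes once and then succeeds, and a blocked
# xmlrpc.php request that the login rule must ignore.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4182 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Oct/2024:13:55:33 +0000] "POST /wp-login.php HTTP/1.1" 200 4182 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4182 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2024:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4182 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4182 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2024:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 4182 "-" "python-requests/2.31"',
    '203.0.113.5 - - [10/Oct/2024:13:55:44 +0000] "POST /xmlrpc.php HTTP/1.1" 403 153 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Oct/2024:13:55:50 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} exceeded {THRESHOLD} failed logins within {WINDOW_SECONDS}s at {when:%H:%M:%S}")
```

The status-code heuristic is what makes the rule cheap: no application hook is needed, only the access log. A flagged IP is exactly the kind of client that a rate limit or login blocker would then cut off, and the single failure from the second address shows why the threshold, rather than any failure, is the trigger.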