WordPress Security FAQ

Below you’ll find frequently asked questions about WordPress security at Seravo’s premium hosting and upkeep, as well as our answers.

I think I’ve found a security vulnerability. Where can I report it?

Responsible security disclosures can be sent to security@seravo.com (PGP key available). We have paid small security bounties if the information provided has had significant value.

We would like to make a security audit of our site and Seravo’s infrastructure running it. Do we need a permission for it?

Yes, you do need prior permission. We constantly monitor our systems and launch investigations on malicious activity. To be indemnified against criminal charges that scanning and probing our systems without permission could lead to, please contact help@seravo.com to sign our security testing agreement.

Hardening a site before a security audit

While Seravo has many security features by default enabled for all sites in our upkeep, there are also some potentially invasive additional settings that can be enabled on a site if the site developer decides those settings don’t have any limiting side-effects on the site in question.

A developer may also configure site specific HSTS, CSP and other headers. These headers Seravo cannot set for all customers by default, as they also could cause unwanted side effects.

There are also other security measures that can be taken on a site to make WordPress safer. Seravo offers many tools, like the commandwp-check-passwordsfor testing that passwords used on the site are not weak or too easy to guess. Seravo also offers expert services to audit and harden the WordPress site beyond the settings and security measures that all sites have in Seravo’s upkeep by default. Contact us for more information!

How to interpret Nessus security scan results?

Nessus (by Tenable) is one of the world’s most popular security scanners. We are currently not aware of any security vulnerabilities affecting systems maintained by Seravo that an external Nessus scan could currently find. There are however some false positives and warnings Nessus might give but which require no further actions due to the following reasons:

  • Strict Transport Security Not Enforced: HSTS cannot be globally enabled for all of our customers, as we cannot determine where non-http traffic should still be allowed. It is very easy for our customers however to enable HSTS in their site-specific Nginx configuration. For more information, please see our developer documentation at seravo.com/docs.
  • WordPress Administrative Interface Exposed: This means that logging into WordPress is possible via/wp-login.php, and the implied solution is to move it to another address, such as123login.php. This is purely security by obscurity, and does very little to actually help. It might even make the site owner worse off, giving a false sense of security, putting off real security measures like login logging, brute force limiting, strong password enforcement and other techniques that actually matter. All of the aforementioned are, of course, taken care of by default on all Seravo’s customers’ sites, thanks to the Seravo Plugin that implements them. Seravo advises against obfuscating the wp-login.php or /wp-admin/ addresses, as it does little to help security but do actually introduce real usability and availability issues to end users. You can make the login page of your WordPrerss site much safer by deploying reCaptchas and two-factor authentication (2FA).
  • WordPress Username Enumeration: Knowing usernames does not constitute a security flaw. The secret is the password, not the username. Due to brute force protection and other measures, knowledge of usernames do not help attackers. Knowledge of usernames does help other users to accomplish daily tasks, and usernames often leak via blog post authorship anyway. Any available resources should be put into enforcing good password hygiene instead.
  • Outdated Component: jQuery: This means that a JavaScript library (in this example jQuery 1.x) is not of the latest version (3.x). This does not necessarily mean that all previous versions of that JavaScript library have a security bug and that only the latest one would be secure. This only affects the client-side browser and thus does not constitute a relevant attack vector against the site. WordPress core – purposefully – includes a jQuery version that is of the older 1.x series, as only the old version is backwards compatible with certain old browsers that WordPress wants to stay compatible with. All sites in Seravo’s upkeep also have Access-Control-Allow-Orgin headers set by default, which prevent this attack avenue.
  • Web Server HTTP Header Information Disclosure: Seravo.com proudly runs Nginx! It is no secret and knowing that does not help an attacker in any way.
  • PHP mb_send_mail() Function Parameter Security Bypass: PHP versions 4.4.2 and prior and 5.1.2 and prior contain a vulnerability that could allow an attacker to bypass safe_mode and open_basedir restrictions. Seravo has never been running anything less than PHP 5.6, so this does not apply. For this vulnerability to apply, the PHP code itself would need to pass visitor input into the fourth parameter of mb_send_mail() or mail() functions, which no known WordPress plugin or theme does.