Below you’ll find frequently asked questions (and their answers) about information security at Seravo’s premium WordPress hosting and upkeep.
I think I’ve found a security vulnerability. Where can I report it?
Responsible security disclosures can be sent to firstname.lastname@example.org (PGP key available). We have paid small security bounties when the information provided has had significant value.
Can we do a security audit of our site in Seravo’s web hosting and scan it for possible vulnerabilities?
Yes, but prior permission is required. We constantly monitor our systems and investigate any malicious activity. Scanning and probing our systems without permission could lead to criminal charges; to be indemnified against them, contact us as soon as possible at email@example.com to sign our security testing agreement before starting any scanning activity.
Strengthen your site’s security
While Seravo enables many security features by default for all sites in our upkeep, there are also some potentially invasive additional settings that can be enabled on a site prior to a security audit, as long as the site’s developer has determined that the settings won’t have limiting side effects on the site. A developer may also configure site-specific HSTS, CSP or other headers. Seravo cannot set these headers for all sites by default, as they could also cause unwanted side effects.
Seravo offers many tools to make WordPress safer, such as the command wp-check-passwords for detecting weak passwords used on the site. Seravo also offers expert services to audit and harden a WordPress site beyond the settings and security measures that are enabled by default in Seravo’s upkeep. Contact us for more information!
Why does the security scan report indicate open SSH ports?
These SSH ports belong to other sites hosted on the same server cluster. Each site has exactly one SSH port, and no other port can be used to access the site or its contents. While these ports show up in the reports of automated security scanners, their visibility does not affect the security of your site. At Seravo, SSH credentials are always protected with an enforced, strong password.
Can Seravo make my WordPress site more secure?
Yes! As long as your site is hosted in Seravo’s premium WordPress upkeep, we take care of things like automatic backups and monitor your site 24/7 to detect potentially malicious activity. In addition, Seravo provides many features and tools for making your site more secure.
Expert Service – Security Hardening
Seravo also offers a Security Hardening expert service for an additional fee. The service includes a site-specific review that identifies areas for improvement in the site’s implementation, taking into account best practices for WordPress sites. Upon completion, a written summary of the review and a list of suggested actions are provided.
Individual, customized configurations are also available as expert work for an additional fee. Don’t hesitate to get in touch with us if you are interested in ordering additional services.
How is the service protected against denial-of-service (DoS, DDoS) attacks?
All of Seravo’s servers are protected against denial-of-service attacks at both the network and the HTTP level. This protection includes fully automated measures as well as protection that can be deployed separately.
If necessary, whitelist rules can be configured that bypass some of the protections for known IP addresses that send significant amounts of traffic to the site.
How is load balancing implemented?
Seravo’s service is built on a baseline architecture that takes possible contingencies into account. It is especially optimized for WordPress, and possible threats have been considered in the design of the architecture. Load balancing is handled on several levels, making the hosting and upkeep as fault tolerant as possible:
- DNS: The traffic from customers’ websites is routed to several different servers (DNS round robin)
- Servers: Incoming traffic is distributed within a server cluster to several different web hosts
- Content Delivery Network (CDN): The infrastructure is currently broadly similar to that of a Content Delivery Network (CDN), except for the geographical distribution.
It is possible to use third-party plugins and services, such as a CDN, if desired.
How are sites monitored (IDS/IPS)?
All plans include 24/7 monitoring so that malicious traffic can be identified and blocked. All sites are thoroughly scanned for malware at least once a day.
If necessary, the service also allows you to configure rules on the server itself to limit web traffic, for example by geographic location or IP address.
How to interpret Nessus security scan results?
Nessus (by Tenable) is one of the world’s most popular security scanners. We are currently not aware of any security vulnerabilities affecting systems maintained by Seravo that an external Nessus scan could find. There are, however, some false positives and warnings that Nessus might report but that require no further action, for the following reasons:
- Strict Transport Security Not Enforced: HSTS cannot be enabled globally for all of our customers, as we cannot determine where unencrypted HTTP traffic should still be allowed. It is, however, very easy for our customers to enable HSTS in their site-specific Nginx configuration. For more information, please see our developer documentation at seravo.com/docs.
- WordPress Administrative Interface Exposed: This means that logging into WordPress is possible via /wp-login.php, and the implied solution is to move it to another address, such as 123login.php. This is purely security by obscurity and does very little to actually help. It might even make the site owner worse off by giving a false sense of security and putting off real security measures such as login logging, brute-force limiting, strong password enforcement and other techniques that actually matter. All of these are, of course, taken care of by default on all of Seravo’s customers’ sites, thanks to the Seravo Plugin that implements them. Seravo advises against obfuscating the /wp-admin/ addresses, as it does little for security and does introduce real usability and availability issues for end users. You can make the login page of your WordPress site much safer by deploying reCAPTCHA and two-factor authentication (2FA).
- WordPress Username Enumeration: Knowing usernames does not constitute a security flaw. The secret is the password, not the username. Because of brute-force protection and other measures, knowledge of usernames does not help attackers. Knowing usernames does help other users accomplish their daily tasks, and usernames often leak via blog post authorship anyway. Any available resources should instead be put into enforcing good password hygiene.
- Web Server HTTP Header Information Disclosure: Seravo.com proudly runs Nginx! It is no secret, and knowing it does not help an attacker in any way.
- PHP mb_send_mail() Function Parameter Security Bypass: PHP versions 4.4.2 and earlier and 5.1.2 and earlier contain a vulnerability that could allow an attacker to bypass open_basedir restrictions. Seravo has never run anything older than PHP 5.6, so this does not apply. For this vulnerability to apply, the PHP code itself would also need to pass visitor input into the fourth parameter of mail(), which no known WordPress plugin or theme does.
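As an added example of the site-specific header configuration referred to under “Strengthen your site’s security” and in the HSTS item above, the following Nginx fragment is not Seravo’s own configuration and not taken from seravo.com/docs. It assumes that the hosting includes *.conf files from the site’s Nginx configuration directory (/data/wordpress/nginx/ is assumed here; confirm the exact location in the developer documentation) into the site’s server block, and the /csp-report endpoint is a hypothetical report collector.

```nginx
# Added example (not Seravo's configuration): site-specific security headers
# for one WordPress site. Assumed to be loaded from /data/wordpress/nginx/*.conf
# into the site's server block; check seravo.com/docs for the real location.

# HSTS. Enable this only after every hostname this site (and, with
# includeSubDomains, every subdomain) answers over HTTPS: browsers cache the
# policy for max-age seconds and refuse plain HTTP for that long, so a mistake
# cannot be undone quickly. Start with a short max-age to verify nothing breaks.
add_header Strict-Transport-Security "max-age=300" always;

# Production value once verified. Add "; preload" only after submitting the
# domain to the browser preload list; that step is effectively permanent.
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# CSP. wp-admin and many plugins rely on inline scripts and styles, so a strict
# policy breaks the admin screens. Enforce only the part that is safe for any
# WordPress site (clickjacking protection) and run the rest in Report-Only mode
# until the violation reports at the hypothetical /csp-report endpoint are clean.
add_header Content-Security-Policy "frame-ancestors 'self'" always;
add_header Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src 'self' data:; report-uri /csp-report" always;

# Low-risk hardening headers that rarely cause side effects.
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Caveat: add_header is not inherited into a location block that declares its
# own add_header. Keep all of these at one level (or repeat them in every such
# location), otherwise some responses will silently lack the headers.
# "always" makes Nginx send the headers on error responses too.
```

After reloading Nginx, confirm the result from outside with a HEAD request (for example curl -sI against the site’s HTTPS URL) and check that Strict-Transport-Security appears on both a normal page and a 404 response; a Nessus rescan should then no longer flag the HSTS finding.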