WordPress Security FAQ

On this page you’ll find frequently asked questions (and their answers) about information security at Seravo’s premium WordPress hosting and upkeep.

I think I’ve found a security vulnerability. Where can I report it?

Responsible security disclosures can be sent to security@seravo.com (PGP key available). We have paid small security bounties if the information provided has had significant value.

Can I run a security audit on a site in Seravo’s hosting and scan it for possible vulnerabilities?

Yes, but a prior permission is required. We constantly monitor our systems and launch investigations on malicious activity. To be indemnified against criminal charges that scanning and probing our systems without permission could lead to, please contact us as soon as possible at security@seravo.com to sign our security testing agreement before any scanning activities.

Improving WordPress security

Once a permission for security scan or audit has been granted, it’s good to find out whether or not the site’s security ought to be strengthened prior to scan. While Seravo has many security features by default enabled for all sites in our upkeep, there are also some potentially invasive additional settings that can be enabled on a site prior to a security audit, as long as the site’s developer determines the settings won’t have any limiting side-effects on the site. A developer may also configure site-specific HSTS, CSP or other headers. These headers Seravo cannot set for all sites by default, as they also could cause unwanted side effects.

Seravo offers many tools to make WordPress safer, such as the commandwp-check-passwordsfor detecting any weak passwords used on the site. Seravo also offers expert services to audit and harden the WordPress site beyond the settings and security measures that are enabled at Seravo upkeep by default. Contact us for more information!

Why is the security scan not working? I can’t get through!

For security reasons, Seravo’s WordPress hosting service has restrictions in place that are designed to never interfere with the normal use of any WordPress site, but to limit access to sites by malicious actors (such as denial-of-service attacks). However, in some rare cases, site scanning tools may encounter Seravo security restrictions if they scan a site too quickly and resemble a malicious attack. These protections cannot be turned off.

Why does the security scan report indicate open SSH ports?

These SSH ports belong to other sites hosted in the same server cluster. Each site has only one SSH port – no other ports can be used to access the site or its contents. While these ports are visible in the reports of automatic security scan tools, the ports’ visibility does not affect the security of your site. At Seravo, SSH credentials are always protected with an enforced, strong password.

Can Seravo make my WordPress site more secure?

Yes! As long as your site is hosted at Seravo’s premium WordPress upkeep, we take care of things like automatic backups and monitor your site 24/7 to detect any potentially malicious activities. In addition, at Seravo you’ll have many features and tools for making your site more secure.

Seravo also offers additional expert services for making your WordPress site more secure – contact us to learn more!

Expert Service – Security Hardening

Seravo also offers an additional Security Hardening expert service for an additional fee. The service includes a site-specific review which identifies areas for improvement in site’s implementation, taking into account the best practices for a WordPress site. Upon completion, a written summary of the review and a list of suggested actions will be provided.

Individual, customized configurations are also available as expert work for an additional fee. Don’t hesitate to get in touch with us if you are interested in ordering additional services.

How is the service protected against denial-of-service attacks?

All Seravo’s servers have protection against denial-of-service (DoS, DDoS) attacks on network as well as HTTP level. This protection includes both fully automated solutions and protection that can be deployed separately.

If necessary, whitelist rules can be configured, which bypass some of the protections if there are known IP addresses that bring significant amounts of network traffic to the site.

How is load balancing implemented at Seravo?

Seravo’s service has been implemented with a baseline architecture that takes into account possible contingencies. Load balancing is taken care of on several levels, making the service as fault tolerant as possible.

Seravo’s service is especially optimized for WordPress, and possible threats have been taken into account in the service’s architecture. Load balancing is implemented in a way that makes Seravo’s hosting and upkeep as fail-safe as possible.

  • DNS: The traffic from customers’ websites is routed to several different servers (DNS round robin)
  • Servers: Incoming traffic is distributed within a server cluster to several different web hosts
  • Content Delivery Network (CDN): The infrastructure implementation is currently generally similar to that of a Content Delivery Network (CDN), except for the geographical distribution.

It is possible to use third-party plugins and services, such as a CDN, if desired.

How are sites in Seravo’s hosting monitored (IDS/IPS)?

All plans include 24/7 monitoring, so that any malicious traffic can be identified and blocked. All sites are thoroughly scanned for malware at least once a day.

If necessary, the service also allows you to configure rules on the server itself to limit web traffic, for example by geographic location or IP address.

What happens if a security breach is detected on the site?

Any malicious activity on the site will be halted and the site will be investigated to prevent further damage. Seravo will notify the site’s technical contact of the incident and an investigation will be initiated under the terms of the security response SLA.

Once the investigation is complete, the site will be cleaned of malicious code. At the same time, necessary measures will be taken to prevent future intrusions. These measures will depend on the type of breach identified during the investigation. Once the clean-up is complete, the site will be made live, and the findings will be reported to the customer.

What does Security Guarantee mean at Seravo?

Seravo guarantees to clean up and restore the customer’s site free of charge, if – despite protections and updates – there is a security breach on the site while hosted at Seravo. It is the customer’s responsibility to use the service with normal precautions and maintain good password hygiene.

Seravo is not responsible if a security problem on the site is caused by a leaked password or self-installed malware. Furthermore, Seravo’s monthly fee does not include liability for damages caused by the actions of a criminal, and a separate security insurance policy can be obtained from an insurance company if desired.

Read more about security at Seravo.

How to interpret security scan results (Nessus)

Nessus (by Tenable) is one of the world’s most popular security scanners. We are currently not aware of any security vulnerabilities affecting systems maintained by Seravo that an external Nessus scan could currently find. There are however some false positives and warnings Nessus might give but which require no further actions due to the following reasons:

  • Strict Transport Security Not Enforced: HSTS cannot be globally enabled for all of our customers, as we cannot determine where non-http traffic should still be allowed. HSTS can however be enabled at Seravo in the site-specific Nginx configuration. For more information, please see our developer documentation at seravo.com/docs.
  • WordPress Administrative Interface Exposed: This means that logging into WordPress is possible via/wp-login.php, and the implied solution is to move it to another address, such as123login.php. This is purely security by obscurity, and does very little to actually help. It might even make the site owner worse off, giving a false sense of security, putting off real security measures like login logging, brute force limiting, strong password enforcement and other techniques that actually matter. All of the aforementioned are, of course, taken care of by default on all Seravo’s customers’ sites, thanks to the Seravo Plugin that implements them. Seravo advises against obfuscating the wp-login.php or /wp-admin/ addresses, as it does little to help security but do actually introduce real usability and availability issues to end users. You can make the login page of your WordPrerss site much safer by deploying reCaptchas and two-factor authentication (2FA).
  • WordPress Username Enumeration: Knowing usernames does not constitute a security flaw. The secret is the password, not the username. Due to brute force protection and other measures, knowledge of usernames do not help attackers. Knowledge of usernames does help other users to accomplish daily tasks, and usernames often leak via blog post authorship anyway. Any available resources should be put into enforcing good password hygiene instead.
  • Outdated Component: jQuery: This means that a JavaScript library (in this example jQuery 1.x) is not of the latest version (3.x). This does not necessarily mean that all previous versions of that JavaScript library have a security bug and that only the latest one would be secure. This only affects the client-side browser and thus does not constitute a relevant attack vector against the site. WordPress core – purposefully – includes a jQuery version that is of the older 1.x series, as only the old version is backwards compatible with certain old browsers that WordPress wants to stay compatible with. All sites in Seravo’s upkeep also have Access-Control-Allow-Orgin headers set by default, which prevent this attack avenue.
  • Web Server HTTP Header Information Disclosure: Seravo.com proudly runs Nginx! It is no secret and knowing that does not help an attacker in any way.
  • PHP mb_send_mail() Function Parameter Security Bypass: PHP versions 4.4.2 and prior and 5.1.2 and prior contain a vulnerability that could allow an attacker to bypass safe_mode and open_basedir restrictions. Seravo has never been running anything less than PHP 5.6, so this does not apply. For this vulnerability to apply, the PHP code itself would need to pass visitor input into the fourth parameter of mb_send_mail() or mail() functions, which no known WordPress plugin or theme does.