Webinar: Search function and how to customize it
Seravo’s first webinar of 2021 on January 14th. How to use and customize WordPress search function.
30.12.2020
Responsible security disclosures can be sent to security@seravo.com (PGP key available). We have paid small security bounties if the information provided has had significant value.
Yes, you do need prior permission. We constantly monitor our systems and launch investigations into malicious activity. To be indemnified against criminal charges that scanning and probing our systems without permission could lead to, please contact security@seravo.com to sign our security testing agreement.
While Seravo has many security features enabled by default for all sites in our upkeep, there are also some potentially invasive additional settings that can be enabled on a site if the site developer decides those settings don't have any limiting side effects on the site in question.
A developer may also configure site-specific HSTS, CSP and other headers, which Seravo cannot enable for all customers by default because they could cause unwanted side effects.
There are also many other measures that can be applied to a site. Seravo offers many tools, like the command wp-check-passwords for testing that passwords used on the site are not too easy to guess. Seravo offers expert services to audit and harden the WordPress site beyond the default settings and hardening that all sites have automatically in Seravo's upkeep. Contact us for more information.
Nessus is one of the world's most popular security scanners. We are not aware of any security vulnerabilities affecting systems maintained by Seravo that an external Nessus scan could currently find. There are, however, some false positives and warnings Nessus might give that do not need to be addressed, for the following reasons:
/wp-login.php, and the implied solution is to move it to another address, like 123login.php. This is purely security by obscurity and does very little to actually help. It might even make the site owner worse off, because it gives a false sense of security and will put off real security measures, like login logging, brute force limiting, strong password enforcement and other techniques that actually matter. All of the aforementioned are, of course, in place by default on all Seravo's customers' sites thanks to the Seravo Plugin that implements them. Seravo advises against obfuscating the wp-login.php or /wp-admin/ addresses, as it does little to help security but does introduce real usability and availability issues for end users. A much better approach would be to deploy reCAPTCHAs and two-factor authentication instead of ineffective obfuscation.
safe_mode and open_basedir restrictions. Seravo.com has never run anything older than PHP 5.6, so this does not apply, and even for this to apply, the PHP code itself would need to pass visitor input into the fourth parameter of the mb_send_mail() or mail() functions, which no known WordPress plugin or theme does, so this is surely a false positive.
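To make the "login logging and brute force limiting" point above concrete, here is an added example (not Seravo's code and not how the Seravo Plugin works) that finds brute-force sources in web server access logs. It assumes nginx "combined" log lines in chronological order, treats a POST to /wp-login.php answered with 200 as a failed login (WordPress redirects with 302 on success), and uses illustrative thresholds; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges, not real traffic).
_T = '{ip} - - [14/Jan/2021:{t} +0000] "POST /wp-login.php HTTP/1.1" {st} 4521 "-" "-"'
SAMPLE_LOG = "\n".join(_T.format(ip=ip, t=t, st=st) for ip, t, st in [
    ("192.0.2.44", "09:00:00", 200), ("192.0.2.44", "09:20:00", 200),
    ("192.0.2.44", "09:40:00", 200),              # slow: never inside one window
    ("198.51.100.7", "10:00:01", 200), ("198.51.100.7", "10:00:03", 200),
    ("198.51.100.7", "10:00:05", 200), ("198.51.100.7", "10:00:07", 200),
    ("198.51.100.7", "10:00:09", 200),            # five failures in eight seconds
    ("203.0.113.20", "10:01:00", 200), ("203.0.113.20", "10:01:20", 200),
    ("203.0.113.20", "10:01:40", 302),            # two typos, then a success
])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def failed_logins(lines):
    """Yield (ip, time) for every POST to /wp-login.php answered with 200."""
    for line in lines:
        m = LINE_RE.match(line)
        if (m and m["method"] == "POST" and m["status"] == "200"
                and m["path"].split("?")[0] == "/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def brute_force_sources(lines, limit=5, window=timedelta(minutes=5)):
    """Map each IP to the time it first reached `limit` failures in `window`."""
    recent = defaultdict(deque)   # per-IP failure times still inside the window
    flagged = {}
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= limit:
            flagged.setdefault(ip, ts)
    return flagged

if __name__ == "__main__":
    for ip, ts in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} reached the failure limit at {ts.isoformat()}")
```

The same counting works wherever the login form lives, so moving it to another address changes nothing about what needs to be logged and limited.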