The folks at WordFence have a new blog post that caught our attention, titled 5 Security Questions For Your Hosting Company. We read it with interest and would like to take this opportunity to answer all of their questions:
The first question is a multi-part question so we are going to break it down into digestible segments:
#1: Are you running up-to-date versions of the following products: CPanel, Operating System, Caching Technology, PHP, phpMyAdmin and MySQL?
cPanel: We typically do not install cPanel, opting instead to manage servers from the command line. However we do offer Plesk for clients who request it and it is updated when new releases are published.
Operating System: Most of our servers run the CentOS operating system. We have set cron jobs (scheduled tasks) to run nightly to update the core server software. We currently support CentOS 6 which is supported through 2020 and are currently deploying servers on CentOS 7 which is supported through 2024.
Caching Technology: Our server configuration consists of nginx for web servers and varnish for caching. For SSL customers we have implemented what is referred to as a “varnish sandwich”: nginx terminates the SSL connection, hands the request to varnish, and varnish passes cache misses back to nginx. While this may seem to add more overhead, it is a much more efficient system than no caching at all. We are currently testing redis to replace varnish.
PHP: We currently support PHP 5.6 and PHP 7. We are finalizing a plan (as of this writing) to test and migrate all of our hosted sites to PHP 7.
phpMyAdmin: We discourage using phpMyAdmin in favor of a MySQL client such as Sequel Pro (Mac) or MySQL Workbench (all platforms). Access to databases is limited to MySQL user accounts – root access is never allowed.
MySQL: We prefer using MariaDB, an open-source fork of MySQL.
#2: Are you completely isolating hosting accounts from each other? Or is it possible for one hosting account to read files in another account on the same server?
Oh yes. Most of our sites are set up on their own VPS (virtual private server), and one VPS cannot access another. As we tell many of our clients, we do not use passwords to access servers, using SSH keys instead. We do not use plain-text FTP. While SFTP adds a level of complexity, it is far more secure than unencrypted FTP.
On our shared virtual hosts, where multiple sites share a server, each site is owned by its own system user, and that user is restricted to its home directory.
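As an added illustration of the key-only, no-password access policy described above (example code, not the host's own tooling), the POSIX shell audit below reads an sshd_config and flags any directive that would still allow a password login. The directive names are real OpenSSH options; the two sample configuration files it writes are constructed for the demonstration, and a directive that is simply absent is reported as a finding because it should be set explicitly rather than left to the daemon's default.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against a
# key-only login policy. Limitation: directives inside Match blocks are not
# evaluated separately; sshd uses the first uncommented occurrence, so we do too.

# Print the effective (lower-cased) value of directive $2 in config file $1.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        { if (tolower($1) == key) { print tolower($2); exit } }
    ' "$1"
}

# Audit config file $1. Prints one FAIL line per finding; returns 1 if any.
audit_sshd() {
    cfg="$1"; rc=0
    # directive | acceptable values (space separated) | meaning
    while IFS='|' read -r directive ok meaning; do
        val="$(sshd_get "$cfg" "$directive")"
        case " $ok " in
            *" $val "*) ;;   # present and acceptable (empty val never matches)
            *) echo "FAIL $directive=${val:-<unset>} ($meaning)"; rc=1 ;;
        esac
    done <<EOF
PasswordAuthentication|no|passwords must not be accepted for login
PermitRootLogin|no prohibit-password|root may not log in with a password
PubkeyAuthentication|yes|key-based login must be enabled
ChallengeResponseAuthentication|no|keyboard-interactive password prompts disabled
EOF
    return $rc
}

# Write two constructed sample configs into a temp dir and echo its path.
write_samples() {
    dir="$(mktemp -d)"
    # Weak: passwords and root login allowed, challenge-response unset.
    cat > "$dir/weak.conf" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    # Hardened: matches the policy stated in the post.
    cat > "$dir/hardened.conf" <<'EOF'
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
    echo "$dir"
}

# Usage on a real host (assumed path): audit_sshd /etc/ssh/sshd_config
```

Run it against the weak sample and it reports three findings (password login, root password login, and the unset challenge-response directive); against the hardened sample it is silent and exits 0, which makes it easy to wire into a nightly check next to the update cron job.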
#3: Are my server logs available and how long are they kept?
Unless requested otherwise, all logs are kept for at least one month. Logs are stored in a separate directory from the web root. Some users prefer complete anonymity and do not wish for us to keep logs.
#4: How are you backing up my site and how long are backups being retained?
It depends on which backup level you have purchased from us!
Standard: All packages come with a basic backup to an off-server location. We also do something most other hosts do not: we test to make sure the backups work.
Standard backups are typically kept for 30 days. Other levels of backup are:
Enterprise: Includes standard backups as well as backups to an additional server using the enterprise-level R1Soft software. “Hot” MySQL backups are included.
SononaCare: The 3-2-1 backup principle is used in our SononaCare package. Site backups are made hourly and stored off-site. Additionally, UpdraftPlus WordPress backups are used and stored at Amazon S3 and Google Cloud.
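The "we test to make sure the backups work" step in the Standard tier above is the part most backup routines skip. As an added example (not the host's own backup tooling), the POSIX shell script below takes a compressed tar backup of a site directory, restores it into a scratch directory, and compares a checksum manifest of the restored tree against the live copy; it also treats an archive that fails to extract as a failed backup. The sample site it builds is constructed for the demonstration, and `cksum` is used only because it is POSIX; a production check would swap in `sha256sum` (assumed available) for tamper resistance.

```shell
#!/bin/sh
# Added example, not from the original post: back up a directory and prove
# the backup restores correctly before trusting it.

# Create a compressed tar archive of directory $1 at path $2 (keep $2 outside $1).
make_backup() {
    tar -C "$1" -czf "$2" .
}

# Emit a sorted "checksum size path" manifest of every regular file under $1.
# Ownership, permissions and mtimes are not compared here.
manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
          printf '%s %s\n' "$(cksum < "$f" | cut -d' ' -f1,2)" "$f"
      done )
}

# Restore archive $2 into a fresh scratch dir and compare it with source $1.
# Returns 0 when the restored tree matches file for file, 1 otherwise.
verify_backup() {
    src="$1"; archive="$2"
    scratch="$(mktemp -d)"
    if ! tar -C "$scratch" -xzf "$archive" 2>/dev/null; then
        echo "FAIL: archive does not extract"
        rm -rf "$scratch"
        return 1
    fi
    expected="$(manifest "$src")"
    actual="$(manifest "$scratch")"
    rm -rf "$scratch"
    if [ "$expected" = "$actual" ]; then
        echo "OK: restored tree matches source"
        return 0
    fi
    echo "FAIL: restored tree differs from source"
    return 1
}

# Build a small constructed "site" in a temp work dir and echo the work dir.
make_sample_site() {
    work="$(mktemp -d)"
    mkdir -p "$work/site/wp-content/uploads"
    printf '<?php define("DB_NAME", "example_db");\n' > "$work/site/wp-config.php"
    printf 'sample upload\n' > "$work/site/wp-content/uploads/a.txt"
    echo "$work"
}

# Typical nightly flow (assumed paths):
#   make_backup /var/www/site /backups/site-$(date +%F).tgz
#   verify_backup /var/www/site /backups/site-$(date +%F).tgz || alert-on-call
```

The verification restores into a throwaway directory rather than over the live site, so it can run safely on a schedule; a non-zero exit from `verify_backup` is the signal to page someone, because an untested backup is only a hope.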
#5: Does my current hosting plan allow me to enable HTTPS?
Yes! We offer complimentary SSL certificates from Let's Encrypt, as well as commercial and extended validation (green bar) certificates from Comodo.
These are some of the basics of security that WordFence reinforces. We also go to extra lengths to keep your site safe which we explain in our approach to hosting services.