Sometimes clients ask us about what we do for the security of their sites. This document summarizes the multiple layers of security hardening and checks that are done on all websites hosted on Tenseg’s hosting infrastructure. Our goal is to have layers of security software and practices that together form a secure environment for your website to run.
WordPress Security
There are a number of layers to security directly within the scope of your WordPress website. Generally speaking the security implemented on your WordPress website is all that you will see as the rest lies outside of WordPress directly. While some of this you will be able to change yourself, we highly recommend that you leave managing security-related aspects of WordPress to us.
Plugins
These are plugins we require to be active on your site, and we configure to help harden various aspects of security:
Name | Purpose |
---|---|
Akismet | Spam comment and form response blocking. |
Limit Login Attempts Reloaded | A plugin that helps block unauthorized login attempts. We configure it to allow a small number of password retries before a lockout of over a quarter of an hour; after two such rounds, a lockout of a day is enforced. |
Sucuri | The security plugin we use for a set of on-site security features. |
TG Help | Our helper MU plugin provides assorted security and environment hardening, as well as the links to get help found in your dashboard, for all websites we host. |
TG Revision List | A plugin we wrote to easily surface all content modifications for administrators to review if needed to see who has done what regarding content editing on the website. |
Two Factor | The feature plugin that we use to enable 2FA on logins, and which we recommend enforcing for anyone who can edit the website, but at least all administrators. |
WPS Hide Login | Used to change the login URL to something other than the default so it is harder for bad actors to find the login form to attack. |
WP-WebAuthn | A plugin that allows login via passkeys or hardware security keys, which is far easier and more secure than a password plus 2FA. We highly recommend that all administrators consider using it, or even enforcing it on themselves. |
Files
The bulk of the contents that are usually in the wp-config.php file we store in a PHP file that is not in the web-root of your website. This means that even if some illicit code managed to read the contents of the regular config file, it would not get the important bits, like database access info or other secrets that file usually keeps.
We are also keeping thorough logs of access and errors on your website, as well as nightly database backups your site makes (managed in system cron, not from a WP plugin), and likewise these are also outside of the web-root. Only files in the web-root are served to the open internet. There may be other files, both in and outside the web-root, that we keep alongside your website depending on what features you need.
We disable the ability to edit PHP files from the WordPress Dashboard. While some may consider the feature a convenience, we see it as a security hole. It may be much easier for someone to gain access to the Dashboard with stolen WordPress login credentials than it is to access the direct filesystem of the site via SSH. As such, we choose to eliminate this feature.
Database
The database of your website is configured to not use the default prefix for its tables. We use a slightly longer prefix, and one which bad actors will be much less likely to guess. This prefix is unique to just your website. The database is also inaccessible from outside the server. Even we tunnel in with SSH in order to access the database directly. Each database on a given server has its own user, and none of the site users have access to each other’s data. As best we can, depending on the specific plugin, we keep license keys or other secrets in the config file rather than in the database.
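A wp-config.php that follows the Files and Database practices above, as an added example (not Tenseg's own configuration): the directory paths, the wp-secrets.php file name and the prefix value are assumptions chosen for illustration.

```php
<?php
/**
 * Added example, not Tenseg's actual configuration: a wp-config.php in the
 * web root that keeps the secrets outside the web root, as described above.
 * The paths, the secrets file name and the prefix are constructed values.
 */

// Where the private config lives: a directory the web server never serves.
// '/srv/example-site/private' is assumed; the web root would be e.g. '/srv/example-site/public'.
$private_config = '/srv/example-site/private/wp-secrets.php';

// Refuse to start if the secrets file is missing or has ended up inside the
// web root, since a misplaced secrets file would defeat the point of the split.
// DOCUMENT_ROOT is absent under WP-CLI, so the location check is skipped there.
$doc_root = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
$secrets  = realpath($private_config);
if ($secrets === false) {
    http_response_code(500);
    exit('Site configuration is incomplete.');
}
if ($doc_root !== false && strpos($secrets, $doc_root . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    exit('Private configuration must not live inside the web root.');
}

// The private file defines DB_NAME, DB_USER, DB_PASSWORD, DB_HOST, the
// AUTH_KEY/SALT constants and any plugin license keys, for example:
//   define('DB_NAME', 'example_db');
//   define('DB_USER', 'example_user');    // a user dedicated to this one site
//   define('DB_PASSWORD', '...');         // never stored in the web root
//   define('DB_HOST', 'localhost');       // the database only listens locally
require_once $secrets;

// A site-specific, non-default table prefix (constructed value; WordPress' default is 'wp_').
$table_prefix = 'q7kx_';

// Block editing plugin and theme PHP files from the Dashboard editors.
define('DISALLOW_FILE_EDIT', true);

// Standard WordPress bootstrap.
if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```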
What you can do
You can help the security of your WordPress website by protecting your login credentials. We highly recommend using a password unique to your website, and one that is strong. If you have a password manager, let it generate a lengthy password for you. If not, we suggest looking at your bookshelf and picking at least 6 words from book titles, concatenating those with hyphens, and using that as your password. But we also recommend taking advantage of the two factor and passwordless login capabilities of your website to further protect your account. You can also see our recommendations for online security if you want more information about any of this.
We also recommend that if anyone else needs access to the Dashboard side of your website you give them their own account. The account should also have the fewest privileges needed for the person to do what they need to do. For example, don’t make someone who just needs to post occasionally an administrator. As soon as the person no longer needs access, demote their user to one that cannot access anything critical on the website’s backend. If you need help with this just ask us.
While any admin user on your website can install updates, and is free to, we would advise caution. While updating is usually fine and doesn’t cause problems, there may also be cases where we are intentionally waiting to ensure an update is safe before we update your website. We may also be testing updates on the Local copies of your website that we have, and doing this lets us make sure an update is as trouble-free as we can tell before we update your live website. Still, know that there are certain cases where this sort of testing can never be complete, most notably anything related to payments, as only the live website runs against live mode on payment processors. If an update goes bad we can almost always cleanly roll back the update, with little to no disruption of the website, if needed.
We also ask that if you see anything suspicious on your website you reach out to us. We are not browsing your website all the time, and while we have a number of automated checks set up, which we summarize below, we won’t always see things quickly. So, please don’t hesitate to reach out to us if you see issues that need to be addressed.
Server-level Security Features
Our servers have a number of security-related configurations and practices that enhance security and protect your website.
- The server is set up to progressively block IP addresses that are behaving in suspicious ways or failing server-level authentication too often in a short period of time. We can also explicitly add to a permanent blocklist if we are made aware of bad actor IPs or remove such blocks ahead of their expiration if needed.
- Requiring SSH keys means that anyone attempting to connect via SSH will be required to present a pre-authorized SSH key, and will never even be given the chance to try typing in a password. We manage the keys that are authorized from our 2FA-secured hosting dashboard. We only authorize our own keys on our servers, and our keys are only stored in our password manager (hence their use is gated with biometrics), to further limit the potential of damage with this means of access to the servers and sites.
- Each website uses its own user on the server, and the root user is disabled in place of a sudo user, meaning that no single website has any way to affect any other website, nor see its files or database, nor affect the core operating system, and vice-versa.
- Each website is only accessible over HTTPS and uses a TLS certificate that is automatically managed and issued by Let’s Encrypt. The certificates are valid for just 90 days, and should renew 30 days before they expire.
- PHP, the programming language that WordPress is written in, is completely disallowed from running command-line tools on the server. This is a vector of attack that some malware would try to use in order to further explore or infect a server. Our servers entirely block this means of attack at its root.
- The servers automatically install all security updates for underlying services such as nginx, MySQL, PHP, Ubuntu, and more, and only alert us if said updates require server reboots, which only take 2-3 minutes and we aim to do on Friday evenings after 9 pm CT. We regularly install other software updates manually.
- Only the required ports for HTTP, HTTPS, and SSH are exposed to the live internet.
- When the version of Ubuntu a server is running is about to reach end-of-life we migrate all sites on that server to a server running a newer version of Ubuntu.
External Systems
There are further functions that are done on external systems from our live servers but aid in the security of your website while hosted and maintained at Tenseg.
Backups
On a computer in our office (that is also not the computers we use day-to-day) we make automated nightly backups of all servers. Note that this is just one of three different backups of your website we are making every night. The others are made by the server provider and our hosting dashboard, and are stored in entirely separate storage systems. Each backup has a slightly different set of data it backs up, and would be used for restoration after different kinds of failures. Still, you are free to make whatever backups you wish to.
Central Dashboard
We perform the bulk of standard maintenance across all the websites we host from one central dashboard that is intentionally not hosted either under our regular domain nor on the same hosting infrastructure as client websites. This is to protect it, and in the hopes it will stay up even if one of our client servers is down. This system provides a number of security-related functions:
- Only we can log in to this system, and only with passkeys, to harden its security. The dashboard also has all applicable WordPress and server security measures described above enforced, for maximum protection of a system that is so important to our work.
- Automatically checks for updates to WP core, plugins, and themes every day, performs some key updates automatically, and notifies us of all other updates so we can easily perform them across all websites we host and maintain. If an update leaves the site in a broken state, it automatically rolls back to the previous version.
- Will alert us to a handful of site hardening tasks when they are needed.
- Stores a central log of security and update events for all websites that we can comb through as needed when investigating security or bug related incidents on a website. Importantly, this log is not stored on the individual websites, but rather on the central dashboard, so cannot be read or affected by any potential illicit code that makes its way onto live websites.
- Notifies us of any WP core, plugin, or theme changes (installations, deletions, activations, deactivations, updates) made directly on the site, and by whom, so we can be aware of changes we did not make from our central dashboard, and it logs these for recordkeeping.
- Pings every site every 5 minutes to alert us of downtime. If significant downtime occurs we will communicate this on our status website.
- Tracks the WP Site Health status information.
- Can run Sucuri scans on any site as needed from our central dashboard.
- Runs a virus and malware scanner every week against all websites and alerts us if anything is found so we can investigate and clean up, and it aids in that clean up.
- Checks all software on all websites against the National Vulnerability Database once a week and alerts us of any findings we should know about. Since we don’t make most of the software there isn’t always a ton we can do, but at least we are made aware of such vulnerabilities.
- Monitors TLS certificates as a failsafe if the server doesn’t succeed in renewing the certs 1 month before expiration as it should, and alerts us within 7 days of expiration so we can investigate.
- Monitors domain name expiration dates as a failsafe to alert us within 2 weeks if your domain name registration is about to expire, so we can get in touch with you to ensure your domain name renews as needed. Most domains should auto-renew, but this way we have an eye on them in case something goes wrong.
Always Improving
We are always improving the security configurations and services that form the security backbone of the websites we host and maintain. We aim to keep this document updated as our practices evolve. We are actively involved in assorted WordPress communities, and regularly read technology news, to help learn of new practices and security threats. If you have any suggestions for the security of our hosting infrastructure, please don’t hesitate to send us them.