What does Savvii do to secure your WordPress website?
Timo, February 25, 2020
As a premium hosting company, we take the security of your WordPress website extremely serious. In order to protect your site and our platform, we don’t take half-measures. But what exactly does Savvii do to keep your website secure? How have we built up our hosting stack and what do we do on a daily basis to ensure a safe managed WordPress hosting platform?
The structure of our hosting stack
What do we install on our servers?
Just the essentials, that’s what we install. If we don’t need the software to host WordPress sites, it’s not on there. This will reduce the surface of potential attacks. Weaknesses in software that is not used are excluded. In addition, we only support encrypted SFTP and SSH connections. This allows customers to communicate securely with their servers at all times. A DV certificate is also installed on every server by default. This allows website visitors to safely visit your website and leave their details or make payments.
Every website has its own PHP worker pool. So you don’t share PHP-workers with other sites. This applies to both VPS and shared. Because of this separation, no malicious PHP request can be forwarded from one website to another. In addition, we’ve disabled certain PHP functions that pose a threat to your website. For example, the ‘PHP exec’ which allows you to execute system commands.
Do you want to keep the door wide open for malware? Then make sure to not update plug-ins and the WordPress core. At Savvii you’ll find the functionality to automatically update these extensions and software. As well as taking some of the work off your hands, this prevents websites from becoming infected. If your website gets infected despite an up-to-date plug-in, we will clean it up for you free of charge.
If something does go wrong with your website, you can always fall back on your backups. We make a daily backup of all your websites and keep them off-site for 14 days. This means you always have your backups safely in a separate location.
Scanning and monitoring
We actively monitor our platform every day. This ranges from broad platform scanning of all sites for viruses and malware to monitoring abnormal traffic. An extremely high traffic load on the server? Then our system gets us notified and we’ll sort it out. Suspicious login attempts on the WP-Admin? Then we apply rate limiting and blacklisting. A vulnerable plugin that needs to be updated on a website of a customer that turned off the auto updates? Then we contact or block (in case of repeated no response) the site. We do not accept that harmful user behaviour of others endangers your website.
We are ISO 27001 certified and take data security very serious. If a data breach occurs despite all precautions we’ll always report this to you. We also expect the same precautions from our suppliers. In our supplier selection we actively ask for an ISO 27001 certificate. If a supplier does not have one, we will work together to find out whether safety is sufficient. We look at access security, password use, use of encryption and many other things that ensure that your information is handled securely with us and with our suppliers.
Security standards support
Before we proceed in making any changes to the settings of your website it’s mandatory to verify yourself. If you call us on an unknown phone number or if we receive an email from an unknown email address, we can’t make any changes. We’ll also never pass on confidential information without verification. These measurements will keep your website and data safe from people that might pretend to be you or work for you. Although it’s hopefully unlikely for this to happen we’re very strict on these verification measurements.
We do everything we can to keep our platform as secure as possible for your WordPress website. Our hosting stack is significantly different from most generic hosters. We dare to say that your website will be a lot safer on our platform. Still, we can’t protect everything. As always, user behavior and security sometimes work against each other. With our automatic update service we have made things a lot easier for you. If you keep this service switched on and still something does happen, we’ll clean your website free of charge.
Do you want an even safer solution for your website? Read more about our Security Plus package.