At Surge, we take web hosting very seriously. We employ staff trained in DevOps who maintain our hosting environment. As we build the majority of our websites on WordPress, we have set up our hosting services to be optimised for WordPress security.
Why we use the open source WordPress CMS platform
When WordPress was first released on May 27, 2003 by its founders, Matt Mullenweg and Mike Little, as a fork of b2/cafelog, it was designed for managing blog posts. However, after more than 200 feature and security updates, it now has all the features of a professional content management system.
With every new feature update, WordPress becomes more and more powerful and opens new possibilities to our web developers so that they can bring these new features into the websites they build. You can find out more about why we use WordPress here.
Why we prefer WordPress as an open source CMS over a closed source CMS
At Surge, we believe WordPress is the best choice of CMS available as it brings so many benefits to our customers’ websites in terms of features we can utilise.
As WordPress is open source, anyone can contribute to improving the features and help the core WordPress developers by submitting bug and security reports. WordPress has around 25 security experts who have the job of working on security patches. With 23% of the top 10 million websites in the world being powered by WordPress, there will always be pressure on WordPress to drive its features and security updates forward.
We at Surge recognise that when any platform gets big enough, it becomes more susceptible to being targeted by people who are motivated to find vulnerabilities in it because of its exposure and wide adoption. As websites are by nature publicly available for anyone to load in a web browser, they require security systems that stop attackers from gaining access to certain parts of the website files and processes while still allowing enough access for your legitimate web traffic. This problem is true of any large, publicly-accessible, Internet-based system because attackers will always be more motivated to find vulnerabilities if they can then use the exploit they have discovered on other installations.
This is true of WordPress because WordPress is the most widely used CMS on the Internet today. The same can be said for many other large platforms like the iPhone’s iOS platform or the Android platform that runs across millions of mobile phones today, or even Microsoft Windows.
Attackers will always be there attempting to find ways to either exploit a feature of a platform or to reverse engineer a feature for their gain. To solve this problem, the makers of these platforms actively work on security updates and push out patches. When a new security patch has been released, the developers of the application will actively encourage you to install it for your own security.
For example, most Microsoft Windows users know that if they don’t keep on top of the security updates available to them through the Microsoft Windows updates screen, or if they neglect installing antivirus onto their computer system, over time their computer could get a virus or malware and become slow, unstable or it could even fail. With every update of Microsoft Windows, security does improve – that’s why you should always upgrade to the latest version of Microsoft Windows when available and this is exactly the same for WordPress.
As WordPress is a large system running on millions of web hosting platforms, we take WordPress security updates very seriously. At Surge, if a company hosts their website with us, and the website was built by us, a maintenance package can be set up to automate the process of installing the latest security patches. We also have a plethora of other ways to further secure WordPress websites.
WordPress Security Patches
We always build and host sites on the highest version of PHP that WordPress and its plugins support, and we make sure that every website on our server is backed up regularly. We even offer free web hosting for your first year. For customers with maintenance packages, we proactively watch for the release of new patches to ensure your website is on the latest version of WordPress with the latest security releases.
Web application firewall
We also have a web application firewall installed on our hosting that watches every connection to your website and runs the connection parameters through an ever-evolving list of security test cases. If a connection is deemed to be violating one of the web application firewall rules, the connection is terminated before it can do any damage.
Websites we host are protected with Fail2ban, which watches for malicious activity on your website hosting, blocking attacks it recognises and registering any new threats in order to shield websites from them in future instances.
All our most recent WordPress builds include the WP-SpamShield feature. This blocks spam submissions on your website. Not allowing spam into the website’s database can improve security by potentially preventing SQL injection, DDoS, and XSS exploit attacks – these could be submitted through automated spam comments. By using WP-SpamShield, the security issues inherent to Pingbacks will be fixed, and Pingback-based DDoS attacks will be prevented. As part of the Miscellaneous Form Spam Protection, the plugin protects against XML-RPC brute force amplification attacks. Furthermore, there are various other features of this plugin that improve security, such as blocking certain potentially dangerous URLs in spam comment submissions and limiting comment size to 15kb (15kb of text is roughly the equivalent of three typed pages in Microsoft Word, single-spaced, so that’s more than enough for even the longest of comments).
Backups and Restoration
If something does go awry you can always count on our many restore points available through our backup service.
With Surge’s hosting, all website data files, databases, mail and configuration files are backed up weekly at 2:45am on a Saturday. This backup is made to the dedicated server’s hard drive. As we have the dedicated server’s hard drives set up in RAID, all website data gets mirrored to another location. This prevents the loss of data if a single hard drive fails.
We also run a monthly manual download of all website data which is placed on a secondary hard drive. This second hard drive is kept in another location away from the dedicated server to protect against fire damage taking out both of the backups. As a final precaution, a quarterly cloud-based backup is made of all website data, and all backups are encrypted to secure the data.
Where possible, we write our own features instead of relying on too many third-party plugins on the sites we build. We have built features such as sliders and navigation bars in-house. Where we do need to use a plugin, we make sure to check that it comes from a secure and reliable source.
Every six months, we assess our current hosting hardware and research opportunities moving forward. We manage our hosting so that it never gets overloaded and we always plan to have spare capacity. In the event that a problem with the hosting stops a website from loading, we are able to reboot the full web hosting or restart single services through a secured, web-based control panel. This allows us to manage the dedicated server from a remote location outside office hours.
If you have any further questions about our web hosting, please do not hesitate to get in touch with our team – we’re more than happy to help!