General question about WordPress cloud security

July 15, 2014 1.1k views

I've been working with WordPress using normal 'shared' hosting packages with other providers for years. I'm really comfortable with cPanel, setting up databases etc. and everything works fine.

Cloud hosting has always been in the back of my mind, however, and I stumbled across DigitalOcean.

In seconds I was able to install WordPress. I followed a couple of tutorials for PuTTY etc. and got things working - it's also super quick compared to any shared hosting I've worked on before.

My problem is - obviously the speed and the price of everything is great, but I'm sort of left thinking - this is a bit too easy. The thing that has stopped me from using cloud hosting in the past is that obviously it's a complete learning curve and server administration is not everyone's cup of tea.

Basically, if I install WordPress as an application on DigitalOcean and sort out the DNS and domain stuff - will that install of WordPress be as safe and secure as something on a shared hosting package with another provider? Would I be better off starting with a blank Ubuntu install and learning about the intricacies of firewalls etc.? Or is the default WordPress 1-click application safe (or as safe as WordPress generally can be anyway!)?

Many thanks

2 Answers

One of the most important things you can do in order to keep WordPress safe is make sure it is kept up to date. Most websites get compromised by using known exploits that have already been fixed. People scan the internet looking for older versions of software to use the known vulnerabilities.

Keeping everything else on the server up to date is also important. The biggest difference between shared hosting and running your own site is that you can't just set it up and walk away. You need to apply security updates regularly.

Some general tips:

by Etel Sverdlov
SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. With SSH keys, users can log into a server without a password. This tutorial explains how to generate, use, and upload an SSH Key Pair.
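
Added example, not part of the original answer: a small shell check for the "keep it up to date" advice, which reads the installed version from `wp-includes/version.php` and compares it with a minimum version you supply. The function names, the temporary demo tree and the sample version numbers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag a WordPress install that is older than a required version.
# Stock WordPress defines $wp_version in wp-includes/version.php.

# Print the installed version for a WordPress root directory; fail if not found.
wp_installed_version() {
    file="$1/wp-includes/version.php"
    [ -r "$file" ] || return 1
    # Matches a line such as:  $wp_version = '3.9.1';
    v=$(awk -F"'" '/^[ \t]*\$wp_version[ \t]*=/ { print $2; exit }' "$file")
    [ -n "$v" ] && printf '%s\n' "$v"
}

# Return 0 if dotted version $1 is strictly lower than $2 (numeric, per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print a one-line verdict. Returns 0 = current, 1 = outdated, 2 = not WordPress.
wp_audit() {
    root="$1"; required="$2"
    installed=$(wp_installed_version "$root") || { echo "UNKNOWN $root"; return 2; }
    if version_lt "$installed" "$required"; then
        echo "OUTDATED $root installed=$installed required=$required"
        return 1
    fi
    echo "OK $root installed=$installed"
}

# Constructed demo: a fake install tree in a temp dir (sample version numbers).
demo=$(mktemp -d)
mkdir -p "$demo/wp-includes"
printf "<?php\n\$wp_version = '3.9.1';\n" > "$demo/wp-includes/version.php"
wp_audit "$demo" "3.9.2" || true
rm -rf "$demo"
```

Run from cron against the real document root, the non-zero exit status of `wp_audit` can drive an alert when the site falls behind the version you require.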

It depends on which cloud hosting provider you choose for your WordPress website; however, most cloud hosting providers offer the security features below within their package:

Basic Security Level
Basic Security level uses data sources to identify potentially malicious visitors to the site by IP threat scoring. If the IP has recently shown problematic behavior online, including spam and attacks, then a visitor from that IP would receive a challenge page before they actually hit your website (this is also highly effective at stopping many botnet attacks).

Threat Control
Many WordPress site owners just installed their WordPress site through a few clicks at a hosting provider. Many of these site owners do not know server commands that they can use to restrict access to their site through things like .htaccess, but the hosting provider's control panel will let you do many of the same things that you would do in .htaccess through an intuitive interface that will let you either block or whitelist IPs.

Things you can do:

  1. Block an individual IP
  2. Block an IP range
  3. Block a country

Web Application Firewall
This option is mostly available as a paid feature; however, it is designed to make it harder for someone to penetrate your site (you still have to follow other security practices).

DDoS protection
Each hosting provider usually offers basic DDoS protection and advanced DDoS protection; basic is available for free, while advanced may require monthly charges.

Hope this helps!
