What Steps Can You Take to Enhance WordPress Security on Cloudways?


Cloudways has always stood out with solid security features and flexible pay-as-you-go pricing, making it a serious contender against top WordPress hosting providers like WP Engine.

So, it wasn’t a big surprise when WP Engine users started migrating to Cloudways after their hosting provider was blocked from WordPress resources by co-founder Matt Mullenweg.

Are you one of those users?

If so, you’re probably eager to start using the powerful security features you’ve heard about.

Below, we’ll show you how to strengthen your website security with Cloudways tools such as:

  • IP white-listing and access restriction
  • Bot Protection
  • Monitoring and alerts
  • Scheduled backups.

And more.

While we’re at it, we’ll also provide some timely reminders about standard WordPress security tasks you may want to address as part of this process.

Ready?

10 Key Steps to Enhance WordPress Security on Cloudways

1. Enable Cloudways Security Features

Cloudways offers several built-in security features at both the server and application level. We’ll look at some of these in more detail later on, but for now, here are a couple of quick and easy wins for your new Cloudways account:

A. Utilize Your Vulnerability Scanner

The first step to dealing with vulnerabilities in WordPress is spotting them in the first place. To help with that, Cloudways provides a WordPress vulnerability scanner that keeps checking the versions of your core, theme, and plugin files against known vulnerabilities.

Vulnerability Scanner

Although this tool sends you notifications of potential threats, you can also run it manually by going to Application – Application Security – Vulnerability Scanner and clicking Refresh to bring up new data.

Should this reveal any vulnerabilities, you’ll also be given recommendations and instructions on how to address them. Treat the update as the fix, not the notification: a listed vulnerability stays exploitable until the affected plugin, theme, or core version has actually been updated or removed.

B. Manage SSH/SFTP Access to the Servers

SSH and SFTP are encrypted protocols that provide remote shell and file access to your server.

On the upside, this makes it possible for you and your team to work on the site from anywhere, at any time.

On the downside, any SSH or SFTP endpoint exposed to the internet is probed around the clock by bots and human attackers alike, guessing passwords and trying leaked credentials.

By default, Cloudways accepts SSH/SFTP connections from any IP address and relies on its own blocking of addresses that make unauthorized access attempts.

To really tighten your WordPress security, it’s a good idea to switch to a whitelist.

This means that all IP addresses are blocked by default until you manually add them to a list that tells Cloudways to let them through. The whitelist controls who can reach the SSH/SFTP port at all; it doesn’t replace strong credentials, so keep using SSH keys rather than passwords wherever you can.

Sure, it’s more time-consuming, but it also gives you far greater control over who, or what, can reach your server.

For example, say you’ve hired a remote team of three developers to help you launch a new eCommerce store. You could limit SSH and SFTP access to just four or five IP addresses: one for each team member plus one or two of your own devices. That way, you’re not worrying about your project being compromised before it’s even launched. Bear in mind that home and mobile connections often change address, so expect to maintain the list; resist the temptation to widen an entry to a whole ISP range just to avoid updating it.

C. Manage Database Access

Taking access management one step further, Cloudways also lets you use whitelisting to control remote access to your WordPress site’s MySQL databases.

Switch to the MySQL tab under Server – Security and add only the addresses of the developers who genuinely need remote database access. WordPress itself talks to MySQL locally on the server, so this list can usually be very short, or empty.

D. Enable Bot Protection

Bots are estimated to account for 42% of all web traffic, and around 65% of those bots are malicious.

So it’s a good thing that Cloudways comes with in-built bot protection to keep those nefarious automated programs out of your website.

Found under your application settings (Application – Bot Protection), this feature is enabled right out of the box, with a clear dashboard that shows you:

  1. How much bot traffic has been blocked from your site
  2. How many attempted logins by bots have been thwarted.

We recommend keeping this exactly as it is to keep your site protected against:

  • Bots attempting to gain unauthorized access to your site through brute-force login attacks
  • Application-layer denial-of-service traffic (a large volumetric DDoS has to be absorbed at the network edge; no application-level filter can do that on its own)
  • Unauthorized web scraping.

E. Deploy Code From Git Repositories

Deploying code changes directly from a Git repository is an efficient way to manage website updates, but as with most things in the world of web development, it’s not without its own security risks.

Git Deployment

To contain those risks, Cloudways deploys over SSH using a key pair it generates for the application. The private key stays on the server; you register the public half with your Git provider as a deploy key. Give that deploy key read-only access: deployment only needs to pull, and a read-only key limits what an attacker could do with it if the server were ever compromised.

To take advantage of this feature:

  • Go to Application – Deployment via GIT
  • Generate a new SSH key pair and download the public key
  • Add the public key to your Git repository as a read-only deploy key
  • Copy the repository’s SSH address (not the HTTPS URL) into Cloudways
  • Choose the branch and deploy your code.

2. Be Proactive About WordPress Updates

You don’t get far as a WordPress website owner without encountering updates. Still, there’s already so much you have to do to manage your site. So isn’t it better to focus on other tasks and ignore updates, especially when your site seems to be working just fine without them?

No, it isn’t.

Of course, you know that, but you’d be surprised at how many people don’t.

Source: W3 Techs

A 2018 security analysis determined that 33% of all WordPress websites were at least two versions behind. Meanwhile, more recent data shows that more than 15% of WordPress sites still aren’t running a 6.x release. To put that in perspective, WordPress 6.0 was released on May 24, 2022.

Here’s the problem:

Each new WordPress version improves on the last in terms of performance and security: bugs are fixed, vulnerabilities are patched so that bad actors can’t exploit them, and things are tweaked and optimized to give your users a safe, smooth experience.

So, neglecting to update WordPress only makes your site, and, as a consequence, your users, more vulnerable to a security breach by leaving those vulnerabilities wide open to attack.

And that’s before we get to themes and plugins.

Reputable developers release their own updates, sometimes to offer new features, but normally to keep up with new WordPress versions and fix security issues in their own code.

Given that some 52% of WordPress attacks are said to be caused by outdated plugins, you can see why staying on top of them is paramount.

Here are a few methods and strategies to help you take control of WordPress update management.

A. Use the Updates Page

The WordPress Updates page is your central hub for all theme, plugin, and core updates.

It provides information on your current WordPress version, and one-click installation buttons for theme, core, and plugin updates.

As a best practice, get into the habit of checking for any notifications next to Updates in your dashboard menu.

If you see a red/orange circle with a number inside it, that number represents how many update-related issues you need to attend to. In our example, there are three.

B. Consider if Auto-Updates are Appropriate

Themes and plugins can be set to install new updates on their own. Alas, as the old saying goes, just because you can doesn’t necessarily mean that you should.

On the plus side, putting your updates on autopilot can be a good idea if you’re absolutely certain you won’t have time to handle them yourself, and it closes the window between a security release being published and your site receiving it. However, it’s worth considering what might happen if an update breaks something on your site that you don’t notice until some time later.

If you’re prepared for that eventuality, you can enable auto-updates per theme and plugin from the Themes and Plugins pages, and disable them again the same way. Whichever you choose, auto-updates are no substitute for a recent backup and a staging site to test on.

C. Check Your Notification Settings

Notifications are a useful way to keep track of automated updates, whether to plugins, themes, or WordPress core (minor and security releases of core install themselves by default, and WordPress emails the site administrator when they do).

That is, as long as they’re configured correctly.

As a rule, all notifications regarding updates go directly to your site administrator’s email account.

If you’re not the site admin, you can either:

  1. Request that they set up email forwarding so that you receive important alerts
  2. Change the administrator email in Settings – General (WordPress sends a confirmation link to the new address before the change takes effect, and that address also receives password-reset and other admin notices, so choose it carefully).

When you’re sure that emails are going to you, set up inbox filtering to ensure WordPress update notifications are always prominent so that you can attend to them as soon as possible.

3. Use Strong Passwords and Authentication

Your WordPress login screen is essentially the first line of defense against a whole range of potential security nightmares. So, it pays to strengthen that defense as much as possible by using a reputable password manager and enabling two-factor authentication for both your Cloudways account and your WordPress site.

A. Password Management

Password management tools such as LastPass, 1Password, or Keeper generate and save strong, complex passwords unique to each of your online accounts. As you can imagine, they’re invaluable for preventing one leaked password from putting all of your accounts at risk.

For example, say you’re one of the 78% of people using one password on three or more accounts.

Now, say one of those accounts is for a website that has just had its data stolen. That means your account information, including your password, is out there. Someone gets hold of it, tries the same email and password combination against Cloudways (a technique known as credential stuffing), and breezes right in.

Password managers solve this problem by giving each of your online accounts its own unique, hard-to-crack password, so one leaked password compromises one account and no more.

B. Two-Factor Authentication

Two-factor authentication puts an extra step between the login page and your account. After entering a username and password, you’ll typically be asked for a one-time code, either generated by an authenticator app on your phone or sent to you by SMS or email. Prefer the app (or a hardware security key) where it’s offered: codes sent over SMS or email can be intercepted or redirected, while an app-generated code never leaves your device.

The idea is that even if a hacker has your password, they also need the device that produces the code, which makes getting into your account far harder (though not impossible: a phishing page that asks for the code and relays it straight away can still get through, so stay alert to where you’re typing it).

You can enable two-factor authentication for your Cloudways account by going to Account – Security and clicking Activate TFA.

You can then use WordPress plugins such as Google Authenticator or WP 2FA to create two-factor authentication for your site.

Top security plugins like All-in-One Security (AIOS) and Wordfence also have two-factor authentication built in, so check whether you already have those features available before installing another plugin.

4. Limit Login Attempts

Speaking of strengthening security for your WordPress login page, use a plugin such as LoginPress or Limit Login Attempts Reloaded to cap the number of times a user can attempt to log in before they’re locked out.

Of course, this means you’ll have to be on your A-game when it comes to storing and remembering your login credentials, but it’s an invaluable step in slowing brute-force attacks, where an attacker or automated bot simply tries password after password (or works through lists of leaked credentials) until one succeeds. Remember that the login page isn’t the only door: XML-RPC can be used for the same attack, which is one reason to disable it in step 7.

5. Implement Backups and Restore Points

Backups are the bedrock of good WordPress security, providing you with a good working copy of your site that you can deploy in case of emergencies.

  • Has your site been wrecked by hackers? Restore a backup.
  • Server failure knocked your site offline? Restore a backup to a different server and redirect URLs until you’re up and running again.
  • Rogue plugin caused everything to go haywire? You guessed it, use your backup.

Cloudways allows you to create backups at both the server and application level with several options available to you:

A. Schedule Automated Server Backups

Select your server and click on it to open the server options, then head to Backups.

Here, you can configure a backup schedule that works for you and determine how long your backup copies should be retained for.

As a rule, backup copies are stored off your server, on storage that Cloudways manages. It’s a good start, but hardly ideal if the company itself ever runs into problems. With that in mind, it’s also worth enabling local backups. This keeps a second copy of each backup on the server itself, which you can then download over SFTP to your own device or storage. Whatever you choose, test a restore now and then; a backup you’ve never restored is an assumption, not a safety net.

B. Manual Server Backup

Making changes to your server set-up in between regularly scheduled backups? Cover yourself in case something goes wrong by using the On Demand backup on the server backups page.

This will create a one-time backup without affecting your regular schedule.

C. Manual Application Backups

The last two options back up every application on your server, but what about backing up your individual WordPress site?

You can do that manually by accessing the application settings for your site, and then head to Backup and Restore.

Unfortunately, Cloudways doesn’t offer automated backup scheduling at the application level.

So, in addition to (or instead of) the hosting provider’s own tools, you may also want to use a WordPress plugin like UpdraftPlus to schedule automatic backups and have them stored in a secure cloud location of your choosing, ideally one that the site’s own credentials can’t delete from, so that an attacker who compromises the site can’t wipe its backups too.

That way, you can be confident that, no matter what happens to your site or the server it sits on, you’ve got all the bases covered.

6. SSL Installation

SSL, or Secure Sockets Layer to give it its full name (today’s certificates actually use its successor, TLS, but the old name has stuck), is the protocol that encrypts data passed between your website and a user’s browser. For example, when a user enters a credit card number to buy a product or a password for your membership site, that data is encrypted in transit, so anyone eavesdropping on the connection sees only ciphertext.

HTTPS has been a Google ranking signal since 2014, which should be enough to convince any serious website owner of why a certificate is essential.

After all, when search engines can trust that your site is above board, that’s only going to work in your favor in terms of generating positive search ranking positions.

Still, boosting positive signals to Google and upping your SEO game isn’t the only reason to put one in place.

Beyond that, the fact that users can see their connection to your website is secure means they’re more likely to do business with you.

As a Cloudways user, you automatically have a free SSL certificate powered by Let’s Encrypt. For those unfamiliar, Let’s Encrypt is the largest SSL certificate authority on the web, serving as the trusted source of free certificates for scores of web hosting companies, digital agencies, and individual users alike.

Source: W3Techs

To set yours up, head to SSL certificate, choose your preferred provider, then enter an email address and the domain name you want to protect.

Should You Use a Wildcard?

To wildcard or not to wildcard, that is the question, especially if you’re not sure what a wildcard is in the first place.

In basic terms, a wildcard certificate covers every first-level subdomain of a domain. For example, if your main website is at joesbakery.com but your eCommerce store is at store.joesbakery.com, a wildcard for *.joesbakery.com means store.joesbakery.com (and blog.joesbakery.com, and so on) are all covered without issuing a separate certificate for each. Wildcards are validated via a DNS record rather than an HTTP check, so expect to add a TXT record at your DNS provider.

If you currently use subdomains or plan to add them, it’s worth applying this option.

Either way, once you’re finished configuring your SSL, simply click Install Certificate.

7. Disable File Editing and XML-RPC

The more you can do to limit access to your site, the better. So, in this step, you’ll learn how to eliminate two potential access points:

A. File-Editing

Disabling the built-in file editor removes an easy way for anyone who gets hold of an administrator login to drop PHP into your theme or plugin files straight from the dashboard.

The simplest way to do this is to add the following line to wp-config.php above the comment that reads /* That's all, stop editing! Happy publishing. */ (older releases end it with "Happy blogging."). Don’t paste it at the very end of the file: anything placed after the require_once of wp-settings.php runs too late to take effect.

define( 'DISALLOW_FILE_EDIT', true );

You can access this file in Cloudways by going to Server – Master Credentials and clicking Launch SSH Terminal, or by downloading it over SFTP, editing it locally, and uploading it back.

From there, follow Cloudways’ instructions on locating wp-config.php.
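Because the placement rule matters more than it looks, here is an added example (not from the article or from Cloudways) of making the change and checking it safely. It rewrites a constructed wp-config.php in memory: an existing define is updated in place, one that sits below the wp-settings.php require is moved up, and a check function confirms the constant is both true and early enough to take effect. The sample config and its placeholder credentials are constructed for the example; run the functions against a downloaded copy of your real wp-config.php before uploading the result.

```python
import re

# Constructed wp-config.php excerpt for this example; the credentials are placeholders.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'placeholder-not-a-real-password' );
$table_prefix = 'wp_';

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Older WordPress releases end this comment with "Happy blogging.", so only the prefix is matched.
STOP_MARKER = "/* That's all, stop editing!"
# The real cut-off: wp-settings.php bootstraps WordPress, so a define placed after it is never seen.
SETTINGS_REQUIRE = re.compile(r"require_once\s+ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]")


def _define_re(name):
    """Match define('NAME', <value>); with either quote style and loose spacing."""
    return re.compile(
        r"define\(\s*['\"]" + re.escape(name) + r"['\"]\s*,\s*(?P<value>[^)]*?)\s*\)\s*;"
    )


def set_wp_constant(config_text: str, name: str, value: str) -> str:
    """Return config_text with define( 'NAME', value ); in force.
    An existing define above the wp-settings.php require is rewritten in place; one that
    sits below it is removed and re-added in the right place; otherwise the line is inserted
    just above the stop-editing marker (or above the require, if a hand-edited file lacks it)."""
    new_line = f"define( '{name}', {value} );"
    existing = _define_re(name).search(config_text)
    require = SETTINGS_REQUIRE.search(config_text)
    if existing and (require is None or existing.start() < require.start()):
        return config_text[:existing.start()] + new_line + config_text[existing.end():]
    if existing:  # defined too late to take effect: drop it and re-insert in the right place
        config_text = config_text[:existing.start()] + config_text[existing.end():]
    lines = config_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.startswith(STOP_MARKER) or SETTINGS_REQUIRE.search(line):
            lines.insert(i, new_line + "\n")
            return "".join(lines)
    raise ValueError("neither the stop-editing marker nor the wp-settings.php require was found")


def constant_is_true(config_text: str, name: str) -> bool:
    """A check, not just a grep: the define must be set to true AND appear before the
    wp-settings.php require, otherwise WordPress never sees it."""
    define = _define_re(name).search(config_text)
    require = SETTINGS_REQUIRE.search(config_text)
    if define is None or require is None:
        return False
    return define["value"].strip().lower() == "true" and define.start() < require.start()


def disable_file_editing(config_text: str) -> str:
    return set_wp_constant(config_text, "DISALLOW_FILE_EDIT", "true")


if __name__ == "__main__":
    hardened = disable_file_editing(SAMPLE_WP_CONFIG)
    print(hardened)
    print("file editing disabled:", constant_is_true(hardened, "DISALLOW_FILE_EDIT"))
```

The same two functions work for any other wp-config constant you decide to set; the placement check is the part worth keeping in a post-change script, since a constant that lands below the require fails silently.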

B. XML-RPC

The XML-RPC protocol lets remote clients, such as the WordPress mobile app and some plugins, call into your site. However, it’s also a favourite of attackers: its system.multicall method lets hundreds of login attempts be packed into a single request, which sidesteps simple per-request login limits, and its pingback feature has been abused to make WordPress sites send attack traffic to other servers.

Before disabling it, check that nothing you rely on still needs it (the mobile app, Jetpack, and some remote publishing tools have historically depended on it).

The good news is that you can disable this too. The even better news is that you don’t have to edit any code to do it.

To disable XML-RPC in Cloudways, go to Application – Application Settings – WordPress Settings and toggle the switch into the off position.
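Steps 4 and 7B both describe attacks that leave a clear trail in your server’s access log. As an added example (not from the article or from Cloudways), here is a small detector that parses combined-format log lines, counts failed wp-login.php POSTs and xmlrpc.php POSTs per client IP within a sliding window, and exempts addresses on your own allowlist (the same idea as the SSH/SFTP whitelist in step 1B) so that a colleague’s typos never block the team. The log lines are constructed and use documentation IP ranges; the five-in-five-minutes threshold is an assumption to tune for your traffic.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in combined log format. The addresses are RFC 5737
# documentation ranges, not real clients.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2024:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2024:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2024:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2024:13:56:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2024:13:56:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2024:13:57:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2024:13:57:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2024:13:57:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2024:13:57:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2024:13:57:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Oct/2024:13:58:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Oct/2024:13:58:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Oct/2024:13:58:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]          # drop the query string before matching
    return m["ip"], ts, m["method"], path, int(m["status"])


def is_failed_login(method, path, status):
    # WordPress answers a failed wp-login.php POST by re-rendering the form (HTTP 200);
    # a successful login redirects (302), so a 200 on a POST is the failure signal.
    return method == "POST" and path.endswith("/wp-login.php") and status == 200


def is_xmlrpc_post(method, path):
    return method == "POST" and path.endswith("/xmlrpc.php")


def exceeds_rate(times, threshold, window):
    """True if `threshold` or more events fall inside any sliding window of length `window`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def find_abusers(log_text, allowlist=(), threshold=5, window=timedelta(minutes=5)):
    """Map each offending IP to the reasons it was flagged. Addresses inside an allowlisted
    CIDR are never flagged, so your own team cannot lock itself out by mistyping a password."""
    trusted = [ipaddress.ip_network(cidr) for cidr in allowlist]
    failed_logins = defaultdict(list)
    xmlrpc_posts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if is_failed_login(method, path, status):
            failed_logins[ip].append(ts)
        elif is_xmlrpc_post(method, path):
            xmlrpc_posts[ip].append(ts)
    verdicts = {}
    for ip in sorted(set(failed_logins) | set(xmlrpc_posts)):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:          # logs with resolved hostnames cannot be allowlisted by CIDR
            addr = None
        if addr is not None and any(addr in net for net in trusted):
            continue
        reasons = []
        if exceeds_rate(failed_logins[ip], threshold, window):
            reasons.append("wp-login.php brute force")
        if exceeds_rate(xmlrpc_posts[ip], threshold, window):
            reasons.append("xmlrpc.php flood")
        if reasons:
            verdicts[ip] = reasons
    return verdicts


if __name__ == "__main__":
    for ip, reasons in find_abusers(SAMPLE_LOG, allowlist=["198.51.100.0/24"]).items():
        print(ip, "->", ", ".join(reasons))
```

On the sample data the script flags 203.0.113.7 for the login brute force and 192.0.2.9 for the XML-RPC flood; 198.51.100.4 makes the same number of failed logins but is on the allowlist, and 203.0.113.20 fails twice then logs in successfully, which is ordinary user behaviour. Once XML-RPC is disabled in Cloudways, any POST to xmlrpc.php that still shows up is pure reconnaissance and worth treating as hostile on its own.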

8. Use of Security Plugins

WordPress security plugins such as Sucuri, Wordfence, or BulletProof Security provide added protection for your site, offering a suite of tools that make it easy to manage security settings from within the WordPress dashboard.

These plugins, along with other popular options such as Solid Security and Jetpack, provide features such as:

  • Malware scanning and notifications
  • Two-factor authentication
  • Spam filtering
  • IP address white-listing.

Combined, this gives you multiple layers of protection from a single plugin. Pick one suite and stick with it: running two full security suites at once tends to produce conflicts and duplicated scanning rather than extra safety.

9. Staging Environment for Testing

The more your site grows, the more updates you’ll be making. The more updates you make, the greater the risk that something might go wrong, negatively affecting the experience of your end-users.

The easiest way to prevent that is to use Cloudways’ staging environment feature, which lets you create a clone of your live website and test any changes on the clone without touching the live site.

That way, if something doesn’t turn out as expected, you can remedy the problem before migrating those changes back to your live site.

Here’s how it works:

A. Create a New Staging Environment

Click on your WordPress site under Applications to bring up the management options, then select Staging Management from the left-hand menu.

Next, click Launch Staging Application.

B. Select Your Server Option

You’ll be asked to select a server for your new staging environment.

Ideally, you should add a new server to ensure your cloned website is fully isolated from the live version, keeping potential problems to an absolute minimum. Remember that the clone contains a copy of your production database, user data included, so protect access to it as carefully as you protect the live site.

C. Manage and Migrate Changes

From there, you can find the staged version of your WordPress site under the Applications tab for your new server.

Open up the site and make any updates you need to make.

When you’re done, you can return to the Staging Management section to push changes from your staging environment to your live environment, and vice versa.

For example, if you have a new plugin you want to use, install it on the staging application, test that it works, and then click Push to copy it to the live site.

Alternatively, you might be experimenting with new page layouts, in which case test them out for functionality and mobile responsiveness in the staging environment and follow the same process to make those changes live.

Whatever updates you’re rolling out, clicking either the Push or Pull button will allow you to determine what is copied and, if you’ve already got your Cloudways backup options configured, make a live site backup in the process.

10. Monitoring and Alerts

Last but not least, it’s always worth checking that Cloudways’ monitoring features are:

  1. Active
  2. Configured correctly
  3. Sending alerts to an account that’s sure to receive them.

That way, you’ll be notified as soon as a problem arises and can act quickly in rescuing your site from harm.

First, head to Server – Monitoring to ensure server resource monitoring is up and running.

Here, you can also integrate New Relic, a cloud-based application performance monitoring platform. It’s a performance tool first and foremost, but unexplained error spikes, slowdowns, or unusual traffic are often the first visible symptom of a security problem, which is why it earns a place in a security checklist.

To do so, access or create your New Relic account and generate a license key.

Back in your Cloudways environment, select New Relic in the monitoring dashboard and paste your license key in the field provided.

From there, click Save Changes followed by Launch New Relic.

From now on, you’ll have access to real-time performance metrics, detailed insights into your website’s health, and alerts for potential issues.

Finally, be sure to check that alert notifications aren’t going to your spam folder or otherwise going ignored. Those of you working with a team may also want to explore how you can use CloudwaysBot to send notifications to communications platforms like Slack.

Improving WordPress Security

Whether you’re moving from WP Engine to escape the WordPress ban or signing up simply because Cloudways’ flexibility and scalability are just what you need, the 10 steps above will go a long way to enhancing your WordPress security on Cloudways.

Although 10 steps may seem like a lot, protecting your site ultimately comes down to three key things:

  • Restricting Access – From whitelisting remote server access via SSH/SFTP to disabling file editing and XML-RPC, the more doors you can bolt shut, the better.
  • Avoiding Negative Changes to Your Live Site – Use staging environments to test updates before pushing them to your live site while ensuring a backup copy is always on hand in case the worst happens.
  • Being a Proactive WordPress User – Cloudways may have many useful security features of its own, but you’ll still need to play a proactive role in maintaining your website by carrying out updates and using security suite plugins as an extra layer of defense.

And one final tip:

Take action now. The sooner you enhance security, the sooner you’ll see the benefits—safer user experiences and fewer risks to your business.

Managing a WordPress site can become demanding, especially as your business grows. Let us take care of the maintenance so you can stay focused on scaling up.

Check out our White Label WordPress Maintenance and Support services and keep your clients’ sites running smoothly without the extra burden.

  • Vijay Suthar is the IT Head and Partner responsible for Infrastructure & Server Administration at E2M. He has 10+ years of cross-platform experience in Systems Administration and holds a Master's degree in Computer Application, along with being a Microsoft-certified IT professional. He specializes in managing IT infrastructure, networking, web hosting, and database servers, including Cloud Computing, with superior troubleshooting and technical support abilities in migrations, network connectivity, security, and database applications.