Free guide: Learn how to make extra cash and provide a better client experience by reselling hosting

Download

Help articles Security

How does Flywheel keep my site secure?

Secure Site - WordPress Core

WordPress core files are locked down

One of the great things about WordPress is that everything is built around the same core software.  This allows plugin and theme authors to create awesome tools and designs that can be used by anybody running WordPress.

One of the not-so-great things about WordPress is that the same core that makes plugin and theme development easy can also make spreading malware easy.  Hackers love code shared by a large number of people since it allows their malicious changes to one piece of software to then to achieve wide-spread damage. What better place to make these kinds of changes than in the set of files every WordPress site is guaranteed to have: the WordPress core?

On Flywheel, nobody can overwrite your WordPress core files.

Everything in your WordPress install is locked down tight, aside from your custom content. Does somebody want to edit your wp-config.php file in order peddle creepy products on your site? Not on our watch!

Note

It is worth noting that locking down core files means users also can’t edit these things. This is a good thing because it’s best practice to leave core files alone as they’ll get swapped out in WordPress updates. You don’t want your hard work getting wiped out every time WordPress is updated (quite often). If there are files like wp-config.php that you’d like to make changes to, just let our team know and we’ll make those for you! Unlike manual edits, these will carry over from update to update.

Shield - WordPress up to date

Automatic WordPress updates

In order to prevent outsiders meddling with your stuff, we make sure your site is running the latest and greatest version of WordPress. These updates often include security patches, which close any doors and windows that hackers may have found in previous versions.

On Flywheel, these updates are automatic and usually happen within a few days of their release.

Note

While we strongly advise that our customers stay on the automatic update cycle, we will allow customers to stay on older major releases of WordPress. We will still provide periodic minor security updates to these older versions as they are released to keep your sites secure. That being said, it is very important to us that sites on Flywheel do not fall more than two major releases behind the update schedule. If they do, we may reach out to you work out a strategy for getting back on the update wagon.

Insecure passwords? Not on our watch.

Although it may not seem like a big deal, having hard-to-guess username and passwords really goes a long way on WordPress. Due to the uniform structure of WordPress, a lot of web bots will crawl across websites, simply appending a /wp-admin to the domain name. If the page loads, the bot will start trying username and password combos starting with some of the most common insecure passwords. So if you have a user named admin and a password of password1234, you’re at a pretty high risk of getting hacked.

That’s why Flywheel goes to great lengths to ensure that our customers use strong passwords. From our app to WordPress itself, if you try to create a new password that doesn’t make the cut, we’ll let you know.

Note

A secure password doesn’t have to be impossible to remember. Randall over at xkcd has a comic to help you come up with a super-secure password that you won’t forget. If you’d like to learn about hiding your wp-login page or additional security steps, check out our article here.

Intelligent IP Ban

Intelligent IP blocking

Intelligent IP address blocking on Flywheel detects intruders and blocks them across all sites on our servers within seconds.
We monitor popular points of entry for hackers and immediately lock out any IP address trying to get through. These points include:

  • Failed SSH Access Attempts
  • Failed WordPress Login Attempts
  • Spam WordPress Comments
  • XMLRPC Connections

Flywheel uses a variety of techniques to block traffic starting with preventing known malicious IP addresses from opening a session with the server, which is a very severe and immediate action. Another softer layer of security we provide is our proprietary caching ban. This method detects “banned” access attempts and displays a cached page to the visitor stating that their connection has been banned. This method stops the connection at the highest layer of the Flywheel software stack and utilizes the fewest server resources while still presenting a user-friendly response. In the rare of occasion that a user has forgotten their password and keeps trying dozens of time in just a few minutes, they’ll see a ban page but will be presented with easy, on-screen instructions to get their IP un-banned.

Since banned IP information is shared across sites, we develop a kind of “herd immunity” to malicious actors in real time as the attacks come in. So your site’s protected from hackers before they even try to attack your site.

 


Proactive Malware Scan
Malware monitoring

We pride ourselves on keeping the bad guys out of your site’s files and database through the preventative security measures mentioned above. That being said, malware prevention is an ongoing cat and mouse game where systems have to react and adapt to the ever-changing security gaps introduced by third-party plugins, third-party themes, or weak passwords.

In the event that you find your site has been compromised by a plugin or theme vulnerability, Flywheel’s Happiness Engineers can jump in right away and get to work cleaning up the infection. We’ll also notify you of our progress along the way.

If we learn of a wide-spread malware vulnerability within a particular plugin, we will send out messages to owners of all sites currently running the vulnerable versions of this plugin and will encourage them to update to the latest version or remove the plugin.

 



Free malware removal

In the rare event of a site getting hacked, our incredible support team of WordPress experts will quickly and carefully remove the malware for you.  For free.

Steps that you can complete while we’re working on cleanup are updating all themes and plugins on the site to their most recent version, uninstalling any plugins or themes that aren’t being used any longer, and updating all admin user passwords to something as strong as possible. Since outdated plugin/theme versions and insecure passwords are overwhelmingly the cause behind WordPress sites becoming infected with malware, taking care of these updates as soon as possible will also help us to ensure the site stays clean while we’re working on it.

Was this article helpful?

  • Billing & Accounts

    Questions relating to payments, billing and managing your account on Flywheel.

    14 Articles
  • Blueprints

    Learn everything there is to know about what Blueprints are, how to create them and how to make the best use of them.

    5 Articles
  • Database

    How to access your WordPress database to make changes and update content.

    3 Articles
  • Domain Names

    Details about how to manage DNS and point your domain names at Flywheel.

    14 Articles
  • Frequently Asked

    The most commonly asked questions, and a few we just think you should know.

    26 Articles
  • General Questions

    Questions that don't fit elsewhere, or those about Flywheel in general.

    58 Articles
  • Getting started

    Everything you need to know to get your first Flywheel site up and running.

    16 Articles
  • Local by Flywheel

    Everything you need to know about our amazing, free local WordPress development software for Mac and PC.

    15 Articles
  • Organizations

    Everything you need to know about managing your team with our Organizations feature.

    8 Articles
  • Plugins

    Which plugins work best, which plugins work worst, and everything in between.

    7 Articles
  • Security

    Details about everything Flywheel does to makes your site so secure.

    15 Articles
  • SFTP

    Information on setting up and troubleshooting with SFTP connections and file transfers.

    5 Articles
  • Simple SSL

    All there is to know about our free, automatically installed and activated SSL certificates.

    9 Articles
  • Staging

    How to get the most out of Staging, which allows you to duplicate a site, make changes, and then push those changes to the live site.

    6 Articles
  • White Label

    Everything you need to know about our Whitelabel subscriptions for branding and reselling Flywheel.

    4 Articles

Flywheel help

Help is just a click away! Log into the Flywheel dashboard to instantly chat with an expert, open a ticket, or follow along with in-depth documentation. We happily offer support 24 hours a day, 7 days a week, 365 days a year!

Log in

Try it yourself. It's free & takes less than 60 seconds. Sign up