Protecting your site and data is one of our top priorities. Here you can learn about steps we take to protect your site and suggestions to keep the site secure. Additionally, you can learn how we handle incidents and how to stay informed of issues that may impact your site.
We do not share the entirety of our security practices to keep some aspects confidential and guarded.
Platform Protections in Place
Full SSL
Ensuring your privacy and security is paramount, which is why we encrypt all Pressable sites using strong encryption (SSL). We also automatically redirect all insecure HTTP requests to the secure HTTPS version via a 301 redirect. You can learn more about how we secure your domain with SSL here.
Network Level Protection
Pressable preloads our Web Application Firewall with an intricate set of rules specifically for blocking web, PHP, and WordPress exploits. We’ve built this alongside Automattic to give you these protections without the need for third-party tools.
This is on top of a network of datacenters globally, which power a built-in CDN and global edge cache. All inbound requests route through an Anycast range of IPs, connecting the visitor to the closest edge data center. Each edge has a load balancer that determines if the request should route to a core datacenter or to cache. This also provides a layer of traffic protection and can dynamically route traffic differently based on incoming demand.
Anycast Network
With our Anycast Network, a request to a single IP address can be routed to one of many servers, routing the request to the best available server. Not only does this mask the IP address a physical machine is attached to, it helps to serve requests from a location geographically near the end user for a low latency connection to your site. Pressable offers this protection, similar to Cloudflare’s network, out of the box with no extra configuration needed. This setup, coupled with Edge Cache, gives you page caching as well as a CDN for static assets from day one.
Defensive Mode
Under attack? Pressable’s defensive mode setting will show a challenge page, helping to mitigate spam bot and DDoS attack requests. Legitimate users will briefly see the challenge page before the site loads in their browser.
Security Team
By default, most sites can easily withstand a large influx of traffic or even a DDoS attack without our WAF, specialized rate limiting, and layers of DDoS protections; however, we have a dedicated team that actively monitors the network and ensures we’re deploying optimal resources and DDoS mitigations to prevent unnecessary resource utilization. This is on top of active vulnerability monitoring and platform-level mitigations for critical vulnerabilities without the need for plugin/theme/core updates or the need for Cloudflare-type proxies, as they can scramble security signatures.
Security Testing
We’ve established a bug bounty program with HackerOne to incentivize individuals who identify vulnerabilities, helping to bolster our security.
Please be aware that if you choose to conduct security testing on your Pressable-hosted site, we don’t add IPs to allow lists. You’re encouraged to test freely, but our system won’t indicate whether scan traffic is for testing or harmful. This may result in temporary IP address blocks of your security scanner.
Jetpack Security
Once activated and connected, Jetpack includes a variety of protection features for your site including real-time malware scanning and site backups.
Regular Backups
Pressable also offers daily filesystem backups and hourly database backups, as well as on-demand backups.
Suggestions for Keeping Your Site Secure
Use a Strong, Unique Password
Using a strong, unique password is crucial for safeguarding your online accounts and personal information. A strong password enhances security by making it difficult for unauthorized individuals to guess or crack. It acts as a first line of defense against cyber threats such as hacking and identity theft. By choosing a strong password and regularly updating it, you significantly reduce the risk of unauthorized access. It is also important that your password isn’t used on any other accounts, as that increases the likelihood of compromise.
Two-Factor Authentication (2FA)
To secure your Pressable account, an additional security layer can be enabled for the MyPressable Control Panel by enabling 2FA. With MyPressable two-factor authentication enabled, you need a code from your mobile phone to authenticate the login.
Update Plugins and Themes
Keeping your WordPress plugins and themes up to date is crucial for the security and functionality of your website. Updates often include patches for known vulnerabilities, which help protect your site from potential attacks and breaches. Additionally, updates can introduce new features, improve performance, and ensure compatibility with the latest WordPress version and other plugins. By regularly updating your plugins and themes, you enhance your site’s security and optimize its performance, providing a better experience.
Pressable offers a plugin management feature that can schedule automatic updates of your plugins.
Incident Response
We do not share the entirety of our security practices to keep some aspects confidential and guarded.
The steps we take in response to a security incident depend on the severity and the nature of the incident. Here is a general outline of the main actions we take:
- Internal communication regarding the issue.
- Relevant team investigates the issue.
- Compromised systems are cut off from access.
- Relevant logs and data are preserved for analysis during the investigation.
- Public communications, including posting on https://pressablestatus.com/ and, if needed, direct customer communications.
- In-depth review of incident, root causes, and our response. Identify recommendations for better future processes and responses to avoid similar incidents in the future.
- Continue to monitor any further indication of compromise or suspicious activity, as needed.