Security Tips

We are trying to make the code as safe as possible, but some of the security related aspects are up to the site owner. This page lists some tips for you to read.

Always use HTTPS instead of HTTP
The main advantage of using HTTPS is that all the requests which are sent from the browser to the server are encrypted. This might not be very important for the random user reading the content of the site, but it is very important for logged in users, as each request carries the user’s login information in a cookie.

If not encrypted, as happens while using HTTP, anyone that controls equipment through which the request is delivered can read (and manipulate) that information. For example, the owner of the coffee shop is able to see your authentication cookies, and use them to “hijack” your site.

It used to be that the certificates required to be installed at the server to enable the usage of HTTPS cost money, but nowadays shared hosting providers are likely to offer this service for free, and if you are using your own VPS to host your calmPress you can use let’s encrypt to get one for free. If it is not clear how to use it, you should ask your hosting provider about that (most of them probably have documentation which explains it).

Why do we keep the option of running calmPress on HTTP?

• On local host setups, which many developers use for their development environment, it is almost impossible to get and configure a proper certificate.
• Less friction for people that want to migrate HTTP based sites from WordPress to calmPress.

Use your own VPS (Virtual Private Server)
We do not have anything specific against shared hosting, but the security risk when you are hosting on a machine to which many other people, who you know nothing about, have access to is by definition higher.

With your own VPS you are assured that the only people that have access to your server are you, people you approved, and the hosting stuff and no one else. It used to be that VPS was expensive, but for a long time basic setups are not much more expensive than basic shared hosting plans.

The main cost in a VPS is setting it up and doing anything which relates to administering the VPS. With shared hosting you are likely to just ask the support if you fail to understand how to do things by yourself, but with a VPS you will either need to learn it, or hire someone. Some VPS providers offer the administration support for extra cost.

Use one site per VPS
The reason is that a security breach on one of the sites might cause the “infection” of another. From a security point of view it is better to have unrelated sites on a different VPS.

Directory permission
It is unfortunately common in WordPress setups to have all the directories writable by the user associated with the web server (many times www-data). This way it is easier to make modifications to the .htaccess and wp-config.php files from the admin, and easier to install and upgrades plugins and themes.

The problem is that with this kind of setup, any “bad” php file can modify all the other files in the system, and in case of a security breach, it is much harder to hunt down all the changes which were done by the malware.

In this context “bad” php does not mean that the file was explicitly designed for hacking the site, but any file which has security weaknesses which can be used in such a way.

The additional effort of entering the FTP credentials when doing plugin and theme install/upgrade is nothing compared to the effort of recovering a hack site.

What does it mean in technical terms
All directories, except for the uploads one, should be associated with the user you are using for FTP. The uploads directory should be associated with the web server user.

If you are hosting more than one site on a VPS it is also wise to use a configuration in which the web server uses different users when handling different sites.

If you are using a VPS, and properly upload files only via SFTP, you should consider running an FTP server which is limited to handling only requests from the local machine and local users for the use case  of installing plugins and themes from the admin.

Always have backups
Restoring from a known good backup is the only sure way to recover from a hack. Sophisticated malware is going to leave extra files, or newly created admin users which it can use in the future to reestablish itself even after you have “cleaned” it, and you can never be 100% sure that you found and removed it from all the places that it was hiding.