{"id":5488,"date":"2024-10-18T10:13:09","date_gmt":"2024-10-18T08:13:09","guid":{"rendered":"https:\/\/www.lrob.fr\/?page_id=5488"},"modified":"2024-10-18T23:24:56","modified_gmt":"2024-10-18T21:24:56","slug":"security-and-vulnerabilities","status":"publish","type":"page","link":"https:\/\/www.lrob.fr\/en\/doc\/hebergement-wiki\/securite-et-failles\/","title":{"rendered":"Security and vulnerabilities"},"content":{"rendered":"<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Contents<\/h2><nav><ol><li class=\"\"><a href=\"#p\">The two main principles of IT security<\/a><\/li><li class=\"\"><a href=\"#s\">LRob safety devices<\/a><ol><li class=\"\"><a href=\"#securite-par-defaut\">Default security<\/a><\/li><li class=\"\"><a href=\"#securite-pour-word-press\">Security for WordPress<\/a><\/li><\/ol><\/li><li class=\"\"><a href=\"#f\">Security vulnerabilities<\/a><ol><li class=\"\"><a href=\"#f-1\">Server vulnerabilities<\/a><\/li><li class=\"\"><a href=\"#failles-frequentes\">CMS vulnerabilities<\/a><\/li><\/ol><\/li><\/ol><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"p\">The two main principles of IT security<\/h2>\n\n\n\n<p>According to LRob, there are two main principles that are as inescapable as they are dogmatic:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-style-plain is-layout-flow wp-block-quote-is-layout-flow is-style-plain--1\" style=\"font-size:clamp(0.929rem, 0.929rem + ((1vw - 0.2rem) * 0.62), 1.4rem);\">\n<ol class=\"wp-block-list\">\n<li>The final safety of a system is that of the weakest link in its chain.<\/li>\n\n\n\n<li>Safety at 100% is illusory (and anyone who claims otherwise is a liar or ignorant).<\/li>\n<\/ol>\n<cite>Robin LABADIE<\/cite><\/blockquote>\n\n\n\n<p><em>Note that users and administrators are part of the security chain.<\/em><\/p>\n\n\n\n<p>That's why we mustn't neglect any aspect of security, any link in the IT chain, because even if we do our best, we can still let things slip through the 
cracks, and we're never safe from a \"0-day\" flaw, i.e. one that's exploited before it's corrected.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"s\">LRob safety devices<\/h2>\n\n\n\n<p>LRob servers feature many levels of security designed to block attacks at the very top of the server chain. We try to be impeccable in every aspect, to get as close as possible to 100% security. Remember that perfect security never exists, but we can try to get as close as possible. LRob's security measures are rigorous, and some are unprecedented in the world of hosting providers, to ensure the highest possible level of security.<\/p>\n\n\n\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-77d436d9 wp-block-columns-is-layout-flex\" style=\"margin-top:var(--wp--preset--spacing--40);margin-bottom:var(--wp--preset--spacing--40);padding-right:0;padding-left:0\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\" id=\"securite-par-defaut\">Default security<\/h3>\n\n\n\n<p>The ultimate \"out of the box\" server security!<\/p>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-4b827052 wp-block-group-is-layout-flex\">\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong>ModSecurity application firewall<\/strong><\/summary>\n<p>Effectively blocks malicious requests before they reach your sites. In the event of a repeat offence, fail2ban blocks the attacking IP for even greater security.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong>Fail2ban anti-bruteforce<\/strong><\/summary>\n<p>Completely blocks repeated unauthorized access to all server services. 
IP blocking of brute-force attempts on WordPress, Plesk, Email and FTP. Also blocks bots searching for vulnerabilities on servers.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong><strong>Site isolation<\/strong><\/strong><\/summary>\n<p>Each site is isolated under its own system user. If a problem occurs on one site, it cannot affect the others.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong>Server antivirus<\/strong><\/summary>\n<p>ImunifyAV regularly scans sites.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong><strong>PHP update<\/strong><\/strong><\/summary>\n<p>If you forget, we'll take care of it for you!<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong><strong>Daily server updates<\/strong><\/strong><\/summary>\n<p>Weaknesses in server applications may also exist (even if hosting companies deny this outright). 
Updating your software on a daily basis will keep your hosting as secure as possible.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong>Daily host backups<\/strong><\/summary>\n<p>Outsourced backups with one-year retention for maximum peace of mind.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong>SSL\/TLS certificates included<\/strong><\/summary>\n<p>Automatic TLS certificate generation &amp; HTTPS forced by default. Free wildcard certificates available if you manage your sites' DNS zones via LRob.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong>Strong encryption<\/strong><\/summary>\n<p>Exclusive use of secure TLS ciphers.<\/p>\n<\/details>\n<\/div>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\">\n<h3 class=\"wp-block-heading\" id=\"securite-pour-word-press\">Security for WordPress<\/h3>\n\n\n\n<p>WordPress security made easy!<\/p>\n\n\n\n<div class=\"wp-block-group is-vertical is-layout-flex wp-container-core-group-is-layout-4b827052 wp-block-group-is-layout-flex\">\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong><strong>Control at a glance<\/strong><\/strong><\/summary>\n<p>Your hosting panel highlights any anomalies in your WordPress instances.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong><strong>Automatic WordPress 
updates<\/strong><\/strong><\/summary>\n<p>Activated with a few clicks for maximum security at all times.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong><strong><strong>WordPress Login Protection<\/strong><\/strong><\/strong><\/summary>\n<p>Blocks brute-force attacks on your WordPress login by IP.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong>Server antivirus<\/strong><\/summary>\n<p>ImunifyAV regularly scans sites for known malicious files. In the event of an anomaly, you'll receive an email.<\/p>\n<\/details>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-container-core-details-is-layout-8a368f38 wp-block-details-is-layout-flow\"><summary><strong><strong><strong>WordPress security vulnerability detection<\/strong><\/strong><\/strong><\/summary>\n<p>Manually check for vulnerabilities and receive alerts when new vulnerabilities are detected, so you can react quickly.<\/p>\n<\/details>\n<\/div>\n\n\n\n<details class=\"wp-block-details is-style-default is-layout-flow wp-block-details-is-layout-flow\"><summary><strong><strong><strong>See the 24 security rules for WordPress<\/strong><\/strong><\/strong><\/summary>\n<ol class=\"wp-block-list\">\n<li>Change the default administrator username (admin)<\/li>\n\n\n\n<li>Block access to .htaccess and .htpasswd<\/li>\n\n\n\n<li>Block access to potentially sensitive files (logs, scripts, executables)<\/li>\n\n\n\n<li>Block access to files containing credentials<\/li>\n\n\n\n<li>Block bots looking for WordPress-specific vulnerabilities<\/li>\n\n\n\n<li>Change the default database table prefix<\/li>\n\n\n\n<li>Disable file editing in the WordPress dashboard<\/li>\n\n\n\n<li>Disable PHP execution in cache 
directories<\/li>\n\n\n\n<li>Disable unused scripting languages (Python, Perl, etc.)<\/li>\n\n\n\n<li>Disable pingbacks<\/li>\n\n\n\n<li>Disable script concatenation on the WordPress admin panel<\/li>\n\n\n\n<li>Block access to the wp-config.php file<\/li>\n\n\n\n<li>Prohibit execution of PHP scripts in the wp-content\/uploads directory<\/li>\n\n\n\n<li>Prohibit execution of PHP scripts in the wp-includes directory<\/li>\n\n\n\n<li>Block directory browsing (-indexes)<\/li>\n\n\n\n<li>Block access to the xmlrpc.php file<\/li>\n\n\n\n<li>Configure security keys<\/li>\n\n\n\n<li>Restrict access to files and directories (permissions)<\/li>\n\n\n\n<li>Block author scans<\/li>\n\n\n\n<li>Enable automatic updates<\/li>\n\n\n\n<li>Generate a secure password<\/li>\n\n\n\n<li>Automatically detect security vulnerabilities<\/li>\n\n\n\n<li>Scan the site for malicious files<\/li>\n\n\n\n<li>Use a PHP version that still receives security support<\/li>\n<\/ol>\n<\/details>\n<\/div>\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"f\">Security vulnerabilities<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"f-1\">Server vulnerabilities<\/h3>\n\n\n\n<p>Any security breaches that may occur on the server side are handled by LRob.<\/p>\n\n\n\n<p>LRob uses Linux (Debian) servers; Debian is a highly reliable, stable and secure distribution, well suited to a production web server. Security flaws in Linux are usually corrected very quickly, often before they become public knowledge.<\/p>\n\n\n\n<p>We have also put in place a number of measures to prevent server vulnerabilities, including active monitoring of Linux system vulnerabilities, with immediate manual updating when a vulnerability is found. 
We also automatically update all server applications on a daily basis, with a manual check on the first Monday of each month.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"failles-frequentes\">CMS vulnerabilities<\/h3>\n\n\n\n<p>Interactive and dynamic websites, such as those built with a CMS, are exposed to security vulnerabilities. That's why it's essential to control and secure the interactions between the user and your site.<\/p>\n\n\n\n<p>CMS like <strong>WordPress<\/strong> are regularly affected by security vulnerabilities. LRob provides many additional server-side safeguards and tools to help you stay secure. Nevertheless, when a vulnerability is disclosed, your site may remain exposed. So it's important to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep your CMS and plugins up to date (activate automatic updates).<\/li>\n\n\n\n<li>Use strong, unique passwords.<\/li>\n\n\n\n<li>Monitor site users and files to detect intrusions.<\/li>\n\n\n\n<li>Use Plesk tools to check for and correct any existing vulnerabilities (by updating, deactivating or replacing scripts).<\/li>\n\n\n\n<li>Use Plesk tools to add additional security rules to WordPress.<\/li>\n<\/ul>\n\n\n\n<p>Tools like Plesk's WordPress Toolkit help you keep your WordPress and other applications more secure than on most hosting packages. However, you can't rely solely on these additional safeguards: if your application is intrinsically insecure, it can still be hacked.<\/p>\n\n\n\n<p>Note that the PHP runtime executing your end-user application (CMS) may also contain security holes when you use an obsolete version that no longer receives security support. We recommend checking your PHP version once a year. 
Vulnerabilities arising from obsolete versions of PHP are avoided as far as possible by LRob, by pushing new versions of PHP to websites once a year (and by notifying any hosting owners whose sites are incompatible with new versions of PHP).<\/p>\n\n\n\n<p>If you suspect a hack or an unexpected change on your site, <a href=\"https:\/\/portail.lrob.fr\/support\/\" target=\"_blank\" rel=\"noopener\">contact your support<\/a>, who will guide you and help you effectively.<\/p>\n\n\n\n<div class=\"wp-block-group is-vertical is-content-justification-left is-layout-flex wp-container-core-group-is-layout-69824cbe wp-block-group-is-layout-flex\" style=\"margin-top:var(--wp--preset--spacing--40);margin-bottom:var(--wp--preset--spacing--40)\">\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-default\" style=\"margin-top:var(--wp--preset--spacing--40);margin-bottom:var(--wp--preset--spacing--40)\"\/>\n\n\n\n<p>Related pages:<\/p>\n\n\n<ul class=\"wp-block-page-list\"><li class=\"wp-block-pages-list__item has-child\"><a class=\"wp-block-pages-list__item__link\" href=\"https:\/\/www.lrob.fr\/en\/doc\/webmastering\/wordpress-docs\/\">WordPress Docs<\/a><ul class=\"wp-block-navigation__submenu-container\"><li class=\"wp-block-pages-list__item\"><a class=\"wp-block-pages-list__item__link\" href=\"https:\/\/www.lrob.fr\/en\/doc\/webmastering\/wordpress-docs\/installer-wordpress-chez-lrob\/\">Installing WordPress at LRob<\/a><\/li><li class=\"wp-block-pages-list__item\"><a class=\"wp-block-pages-list__item__link\" href=\"https:\/\/www.lrob.fr\/en\/doc\/webmastering\/wordpress-docs\/publier-des-pages-et-articles-avec-gutenberg\/\">Publishing pages and articles with Gutenberg<\/a><\/li><\/ul><\/li><\/ul><\/div>","protected":false},"excerpt":{"rendered":"<p>Les deux grands principes de la s\u00e9curit\u00e9 informatique Deux grands principes aussi incontournables que dogmatiques sont \u00e0 retenir selon LRob : A noter que les utilisateurs et administrateurs font 
partie de la cha\u00eene de s\u00e9curit\u00e9. C&rsquo;est pourquoi il ne faut n\u00e9gliger aucun aspect de la s\u00e9curit\u00e9, aucun maillon de la cha\u00eene informatique, car m\u00eame en [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":5511,"parent":5468,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-5488","page","type-page","status-publish","has-post-thumbnail","hentry"],"_links":{"self":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/5488","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/comments?post=5488"}],"version-history":[{"count":5,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/5488\/revisions"}],"predecessor-version":[{"id":5618,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/5488\/revisions\/5618"}],"up":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/pages\/5468"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media\/5511"}],"wp:attachment":[{"href":"https:\/\/www.lrob.fr\/en\/wp-json\/wp\/v2\/media?parent=5488"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}