Security

Secure Hosting

ServerPilot is designed to keep your servers secure and your data safe. Our team has a strong security background. Security research published by our team members includes identifying vulnerabilities in Linux package managers, designing secure software update systems, and securing browsers against CSRF exploits.

How to Manage Public SSH Keys

If you would like to login as a ServerPilot system user without having to use a password, you can do so by adding SSH public keys to your account.

How to Force SSL by Redirecting HTTP to HTTPS

Once you have enabled SSL on your site, ServerPilot makes it easy to redirect all plain HTTP requests to HTTPS.

How to Maintain a Secure Server and Apps

Maintaining the security of your apps and servers is key to the success of your business and that of your clients.

Firewall Rules

ServerPilot enables an iptables firewall on your server. The firewall allows only the following incoming ports:

- TCP port 22 (SSH)
- TCP port 80 (HTTP)
- TCP port 443 (HTTPS)

If you need to change any of these settings, be sure to read our article on customizing the firewall.

How to Use SSH Public Key Authentication

Public key authentication is a way of logging into an SSH/SFTP account using a cryptographic key rather than a password.

How to Enable TLS 1.0 and TLS 1.1

By default, TLS 1.0 and TLS 1.1 are disabled on your server as they are outdated protocols that are no longer considered secure.

How to Disable TLS 1.0

ServerPilot no longer supports TLS 1.0 or TLS 1.1. This article is obsolete. You do not need to take any action to disable TLS 1.

How to Enable SSH Password Authentication

Some server providers, such as Amazon EC2 and Google Compute Engine, disable SSH password authentication by default. That is, you can only log in over SSH using public key authentication.

How to Configure CAA Records

Creating a CAA record is not required. If you are having problems obtaining an SSL certificate due to your domain having an incorrect CAA record, you should delete your domain's incorrect CAA record.

How Changing Your root Password and SSH Port Affects ServerPilot

After the initial installation, ServerPilot does not depend upon SSH or your root password in any way, so you may change the SSH port, disable password authentication, etc.

How to Create a Strong Password

Password strength is one of the most important factors in determining the ability of your server and your apps to ward off brute force attacks.

How to Install and Configure the Wordfence Plugin for WordPress

HeatShield is a Wordfence alternative from the developers of ServerPilot. HeatShield is the only WordPress plugin that uses ModSecurity. Wordfence Security is a free plugin for WordPress that includes a web application firewall (WAF), virus scanning, and real-time traffic monitoring with geolocation.

Automatic Package Updates

ServerPilot automates daily updates of your Ubuntu server's installed .deb packages. This includes packages ServerPilot installs as well as any additional packages you install from Ubuntu's repositories.

How to Customize Your Server's Firewall

If you need your server's firewall rules to be different than the firewall rules configured by ServerPilot, you can customize your server's firewall.

Fail2ban Alternative

Fail2ban is a script for blocking SSH brute force login attacks. However, using Fail2ban puts you at risk of locking yourself out of your server and makes it difficult to know what addresses are blocked or how to whitelist them.

Guide to PCI Compliance

The Payment Card Industry (PCI) Data Security Standard is an information security standard for the handling of credit card information.

How to Allow IP Addresses with a .htaccess File

If you wish to only allow specific addresses to access an app, you can add the following to your app's .

How to Block Brute Force Attacks in WordPress

A brute force attack on WordPress occurs when an attacker attempts to log in to WordPress by trying a large number of common passwords.

How to Block IP Addresses with .htaccess

If you suspect you are under attack from a specific IP address, you can block it from accessing your server by using a service like CloudFlare or by using security plugins if you're running WordPress.

How to Block IPs with CloudFlare

If you use CloudFlare for your site, you can change your settings to block visitors by IP range. First, log in to your CloudFlare account and select Firewall from the menu.

How to Check WordPress Plugins and Themes for Vulnerabilities

Vulnerable plugins and themes are the leading causes of WordPress compromises. To ensure the security of your app's code, you should use a web-application firewall, such as CloudFlare or Wordfence.

How to Configure Protect in WordPress

Protect is a key part of WordPress's Jetpack plugin that helps block brute force attacks against your site. Protect provides brute force attack prevention by tracking failed login attempts across all Jetpack installations and blocking any IP that has too many failed login attempts.

How to Disable SSH Password Authentication

As long as you use strong passwords, it is not necessary to disable SSH password authentication for your server; however, you can disable it if you would like.

How to Enable Cross-Origin Resource Sharing (CORS)

By default, web browsers do not allow websites to make cross-origin requests in certain security-sensitive situations. To tell browsers to allow cross-origin requests to a site that belongs to you, you can use cross-origin resource sharing (CORS).

How to Enable HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a security mechanism in which a website tells the browser that all future requests should be made over HTTPS.

How to Password Protect a Directory

If you want to limit access to one of your apps, you can place password protection on it using a .

How to Password Protect a Single File

You can give limited access to a single file on your server by using a .htaccess file, similar to protecting a directory.

How to Reset the Firewall

If you have customized your firewall, you can easily reset it back to ServerPilot's default settings. First, open your server in ServerPilot and navigate to the Settings tab.

How to Stop Spam Comments on WordPress with Akismet

Just like the unwanted messages in your email inbox, comment spam consists of unsolicited advertisements or links to other sites that can appear in the comments on your site's forums, blogs, wikis, and guestbooks.

How to Use CloudFlare with ServerPilot

For additional security from online threats to your site, CloudFlare is a popular—and free—content delivery network (CDN) that accelerates your site while protecting it from DDOS (distributed denial of service) attacks.

How to Use CloudFlare with WordPress

The CloudFlare plugin is compatible with the HeatShield WordPress firewall plugin. The CloudFlare plugin works in tandem with Akismet to filter spam comments on your WordPress site.

How to Use NinjaFirewall for WordPress

HeatShield is an alternative WordPress firewall plugin that uses ModSecurity. HeatShield is developed by us, the developers of ServerPilot. NinjaFirewall is a stand-alone web application firewall that stands between your WordPress site and everyone else.

What Is SSL?

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols used for securing the communication between web browsers and servers.