No single tool secures a WordPress site. We layer defenses at every point in the stack, so if one layer is bypassed, the next one catches the problem. Every layer below is in place by default on every PMPro Hosting site: nothing to configure, nothing to maintain. You do not need and should not use any additional security plugins or third-party paid tools on your PMPro-hosted site.

Security By Layer

1. Network Edge: Cloudflare

Every customer domain sits behind Cloudflare’s network, which provides DDoS mitigation and bot management. We’re actively standardizing WAF rules across all customer sites.

2. Server Firewall (UFW)

At the OS level, the firewall only permits SSH, HTTP, and HTTPS. Everything else is closed. Redis, MySQL, and PHP-FPM are bound to localhost and cannot be reached from the public internet.

3. Fail2Ban: Log-Driven Ban System

Fail2Ban watches your server logs in real time and automatically bans IPs that misbehave:

  • SSH: 5 failed logins → 24-hour ban.
  • WordPress comment spam: 3 POSTs to wp-comments-post.php in 2 minutes → 24-hour ban.
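
To show how the comment-spam threshold above behaves on real traffic, here is an added example (not PMPro Hosting's configuration and not Fail2Ban itself) that applies the same 3-POSTs-in-2-minutes rule to access log lines. The Apache combined log format, the function name find_bans and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAXRETRY = 3                      # POSTs that trigger a ban (from the page)
FINDTIME = timedelta(minutes=2)   # counting window (from the page)
BANTIME = timedelta(hours=24)     # ban length (from the page)

# Assumption: Apache combined log format; adjust the pattern for other formats.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-comments-post\.php(?:\?\S*)? HTTP/[\d.]+"'
)

def find_bans(lines):
    """Return [(ip, banned_at, banned_until)] for chronologically ordered lines."""
    hits = defaultdict(deque)   # ip -> timestamps of matching POSTs in the window
    banned_until = {}
    bans = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # not a comment POST, so it never counts
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in banned_until and ts < banned_until[ip]:
            continue            # already banned; the firewall would drop this
        window = hits[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()    # forget POSTs older than the 2-minute window
        if len(window) >= MAXRETRY:
            banned_until[ip] = ts + BANTIME
            bans.append((ip, ts, ts + BANTIME))
            window.clear()
    return bans

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Apr/2026:10:00:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [23/Apr/2026:10:00:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [23/Apr/2026:10:00:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [23/Apr/2026:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Apr/2026:10:01:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [23/Apr/2026:10:01:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [23/Apr/2026:10:03:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG))
```

In the sample, 203.0.113.7 is banned on its third POST within 90 seconds, while 198.51.100.9 sends three POSTs spread over more than 2 minutes and is not banned.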

4. Apache Hardening

Beyond the network edge, Apache itself enforces:

  • Backup-file blocking: Direct requests to .tar, .tar.gz, .zip, .sql, .bak, and similar extensions return 403. Attackers can’t download a stray backup.sql if it lands in the web root.
  • Comment-origin check: Pingback and bot comment attempts that don’t originate from the site or pass through Cloudflare are rejected before reaching PHP.
  • Directory listing disabled on every virtual host.
  • SSL enforced site-wide. HTTP redirects to HTTPS; admin and login are HTTPS-only.

5. WordPress Hardening

Every site’s wp-config.php ships with security defaults locked in:

| Constant | Effect |
|---|---|
| DISALLOW_FILE_EDIT | No in-browser theme/plugin file editing. Removes a common post-compromise tool. |
| FORCE_SSL_ADMIN | Admin and login always use HTTPS. Session cookies are HTTPS-only. |
| FS_METHOD = direct | No FTP credentials stored or needed for updates. |
| DISABLE_WP_CRON | Replaced with a server-level scheduled runner. Attackers can’t spam the cron endpoint to cause load. |

The PMPro Hosting plugin also provides a Clear Logged-In User Sessions button in the Tools panel. Use it if you suspect unauthorized access.

6. Isolated Per-Site Droplets

Each customer gets a dedicated DigitalOcean Droplet. No shared hosting, no shared filesystem, no noisy neighbors. A compromise on someone else’s site cannot reach yours.

7. Managed OS and Web Stack Updates

Operating system, Apache, PHP, MySQL, and Redis patches are applied by us, including security updates. WordPress core, themes, and plugins remain the customer’s responsibility (you own your site), but the platform underneath is kept current.

8. Daily Malware Detection

Every site is scanned daily (and on demand) by our built-in health check. See the Malware Detection and Cleanup page for details.

9. Transactional Email Protection

All outgoing email is routed through a local Postfix relay with per-domain rate limits. One compromised site can’t burn through the shared sending reputation. If a site hits its limit, emails queue for retry instead of silently failing. Your password resets and receipts stay reliable.

10. Encrypted, Off-Site Backups

Daily backups run to a separate S3 bucket, independent of the server itself. Plus, DigitalOcean automatically snapshots the whole Droplet nightly. If anything catastrophic happens, we rebuild from backup.

Default Retention Terms: 7 daily, 4 weekly, 6 monthly, 1 yearly.

Admin Access Without Shared Passwords

Support engineers never log in with your admin password. We use Magic Admin links: one-time URLs that expire automatically and leave an audit trail. Temporary access is explicit, scoped, and cleaned up on its own.

What You Don’t See in the Plugin Admin

A lot of what keeps your site safe happens outside WordPress entirely: at the network edge, at the server, or at the mail relay. We don’t surface every dial and log, by design: the point is that it just works. Every layer above is in place the day your site provisions.

Last updated on April 23, 2026