Flywheel is a hosting company that focuses specifically on services tailored for WordPress websites. They offer amazing hosting features, performance and security options through their unique Dashboard, from which you can manage anywhere from 1 to 100 websites, as many as you need. If you aren’t familiar with Flywheel, visit their website to find out more about their extraordinary hosting services.
Flywheel invests a lot in security so they can live up to the highest security standards for all of their customers. I will try to highlight all the features that Flywheel provides and the procedures they implement to keep servers and websites under maximum protection. Let’s start with some general procedures that run at the server and platform level, and then move to more specific features and add-ons that users can use or activate per website.
A short description of each feature follows.
The Flywheel security story starts with an internal cross-department organization where every team is responsible for ensuring the highest security standards during development. This is something that users can’t see directly in their Flywheel dashboard or turn on and off, but these teams play significant roles in keeping Flywheel so protected. There are four teams at Flywheel:
- Security Team – The Flywheel Security Team is a cross-departmental effort focused on maintaining top-to-bottom security standards throughout the company.
- Software Engineering – The Software Engineering Team is dedicated to maintaining development standards for every line of code that Flywheel pushes to production.
- Infrastructure Engineering – The Infrastructure Engineering Team is invested in ensuring the security of code installed on customer websites.
- Hosting Operations – The Hosting Operations Team is responsible for resolving security vulnerabilities identified on customer sites.
Locked WordPress core files
As you probably know, WordPress is open-source software, and many developers and contributors work daily on updates, improvements and maintenance of the WordPress code. There is also a tremendous number of open-source themes and plugins that are used to improve the look and functionality of WordPress websites. An environment like this gives hackers plenty of opportunity to plant malicious software.
For example, a file that is often attacked is wp-config.php, because it contains your website’s database credentials. Flywheel locks the core files and makes them uneditable for users. To edit this file, a user needs to contact the Flywheel support team, which will carry out the edits.
Automatic WordPress core updates
WordPress core is frequently updated, and it’s important to always use the most recent WordPress version on your website, since many of these updates contain security patches. For an agency that maintains a large number of websites, this can be a time-consuming and repetitive process. This is why Flywheel offers automatic WordPress core updates for all Flywheel users. Flywheel will automatically perform these updates in a matter of days after a new one is released.
Flywheel users can choose which types of updates Flywheel should manage: all updates, or minor updates only. Flywheel will also allow users to run older versions of WordPress, but no more than two major releases behind.
Automatic WordPress plugins updates
This feature comes as an add-on at Flywheel and is not included in the pricing plans. It needs to be activated per website and is paid monthly. Users can also specify which plugins Flywheel may update for them. If Flywheel encounters a problem during an update, it will investigate the issue and help the website owner fix it. After a successful update, Flywheel will generate a detailed report about the work.
Keeping plugins up-to-date is very important from a security perspective. With Flywheel Managed Plugin Updates you can be sure that your website plugins will be updated to their latest versions.
If your website collects visitors’ data (for example credit card numbers for payment processors, or personal information for a contact form or login form), you want it to appear as a safe place on the World Wide Web for leaving that kind of information. Google will also value your website more if it runs with an SSL (Secure Sockets Layer) certificate.
Flywheel provides all their users with Let’s Encrypt Simple SSL certificates. Certificates can be installed with a few clicks from the Flywheel Dashboard. You can also secure more than one domain for the same website, as of August 2020, when Flywheel released Multi-Domain support.
Certificates are valid for 90 days, and Flywheel takes care of the renewal process for all websites they manage.
Losing your website data, content or settings can be very frustrating. Numerous things can go wrong, and website owners must be certain they can retrieve their data when that happens. Regular backups are the way to make sure you always have access to your website data.
Flywheel provides daily backups that run overnight and won’t interfere with website functionality. Backups cover the last 30 days, and Flywheel users can control them from the Flywheel Dashboard. In the Dashboard’s Backups tab, users can see a list of all available backups, along with statistics about the posts, pages, plugins, comments and WordPress version saved in a specific backup. Users can download backups locally or restore any saved version to the live website from the same tab. Backups can also be created manually.
Flywheel stores the backups completely offsite, on different servers than the one the client website uses. This makes your website data very secure and always available. There is no need for any additional backup plugins on your WordPress website.
Free malware removal
As a result of their audit and monitoring procedures, Flywheel is constantly on guard for unwanted software or malware on servers. Hacker breaches into servers are rare and Flywheel invests a lot of effort to keep the bad guys away.
In case something does go wrong or users experience malware issues, the Flywheel support team will help them in removing malware. This service is free for all Flywheel users and our agency had a couple of projects where Flywheel coordinated with our development team to clean up websites of clients that reached out with problems from other hosts.
Here are some recommendations for users on how to avoid malware-related security risks. Keep your WordPress core files, themes and plugins updated, remove unused or deactivated plugins and create strong passwords for all website users.
Limited Login Attempts
Brute-force attacks are one of the most common ways to break into a website, server or any other platform that offers a login, and they are also used to find hidden pages. Attackers work by guessing: they repeatedly try username and password combinations for backend access.
This is where Limited Login Attempts comes in. It is a plugin that Flywheel installs by default, and it has two parts. On the website backend, users can control the allowed number of username and password attempts, the lockout duration, the longer lockout applied after multiple lockouts (users can set the number of lockouts and the duration), the time after which the number of login attempts is reset, and some other options. There is also a counter of total lockouts, which can be reset.
If users are locked out of their website and don’t want to wait for the lockout to expire, there is an option inside the Flywheel Dashboard to reset login attempts manually.
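The lockout settings described above behave like a small state machine, sketched here as an added example (not the plugin's or Flywheel's own code). The class and field names, the per-client key and all default values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class LockoutPolicy:                   # every default here is an illustrative value
    allowed_retries: int = 4           # failed logins before a lockout
    lockout_secs: int = 20 * 60        # normal lockout duration
    lockouts_before_long: int = 4      # lockouts that trigger the long lockout
    long_lockout_secs: int = 24 * 3600
    reset_after_secs: int = 12 * 3600  # quiet period that clears the counters

@dataclass
class ClientState:
    retries: int = 0
    lockouts: int = 0
    locked_until: float = 0
    last_failure: float = 0

class LoginLimiter:
    def __init__(self, policy):
        self.policy = policy
        self.clients = {}              # keyed by client address (assumption)
        self.total_lockouts = 0        # the "total lockouts" counter

    def is_locked(self, client, now):
        st = self.clients.get(client)
        return st is not None and now < st.locked_until

    def record_failure(self, client, now):
        """Count one failed login; return lockout seconds in force (0 = none)."""
        if self.is_locked(client, now):
            return self.clients[client].locked_until - now  # not counted again
        st = self.clients.get(client)
        if st is None or now - st.last_failure >= self.policy.reset_after_secs:
            st = self.clients[client] = ClientState()       # counters expired
        st.last_failure = now
        st.retries += 1
        if st.retries < self.policy.allowed_retries:
            return 0
        st.retries = 0
        st.lockouts += 1
        self.total_lockouts += 1
        escalate = st.lockouts >= self.policy.lockouts_before_long
        if escalate:
            st.lockouts = 0
        secs = self.policy.long_lockout_secs if escalate else self.policy.lockout_secs
        st.locked_until = now + secs
        return secs

    def manual_reset(self, client):
        """Dashboard-style reset: forget the client's attempts and lockout."""
        self.clients.pop(client, None)
```

Timestamps are passed in as plain seconds so the policy can be replayed against recorded login failures when tuning the thresholds.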
Doing website updates through file transfer software such as FileZilla, WinSCP, Cyberduck, or any other client that connects to the server using Secure File Transfer Protocol (SFTP) is a far better option than standard transfer protocols. SFTP uses secure encryption to protect all data during transfer. Encryption protects the data from exposure to outside entities on the Internet.
A common problem with FTP or SFTP access is that every single website has its own credentials for file transfer access. If you work on and maintain one or two websites, this probably won’t be a problem for you. But if you need access to 10, 20, 30 or more websites, keeping track of all those credentials is not easy.
What Flywheel offers is one SFTP login for all your websites inside the same Flywheel account. The credentials are the same as the username and password you set for the Flywheel Dashboard login. In your SFTP client, on the server side, you will see all websites organized by their owners. If you need to grant or revoke access for someone, add them as Collaborators by entering their email address. Simple as that.
Security Insights - Upcoming feature
Flywheel is an innovator in managed WordPress hosting and is always looking for ways to improve their offer. In 2018 they announced Flywheel Cloud Platform, based on Google Cloud technology, which will be the main hosting place for all existing and upcoming users. To offer even more secure web hosting, Flywheel is developing the Security Insights add-on. This is a work in progress, and it will have to be purchased separately from the standard Flywheel plans. The add-on will offer a monthly security summary with actionable data on how to improve website security, tips on how to stay ahead of hackers, and in-depth quarterly security audits covering vulnerabilities and areas to improve.