xCloud ensures robust security for your websites by default, locking down servers during the provisioning process. However, it’s important to maintain good security practices and assist clients in doing so to further enhance security.

This documentation details the security measures xCloud implements by default, allowing you to create a comprehensive security checklist for setting up new websites on xCloud.

xCloud’s Network and Server Security #

1. SSH Lockdown #

The root user is restricted to secure SSH access only to minimize the risk of unauthorized access.

2. SSH Key Authentication Recommended #

SSH Key Authentication is more secure than password-based authentication, supporting public and private key authentication.

3. System User Isolation #

System users created via our platform are completely isolated and secure from one another, each with only the essential permissions assigned.

4. Managing Server Access: Sudo Users vs. Site Users #

In xCloud Sudo users have full server-wide access, allowing them to control all aspects of the server. In contrast, site users are restricted to managing a single site on the server, ensuring they cannot access or modify other sites’ files or server configurations.

5. Firewall Control – Linux UFW Configuration #

At xCloud, the Linux Uncomplicated Firewall is configured during the server provisioning process.

6. Strict Port Control #

By default, only essential ports are open (22/TCP for SSH, 80/TCP for HTTP, 443/TCP for HTTPS, and 34210/TCP for xCloud communication), reducing attack risks. Users can also change the default port if needed.

7. Fail2Ban Preconfigured #

Fail2Ban, an intrusion prevention software, is enabled on xCloud by default to protect against brute-force attacks on the SSH port.

xCloud’s WordPress Security #

1. Secure PHP Version #

By default, new WordPress websites are provisioned with the most current version of PHP, ensuring compatibility and security.  

2. Latest WordPress Version #

New websites created by any user employ the latest WordPress version to avoid unpatched vulnerabilities.

3. Disable Directory Browsing/System File Protection #

xCloud prevents access to critical WordPress files and directories.

5. Disable PHP Execution in Uploads and Themes Directories #

xCloud blocks maliciously uploaded PHP files in WordPress directories.

7. SFTP and SSH Access Only

xCloud enforces the use of secure server connections exclusively via SFTP and SSH. 

Additional WordPress Security Options #

1. Security Headers #

Customize security headers to prevent cross-site scripting and clickjacking. Beyond default measures, xCloud offers customizable security options to meet specific needs:

2. Web Application Firewall (WAF) Options #

Integrates with 7G and 8G firewalls to protect against malicious requests, bad bots, and spam referrers.

3. Website Isolation Through System Users #

Assign unique system users to websites to keep them isolated and prevent cross-infection in case of a compromise.

4. Disable XML-RPC #

Disabling the outdated and insecure XML-RPC method if not in use. It can be customized from PHP settings.

5. 1 Click SSL Certificates #

Users are encouraged to use SSL certificates for enhanced security. With just one click, SSL certificates can be implemented in xCloud.

Product Security #

1. Two-Factor Authentication (2FA) on account #

It is highly recommended for password-based authentication, requiring a second form of identification.

2. Permission Levels #

Different permissions can be assigned to users or teams within the xCloud dashboard including server/site access, billing, user data, and message permissions.

3. Password and Credential Storage #

xCloud enforces a complex password standard, storing credentials in hash form to reduce the risk of password theft and unauthorized access.

4. Credit Card Information #

Payments are handled by the payment gateway (Stripe), ensuring no access to your credit card information.

5. Best Practices #

Automated server configuration follows industry best practices for securing your server or web applications.

Still, facing any security issues? Contact our support team for any of your queries.