Secure Website Firewall

Frequently asked questions about the Secure Website Firewall website security service

Secure Website Firewall is a security service that provides comprehensive protection against website attacks and vulnerabilities. We offer this add-on service to our customers to assist you in protecting your website.

What is the difference between the security that Pixel Perfect already provides and this service?

We ensure that our servers and network are free from security threats. Secure Website Firewall offers website level security, which is a specialised service.

What is a Web Application Firewall (WAF)?

A web application firewall (or WAF) filters, monitors, and blocks website traffic to and from a website. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific websites, e.g. WordPress, Joomla. By inspecting website traffic, it can prevent attacks stemming from website security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.

Can I trial the service for free?

Yes, we offer a free, no commitment 3 month trial period. You may cancel the service at any time if you are not satisfied. After three months, you will automatically be billed.

My website has been hacked. Will Secure Website Firewall fix it?

While a web application firewall is a proactive security solution that can prevent you from getting into trouble, you should check if your website is already infected. If you weren’t previously using a solution similar to Secure Website Firewall, your website potentially could have already been compromised. Secure Website Firewall focuses on protection and prevention and not the cleaning of already compromised websites. You can have it cleaned by a reputable website developer or website cleaning service.

Secure Website Firewall offers a free option for domains using less than 4GB per month on their website. Why should I use you?

Secure Website Firewall does not have any public African nodes that can be used directly (i.e. not via Pixel Perfect), therefore website speed will be significantly impacted as your site will be served via Asia. The dashboard will also be slower. Customers making use of Secure Website Firewall with Pixel Perfect will not experience this delay as everything will be hosted locally and will be much faster. You will also not be limited to 4GB of traffic per month.

Must Secure Website Firewall customers update their own DNS or will it be done automatically on activation?

We will update the DNS of domains whose website DNS is hosted by Pixel Perfect. (This is the default configuration). Domains with website DNS (@ and www records) hosted elsewhere will need to have the DNS updated at the relevant host before Secure Website Firewall activation can complete.

How does Secure Website Firewall’s WAF compare with security plugins?

One cannot compare a cloud-based Web Application Firewall with an endpoint protection service such as a security plugin for your CMS. While there may be some overlap in the protection offered, it is a good idea from a security perspective to have both installed. Security plugins often offer malware detection and removal, which is not what cloud-based WAFs are intended for.

Pixel Perfect already offers DDoS protection, so why do I need Secure Website Firewall’s DDoS protection?

Pixel Perfect’s DDoS protection protects the network layer against direct large-scale DDoS attacks (layers 3 & 4). Secure Website Firewall protects against website application-level DDoS attacks (layer 7).

Pixel Perfect already offers free SSL, so why do I need Secure Website Firewall’s SSL?

With Secure Website Firewall enabled, the SSL offered by Pixel Perfect will cover the connection between the Pixel Perfect hosting server and the Secure Website Firewall WAF server. Secure Website Firewall’s SSL will cover the connection between the Secure Website Firewall WAF server and the browser of the website visitor.

Will Secure Website Firewall work with a custom SSL certificate, such as GoDaddy and Thawte?

If you would like to use your own SSL certificate instead of the free Let’s Encrypt SSL certificate, please provide us with both the certificate and key files via email to Secure Website Firewall@Pixel Perfect.co.za.
If you have a custom Thawte SSL certificate that was provided by us, we will install this certificate on your behalf.

Why doesn’t my email work after activating Secure Website Firewall?

If your email is set up using the recommended default Pixel Perfect settings, your email will not be affected. However, if you have used alternative settings, you may experience an error. Ensure that you use these mail server settings in your mail programme:

  • Incoming mail server (POP or SMTP): mail.domain e.g. mail.example.co.za

  • Outgoing SMTP server: smtp.domain e.g. smtp.example.co.za

  • Alternatively, your server IP address can be used

Why can’t I FTP to my website after activating Secure Website Firewall?

This will occur if you are using your domain name as the host name in your FTP or SSH client. As web traffic is now routed via the Secure Website Firewall servers rather than directly to your website, use your server IP address as the host name in FTP or SSH.

Can I use Secure Website Firewall on a Parked Domain?

If your Secure Website Firewall protected domain has parked domain(s), it is highly recommended that you secure your parked domain(s) via an .htaccess redirect. The redirect will reroute all traffic from your parked domain(s) to your main domain. This will change the web address (URL) in the browser to that of your main domain. The following rules need to be placed within a .htaccess file in the public_html of your main domain. Replace the example domain names with your relevant domain names. If you are having difficulty adding these rules, please contact our Support team for further assistance.

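RewriteEngine On

# One entry per parked domain; add a line for each additional parked domain.
# Dots are escaped so they match only a literal dot; NC ignores case in the host name.
RewriteCond %{HTTP_HOST} ^(www\.)?parked-domain-one\.com$ [NC,OR]
RewriteCond %{HTTP_HOST} ^(www\.)?parked-domain-two\.com$ [NC,OR]

# Entry for the temporary URL:
RewriteCond %{HTTP_HOST} \.host-h\.net$ [NC]

# Redirect destination: every path on the hosts above, not only the home page,
# is sent to the main domain.
RewriteRule ^ https://www.example.com/ [R=301,L]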
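
A way to confirm the redirect from outside, as an added example (not Pixel Perfect's code): it requests several paths on each parked domain and reports every request that is not answered with a 301 to the main domain over HTTPS. The host names are the placeholder names used above; the sample paths and the `root_only_server` stand-in are constructed for illustration.

```python
"""Check that parked domains redirect every path to the main domain."""
import http.client
from urllib.parse import urlsplit

MAIN_HOST = "www.example.com"  # placeholder main domain, as in the rules above
PARKED_HOSTS = ["parked-domain-one.com", "www.parked-domain-one.com"]
# Constructed sample paths: the home page plus two deeper URLs that a
# root-only redirect rule would leave reachable on the parked domain.
PATHS = ["/", "/wp-login.php", "/index.php?id=1"]


def fetch_head(host, path, timeout=10):
    """Send one HEAD request without following redirects.

    Returns (status_code, Location header or None).
    """
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_redirect(status, location, main_host=MAIN_HOST):
    """Return None for a permanent HTTPS redirect to main_host, else a reason."""
    if status != 301:
        return f"status {status}, expected 301"
    if not location:
        return "301 without a Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return f"redirects to {target.scheme or 'a relative URL'}, expected https"
    if (target.hostname or "").lower() != main_host.lower():
        return f"redirects to host {target.hostname!r}, expected {main_host!r}"
    return None


def audit(hosts=PARKED_HOSTS, paths=PATHS, fetch=fetch_head, main_host=MAIN_HOST):
    """Return (host, path, reason) for every request that is not redirected."""
    failures = []
    for host in hosts:
        for path in paths:
            try:
                status, location = fetch(host, path)
            except (OSError, http.client.HTTPException) as exc:
                failures.append((host, path, f"request failed: {exc}"))
                continue
            reason = check_redirect(status, location, main_host)
            if reason:
                failures.append((host, path, reason))
    return failures


def root_only_server(host, path):
    """Constructed stand-in for a site that redirects only the home page."""
    if path == "/":
        return 301, "https://www.example.com"
    return 200, None


if __name__ == "__main__":
    # Live run against the hosts listed above; replace them with your own.
    problems = audit()
    for host, path, reason in problems:
        print(f"{host}{path}: {reason}")
    if not problems:
        print("All parked-domain requests redirect to the main domain.")
```

An empty result means no parked-domain URL serves content directly, so visitors and scanners alike end up on the protected main domain.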

Does Secure Website Firewall affect Google Analytics/AdSense?

Secure Website Firewall has no effect on Google Analytics. Secure Website Firewall is located between the web server and traffic – not between Google servers and traffic – and thus has no impact on Google Analytics. Also, Secure Website Firewall does not block search engine bots or crawlers, since they are considered safe and are included in the system’s ‘Whitelist IP’ list. Secure Website Firewall has no effect on JavaScript, and thus will have no impact on AdSense either. You do not need to add banner or ad code in order to use Secure Website Firewall.


Secure Website Firewall is a security service that provides comprehensive protection against website attacks and vulnerabilities. While Pixel Perfect ensures that the infrastructure and hosting servers are secure, it is your responsibility to secure your own website or web applications. Secure Website Firewall provides this service – with an easy two-click installation. The solution includes the following components:

Web Application Firewall (WAF):

A web application firewall (or WAF) filters, monitors and blocks web traffic to and from a web application. All web traffic to the website is routed through the WAF, which filters out malicious attacks and allows legitimate traffic through.

Secure Website Firewall blocks all kinds of web attacks accurately and quickly with an industry-leading logic-based analysis detection technology, powered by Penta Security Systems. Secure Website Firewall’s enterprise-level web application firewall protects your websites from unknown web attacks as well as known attacks with the highest precision.

DDoS Protection:

Secure Website Firewall mitigates and blocks DDoS attacks which attempt to exhaust your website resources, thereby making your site inaccessible. While Pixel Perfect’s sophisticated DDoS system protects our network infrastructure, your website remains your own responsibility to secure. Secure Website Firewall protects you from DDoS attacks at the website level.

How to order Secure Website Firewall

There is no need for hardware, installations or coding – your Pixel Perfect hosted website is protected with a simple one-time activation. As we offer a complimentary 3 month free trial, there is also no billing required. If you’re not yet a Pixel Perfect customer, here’s how to get started.

Order Secure Website Firewall in konsoleH:

  1. Browse to konsoleH and log in at Admin level
  2. Select or search for the applicable domain name in the Hosting Service tab
  3. Select Software > Security > Secure Website Firewall on the left-hand menu 
  4. The Secure Website Firewall launch page will be displayed. Click Launch >> 
  5. Toggle the switch to begin the activation  
  6. Click Activate to confirm the activation  
  7. This screen shows the activation status. The domain is in pending mode and will display as active when activation is complete.
  8. If your website’s DNS is hosted by Pixel Perfect, then Secure Website Firewall will successfully be protecting your site once you receive our confirmation email. The following day your website attack statistics will be viewable on your Secure Website Firewall dashboard (see below).
  9. If your DNS is not hosted by Pixel Perfect, our confirmation email will inform you of the DNS updates that will be needed at your current DNS host to secure your website.

Manage Secure Website Firewall

The Secure Website Firewall dashboard in konsoleH is updated once daily and will be available the day after your website activation is complete. The dashboard allows you to perform the following actions:

  • View attack statistics
  • Download Monthly Web Security Reports
  • Whitelist or blacklist IP addresses
  • Bypass the filter
  • Set SSL modes
  • Block specific countries from accessing your website (useful if many attacks originate from a particular location)

Access your Secure Website Firewall dashboard

The dashboard is accessed from the same menu where Secure Website Firewall was ordered:

  1. Browse to konsoleH and log in at Admin level
  2. Select or search for the applicable domain name in the Hosting Service tab
  3. Select Software > Security > Secure Website Firewall on the left-hand menu
  4. Click Launch >> 
  5. Click Secure Website Firewall Dashboard 
  6. Select Dashboard 
  7. Your dashboard displays a variety of reports and graphs which can be filtered by date.

It’s easy to deactivate Secure Website Firewall, if you need to do so temporarily, by using the Bypass mode in your Secure Website Firewall dashboard. This mode allows you to switch off the web application firewall without needing to update any DNS settings.

  1. Browse to konsoleH and log in at Admin level
  2. Select or search for the applicable domain name in the Hosting Service tab
  3. Select Software > Security > Secure Website Firewall on the left-hand menu 
  4. The Secure Website Firewall launch page will be displayed. Click Launch >> 
  5. Select Dashboard 
  6. Select Settings on the top menu
  7. Toggle the Bypass Mode to ON and confirm your selection

Pixel Perfect uses advanced security protocols to secure our network and servers. Your website, however, needs to be secured by you – we don’t have access to this layer. Here are some security measures for your website:

  • Use Secure Website Firewall – a web application firewall that shields your website against attack. It guards against suspicious and malicious website traffic, which specifically looks for opportunities to exploit weaknesses in your website’s code. Try Secure Website Firewall for free for 3 months.
  • Ensure you are running the latest version of your Content Management System (CMS) e.g. WordPress or Joomla.
  • Subscribe to your CMS’s security alerts. Most CMSs provide an email subscription that alerts users to vulnerabilities.
  • Run regular virus scans on your PC and ensure that your virus scanning software is up to date (include anti-spyware) to avoid falling prey to malware. Perform regular virus scans on the computer from where FTP uploads are performed.
  • Check your file permissions to ensure you are not using weak permissions.
  • Regularly change your passwords and use strong passwords for FTP and email.

A distributed denial of service (DDoS) attack is when a number of servers on the internet bombard a target website or server by sending extremely large numbers of requests. The result is that the website can’t respond to legitimate requests, or the target website responds so slowly that it is effectively unavailable. The target website (and the network it is hosted on) is unable to cope with the volume of requests and denies the service to others trying to access it. A hacker achieves this type of attack by taking advantage of security vulnerabilities or weaknesses on websites and servers and then using those websites for the attack.

Can I prevent a DDoS attack?

While you can secure a server and your web content, this will only prevent your server from being used in a DDoS attack. It is not possible to prevent your server from being targeted by a DDoS attack. There are steps that can be taken to help mitigate the risk and to better manage these attacks when they do happen. We use advanced technologies to detect and block these attacks on our network and infrastructure and are able to absorb very large attacks without any observable effect on our customers’ websites. While we protect our servers and infrastructure from attack, customers are responsible for securing their individual websites against attack. This can be done through the use of protective applications such as Secure Website Firewall.

What is the impact of a DDoS attack?

The DDoS attack impact varies, depending on the size and nature of the attack i.e. the number of servers that are used to launch the attack and how effective the attack is at consuming all available website or server (and network) resources. The impact can vary from a single website being slowed or down for a few minutes or hours, to an entire network feeling a significant effect of the attack.


The details of each hosting package can be viewed on the Account Information page in the konsoleH control panel. These include access details and quotas for mail, FTP, databases, URL’s, DNS, IP address and the server & database names.

  1. Browse to konsoleH and log in at Admin level (Note that most Account Information and Access Details are also available at Domain level – some details are not displayed in the main window, but are found within the left menu).
  2. Select and click the relevant domain, then click Info
  3. Account Details: The settings in the main screen are the default account settings and quotas. The settings in the left pane show quotas used. (Note that passwords are no longer displayed)
    1. Domain Details displays the hosting package, location and billing method
    2. Quota Allocation displays the quotas for the relevant hosting package type. The actual quotas used are displayed in the left hand panel.
    3. FTP Access displays the default FTP login.
      • FTP passwords are not displayed. For new accounts, the password first needs to be set (here’s how)
      • Additional FTP user logins (where applicable) can be viewed on the left menu under Manage Services > Configuration > FTP users
    4. Email Access displays the mail server names. Go to Mail > Manage Accounts in the left menu bar for mailbox details
    5. URL Options displays the range of URLs that point to the domain. URL 5 is a temporary URL which can be used to view the website before domain propagation has completed (e.g. to check that the website has been uploaded correctly)
    6. DNS displays the relevant name servers for the domain
    7. MySQL displays the database names (left) and their host server (right)
    8. Domain Details on the left menu displays the actual quotas used, as well as the:
      • Hosting Server name – used to enable SSL for email
      • Server IP Address – used to upload (FTP) web content before domain propagation has completed or when using a web application firewall (WAF) such as Secure Website Firewall.
  4. To Email these Account Details to a recipient of your choice, insert the relevant email address in the Email Info field at the top, select the relevant sections by ticking the boxes, then press > to send.

Sites are most often hacked through vulnerabilities in the website code, compromised Content Management Systems or by accessing the site via FTP, which is often linked to spyware or brute force attacks. It is imperative that you repair and secure the website as a matter of urgency, as there can be serious consequences.

What should I do if my site is hacked?
  1. Remove the content the hacker uploaded to your website. This may be a complex process as it may not be obvious where or what the hacked content is. You may need the help of a web specialist or website cleaning services – find help here.
  2. Replace the hacked content with your local website copy. If you don’t have a copy of your website, your content and databases can be restored via konsoleH’s Restore Backup Tool. (Ensure that you are updating a backup version from before the hack – this is not always possible.)
  3. Update your CMS and review your site’s security. Please refer to the CMS provider’s website and forums for information on security patches and version upgrades. If you need any assistance in managing your website content and security, we can refer you to specialists in this field.
  4. Ensure that your website is protected against future attacks i.e. for a start, update the anti-virus software on your computer and change your FTP password. Use a security application such as Secure Website Firewall. Try it now for free for 3 months.

The motivation behind the site being hacked may be to engage in phishing or to send out spam. This kind of abuse associated with hacked websites is damaging to the reputations of your company and the hosting provider alike.


The login details needed to connect to your hosting site via FTP are:
  • hostname
  • username
  • password

Your FTP access details are not provided in your Welcome mail due to the security risk of sharing the password. The first step in managing your hosting account is to log in to konsoleH to view your FTP details and set your own FTP password. For security reasons we do not keep a copy of FTP passwords, so once an FTP password has been set, you will need to keep your own record. Forgotten passwords can be reset using the same process. Note: The Account Information screen in konsoleH includes the Host name and FTP username, but not the password.

View FTP Login details
  1. Browse to konsoleH and log in at Admin or Domain level
  2. If Admin level: Select or search for a domain name in the Hosting Service tab
  3. Select Manage Services > Configuration on the left-hand menu
  4. Click FTP Users 
  5. The Main FTP Username (example) is listed and there may be additional users, but the password is not shown.
  6. If you have no record of the password, or it has not been set yet, click Reset Password 
  7. Click Auto-generate or insert your own password. Copy to Clipboard and paste in a secure location as we keep no record of passwords.
  8. You now have all the FTP access details needed by your FTP programme:
    • Host: domain name (e.g. example.co.za) 
      • Note: If you are using a web application firewall (WAF) such as Secure Website Firewall, then use the server IP address instead.
    • Username (e.g. example)
    • Password: your own recorded password
    • Port: 21 (if required)

You can use Search Console, a free service offered by Google, to tell if your website has been hacked. This tool can be used to track and fix website errors to optimise your website’s performance, safety, and visibility.

Register and verify your site in Google Search Console

  1. Select Start Now

  2. Copy and paste your Site URL in the open field. Use the exact address, for example, include https://. If your site supports multiple protocols (http:// and https://), you must add each as a separate property.
  3. Select Add Property

    Data collection for a property (website) starts as soon as the property is added in any Search Console account, even before it is verified.
  4. A pop up will appear with a recommended verification method. Other verification methods will also be offered
  5. Proceed with your preferred site verification method. If you choose the recommended verification method, download the file to your desktop and upload it to your site via the File Manager in konsoleH.
     
    Once the download is complete, Google will provide you with an authorisation code.
    Confirm the successful verification file upload by visiting your site followed by the verification code in your browser.
  6. Select Verify

    After your site verification has been confirmed, do not remove the HTML file. If you’re struggling with the verification process, you can refer to the Common verification problems page.
  7. Once the site verification process has been completed, sign into the Search Console.

    If you are using the new version of Search Console, select Coverage under Index on the left-hand side.

    If you are using the old version of Search Console, select Security Issues on the left-hand side under Dashboard.

    Google will confirm there are no issues with your site’s content at this time if no issues have been detected.

Multiple Domains (and Sub-domains) share the hosting space of the main account (parent domain), therefore the Multiple Domain’s content needs to be uploaded into the corresponding sub-folder within the ‘public_html’ directory of the parent domain. The sub-folder name will correspond with the domain name of the Multiple Domain:

 /public_html/your-multiple-domain.com/

Requirements
  • An FTP programme e.g. FileZilla
  • The domain/host name (e.g. example.com) or IP address (e.g. 123.45.67.89) of the parent domain (note: use the IP address if a web application firewall (WAF) such as Secure Website Firewall is activated)
  • FTP login/username and password of the parent domain (forgotten password?)
  • The FTP port is: 21
FTP Upload
  1. Connect to the server via FTP
  2. In the left pane, find the files that you want to upload from your local computer
  3. In the right pane, open the public_html folder
  4. Within that folder, select the folder named after your Multiple Domain or Sub Domain
  5. Highlight all the files needed from the left pane and upload (drag and drop) to the right pane. (Note: exclude the main folder and upload the files and folders from within the main folder)
  6. At bottom left you will see a progress indicator.

In this image, WordPress files are being uploaded from a local computer to a parent domain’s (example.co.za) subfolder within the public_html folder.


Pixel Perfect is responsible for server administration and network security, while you are responsible for the administration and WordPress security of your website. The popularity of WordPress (WP) makes it an appealing target for intruders. Outdated versions of WordPress installations, themes & plugins could result in your website being attacked. Vulnerabilities make your website susceptible to intrusions from outsiders with malicious intent. If you don’t take care of vulnerabilities, your online business may lose credibility.

Security tips:

Keep your site updated

When a security vulnerability becomes known, it is quickly fixed and an update is released by the WordPress community. Older versions of WP are not maintained with WordPress security updates.

  • Update to the latest version of WordPress
Carefully choose which themes and plugins you download
It only takes one theme or one plugin to make your website vulnerable.
  • Update your plugins
  • Delete unused plugins
  • Don’t use unverified plugins and/or themes.
Use a strong password

A strong password protects your website content and prevents intruders from gaining access to your admin account to compromise your entire website. Many potential vulnerabilities can be avoided with a strong password.

  • Use strong FTP passwords, WordPress login passwords and database passwords.
  • Should your domain be compromised, it’s advisable you change all passwords relating to that domain.
Use security applications

These applications provide pro-active security. They scan your WordPress site for vulnerabilities and inform you if any are found. They can block incorrect log-ins, notify you of new edits, and warn you when your site is vulnerable to attacks:

  • We recommend Secure Website Firewall – get a 3 month free trial
  • Install a trusted security plugin, such as Wordfence. Use the plugin user ratings as a guide.
Avoid using default configurations

Changing your default settings adds another thin layer of protection against intruders. The default WordPress login is “admin” and most intruders know this.

  • Delete the default admin and create a new custom login.
Make backups

Before you delete anything make a full backup of your site. Pixel Perfect backups are only intended for disaster recovery purposes.

  • Schedule regular backups
  • Back up your data on read-only media, to ensure your data has not been tampered with.

A component of our Shared and Dedicated Managed hosting products is the storage of customers’ Website and Email data. As we store the data, under the GDPR we are viewed as a processor of the data. Pixel Perfect has no knowledge of the actual data which our customers store on our hosting platform, which may include personal data. As we have no involvement with the data other than storing it, our obligations relating to the GDPR in this context are limited. Contrast this to the personal data of our customers that we store in our customer database; here we are fully obligated under the GDPR as a data controller.

An example:

When a customer signs up with us, they voluntarily provide us with their personal data as part of the signup process. We have full knowledge and control of this data. If a customer requests that we make visible to them what data of theirs we have, we are able to do so. Customers are able to independently access contact and banking details associated with their hosting accounts and update or remove this data via the konsoleH control panel. When a customer uploads their Web application and associated data to our managed hosting platform, we don’t know the type nor the content of the data uploaded. Should our customer, in turn, store their end customer’s personal data, only our customer can make visible to the end customer what data about them is stored. Here the end customer is the controller, our customer the processor and we are the sub-processor of any personal data.

Pixel Perfect’s security obligations and how we fulfil them

We are obliged to implement appropriate technical and organisational measures to prevent a breach into our managed hosting servers which may allow access to personal data stored on the servers. We have always viewed this as an obligation on us, and therefore at a technology level, GDPR does not change anything for us in the context of these products. Our servers are managed in accordance with security best practices for servers on the internet, providing a mass market managed hosting service.

  1. We do not run any services on our servers which are not required to deliver the hosting service. Having extraneous services active on a server increases the attack risk unnecessarily.
  2. We apply software package security updates provided by our Linux distribution (Debian) as follows:
    • Non-critical updates are applied within a week of release.
    • Critical updates are aimed to be applied within 24 hours of release.
  3. We do not store customers’ mailbox, FTP or MySQL database passwords in clear text.
    • Passwords are stored using a salted, one-way hashing algorithm.
  4. Vulnerability scans and penetration tests are performed against our managed hosting servers and any critical issues exposed are resolved as a priority.
  5. Firewalls are employed to restrict access to any services on the servers which are not purposed for public consumption.
  6. Various intrusion detection mitigation systems are employed at the server level.
  7. A basic Web Application Firewall is employed to mitigate a certain degree of relevant attacks.
    • An advanced Web Application Firewall (Secure Website Firewall) is available as an optional extra for customers who store particularly sensitive data.
Encryption of data stored by customers on our managed servers

Pixel Perfect does not encrypt any data stored by customers on our managed servers. The reasons for this are:

  1. The controller of the data (ie. our customer) is the only one positioned to know whether or not data should be encrypted.
  2. Our view is that the most effective place to encrypt personal data is at the point where the controller is able to effect the encryption (and decryption).
    • Sensitive emails should be encrypted at the source and decrypted only by the recipient (i.e. utilising asymmetric key pair encryption)
    • Web application files and database tables should be encrypted and decrypted by the Web application itself.

Source: Ask Wordfence: Why Is an Insignificant Site Like Mine Being Attacked?

At a high level, an attacker views a vulnerable website as a juicy collection of resources that they can steal or exploit:

  • It’s backed by a server that they can use to run their own programs
  • It’s connected to the internet and likely has a squeaky-clean reputation
  • It might include interesting user data
  • It probably has traffic coming to it
  • It is likely important to you

Most of the time, they use those resources to make money. And they continue to find new creative ways to do so.

Using Your Server to Run Their Own Programs

If you’re running a WordPress site, your web server is most likely a fully functioning Linux server with MySQL and PHP installed. Depending on your hosting situation, it may also have a meaningful amount of processing power. (All true for Pixel Perfect servers. Note: MariaDB on our servers is equivalent to MySQL)

Cryptocurrency Mining

Since late 2017 there have been massive cryptomining campaigns, particularly targeting WordPress sites. In the most intense period of attacks ever recorded, attackers were compromising sites and using them to both attack other WordPress sites and to mine for specific cryptocurrencies that can be mined efficiently using web server hardware. This method uses brute force attacks to hack huge numbers of innocent websites and use their combined processing power for cryptomining. Read this article for a detailed technical case scenario.

Leveraging Your Reputation

Your site reputation makes you a target. All site owners are targets, even if you don’t collect credit cards, or capture and store user data and even if you just have a plain old static website. The reason is because your website has a clean reputation. Your site doesn’t need to be popular or well trafficked, it just has to be ‘clean’ for a hacker to be able to use it. If your site is not blacklisted by Google’s Safe Browsing list or any other blacklist, then you are ‘clean’.

Hosting Phishing Pages

A phishing page is one that attempts to fool you into sharing sensitive information, like your password or credit card number. An example of a phishing page is a fake login page that gives you the impression you are on a legitimate login screen. You enter your credentials and the attacker logs them and can now sign into your real account and steal data or money (on banking sites). So why hack your website? Your site probably has a squeaky clean reputation. When attackers hack your site and then use it to host phishing pages on your site, services like Google Safe Browsing that would normally warn users about suspicious websites won’t know to alert visitors to the danger of the phishing page hosted on your site.

Hosting Spam Pages and Injecting Spammy Links

Your site is legitimate, so search engines like Google assume that your content, including outbound links, is also legitimate. Attackers love to plant SEO spam in the form of pages and links on your site, boosting SEO rankings for their malicious businesses. A great example of this is the supply chain attack discovered in September 2017 that spanned 4.5 years and impacted 9 WordPress plugins. In Wordfence’s blog post about this SEO spam campaign, we exposed how someone purchased the plugins and then used them to embed spammy links in the sites that were running them. The attacker used these links to improve search engine rankings for websites offering payday loans, escort services and other shady things. It’s important to remember that while your site alone isn’t capable of boosting an attacker’s SEO results, thousands of compromised sites can.

Sending Spam Email

Getting spam email past spam filters is a difficult endeavor. Email clients and hosting companies such as Pixel Perfect use myriad techniques to identify and block spam. Almost all spam filters rely on IP blacklists to block everything from IPs known to send spam. That’s where your web server comes in. Not only does your server have all of the hardware and software spammers need, but the reputation of your IP is likely perfect. By hacking your website or email address and using it to send spam from your web server, cybercriminals have a much better chance of getting their spam delivered. Eventually, spam filters pick up on what is happening and blacklist your IP as well, so the attacker simply moves on to the next victim, leaving the reputation of your IP address in ruins.

Attacking Other Sites

Sometimes attackers will compromise WordPress sites to attack additional sites. We saw hackers use this approach in the cryptocurrency mining attack we discussed earlier in this article, where an attacker was controlling a botnet made up of thousands of other people’s WordPress sites that were simultaneously mining for cryptocurrency and attacking other websites. Your website is an attractive attack platform because your IP address is likely not on any blacklists.

Hosting Malicious Content

Hackers will sometimes use your web server to host malicious files that they can call from other servers. They are essentially using your hosting account as a file server.

Leveraging Your Site Traffic

Malicious Redirects

One very common thing attackers do with hacked websites is add redirects to their content. Visitors to your site don’t even have to click on a hyperlink to visit the spam site: the redirect will just take them there directly. In some cases, attackers will go so far as to redirect all of your traffic to malicious sites. But in most cases, they employ measures to avoid detection, only redirecting traffic to specific URLs or for specific browsers or device types. For example, malicious JavaScript code may be injected into websites, which then redirects visitors to pages that host spam and malicious browser plugins.

Defacements

In some cases, the attacker just wants to get their message out. By taking over your website, they are able to reach your website visitors, at least until you figure out what they’ve done. Attacks of this nature often represent a political movement or are just looking for “street cred” in the hacker community.

Distributing Malware

One especially nefarious way attackers monetize hacked websites is to use them to spread malware. They install website malware that installs malware on your visitors’ computers or devices when they visit your site. As a site owner, this is especially scary, as not only do you risk having your site flagged as malicious by search engines and other blacklists, but your visitors are not going to be happy with you. Your reputation, both online and with your site visitors, could be damaged for a long time. In addition, a hacked website can have a long-term negative impact on your search engine rankings.

Stealing Data
Even if you don’t accept credit cards on your site, an attacker may still find valuable data to steal. For example, if you capture other data via forms on your site, there might be something there worth taking. Additionally, attackers can use stolen username and password pairs to try to log in to other sites.
Ransomware

Ransomware is malicious software that an attacker installs on your computer or on your server. They use an exploit to gain access to your system, and then the ransomware executes, usually automatically. Ransomware encrypts all your files using strong unbreakable encryption. The attackers then ask you to pay them to decrypt your files. Usually payment is via bitcoin. Bitcoin gives the attackers a way to create an anonymous wallet into which the ransom can be paid.

How to secure your website

Regardless of the size of your website audience or the cost of your hosting plan, criminals will happily find a way to monetize it if they can break in. Luckily, you don’t need to be a security expert to keep your site safe. Use products such as Secure Website Firewall and security plugins such as Wordfence (for WordPress sites) to protect your website.


Malicious or unwanted traffic to your website can be blocked by adding a snippet of code to the .htaccess file within your site content. It’s possible to block traffic from specific IPs or a range of IPs from visiting your website. Even traffic from entire countries can be blocked.
Note: Secure Website Firewall, the security service offered by Pixel Perfect, provides a dashboard to easily block IPs or countries.
No coding or experience is required – just follow the steps below.
Block IPs using .htaccess
The .htaccess file is located in the public_html directory of your website content. If you only want to block access to certain parts of your site, you can create a new .htaccess file and upload it to the relevant subdirectory. This file can be accessed and edited in various ways, including FTP and SSH. Here we will access it via the konsoleH File Manager:
  1. Browse to konsoleH and log in (Admin or Domain level)
  2. If Admin level: Select or search for a domain name in the Hosting Services tab
  3. Click Manage Services from the left-hand menu
  4. Select File Manager. The files within the public_html folder are immediately visible – these are website files and include the .htaccess file that governs your whole site.
  5. Click .htaccess in your file list, then click Edit from the right-hand menu.
  6. Insert the following code snippet at the top or bottom of any other code that is already in the text file, replacing the sample IPs with those that you want blocked. Any number of IPs can be listed. Click Save changes.
order allow,deny
deny from 123.456.789.01
deny from 12.123.456.78
deny from 234.56.789.123
allow from all
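
The script below is an added example, not code from Pixel Perfect or the original page: it validates a list of addresses before they go into .htaccess, merges duplicates and adjacent ranges, and renders the deny block in the syntax shown above. The function names and sample addresses are made up for illustration, and the apache24=True output uses Apache 2.4's Require directives, which this page does not cover.

```python
import ipaddress

# Constructed sample input: documentation-range addresses plus one bad entry.
SAMPLE = [
    "203.0.113.5",
    "203.0.113.5",          # duplicate
    "198.51.100.0/25",      # two adjacent halves of one /24
    "198.51.100.128/25",
    "2001:db8::/32",
    "123.456.789.01",       # octets above 255: not a valid address
]

def parse_blocklist(entries):
    """Return (networks, rejected) for a list of raw IP or CIDR strings."""
    nets, rejected = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=False tolerates host bits, e.g. 198.51.100.7/24
            nets.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            rejected.append(text)
    return nets, rejected

def collapse(nets):
    """Merge duplicates and adjacent ranges; IPv4 and IPv6 are merged separately."""
    out = []
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(same))
    return out

def fmt(net):
    """Single hosts as a bare address, ranges in CIDR notation."""
    return str(net.network_address) if net.num_addresses == 1 else str(net)

def render(nets, apache24=False):
    """Render the .htaccess block for the given networks."""
    if apache24:  # assumption: Apache 2.4 with mod_authz_core
        body = [f"    Require not ip {fmt(n)}" for n in nets]
        lines = ["<RequireAll>", "    Require all granted", *body, "</RequireAll>"]
    else:         # syntax used on this page
        body = [f"deny from {fmt(n)}" for n in nets]
        lines = ["order allow,deny", *body, "allow from all"]
    return "\n".join(lines)

def is_blocked(client_ip, nets):
    """True if client_ip falls inside any listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    networks, bad = parse_blocklist(SAMPLE)
    print(render(collapse(networks)))
    print("rejected:", bad)
```

Anything reported as rejected should be corrected before the file is saved, and is_blocked() can confirm that your own address is not covered by a range you are about to deny.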
Block entire country IPs

You want to block all IPs originating from particular countries. This is useful if there is no reason for people in those countries to visit your website and your security application indicates unwanted traffic from those countries.

  1. Find the relevant country code(s) here
  2. Insert the following code snippet in your .htaccess file, replacing the XX with the country codes:
GeoIPEnable On
# Put countries to deny here
SetEnvIf GEOIP_COUNTRY_CODE XX DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE XX DenyCountry
SetEnvIf GEOIP_COUNTRY_CODE XX DenyCountry

# Evaluate Allow rules first, then Deny, so the Deny rule below wins
Order Allow,Deny
Allow from all
Deny from env=DenyCountry