Website isolation
Each website runs in its own isolated container. Resources are protected, and an infection on one site can't spread to another.
Defence at every layer, not bolted on as a plugin.
The platform ships with the security layers most sites bolt on as plugins. They're tuned for WordPress, they run on the infrastructure, and they don't slow you down.
- A secure foundation
- Automated threat prevention
- Managed maintenance and response
Why it matters
WordPress runs 43% of the web. Attackers know.
Brute-force login attempts, plugin-exploit scans, and bots looking for vulnerable XML-RPC endpoints hit every WordPress site, every day. Most hosts give you the server and leave the defence to a stack of security plugins that fight each other and slow your site down.
When a site does get compromised, the cost arrives in waves — Google flags you as deceptive, your customers stop trusting you, your inbox fills with abuse complaints from people receiving spam from your domain, and the clean-up takes weeks.
We built the platform so defence lives in the infrastructure, not in plugins you have to maintain.
What's in the box
Twenty-plus lines of defence, included.
Web Application Firewall (WAF)
A modified OWASP and Comodo ruleset, plus custom tweaks for maximum compatibility. Blocks web attacks with minimal false positives.
Proxy-aware WAF
Our Layer 7 WAF is proxy-aware and IPv6 compatible. It identifies real client IPs and blocks malicious traffic even when attackers hide behind Cloudflare, Akamai, or Fastly.
File integrity monitoring
Periodic integrity checks verify WordPress core files against official checksums, catching unauthorised changes early.
Integrity auto-repair
Compromised core files are quarantined and replaced with a fresh copy from WordPress.org. Self-healing core, by default.
WordPress hardening
We block sensitive WordPress core files and PHP execution in /wp-includes, /uploads and /wp-content, with carefully scoped exceptions for page builders and essential plugins.
Malicious plugin detection
We detect plugins that try to hide from the WordPress admin or sneak in a backdoor, notify our team, and take immediate action to secure the site.
Malicious cron job detection
Attackers often add hidden cron jobs. Our system detects them, notifies us, and takes automated remediation steps where it can.
Bot protection
We automatically identify and block bad bots, preserving site integrity and keeping resources for real visitors.
DDoS protection
IPs exceeding 100 concurrent connections are blocked automatically. Temporary bans escalate to permanent ones via IPDB for repeat offenders.
IPDB and IP/country blocking
A comprehensive database of abusive IPs, spammers, and scanners, with full IPv6 whitelist/blacklist support and reputation checks.
Resource monitoring
Round-the-clock process monitoring kills slow queries from blacklisted users and applies automatic resource limits to prevent load spikes.
Database scanning
Proactive scans for malicious code in your WordPress database. Integrated cleanup tools fix what they find, saving hours of manual work.
Two-factor authentication
Enable 2FA on your Kiravo account in a couple of clicks to add a critical layer against unauthorised access.
Uptime monitoring
Most providers only monitor their own servers. We go further and monitor your sites' uptime, with Slack alerts so we can act fast.
Real-time malware protection
A lightweight antivirus scanner using hourly-updated signatures against 14M+ known threats. Detection and quarantine within minutes of a match.
Rootkit scanner
Detects rootkits, abusive users, and high-load processes with automated blocking.
IP reputation check
We continuously monitor our server IP reputation to detect blacklisting before it becomes a deliverability or access problem.
Mod Security
Mod Security runs by default for broad protection. You can disable it on a per-domain basis from the control panel if a specific app needs it off.
Login lockdown
Detects and blocks brute-force attempts on the WordPress login page automatically.
Free SSL certificates
Free, automated certificates from Let's Encrypt, renewed before they expire. Want to use your own SSL? Install it from the control panel.
How it works
Five layers an attack has to get past.
No single defence catches everything. The point of layered security is that an attacker has to defeat every layer to do real damage — and most never make it past the first two.
-
Edge — Web Application Firewall
ModSecurity ruleset + proxy-aware traffic inspection. Sees the real client IP even through Cloudflare or Fastly. IPv6-capable.
-
Network — rate limiting & brute-force shielding
Per-IP rate limits, automated bans on repeated login failures, and an aggregated attacker IP database fed by activity across the platform.
-
Server — isolation & hardening
Every site runs in its own isolated environment so a compromise on one cannot pivot to another. System hardened with mandatory access control and least-privilege defaults.
-
Application — vulnerability & malware scanning
Plugins and themes are checked against the WPScan vulnerability database. A real-time malware scanner watches every file write; suspicious files are quarantined and you get notified.
-
Access — 2FA, SSL, encrypted backups
Two-factor authentication on the control panel, free Let's Encrypt SSL on every site, and off-site backups stored encrypted so a server compromise doesn't expose your data.
Proof in production
Stability is what security looks like from outside.
“I've worked with this web hosting company for a while and I can say without exaggerating that they're among the few where I don't wake up in the morning to another "let's see what happened" ticket. Ticket responses are extremely prompt and clear — no "let's guess what the customer wants." In an industry where you sometimes get answered as if you're trying to fix something with written words, here they reply fast and to the point. Their servers are very well configured, optimised especially for WordPress but they handle other workloads fine. Performance is consistent — no annoying load spikes when you least expect them. Uptime is stable, and the control panel is intuitive enough not to slow you down every day. In short: fast and competent support, WP-optimised servers, stable performance — an option I recommend without making excuses.”
The other pillars
Security is one of four.
A secure site still loses visitors when it's slow, becomes a chore without a good panel, and stays broken when something does go wrong without good support. Here's the rest of the platform.
Frequently asked
Security questions, answered.
-
What happens if my site gets hacked anyway?
We restore from the most recent clean backup, run a full malware scan to make sure the entry point is closed, then help harden whatever let the attacker in. No extra charge — it's part of being on a managed platform.
-
Do you scan plugins for known vulnerabilities?
Yes. Every site is checked against the WPScan vulnerability database. When a plugin or theme on your site has a published CVE, you see it in the panel and we notify you so you can update or replace before it becomes a problem.
-
Is two-factor authentication enforced?
It's available on every control panel account and we strongly recommend it. We support TOTP apps (Authy, 1Password, Google Authenticator) and U2F security keys.
-
Do you support custom SSL certificates?
Free Let's Encrypt certificates renew automatically on every site. If you need to bring your own — an EV cert, a wildcard from a specific CA — you can install it from the panel without contacting support.
-
How do you handle DDoS attacks?
The WAF and rate limiter absorb small and medium attacks at our edge. For volumetric attacks, every site can be put behind Cloudflare in a few clicks — we'll help you wire it up if you'd like.