ServerPilot is designed to keep your servers secure and your data safe.
Our team has a strong security background. Security research published by our team members includes identifying vulnerabilities in Linux package managers, designing secure software update systems, and securing browsers against CSRF exploits. If you have security questions or encounter any issues, please contact us.
ServerPilot uses the most advanced security architecture of any control panel to ensure the security of your servers.
All servers managed by ServerPilot are configured to be automatically updated with security updates from the Ubuntu security repositories as well as the ServerPilot repositories. These updates are signed with the Ubuntu and ServerPilot GPG keys, respectively.
All ServerPilot code executed on your servers is signed offline with our GPG key. The signature is checked by your server before any code is executed.
All communication with ServerPilot performed by your servers is done over TLS encrypted connections.
The ServerPilot apt repositories are also served over HTTPS using TLS.
When you set system user passwords or MySQL passwords using ServerPilot, we hash those passwords in the format the target system expects and send only the hash to your server over a TLS encrypted connection; the plaintext password is never transmitted to your server.
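As an added example (not ServerPilot's own code), the following shows the "hash before sending" pattern for a MySQL account. It assumes the mysql_native_password plugin, whose stored form is "*" followed by the uppercase hex of SHA1(SHA1(password)); MySQL 8 defaults to caching_sha2_password, which uses a different format, so which plugin ServerPilot actually targets is an assumption here. The account and host names are validated before being placed in the statement so that a control plane cannot be tricked into building an injected CREATE USER.

```python
import hashlib
import re


def mysql_native_password_hash(password: str) -> str:
    """Return the string MySQL stores for mysql_native_password:
    '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    outer = hashlib.sha1(inner).hexdigest().upper()
    return "*" + outer


_NATIVE_HASH = re.compile(r"^\*[0-9A-F]{40}$")
_USER_NAME = re.compile(r"^[A-Za-z0-9_]+$")
_HOST_NAME = re.compile(r"^[A-Za-z0-9_.%-]+$")


def is_mysql_native_hash(value: str) -> bool:
    """True if value has the shape of a mysql_native_password hash."""
    return bool(_NATIVE_HASH.match(value))


def build_create_user_statement(user: str, host: str, password: str) -> str:
    """Build the statement a control plane would send to the server over TLS.
    The password is hashed here, so only the hash appears in the statement.
    Hypothetical helper for illustration; names are validated to keep the
    statement free of injected SQL."""
    if not _USER_NAME.match(user):
        raise ValueError(f"invalid MySQL user name: {user!r}")
    if not _HOST_NAME.match(host):
        raise ValueError(f"invalid host pattern: {host!r}")
    hashed = mysql_native_password_hash(password)
    return (
        f"CREATE USER '{user}'@'{host}' "
        f"IDENTIFIED WITH mysql_native_password AS '{hashed}'"
    )


if __name__ == "__main__":
    # Constructed sample input; not a real account.
    print(build_create_user_statement("appuser", "localhost", "correct horse battery staple"))
```

The well-known hash of the string "password" under this scheme is *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19, which makes the function easy to spot-check against any MySQL installation that still uses the native plugin.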
ServerPilot configures an iptables network firewall on your servers. This firewall only allows inbound traffic on TCP ports 22 (SSH), 80 (HTTP), and 443 (HTTPS), and on UDP port 68 (DHCP).
ServerPilot configures Nginx with OpenSSL as the public-facing web server on your server. OpenSSL is used by the majority of the world's HTTPS websites to perform TLS encryption. Nginx is secure against Slowloris attacks because its event-driven (asynchronous) model does not dedicate a thread or process to each connection, so slow, half-open connections cannot exhaust a worker pool the way they can on thread-per-connection servers.
ServerPilot configures the secure Postfix mail server on your servers. This mail server is used only by your web applications to send outbound mail. It does not accept mail from outside your server, and the firewall does not open any port for outside communication with the mail server.
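The two preceding paragraphs describe a firewall policy (only TCP 22, 80, 443 and UDP 68 open) and a mail server that must stay unreachable from outside. The following is an added audit script, not ServerPilot's code, that parses the output of iptables -S INPUT and reports any port opened beyond that policy, any policy port that is missing, and whether the chain's default policy is DROP (that the default is DROP is an assumption; the page says only which ports are allowed). The sample rule listing is constructed for the example and includes a deliberately planted rule opening TCP 25, which is exactly the kind of drift that would expose Postfix.

```python
import re
from dataclasses import dataclass, field

# Policy stated on the page: the only inbound ports that may be open.
ALLOWED_PORTS = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 68)}

# Constructed sample of `iptables -S INPUT` output (not captured from a real server).
# The final rule is a planted deviation: it would expose the local-only Postfix
# instance to the outside world.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
"""

_POLICY_LINE = re.compile(r"^-P INPUT (\w+)$")
_ACCEPT_RULE = re.compile(
    r"^-A INPUT\b.*?-p (tcp|udp)\b.*?--dport (\d+)\b.*?-j ACCEPT$"
)


@dataclass
class AuditResult:
    input_policy: str = "UNKNOWN"          # default action of the INPUT chain
    opened: set = field(default_factory=set)   # (proto, port) pairs found ACCEPTed
    unexpected: list = field(default_factory=list)  # opened but not in policy
    missing: list = field(default_factory=list)     # in policy but not opened

    @property
    def ok(self) -> bool:
        return self.input_policy == "DROP" and not self.unexpected and not self.missing


def audit_input_chain(rules_text: str, allowed=ALLOWED_PORTS) -> AuditResult:
    """Compare the ACCEPT rules in an `iptables -S INPUT` listing against the
    allowed (proto, port) set. Only single --dport rules are understood;
    `-m multiport --dports a,b` would need an extra pattern."""
    result = AuditResult()
    for line in rules_text.splitlines():
        line = line.strip()
        m = _POLICY_LINE.match(line)
        if m:
            result.input_policy = m.group(1)
            continue
        m = _ACCEPT_RULE.match(line)
        if m:
            result.opened.add((m.group(1), int(m.group(2))))
    result.unexpected = sorted(result.opened - set(allowed))
    result.missing = sorted(set(allowed) - result.opened)
    return result


if __name__ == "__main__":
    r = audit_input_chain(SAMPLE_RULES)
    print("INPUT policy:", r.input_policy)
    print("unexpected open ports:", r.unexpected)
    print("missing policy ports:", r.missing)
    print("compliant:", r.ok)
```

On a live host the listing would come from `iptables -S INPUT` (run as root); the parser deliberately ignores the loopback and conntrack rules, which open no port to the outside, and flags the planted TCP 25 rule.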
Your servers are configured with SSH and SFTP for you to access them. We do not enable insecure FTP, which transmits credentials and file contents in plain text, on your servers.
Your web applications are only as secure as their code. In the case of WordPress, security is mostly dependent on the plugins and themes you use. You must choose plugins carefully and keep them updated.
ServerPilot encourages using a WordPress firewall plugin. We recommend HeatShield, which is developed by us and is the only security plugin to support ModSecurity.
We use best practices combined with decades of server and network administration experience to keep our systems secure. Our team includes sysadmins who helped early Amazon and other large companies grow successfully and securely.
We use enterprise-grade security to isolate and control access to our internal networks.
Your ServerPilot account password is hashed using Argon2id, the industry-standard password hashing algorithm. We do not store passwords in plain text.
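Added example, not ServerPilot's code: a stored Argon2id hash is normally kept in the PHC string format ($argon2id$v=19$m=...,t=...,p=...$salt$tag), and the parameters embedded in it are what decide how much an attacker who obtains the database has to spend per guess. The script below parses such a string and checks it against a minimum policy; the minimums chosen here (19 MiB memory, 2 iterations, parallelism 1, 16-byte salt) are the OWASP Password Storage Cheat Sheet baseline, not values the page states. The sample hash is constructed: its salt and tag are made-up base64 values, not derived from any real password.

```python
import base64
import re

# Minimum parameters this example enforces (OWASP Argon2id baseline; adjust to
# your own threat model). Memory is in KiB, as in the PHC string.
MIN_MEMORY_KIB = 19 * 1024
MIN_ITERATIONS = 2
MIN_PARALLELISM = 1
MIN_SALT_BYTES = 16

# Constructed example of a stored hash in PHC string format. The salt decodes to
# the 16 bytes "saltsaltsaltsalt" and the tag is arbitrary base64 filler.
SAMPLE_HASH = (
    "$argon2id$v=19$m=65536,t=3,p=4"
    "$c2FsdHNhbHRzYWx0c2FsdA"
    "$Q1YtOVt1dXB5Y1dHbmJzSEpMYmx3R2F1Y2lkQmRpVkE"
)

_PHC = re.compile(
    r"^\$(?P<alg>argon2(?:id|i|d))"
    r"\$v=(?P<version>\d+)"
    r"\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)"
    r"\$(?P<tag>[A-Za-z0-9+/]+)$"
)


def _b64decode_nopad(s: str) -> bytes:
    """PHC strings use unpadded base64; restore padding before decoding."""
    return base64.b64decode(s + "=" * (-len(s) % 4))


def parse_phc(stored: str):
    """Return the fields of an Argon2 PHC string, or None if it is not one."""
    m = _PHC.match(stored)
    if not m:
        return None
    return {
        "alg": m.group("alg"),
        "version": int(m.group("version")),
        "m": int(m.group("m")),
        "t": int(m.group("t")),
        "p": int(m.group("p")),
        "salt": _b64decode_nopad(m.group("salt")),
        "tag": _b64decode_nopad(m.group("tag")),
    }


def check_policy(stored: str) -> list:
    """Return a list of findings; an empty list means the hash meets policy."""
    fields = parse_phc(stored)
    if fields is None:
        return ["not an Argon2 PHC string"]
    findings = []
    if fields["alg"] != "argon2id":
        findings.append(f"variant is {fields['alg']}, expected argon2id")
    if fields["m"] < MIN_MEMORY_KIB:
        findings.append(f"memory {fields['m']} KiB below minimum {MIN_MEMORY_KIB}")
    if fields["t"] < MIN_ITERATIONS:
        findings.append(f"iterations {fields['t']} below minimum {MIN_ITERATIONS}")
    if fields["p"] < MIN_PARALLELISM:
        findings.append(f"parallelism {fields['p']} below minimum {MIN_PARALLELISM}")
    if len(fields["salt"]) < MIN_SALT_BYTES:
        findings.append(f"salt is {len(fields['salt'])} bytes, minimum {MIN_SALT_BYTES}")
    return findings


if __name__ == "__main__":
    print(parse_phc(SAMPLE_HASH))
    print("findings:", check_policy(SAMPLE_HASH))
```

Run over a dump of the credential table, this kind of check catches the two common regressions: rows still in an older format (bcrypt, SHA-512 crypt, or worse) that were never rehashed after a migration, and Argon2 parameters that were lowered to speed up logins.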