Pro Hosting – Details

Unsure about where to host your Penguin Hosting searches out some of the best hosting options available for our clients, purchases bulk space from the suppliers, and then re-packages this hosting to sell to our clients at rates less than the hosting companies can manage. Then, we also manage support for our clients when/if needed. It’s a win/win/win situation and YOU – the client – get great hosting as a result… budget freiendly. 🙂

Pro Package - How are Sites Kept Secure?

WordPress core files are locked down

One of the great things about WordPress is that everything is built around the same core software.  This allows plugin and theme authors to create awesome tools and designs that can be used by anybody running WordPress.

One of the not-so-great things about WordPress is that the same core that makes plugin and theme development easy can also make spreading malware easy.  Hackers love code shared by a large number of people since it allows their malicious changes to one piece of software to then to achieve widespread damage. What better place to make these kinds of changes than in the set of files every WordPress site is guaranteed to have: the WordPress core?

With our Pro Hosting Packages, nobody can overwrite your WordPress core files.

Everything in your WordPress install is locked down tight, aside from your custom content. Does somebody want to edit your wp-config.php file in order to peddle creepy products on your site? Not on our watch!


It is worth noting that locking down core files means users also can’t edit these things. This is a good thing because it’s best practice to leave core files alone as they’ll get swapped out in WordPress updates. You don’t want your hard work getting wiped out every time WordPress is updated (quite often). If there are files like wp-config.php that you’d like to make changes to, just let our team know and we’ll make those for you! Unlike manual edits, these will carry over from update to update.

Automatic WordPress updates

In order to prevent outsiders from meddling with your stuff, we make sure your site is running the latest and greatest version of WordPress. These updates often include security patches, which close any doors and windows that hackers may have found in previous versions.

These updates are automatic and usually happen within a few days of their release.


While we strongly advise that our customers stay on the automatic update cycle, we will allow customers to stay on older major releases of WordPress. We will still provide periodic minor security updates to these older versions as they are released to keep your sites secure. That being said, it is very important to us that sites in our Pro Hosting Package do not fall more than two major releases behind the update schedule. If they do, we may reach out to you work out a strategy for getting back on the update wagon.

Insecure passwords? Not on our watch.

Although it may not seem like a big deal, having hard-to-guess username and passwords really goes a long way on WordPress. Due to the uniform structure of WordPress, a lot of web bots will crawl across websites, simply appending a /wp-admin to the domain name. If the page loads, the bot will start trying username and password combos starting with some of the most common insecure passwords. So if you have a user named admin and a password of password1234, you’re at a pretty high risk of getting hacked.

That’s why our Pro Hosting Package goes to great lengths to ensure that our customers use strong passwords. From our app to WordPress itself, if you try to create a new password that doesn’t make the cut, we’ll let you know.


A secure password doesn’t have to be impossible to remember.  If you’d like to learn about hiding your wp-login page or additional security steps, reach out.

Intelligent IP blocking

Intelligent IP address blocking in our Pro Hosting Package detects intruders and blocks them across all sites on our servers within seconds.
We monitor popular points of entry for hackers and immediately lock out any IP address trying to get through. These points include:

  • Failed SSH Access Attempts
  • Failed WordPress Login Attempts

Flywheel uses a variety of techniques to block traffic starting with preventing known malicious IP addresses from opening a session with the server, which is a very severe and immediate action.

Malware prevention

We pride ourselves on keeping the bad guys out of your site’s files and database through the preventative security measures mentioned above. That being said, malware prevention is an ongoing cat and mouse game where systems have to react and adapt to the ever-changing security gaps introduced by third-party plugins, third-party themes, or weak passwords.

One way we combat this in our Pro Hosting Package is with our Plugin Security Alerts via email to our support team for each site within our Pro Hosting Package. That way, if a vulnerability is found, we can quickly update the plugin and secure your site.

In the event that you do find your site compromised by a plugin or theme vulnerability, our Pro Hosting Package Happiness Engineers can jump in right away and get to work cleaning up the infection. We’ll also notify you of our progress along the way.

Free malware removal

In the rare event of a site getting hacked, our incredible support team of WordPress experts will quickly and carefully remove the malware for you.  For free.

Steps that you can complete prior to cleanup are updating all themes and plugins on the site to their most recent version, uninstalling any plugins or themes that aren’t being used any longer, and updating all admin user passwords to something as strong as possible. Since outdated plugin/theme versions and insecure passwords are overwhelmingly the cause behind WordPress sites becoming infected with malware, taking care of these updates as soon as possible will also help us to ensure the site stays clean while we’re working on it.

Fastly WAF

The WAF detects malicious request traffic sent over HTTP and HTTPS using rules based on Fastly, Trustwave ModSecurity Rules, and the OWASP Top Ten. It helps protect against application-layer (layer 7) attacks such as SQL injection, cross-site scripting, and WordPress specific vulnerabilities.

Blocking is done at the edge, so malicious traffic is never sent down to the Flywheel Cloud Platform.

We have hosting level branded 403 pages which will display request ID’s when a customer hits a blocked rule. This helps support narrow down the issue when troubleshooting.

Pro Package - How can I increase security?

How can I further increase my site’s security?

We take care of general site security for you. However, there are certain added pieces of security that are optional or simply not needed by all sites. Here’s a list of some of those extra ways to enhance your site’s security, starting with the most basic (and essential), working up to the more advanced options that may not be necessary or practical for everyone.


This article is dedicated to site security. For help on other security-related topics, contact us.

1. Always use strong passwords

It seems obvious, but many WordPress users overlook this vital security measure. Your password is to WordPress what locking your front door is to home security – and it doesn’t matter how good your security system is if you leave the door open for anyone to walk through.

It’s not possible to overstate this crucial point:

If your WordPress password is short, if it’s something readable, if you use it on multiple sites, or if somebody who knows you well could potentially guess it, then chances are it should be stronger.

If you have a site with several WordPress users or allow visitors to create their own accounts, you can often add a security plugin to force users keep their passwords beefy.

2.  Keep your themes and plugins updated

This is another obvious one, but themes and plugins can occasionally have security vulnerabilities, which are patched by the developer as soon as they’re discovered. It’s important to update regularly because many malicious bots specifically search for out-of-date plugins and themes with known vulnerabilities.

We take care of WordPress core updates and regular basic updates for you with our included updates service. Ask us about our enhanced updates services.

3. Uninstall inactive plugins and themes

Even deactivated plugins and themes can have vulnerabilities, and for that matter, can still take up your server’s resources, so they can sandbag site performance. It’s best to simply uninstall any plugins or themes that aren’t consistently active. You can always reinstall them later if you need to. 

4. Avoid obvious WordPress user names

This is less important than having a strong password, but it’s still helpful. A generic WordPress username like “admin” will be one of the first things any hacker or bot will try. If somebody could guess your username just by looking at the site, it’s not a bad idea to update.

Unfortunately, WordPress doesn’t allow you to change your username by default, but if you’d like, you can create a new WordPress user and then delete your old one from the ‘Users’ area in the WordPress admin sidebar. (You’ll have to use a new email address to do this, since two WordPress users can’t share the same email address, but you can always change that later.) 

5. Add Captcha

There are several variants of Captcha out there, but the idea is the same between plugins and methods: force any site visitor who tries to fill out a form to first prove they’re human.

While it was once a troublesome and inconvenient option, Captcha has improved greatly in recent years. Plus it protects all kinds of forms on your site, so it does double duty by helping to stop hackers and prevent spam. Google reCaptcha is the least intrusive option, and there are several plugins available to implement it, including Google Captcha (reCAPTCHA).

6. Move your WordPress login screen

Many WordPress hacks come from malicious bots that are programmed to crawl the web looking for WordPress sites. Once they find one, they’ll add “/wp-admin” to the end of the site’s URL to get to the login screen and try to force their way in.

Our Pro Hosting Package already protects against this kind of behavior, but you can add an extra layer of security by making your login screen harder to find in the first place.

The WPS Hide Login plugin allows you to change the location of your login screen from “/wp-admin” to whatever you want. You could use something like “/mysitelogin” or “/open-sesame” or anything else. Whatever you choose, any user who tries to use the old “/wp-admin” link will just see an error message, stopping bots and would-be hackers in their tracks. 


Moving your WordPress login screen will mean that you’ll have to share the new login URL with anyone who logs into WordPress on your site, or they won’t be able to access the admin area.

7. Add two-factor authentication

More targeted and secure on login screens than Captcha, two-factor authentication allows you to verify your identity through any number of methods: by scanning something on your smartphone, by receiving a code via text message and entering it on the site, and others.

Whatever the method, two-factor authentication is generally much harder to fake than traditional login credentials – and doing so while also logging in with a password is virtually impossible for a hacker, so this is an extremely powerful security solution.

Popular two-factor authentication plugins include Google Authenticator – Two Factor Authentication (2FA), Duo, and miniOrange Two Factor Authentication. Jetpack by also includes 2FA, among many other useful features.

8. Add an SSL certificate

While this isn’t necessary for all sites, it’s essential for any WordPress site collecting sensitive user information. But even if that’s not the case, an SSL certificate still helps to secure your site’s transmissions. Plus, Google ranks secure sites higher in search engine results, so you get a little SEO boost with a secure site as well!

Even better, our Pro Hosting Package offers free SSL certificates.

9. Track WordPress User Activity

WordPress does not offer an audit trail or log out of the box, so it can be helpful to add a plugin such as Simple History or Activity Log to track changes made to your WordPress site.

From a security standpoint, activity tracking provides a record of newly created users, failed logins to WP Admin, and repeated requests to pages that do not exist. Any of these could indicate malicious activity on your site, in which case our support team would be happy to provide assistance!

Other benefits include tracking plugin activations and post or page updates, which can be especially helpful when debugging problems on a site with multiple admins when “nobody touched anything” :).

One thing to keep in mind, depending on the amount of activity on the site these plugins may consume resources, something to consider as you maintain your site’s performance!

Managed Plugin Updates: Plugin Security Alerts


This information about Plugin Security Alerts concerns our add-on  Managed Plugin Updates (paid upgrade). 

These Plugin Security Alerts from us provide site owners and organization members with critical security information via email when a vulnerable plugin is detected on one or more sites.

Setting plugin update frequency

We do not immediately update vulnerable plugins for sites enrolled in Managed Plugin Updates, since these updates run on a set schedule.

For maximum security, we suggest setting your plugin update frequency to daily, which will ensure any vulnerable plugins are updated within 24 hours. If you’d rather stick with a weekly update frequency, any vulnerable plugins will be updated during the next cycle, within 7 days.

And of course you can always update your plugins manually from the WP admin area.

Email alerts

If a vulnerable plugin is detected on your site(s) during our nightly scans, our support team receives an email that lists the site with the plugin currently installed. Once received, we take the necessary action and inform our clients ONLY if any further issues remain – such as requiring a paid upgrade to a pro version plugin.


Plugin Security Alerts will display the plugin name based on the plugin’s slug (internal name used by WordPress), which may differ from the plugin’s marketing name. For example, WPBakery Page Builder’s slug is js_composer. The slug will often correspond to the plugin directory name.

Viewing vulnerabilities on your hosting dashboard

* This sections information applies only to clients having collaborative access to their dashboards. Please reach out for access to your dashboard if required.

Plugins tab

The Vulnerabilities area of the Plugins tab displays information about outdated and compromised plugins. When a vulnerability is detected, click Vulnerability details to view more comprehensive info from WPScan. Click the Update in WP Admin link to log into your site and run any necessary updates.

Managed Plugin Updates page

For a more holistic view of vulnerable plugins across your sites, head to the Vulnerabilties tab of the Managed Plugin Updates page. Here you’ll see a list of plugins: clicking Details for a particular plugin will reveal which site(s) it’s installed on, and includes links to the WP Admin where the plugin can be updated. 


How often are my sites checked for vulnerabilities?

Sites within our Pro Hosting Package are scanned for plugin vulnerabilities on a nightly basis, every 24 hours.

Since I have the Managed Plugin Updates Add-on, do I need to do anything when I see the vulnerability warnings?

No. We will manually update any vulnerable plugins that may pop up in between your regularly scheduled update cycle.

What do you do when there are active plugin vulnerabilities found?

We simply update the plugin for you as soon as possible.

If you have any questions or concerns about a plugin directly, we’d recommend reaching out to the plugin developer for more information.

Who will receive these Plugin Security Alerts via email?

Our support team will receive the initial alert email and the site owner or all organization members, if the site is owned by an org., will be updated only if issues remain after updates are completed.

Where do you obtain this plugin vulnerability info?

The information is publicly available from WPScan. We cannot guarantee all vulnerabilities will be detected by the plugin researcher.

Pro Package - Simple SSL?

What is SSL?

SSL stands for Secure Sockets Layer, and is the technology that keeps internet connections secure and safe from prying eyes. It is used on all ranges of sites, but is particularly useful when doing things like online banking, ecommerce, or any type of internet transaction where personal information is shared.

In our Pro Hosting Package, we’re more than happy to help you get an SSL certificate installed and configured on your WordPress site. Whether you’re running an eCommerce site or just want a little extra security, we can help you get up and running.


Our Simple SSL feature is a fully automatic 100% free SSL certificate, installed and activated in minutes! 

Previously, if you wanted to secure your site with SSL, you would have needed to provide your own SSL certificate that you had purchased from a third-party SSL provider. With Simple SSL, we’re able to eliminate that process and make setting up a site encrypted with SSL incredibly fast and easy.

To make this possible, we’ve partnered with Let’s Encrypt™, a free, automated, and open certificate authority brought to you by the non-profit Internet Security Research Group (ISRG). This allows us to generate, install, activate, and renew certificates for your sites automatically and for free.ard!

If you have other questions about Simple SSL, contact us for answers.


Simple SSL cannot generate a wildcard certificate nor an OV/EV (Organization Validated/Extended Validation) certificate. If your site requires one of these special types of SSL certificates, you’ll need to purchase and bring your own to your hosting.
What Plugins are NOT recommended?

There are more than 54,000 plugins for WordPress out in the universe and most of them are going to work splendidly within our Pro Hosting Package. However, there are a few categories of plugins that either duplicate functionality that we already provide within our Pro Hosting Package, or are known performance-killers on sites.

We believe that users shouldn’t have to “fiddle” with their site to get the best performance and security. As a managed WordPress host, our goal is to make sure you’re starting out with a site that just works.


Although they are not disallowed, plugins and themes utilizing ionCube are not compatible with sites on Flywheel running PHP 7.4 or newer. The ionCube Loader module is not available witin our Pro Hosting Package due to the significant performance issues it causes.

Backup plugins

Backups are included in every Pro Hosting Package plan. We back up your sites every 24 hours on external servers, and we allow you to easily restore and download backups as needed from within your hosting dashboard.

Backup plugins, on the other hand, can be incredibly resource-hungry. When running, they can take a big bite out of the resources needed to deliver content to visitors, which could slow your site down at an inopportune time. For larger sites, some of the MySQL queries can even take your site offline. Backup plugins also often create large files which can unnecessarily fill up a site’s allotted disk space.

Examples of unsupported Backup plugins:

If you’d like to keep your own backups in addition to the ones we keep, we recommend requesting a downloaded backup from your hosting dashboard.


If you want to create secondary backups in addition to our Pro Hosting Package nightly backup, try choosing a plugin that allows you to store backups offsite, like VaultPress. Your site’s performance will still take a hit while the process is running, but you can store backups in cloud storage which won’t affect your Pro Hosting Package storage.

Caching/Performance plugins

Our Pro Hosting Package handles caching at the server level, eliminating the need for caching plugins. Server-side caching is significantly more efficient and scalable than any plugin-based caching since it doesn’t rely on PHP. In addition, caching plugins run the risk of interfering with server-side caching, resulting in uncached server requests and degraded performance.

In addition, plugin-based caching solutions tend to cause issues when used in tandem with our Pro Hosting Package features that move or duplicate sites, including site blueprints, cloning, and staging.

Examples of unsupported caching/performance plugins:


Some caching plugins also handle other tasks, like JavaScript and CSS file minification and concatenation. W3 Total Cache is among these, as is WP Rocket. These are tasks that are ideally handled during site development, but if you would prefer to use a plugin, that’s ok too. We just recommend not using the caching features of the plugins and leaving that to our servers instead.

Security plugins

Our Pro Hosting Package servers are configured specifically with WordPress security best practices. We help prevent brute force attacks, lock down core WordPress files (including xmlrpc.php), and take many other security measures for you.

Security plugins may provide additional features, but in many cases can slow down sites by over-utilizing server resources, interfering with our Pro Hosting Package’s caching, bloating the site’s database, and/or interfering with our native security software.

While we discourage the use of these plugins, we don’t block them – you are able to install any security plugin you like. That said, we have found these plugins, in particular, can degrade performance:


We provide a solid baseline of security for all sites in our Pro Hosting Package. For customers who want to go the extra mile, we always recommend keeping all plugins and themes up to date as older code has had more time to get cracked by the bad guys. Additionally, hiding your WordPress login, requiring a CAPTCHA or single-sign-on, having strong usernames and passwords all will help keep your site safe from the unsavory types on the web.

Related Post Plugins

In general, if you aren’t manually assigning related posts, any plugin that is automatically showing related posts is going to be doing so via a barrage of MySQL queries that happen on each and every page load. The end result is often a devastating hit on your site’s performance and substantial damage to your database.

Examples of unsupported Related Posts plugins:


Since crawling over all your posts and establishing connections automatically requires some a lot of horsepower, we’d recommend one of these external related post services to perform the same function without the performance consequences.



Like some of the other listed plugin categories here, the ongoing jobs run by these plugins can be really taxing on your server and steal resources that your visitors need to view your site in a timely fashion.

Examples of unsupported Link Checker plugins:


For most users, checking broken links is only needed for one-off audits. For this, we recommend an external service like Free Broken Link Checker which will crawl your site for broken links.

Plugins with known issues

  • When SMTP email plugins are installed, in most cases emails will no longer be routed through Flywheel’s mail servers. While most users can manage their own outgoing mail without issue, Flywheel support is not able to troubleshoot SMTP plugins. Ask us for more information on email limitations.
  • Any plugin that specifically modifies .htaccess will not work within our Pro Hosting Package, since .htaccess is an Apache file and we run NGINX.
  • Similarly, any plugin that needs to write to the wp-config.php file will be unable to do so, although in most cases you can contact support and we’ll be happy to work with you to put whatever you need in place.
  • Any plugin that still requires access to xmlrpc.php, since we block that file by default in our Pro Hosting Packages. (XML-RPC is  vulnerable to abuse, and rarely used by most plugins and themes, since it’s generally considered an outdated way of doing things.)
    • Note that the popular WordPress plugin Jetpack does require access to xmlrpc.php; however, we’re not currently aware of any issues Jetpack has with our block. If you run into troubles with your Jetpack plugin or connection and you’ve tried everything else, please let our support team know and we’ll be happy to help.

Other things to watch out for

The TimThumb image resizing script is embedded in lots of older themes and plugins built from about 2000–2014, but it is no longer supported or updated, so it’s a vulnerability. Besides, it tends to break things in our Pro Hosting Packages anyway. 

Along with TimThumb, Sucuri reports that outdated versions of Gravity Forms and RevSlider contribute to a high number of security incidents and vulnerabilities with WordPress sites. This is largely because these plugins are frequently embedded in themes and aren’t updated. As long as your theme is kept up-to-date and you are running the latest versions of these plugins, you shouldn’t have issues, but it’s worth double-checking.

Note that certain plugins run database queries to work, and these interfere with caching, which will slow down a site. These include (but are not limited to) Broken Link Checker (which also doesn’t play well with Staging/cloning) and some “related posts” plugins.


We take this issue very seriously and try our best to strike a balance between freedom, security, and performance. If you have any issues, we’re happy to work with you to figure out the best solution for your site!

This is by no means an exhaustive list, but gives you a sense for the types of plugins that we strongly discourage and/or don’t allow. If you have any questions about a particular plugin and whether it is allowed, don’t hesitate to contact support.

Sending email through your Pro Hosted site?

While our Pro Hosting Packages manage many parts of your website hosting, default E-Mail functionality is limited. Emails such as password resets, will not typically have any issues. However, for robust email functionality, monitoring and scalability, we highly suggest utilizing a 3rd party email host.

This guide will explain email limits, why we impose them, and how to ensure your website can successfully send emails.

Email Limits

We want to focus on what we’re great at; providing our customers with fast and secure premium WordPress hosting. Offloading email campaigns and blasts to an external service will help protect the security and performance of the server your site is using. While it’s possible we could add full email services; we’d rather refer that business to other providers who focus on being great at it.

Our Pro Hosting Package imposes daily email limits to ensure that sites aren’t sending out massive spam campaigns, but are still enough to support site functions such as password resets and form submissions. In order to prevent abuse of this limit, we do not publish the exact amount.

The limit is enough to send a functional amount of emails such as password resets, but will not support a full email campaign. For robust email functionality, monitoring and scalability, we highly suggest customers utilize a 3rd Party email host such as Gmail or MailChimp which have their own email API.

There are several reasons why:

  1. If any emails sent are flagged as spam, this is reflected back on your IP address. Standard emails generated via WordPress are sent from our IP infrastructure (think “password reset”). If those IP addresses ever get blocklisted for spam, it will adversely affect a large number of customers.
  2. When you send an email blast, you also want to ensure deliverability and tracking. An email host specializes in monitoring and logging email transactions on your behalf. Tracking IP addresses to make sure emails reach their destination is part of their business, just like managing the scalability of your high-traffic WordPress sites is ours.
  3. Default WordPress emails are generated by a command-line service. The service generating these emails is generic and doesn’t actually allow us to manage and ensure deliverability. Rather than sending system emails on the server with that basic software, we also use a 3rd party managed SMTP provider. This ensures a high level of deliverability and consistency, even for WordPress system emails. Those little details make a big difference for the sites you choose to host with us.

Our Pro Hosting Package servers are not optimized for sending mail. This means we do not have logs or monitoring available if you experience issues with emails not sending correctly. More robust logging, spam control, and scalability can only come from a true email host.

Recommended Email Hosts

We typically recommend using a 3rd party transactional mail provider such as MailgunGmail, or Sendinblue. These services allow you to send emails from a specialized mail IP and will include a higher level of customization, such as more robust logging.

If you need to send an email blast, you also want to ensure deliverability. Companies like MailChimpMandrillSendinblue, and Constant Contact spend a great deal of time and resources managing their mail IPs. Ensuring email deliverability is one of their top priorities, just like managing your website performance is one of ours.

Email Ports

Our Pro Hosting Package’s infrastructure providers (Google) do not allow mail to be sent over port 25. Any 3rd party provider must support sending emails over alternate ports or via an API.

  • Ports 587 and 465 are allowed
  • Microsoft Office 365 can only use port 587

Spam filtering and email integrity

All outgoing mail from your sites passes through a spam filtering system that looks for key signs of malicious activity before it’s ever sent on to our partner email servers. These include malicious links, spoofed FROM or CC addresses, and more.

Additionally, we set daily email limits for each site to ensure that they aren’t sending out massive spam campaigns. A highly unusual spike in emails in a short period of time will automatically trigger a temporary shutdown on email sending from the site. Our agents will then investigate to see if the outgoing mail is indeed suspicious.

Our Pro Hosting Package’s built-in layers of site security already provide a baseline level of protection as well by preventing many of the popular attack methods employed by malware authors.


If you expect a spike in email, or are having trouble with site emails being sent, be sure to contact Support as soon as possible. We’ll be happy to work with you to make sure things continue running as smoothly as possible.

Recommended security steps

Protect Your Forms

Malware authors love unsecured contact and comment forms. If you’ve set up email notifications on your site for new form entries or comments, it’s possible that some spam links or suspicious data could be headed from your site to your inbox. For that reason, we highly recommend the use of CAPTCHA fields to make submitters prove that they are, in fact, not robots.

Another additional method is employing a hidden honeypot field that automated bots will complete, but actual human traffic will not. Many popular WordPress form-builders offer a honeypot functionality as a core feature or as an add-on service.

Set up an external mail service for your site

If sending a high volume of automated emails from inside WordPress is a core function of your site, you might want to look into dedicated 3rd-party solutions for site mail. Penguin Hosting recommends both Mailchimp (for email campaigns) and Sendgrid for external mail delivery.

An email host dedicated to sending mail for your site will be less susceptible to email blocklists. Additionally, email providers often have a dashboard where various metrics and reporting can be observed, providing insight into your campaigns.