← ServerPilot Docs

ServerPilot Security

ServerPilot is designed to keep your servers secure and your data safe.

Our team has a strong security background. Security research published by our team members includes identifying vulnerabilities in Linux package managers, designing secure software update systems, and securing browsers against CSRF exploits. If you have security questions or encounter any issues, please contact us.

Your Servers

ServerPilot uses the most advanced security architecture of any control panel to ensure the security of your servers.

Software Updates

All servers managed by ServerPilot are configured to be automatically updated with security updates from the Ubuntu security repositories as well as the ServerPilot repositories. These updates are signed with the Ubuntu and ServerPilot GPG keys, respectively.

Code Signing

All ServerPilot code executed on your servers is signed offline with our GPG key. The signature is checked by your server before any code is executed.

Communications

All communication with ServerPilot performed by your servers is done over TLS encrypted connections.

The ServerPilot apt repositories are also served over HTTPS using TLS.

Password

When you set system user passwords or MySQL passwords using ServerPilot, we hash those passwords in the appropriate format and transmit them in hashed format to your server over a TLS encrypted connection.

Firewalls

ServerPilot configures an iptables network firewall on your servers. This firewall only allows TCP ports 22 (SSH), 80 (HTTP), 443 (HTTPS), and UDP port 68 (DHCP).

Public-Facing Web Server

ServerPilot configures Nginx with OpenSSL as the public-facing web server on your server. OpenSSL is used by the majority of the world's HTTPS websites to perform TLS encryption. Nginx is secure against Slowloris attacks due to its use of an event-driven (asynchronous) model rather than being multi-threaded.

Mail

ServerPilot configures the secure postfix mail server on your servers. This mail server is used only for your web applications to send outbound mail. It is not configured to accept mail from outside of your server and the firewall is not opened to allow outside communication with the mail server.

Secure Shell and File Transfer

Your servers are configured with SSH/SFTP for you to access your servers. We do not enable insecure FTP on your servers.

Your Apps and WordPress Sites

Your web applications are only as secure as their code. In the case of WordPress, security is mostly dependent on the plugins and themes you use. You must choose plugins carefully and keep them updated.

Our Systems

We use best practices combined with decades of server and network administration experience to keep our systems secure. Our team includes sysadmins who helped early Amazon and other large companies grow successfully and securely.

Access Control

We use enterprise-grade security to isolate and control access to our internal networks.

Passwords

Your ServerPilot account password is hashed using the industry standard Argon2id. We do not store passwords in plain text.

Credit Cards

We use Stripe and PayPal for credit card and payment processing. Credit card numbers are never transmitted to or stored on our servers.

Launch your first site in 5 minutes