Getting Started
Deployment- Steps to Minimise or Avoid Downtime When Taking a Website Live
- Automate Permalink Structure with Custom Deployment Script
- Integrating Git for whole site environment
- Create Site (WordPress environment)
- How to clone an existing site on Staq
- How to create a staging site
- How to sync a staging site to production
- How to take a website live (GoLive)
- Go Live with a subdomain
- Switch an existing Staq site to a brand new Staq site
- Customizing Deployment with CLI Commands
- Images broken in Slider Revolution after migration or CDN deployment
- Smart Slider images are broken after taking my website live
- Do you support Multi-Sites?
- Can I migrate a site to Staq using a third-party plugin?
- How to export a website from Staq to your own hosting environment
- Accessing the Old Website or Server Using the Hosts File
- How to migrate a site to Staq
- When a migration fails
- How to create a staging site
- How to sync a staging site to production
- Transitioning Changes from Staging to Live: A Guide to Synced Modifications
- Putting a Live Site back into Dev Mode
Site Management
Backups- Creating Backups
- Restoring a backup
- How to download your backup files
- Why Don’t I See Backups for a Particular Day?
- How our backup system works (comprehensive guide)
- How to setup Client PDF Reports
- Managing Overage Costs and Alerts on Staq
- Organizing Websites with Labels in Staq
- How to Bulk Reset Website Credentials
- Resetting Password Inside Staq Doesn’t Work
- How to Reset Your Password Inside Staq Panel
- One-Click WordPress Login Feature
- Enabling Popups for 1-Click WordPress Access in Supported Browsers
- How to Deactivate or Delete a Plugin Across Multiple Sites
- Update Plugins/Themes: 1-Click to update everything
- Enable automatic plugin and theme updates with regression testing and auto rollback
- How to manually update Plugins/Themes faster using Staq Plugin Manager
- How to install or update Plugins/Themes across all sites (globally)
- How to use Global Plugins to manage plugins at scale
- Convert plugins into Global Plugins with a single click
- How to enable Maintenance Mode
- Installing a plugin on multiple websites at once
- Plugin/Theme Update Status via Email Notification
- Troubleshooting “Update Failed: Download Failed” Error
- Why some plugins may not automatically update
- My Plugins are not updating inside WordPress
- I cannot access the backend of WordPress
- How to Fix “Briefly Unavailable for Scheduled Maintenance” Issue After Site Update
- Failed to Parse the Package Metadata: How to Fix
- How to diagnose when a Global Plugin isn’t updating across your sites
- The uploaded file exceeds the upload_max_filesize directive in php.ini
- Force deactivation of plugin/theme
- How to edit plugins/themes using a file manager editor
- How does regression testing work with Plugin/Theme updates?
- How to install plugin dependencies via Composer?
- Failed to Parse the Package Metadata: How to Fix
- How to setup Bitbucket with Staq (plugin/theme only)
- How to setup Github with Staq (plugin/theme only)
- How to replace “Staq Hosting” plugin inside WordPress with my brand
- Custom SMTP to send automated emails from Staq
Caching & Performance
Caching- Enable/Disable Automatic Cache Clearing
- How to clear the cache for a selected number of pages regularly
- Disable Optimizer tool for certain pages
- How the Staq Cache Preload works
- How to cache a URL with a query string
- Staq Cache – Caching Dynamic Information
- Configure Staq Cache
- How to clear cache of all sites in Staq
- Why Staq cache is the most optimal caching solution to use
- CLI commands for Staq cache
- Disable Staq Cache
- Issues migrating to Staq because of LiteSpeed Cache
- My website design/layout is broken
- How to know when a page is cached and how to diagnose it if it isn’t
- Nonce and Cache TTL
- Fixing “Media Error: Format(s) Not Supported or Source(s) Not Found” on Videos
- How to Optimize Autoloaded Options in WordPress for Better Performance
- Setup Speed Optimization
- How to change the image compression settings
- Disable Optimizer tool for certain pages
- Enhancing Core Web Vitals: What web development processes to change
- Elementor: Maximise PageSpeed Insight scores with these settings
- How to Scale a WordPress Website with Staq
- How to Speed Up the Backend of WordPress & AJAX requests
- How to Increase PHP Workers
- Cost Optimization Strategies
- Assessing Memory and PHP Worker Resources
Security
Security- SendGrid IP Access Management
- Unblocking WordPress REST API Access
- Enabling 2FA for WordPress Sites
- Staq’s Multi-Layer Security Architecture
- Content Security Policy Error: Causes and Solutions
- Enable Multi-Factor Authentication (MFA) on Staq
- How to Change the WP Login URL
- How to enable XML-RPC
- Staq enforces HSTS by default
- How Staq Firewall Blocks Bots Attacking Contact Forms
- How to block a country in the firewall
- Cloudflare 520 or 521 error
- How to stop DDoS attacks
- How to configure the Max Login Attempts (Firewall)
- How we block malicious comments submitted by bots
- Staq’s Multi-Layer Security Architecture
- Service Unavailable / 503 Error code and how to fix
- How to whitelist an IP address
- Staq is blocking my SEO tools with 502 or 503 server errors
- How the Staq Firewall system works
- My website uptime monitoring is showing the website is down but it’s up when I check?
- Why was an IP address blocked by Staq Firewall?
- How to ban an IP Address using Staq Firewall
SMTP, CDN & DNS
SMTP- How to setup SMTP?
- Installing “WP Mail SMTP Pro”
- How to use Gmail as an SMTP service in WordPress
- Diagnosing SMTP / Email Connection, Receiving Emails
- Override Specific SMTP Global Settings
- SendGrid Integration
- Custom SMTP to send automated emails from Staq
- How to setup Staq Traditional CDN
- Enable Next-Gen CDN Instructions
- Increase CDN CloudFront invalidations daily limit
- How to remove the AWS S3 URLs
- Images do not show when I’m logged out
- Exclude Paths from Next-Gen CDN Cache
- Staq Next-Gen CDN vs Traditional CDN vs Cloudflare
- Integrating Cloudflare with Staq
- How to enable Cloudflare CDN on Staq
- Staq Next-Gen CDN vs Traditional CDN vs Cloudflare
- How to disable Cloudflare
- How to stop DDoS attacks
- How to use Cloudflare Proxy with a Staq hosted site
- CDN cache not clearing after changes to plugin/theme
- Is my site loading from AWS CloudFront?
- Staq Next-Gen CDN: One or more CNAME already associated with resource
- CDN issue and how to diagnose and rectify
- ERR_SSL_VERSION_OR_CIPHER_MISMATCH with Cloudflare
- Traditional CDN Failed to Deploy Due to SSL Validation (CAA Error)
- Does Staq sell and manage domain names?
- DNS location and how to add a DNS entry
- Steps to Minimise or Avoid Downtime When Taking a Website Live
- How to Add NS Records for Subdomains on Staq
- DNS is not resolving
- Where you access the A record or NS Record
- How to add Google or Office365 MX records to Staq DNS
- Resolving Localized Issues Caused by Hardcoded IP Addresses in the Hosts File
- TXT record in DNS – CharacterStringTooLong
- How to move the DNS across to Staq when the site is already hosted on Staq
- How to enable instant DNS Propogation
- Switching DNS back to Staq and now the site doesn’t load
- IT company says they want to move DNS away from Staq. What should I say?
Server & Tools
Analytics & Logs- How to track a site’s activity history
- Someone installed/deactivated a plugin. What logs are there?
- Server Logs
- Why Staq Shows More “Human Visitors” Than Google Analytics
- How to check if CRON jobs are working
- How to clear the cache for a selected number of pages regularly
- How to setup a Cron job in Staq
- Resolving the “Missed Schedule” Issue in WordPress
- Import a third-party SQL database over an existing website
- Running SQL queries inside Staq Panel
- How to use Staq Query Tool to diagnose database queries
- Access to phpMyAdmin / database
- SQL query to delete entire WooCommerce products in one hit
- Images broken in Slider Revolution after migration or CDN deployment
- How to do a Search & Replace
- How to download your backup files
- How to debug an issue
- My Website is Slow – How to Debug
- Troubleshooting Import Process Errors in WordPress
- How to Use Staq Debug for Troubleshooting Issues
- Integrating Git for whole site environment
- How to setup Bitbucket with Staq (plugin/theme only)
- How to setup Github with Staq (plugin/theme only)
- How to Increase PHP Workers
- Increasing Server Memory
- How to Increase PHP Max Input Vars Limit
- Increase Max File Upload limit
- The server cannot process the image
- Increase Max Request Timeout
- Does Staq support both PHP 7.4?
- How to downgrade or upgrade to PHP version
- Setup Domain Redirects
- Server Redirects
- SEO 301 Redirect
- How to Handle Regex Redirects with Query Parameters in WordPress
- How to Serve Static HTML Files Alongside Your WordPress Site
- Staq is blocking my SEO tools with 502 or 503 server errors
- Robots.txt file – managing the default file
- Fixing CORS Errors
- 502 Gateway error
- Fixing MIME-Type Errors Preventing Styles and Fonts from Loading
- Service Unavailable / 503 Error code and how to fix
- Server 500 error in browser. How to fix
- 403 Server Error
- Too Many Requests with Error Code 429
- How to fix Access-Control-Allow-Origin issue
- Cloudflare 520 or 521 error
- Troubleshooting Import Process Errors in WordPress
- 504 Gateway Time-out error
- Error 1000 on Cloudflare
- SSL Is Not Generating
- 403 Server Error
- How to add a custom SSL
- ERR_SSL_VERSION_OR_CIPHER_MISMATCH with Cloudflare
- Steps to Minimise or Avoid Downtime When Taking a Website Live
- Error 1000 on Cloudflare
- How SSL Certificates Work on Staq
- How to create a custom SSL certificate
Staq Billing
Staq Billing > Account- How to view invoices (Agency Invoice)
- How to update your credit card (Agency account holder only)
- Invoice breakdown and viewing excess charges
- How to add/update client’s credit card
- How to Resolve “A User with the Specified Email Already Exists” Error
- How to view historical client invoices
- How to create a client and request for credit card details
- Assigning a Client to your agency custom plan
- Amending Your Client’s Details on File
- How to Determine the Reason for a Client’s Payment Failure
- Customise automated emails to your clients
- Adding a custom terms and conditions for your clients (digital agency POV)
- Changing currency when using Staq Billing to charge clients
- Step-by-step instructions in setting up your automated billing to charge your clients hosting fees
Media
Media- How to remove the AWS S3 URLs
- How Images are Served from AWS on Staq
- The server cannot process the image
- Sorry, you are not allowed to upload this file type
- Images broken in Slider Revolution after migration or CDN deployment
- Images do not show when I’m logged out
- Images or PDFs Showing a “404 Not Found” Error
- Troubleshooting Broken WebP Images on Your Staq Hosted Site
- How to disable lazyload
- Image Compression
- How to change the image compression settings
- How to enable automatic WebP image conversion?
- How to regenerate Media Library thumbnails in WordPress
Accounts & Billing
Accounts & Billing- How to unsubscribe or delete or cancel a site in Staq
- Client Transfer
- Does Staq offer annual billing?
- Pricing: How Does Staq Charge?
- Enable Multi-Factor Authentication (MFA) on Staq
- Renaming Your Website in Staq
- Canceling an existing site subscription and assigning it to a new user
- Custom SMTP to send automated emails from Staq
- User Access to Staq Platform
- Cost Optimization Strategies
- Changing the timezone throughout the Staq dashboard
- How to see when dev sites will incur charges
- Enabling Popups for 1-Click WordPress Access in Supported Browsers
- Putting a Live Site back into Dev Mode
General
WordPress Hosting- Do we offer email hosting?
- Is Sage/Roots compatible with Staq?
- Do You Provide Web Hosting to Any Platform or Just WordPress?
- Do You Provide SSH Access?
- Can I run 2 separate WP installs on the same domain?
- How to enable XML-RPC
- Hosted elsewhere (Site no longer hosted on Staq) Message
- Robots.txt file – managing the default file
- Staq Infrastructure Overview
- How to edit the wp-config.php file on Staq
- Do you support Multi-Sites?
- My website design/layout is broken
- Website is down
- How to use Staq Query Tool to diagnose database queries
- How to use Query Monitor plugin
Staq’s Multi-Layer Security Architecture
On this page
Understanding Staq’s Multi-Layer Security Architecture
At Staq, every WordPress site runs on a secure, multi-layered architecture designed to protect your websites from network attacks, malware injections, spam, brute-force attempts, and automated bots.
Security isn’t just a plugin or feature — it’s integrated into every layer of our platform, from the server level down to your WordPress application.
1. AWS Infrastructure Security
All Staq servers are hosted on Amazon Web Services (AWS) inside a Virtual Private Cloud (VPC).
This ensures all components — EC2 servers, RDS databases, Redis ElastiCache, and internal services — operate within a private, isolated network protected by strict Security Group rules.
Key highlights:
- Only required ports (HTTP, HTTPS, Redis, SFTP, etc.) are open.
- Ports like 22 (SSH) and 21 (FTP) are blocked by default at the AWS level.
- SSH and SFTP are only accessible through randomly generated, private ports unique to each server — making them nearly impossible to guess.
- Outbound traffic is tightly controlled, and only trusted communication within the VPC is allowed.
This VPC-based isolation forms the foundation of Staq’s secure environment.
2. Iptables – Operating System-Level Firewall
Every server runs a hardened Linux firewall using iptables, which is the first layer of defense when a request reaches the server.
It filters traffic before it even touches Nginx or PHP, blocking common attack patterns like null packets, XMAS scans, and SYN floods.
Only allowed ports (e.g. HTTP, HTTPS, Redis, SFTP) are accepted — everything else is rejected.
This guarantees that any unauthorized or malformed network traffic is immediately dropped before reaching Nginx.
3. Nginx – Application Gateway Protection
Once a request passes iptables, it reaches Nginx — our web gateway that performs a second layer of filtering.
3.1 Nginx ModSecurity
We use ModSecurity rules to identify and block known web attack signatures such as SQL injection, cross-site scripting (XSS), and request smuggling attempts.
3.2 Bad Bot and Referrer Blocking
After ModSecurity, requests are checked against a dynamic list of bad bots and malicious referrers sourced from the open-source project:
nginx-ultimate-bad-bot-blocker
- This list updates daily.
- Offending requests receive an immediate HTTP 444 response (Nginx silently drops them).
- Known SEO crawlers (e.g. Semrush) are blocked by default, but users can allow them via the “Allow Known SEO Bots” option at either the account or site level by following this guide to enable SEO bots on Staq.
- If an IP is banned by the application firewall (see below), Nginx can also block it directly for efficiency.
Additional Nginx optimizations:
- SSL protocols: TLS 1.2 and TLS 1.3
- Hidden version headers for both Nginx and PHP
- PHP execution disabled inside
wp-content/uploads/ - Blocked access to
wp-login.php(default) to stop brute-force attacks (accessible via/wp-admin) - Optional bot rate limiting to restrict excessive hits from non-verified bots
- Built-in static cache that serves HTML directly from disk, greatly reducing server load during DDoS spikes
4. Staq WAF – PHP-Level Application Firewall
Before WordPress even loads, Staq automatically injects a lightweight, high-performance Web Application Firewall (WAF) at the PHP layer using auto_prepend_file.
This allows us to inspect and block malicious traffic before PHP or WordPress resources are consumed — unlike plugin-based firewalls that run too late.
4.1 Real-Time Rules
Each request is evaluated against multiple rule sets:
- SpoofingRule: Detects IP or header spoofing attempts
- DisallowedURIRule: Blocks access to disallowed URLs or offensive content
- IPBlacklistRule: Checks against an offline CleanTalk database (premium license that Staq subscribes and pays for)
- ServiceBlacklistRule: Blocks known cloud scrapers (e.g. Alibaba, Tencent)
- PageEnumerationRule / UserEnumerationRule: Limits page or user probing activity
4.2 POST Request Scanning
For non-logged-in users submitting forms or comments, the WAF scans the request payload for spam or malicious content:
- FormSpamRule: Filters spam and adult content
- CommentSpamRule: Detects abusive comment submissions
- EmailBlacklistRule: Checks sender emails against the CleanTalk database
All lookups are cached for efficiency, minimizing false positives and overhead.
4.3 Adaptive Intelligence and Rate Limiting
The WAF continuously adapts based on IP history and behavior:
- Known editors/admins or verified bots (e.g. Googlebot) are exempted before being banned.
- If an IP is borderline suspicious, the system may present a reCAPTCHA challenge before enforcing a ban.
- A background process analyses logs every minute to detect patterns such as:
- Repeated requests to sensitive files (
/.env,/wp-config.php, etc.) - High 404 error ratios
- DDoS-like behavior or geographic anomalies (e.g. stricter limits for non-local regions)
- Repeated requests to sensitive files (
When a permanent ban is applied:
- The IP is logged and synced to the Staq dashboard (so you can view, whitelist, or unblock it).
- If required, it is also pushed to iptables for operating-system-level blocking — saving server resources for legitimate users.
- Ban data is securely cached under a hidden folder inside the WordPress app (not publicly visible).
5. WordPress Firewall Rules (MU Plugin)
Beyond the automatic protection, Staq gives users full control at the WordPress level via our MU Plugin.
From the WordPress Admin, users can:
- Ban traffic by IP, IP range, User-Agent, Country, or Hostname
- Define rate limits (e.g. max requests per defined interval)
- Choose whether the ban is strict (server-level block) or soft (user can solve a CAPTCHA to unblock)
- Exclude certain logged-in roles (e.g. allow “Editors” but restrict “Customers”)
Other built-in protections include:
- Login rate limiting with automatic lockouts
- Hidden login pages (renamed from
wp-login.phpby default) - No disclosure of whether a username exists during failed logins
- Disabled XML-RPC and RSS version leaks
- Enforced REST API authentication (with exceptions for public endpoints)
6. Additional Security Enhancements
- SSL Certificates: All sites include free Let’s Encrypt SSL. Certificates are generated automatically as soon as DNS points to the correct IP. Users can also upload custom SSL certificates.
- Secure One-Click Login: From the Staq Dashboard, users can log in to WordPress securely without sharing or remembering passwords.
- Custom Login URL: Users can rename both
wp-login.phpandwp-adminfor additional obfuscation, without needing a separate plugin. - Whitelist IP Addresses accessing login page: You can even whitelist IP addresses that can access the login page only.
- Bot-aware Caching: Static caching synced with Nginx ensures DDoS spikes and invalid bot traffic minimally reach PHP or the database.
7. Server Firewalls Summary
Staq’s multi-layered security stack provides defense in depth — each layer independently reinforces the next:
| Layer | Component | Purpose |
|---|---|---|
| 1 | AWS Security Groups | Isolates services within a private VPC |
| 2 | iptables | Filters bad traffic at the OS level |
| 3 | Nginx + ModSecurity | Blocks known attack patterns and bad bots |
| 4 | Staq WAF (PHP) | Early PHP firewall with intelligent behavioral rules |
| 5 | WordPress Firewall Manager | User-configurable rules and rate limits |
Each site benefits from an adaptive, continuously updated, and performance-focused protection system that stops attacks long before they can reach WordPress.
8. CDN-Level Protection
On top of all server and application security layers, Staq offers built-in CDN integration with both CloudFront (AWS) and Cloudflare.
You can enable and configure these directly from the Staq Dashboard — no technical setup required.
This adds an additional global security layer that filters and absorbs threats before they even reach your Staq server:
- DDoS Mitigation: Large-scale traffic attacks are absorbed by Cloudflare and AWS CloudFront’s edge network.
- WAF at the Edge: Known malicious IPs and attack signatures are blocked automatically at the CDN layer.
- Bot and Spam Protection: Cloudflare’s bot management filters abusive crawlers and scripts.
- Global Anycast Network: Requests are served from the closest location, improving both performance and security.
- Integrated SSL: End-to-end encryption from CDN → Staq → WordPress, ensuring traffic is secure across all layers.
By combining Staq’s firewalls with CDN-level protection, users benefit from a comprehensive, multi-tier defense — from the cloud edge to the application core.
Security White Paper
You can download and share our security white paper.
Need some help?
We all do sometimes. Please reach out to our support team by dropping us a support ticket. We will respond fast.
