I contacted Cloudways in regards to this report to bring this to their attention so that perhaps they could build this into their deployment, since it is basic configuration and not add-ons. They replied with the following:
Thanks for your kind update. The recommendations from the security report you have shared are all possible. I will share the details and the solutions one by one:
1- For Recaptcha, It’s definitely a tool that protects the server from any spamming and other main vulnerabilities and for this you can install a Magento extension to validate your Contact form. Sharing an extension link which you can use:
Magento 2 Google reCaptcha - Invisible reCAPTCHA for Magento 2 – Mageplaza
2- The brute force is specifically mentioned for the /admin page which is usually common for a Magento website. You can definitely update the /admin to some other random name so that it could be saved from any brute force attacks. Sharing a link for your reference:
How to Change a Default Base Magento 2 Admin URL | Get Base Admin URL | Magento Administration | Store Url Not Working
3- For Magento to use /pub as a webroot. This is also possible and easy to set up for the Magento store. Sharing a link for your reference:
How to Change the Web Root of an Application | Cloudways Help Center
Before this, you might need some configurations to be done from the perspective of the application; this has to be updated in the config file:
magento2 - Setting the webroot to the pub/ - Magento Stack Exchange
4- To restrict the application to use a higher TLS version. You can follow this guide:
How to Update the TLS Version | Cloudways Help Center
Let us know if you have any further concerns in this case.
Kind Regards,
Shahzaib Khan
They replied with this information within hours of my providing the .pdf with the report. It is very good to know that their response time on something slightly more serious, and likely less inquired upon, is good.
Just a matter of minutes and I changed the admin URL and the TLS versions. Rescanned and those are gone. I don’t want to install any modules right now, so I’ll leave the reCAPTCHA alone, and I’m not too concerned about the webroot thing right now. If I end up going with Cloudways then I’ll resolve both of those issues.
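Three of the four recommendations in the support reply above (admin URL, /pub webroot, TLS versions) are plain configuration, so they can be checked before a rescan. The script below is an added example, not code from the post, from Cloudways or from Magento; it assumes the site is fronted by nginx, reads a Magento 2 app/etc/env.php fragment and an nginx server block, and reports which of the three points are still in the flagged state. The sample configs are constructed, including the made-up backend name `x7q2_backend`, and the reCAPTCHA item is left out because it is an extension, not a config line.

```python
import re
from typing import List, Optional

# Constructed sample inputs (not taken from the post): a Magento 2
# app/etc/env.php fragment and an nginx server block, first in the default
# state the report flagged, then hardened the way the support reply describes.
WEAK_ENV_PHP = """<?php
return [
    'backend' => [
        'frontName' => 'admin'
    ],
];
"""

WEAK_NGINX = """server {
    listen 443 ssl;
    server_name shop.example.test;
    root /var/www/magento;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Hypothetical hardened values: a non-default admin path, /pub as root,
# and only TLS 1.2/1.3 offered.
HARDENED_ENV_PHP = WEAK_ENV_PHP.replace("'admin'", "'x7q2_backend'")

HARDENED_NGINX = """server {
    listen 443 ssl;
    server_name shop.example.test;
    root /var/www/magento/pub;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

# Protocol versions a scanner will report as weak.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def admin_front_name(env_php: str) -> Optional[str]:
    """Return the backend frontName from env.php, or None if it is absent."""
    m = re.search(r"'frontName'\s*=>\s*'([^']*)'", env_php)
    return m.group(1) if m else None


def document_root(nginx_conf: str) -> Optional[str]:
    """Return the value of the nginx `root` directive, or None if absent."""
    m = re.search(r"^\s*root\s+([^;\s]+)\s*;", nginx_conf, re.MULTILINE)
    return m.group(1) if m else None


def ssl_protocols(nginx_conf: str) -> List[str]:
    """Return the protocol list from `ssl_protocols`, or [] if absent."""
    m = re.search(r"^\s*ssl_protocols\s+([^;]+);", nginx_conf, re.MULTILINE)
    return m.group(1).split() if m else []


def findings(env_php: str, nginx_conf: str) -> List[str]:
    """Check the three configuration points and return ids of the failed ones."""
    issues = []
    front = admin_front_name(env_php)
    if front is None or front.lower() == "admin":
        issues.append("admin-url-default")
    root = document_root(nginx_conf)
    if root is None or not root.rstrip("/").endswith("/pub"):
        issues.append("webroot-not-pub")
    protos = ssl_protocols(nginx_conf)
    # An absent directive falls back to the nginx build default, which varies
    # by version, so it is flagged for explicit review rather than assumed safe.
    if not protos or LEGACY_PROTOCOLS & set(protos):
        issues.append("legacy-tls-enabled")
    return issues


if __name__ == "__main__":
    for label, env, conf in (("weak", WEAK_ENV_PHP, WEAK_NGINX),
                             ("hardened", HARDENED_ENV_PHP, HARDENED_NGINX)):
        print(label, findings(env, conf) or "no findings")
```

On a real install, feed it the contents of app/etc/env.php and the active nginx server block; the weak sample produces all three findings and the hardened sample produces none. The checks are deliberately narrow (a hosting panel that rewrites the vhost, or Apache in front of nginx, would need the equivalent directives looked up), but running them before paying for a rescan catches the case where a config edit did not actually take effect.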