WP Engine’s Security Environment

Strong security measures enable website protection while running your website at peak performance. Understanding the WP Engine security measures will give you the freedom to develop and operate your website within the scope of our secured hosting for WordPress environment. This document is designed to give you an overview of these security measures and how they may effect your website.

NOTE

WP Engine has a SOC2 Type II, SOC3 reports, and an ISO 27001:2013 certification available. Please reach out to your Account Manager or WP Engine Sales for more information.


Disk Write Protection

Malicious code can embed itself into a website by writing to the file-system. This occurs when a vulnerability is present in a theme or plugin that leaves the door open for malicious injection. The WP Engine environment limits the processes that can write to disk. So even if you’re using a theme or a plugin with a vulnerability, it is harder for them to be exploited.


Disk Write Limitations

WP Engine employs technologies which only allow writing to certain directories under specific circumstances. For more details about disk write privileges, please contact Support directly.


Disallowed Plugins

Some plugins may expose a website to vulnerabilities. Most of the time, this is unintentional, but we still have to draw a line in the sand. Our system scanner searches for these plugins and automatically disables them. Besides disabling plugins for security reasons, plugins can also be disallowed for performance reasons. Our comprehensive list of disallowed plugins (along with explanations as to why they are disallowed) can be found here.


Proprietary Firewall

WP Engine uses a proprietary firewall to automatically direct good, bad, and malicious traffic. There are a number of checks in place that allow our system to determine how we handle traffic. Human traffic takes a higher priority over bot traffic. Although we block known malicious bots, new bots/spiders/crawlers pop up everyday. These bots can be an annoyance and we provide site level functionality within our User Portal to block these requests (such as Web Rules). Our support team is also available 24/7 to answer questions or concerns.

Additionally, WP Engine automatically prevents certain files, file types and directories from being publicly accessible. This includes: .htaccess, wp-config.php and debug.log files, as well as the. _wpeprivate directory and PHP files located within the wp-content/uploads directory.

Further information cannot be provided around our firewall, as this can compromise its secure integrity or lead to abuse. If you find unintended traffic is being blocked, or if you would like to block certain traffic, reach out to WP Engine Support.


User Enumeration

Occasionally bots scrape posts for author ID information. We automatically block this type of request on your behalf. The requests that have been blocked will show in your site’s error log as:

Preventing possible attempt to enumerate users

Security Process FAQs

Do you provide a segregated environment (physically or logically) so that each customer’s data is isolated and protected against any unauthorized access? Please describe.

Yes. We offer dedicated environments for customers of various profiles. Our Premium hosting solutions are fully self-contained environments, not shared with other WP Engine customers. Premium accounts only share processing power, memory, local storage or other system resources with websites on the same account.  This facilitates improved reliability and better positions our customers for growth and success.

Dedicated server environments are particularly valuable for websites with high transaction volume, and we’re happy to offer a service that supports demanding WordPress sites.

We still offer enterprise-level service for customers who don’t require fully dedicated hosting environments. For those customers we offer logically separate environments. Attempts to access data outside of allowed directories are prevented and logged.

We offer fully segregated hosting environments for all of our customers, both shared and Premium.

Are backups maintained such that each customer’s data is kept logically separate from other customer’s data when it is backed up?

Yes, backups are all separate and stored on a different server than your website.

Do you conduct or arrange in-house vulnerability scanning for all infrastructure, servers, databases and applications? Please describe how vulnerability scanning reports are used by your company and how remediation of vulnerabilities occurs.

Reports are processed internally and remedied quickly. Any customer impacting changes are reported on our public status blog, but only after we’ve made the changes to reduce the chance of exposure.

Does your computing environment undergo external penetration testing by an independent, qualified vendor at least once per year? Please describe how penetration testing reports are used by your company and how remediation of vulnerabilities occurs.

Yes. WP Engine contracts with a third party vendor to perform penetration testing.  Penetration testing results are formally communicated to WP Engine and remediation plans developed to address items noted within.

Can we (your customer) perform penetration testing of our WordPress installations hosted in your environment?

Please contact us for further information.

Does your data center environment undergo a SSAE-18 examination at least annually?

Yes.

Is all computing equipment located in a physically secure facility, where electronic access controls are used to prevent unauthorized access to computing facilities?

Yes.

Are firewalls configured based on the principle of least privilege, where firewalls only allow approved applications, protocols, and services required to meet business needs?

Yes.

Are intrusion detection or intrusion prevention systems used to monitor and/or protect your network?

Yes.

Do you encrypt backup media?

Yes.

Is data on WP Engine servers encrypted at rest?

Yes. All data on our servers is encrypted at rest and in transit, by default.

Do you conduct or require background screenings for all personnel (employees and contractors) that have access to critical infrastructure, servers, applications, or data?

Yes.

Do you use documented security baselines to harden and secure IT systems? Please describe how you ensure that security baselines are implemented and working effectively.

Yes. Our security firms establish baselines and ensure we are adhering to them. These change over time as new information and processes are put into place.

Do you maintain reasonable security precautions consistent with industry best practices, similar to those documented in standards such as ISO/IEC 27001 Annex A?

Yes, we are ISO 27001:2013 certified.

If an information protection incident was to occur, are you able to provide audit logs to the customer for our review?

Yes, for certain logs (i.e. access logs). That being said, there are certain logs we are unable to share given the sensitivity of the information within.

We will work with you to help determine the nature of the exposure and remediation plans.

Does WP Engine help log any activity in the wp-admin of my website?

Yes. Certain admin activity on your website is logged, for security purposes.


NEXT STEP: Learn about WP Engine’s platform settings

Automatically update plugins

WP Engine's Smart Plugin Manager keeps your site secure by updating plugins for you. It also uses visual regression to automatically revert to a backup if an update causes issues.