WP Engine’s Security Environment
Strong security measures enable website protection while running your website at peak performance. Understanding the WP Engine security measures will give you the freedom to develop and operate your website within the scope of our secured environment. This document is designed to give you an overview of these security measures and how they may effect your website.
Disk Write Protection
Malicious code can embed itself into a website by writing to the file-system. This occurs when a vulnerability is present in a theme or plugin that leaves the door open for malicious injection. The WP Engine environment limits the processes that can write to disk. So even if you’re using a theme or a plugin with a vulnerability, it is harder for them to be exploited.
Disk Write Limitations
All attempts to write to the disk are logged so that we can identify both malicious and non-malicious code. For a list of disk write privileges that are allowed vs. blocked, please contact Support directly.
Disallowed Plugins
Some plugins may expose a website to vulnerabilities. Most of the time, this is unintentional, but we still have to draw a line in the sand. Our system scanner searches for these plugins and automatically disables them. Besides disabling plugins for security reasons, plugins can also be disallowed for performance reasons. Our comprehensive list of disallowed plugins (along with explanations as to why they are disallowed) can be found here.
Proprietary Firewall
WP Engine uses a proprietary firewall to automatically direct good, bad and malicious traffic. There are a number of checks in place that allow our system to determine which traffic should be allowed, such as real human traffic or search engine crawlers, and which traffic should not, such as malicious activity or scraping bots.
Additionally, WP Engine automatically prevents certain files, file types and directories from being publicly accessible. This includes: .htaccess
, wp-config.php
and debug.log
files, as well as the. _wpeprivate
directory and PHP files located within the wp-content/uploads
directory.
Further information cannot be provided around our firewall, as this can compromise its secure integrity or lead to abuse. If you find unintended traffic is being blocked, or if you would like to block certain traffic, reach out to WP Engine Support.
User Enumeration
Occasionally bots scrape posts for author ID information. We automatically block this type of request on your behalf. The requests that have been blocked will show in your site’s error log as:
Preventing possible attempt to enumerate users
Security Process FAQs
Do you provide a segregated environment (physically or logically) so that each customer’s data is isolated and protected against any unauthorized access? Please describe.
Yes. We offer dedicated environments for customers of various profiles. Our dedicated and Enterprise solutions are fully dedicated environments (which aren’t shared with other WP Engine customers) that don’t share processing power, memory, local storage or other system resources. This facilitates improved reliability and better positions our customers for growth and success.
Dedicated server environments are particularly valuable for websites with high transaction volume, and we’re happy to offer a service that supports demanding WordPress sites.
We still offer enterprise-level service for customers who don’t require fully dedicated hosting environments. For those customers we offer logically separate environments. Attempts to access data outside of allowed directories are prevented and logged.
We offer fully segregated hosting environments for all of our customers, both shared and dedicated.
Are backups maintained such that each customer’s data is kept logically separate from other customer’s data when it is backed up?
Yes, backups are all separate and stored on a different server than your website.
Do you conduct or arrange in-house vulnerability scanning for all infrastructure, servers, databases and applications? Please describe how vulnerability scanning reports are used by your company and how remediation of vulnerabilities occurs.
Reports are processed internally and remedied quickly. Any customer impacting changes are reported on our public status blog, but only after we’ve made the changes to reduce the chance of exposure.
Does your computing environment undergo external penetration testing by an independent, qualified vendor at least once per year? Please describe how penetration testing reports are used by your company and how remediation of vulnerabilities occurs.
Yes. WP Engine contracts with a third party vendor to perform penetration testing. Penetration testing results are formally communicated to WP Engine and remediation plans developed to address items noted within.
Can we (your customer) perform penetration testing of our WordPress installations hosted in your environment?
Please contact us for further information.
Does your data center environment undergo a SSAE-18 examination at least annually?
Yes.
Is all computing equipment located in a physically secure facility, where electronic access controls are used to prevent unauthorized access to computing facilities?
Yes.
Are firewalls configured based on the principle of least privilege, where firewalls only allow approved applications, protocols, and services required to meet business needs?
Yes.
Are intrusion detection or intrusion prevention systems used to monitor and/or protect your network?
Yes.
Do you encrypt backup media?
Yes.
Is data on WP Engine servers encrypted at rest?
Yes. All data on our servers is encrypted at rest and in transit, by default.
Do you conduct or require background screenings for all personnel (employees and contractors) that have access to critical infrastructure, servers, applications, or data?
Yes.
Do you use documented security baselines to harden and secure IT systems? Please describe how you ensure that security baselines are implemented and working effectively.
Yes. Our security firms establish baselines and ensure we are adhering to them. These change over time as new information and processes are put into place.
Do you maintain reasonable security precautions consistent with industry best practices, similar to those documented in standards such as ISO/IEC 27001 Annex A?
Yes, but we do not specifically obtain ISO ISO/IEC 27002 certification.
If an information protection incident was to occur, are you able to provide audit logs to the customer for our review?
Yes, for certain logs (i.e. access logs). That being said, there are certain logs we are unable to share given the sensitivity of the information within.
We will work with you to help determine the nature of the exposure and remediation plans.
Does WP Engine help log any activity in the wp-admin of my website?
Yes. Certain admin activity on your website is logged, for security purposes. See the WP Engine Security Auditor guide for more information.
NEXT STEP: Learn about WP Engine’s platform settings