Enterprise-grade WordPress security
WordPress VIP offers the highest level of WordPress security. Built with multiple levels of security controls and protection—including edge protection, secure networking, robust access controls, continuous security monitoring, and code scanning—WordPress VIP meets the most exacting security requirements. That’s why it is trusted by customers in industries such as banking, pharmaceuticals, public utilities, and government. It is the only WordPress platform to achieve FedRAMPⓇ Authority to Operate (ATO).
Data centers meet SSAE 18 SOC 1 and SSAE SOC 2 certifications
EU-U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework Compliant
WordPress VIP addresses one of the biggest challenges in WordPress security: keeping all platform code secure and up-to-date. We help manage necessary components and respond to and patch issues.
We monitor regular security patches for WordPress. Because WordPress VIP is managed by active members of the WordPress community, when an issue arises, we immediately patch it ahead of the fix getting pushed to WordPress core code.
We perform regular internal security testing and engage with third parties to perform platform vulnerability assessments.
We continuously test our infrastructure for vulnerabilities and routinely engage independent third parties to run penetration tests against our platform.
Code and plugins scans
We use a bot to scan code, plugins, and themes as part of pull requests created in an application’s GitHub repository. This can help identify potential security concerns before code goes into production.
Logging and auditing
We log activity at the application, web server, load balancer, database, and operating system layers. This allows us to analyze and investigate security issues in real-time.
We enable you to easily filter out spam from user submitted content using our Akismet anti-spam API.
Application code is deployed through Kubernetes to Docker containers from version control onto a read-only file system, ensuring changes are only possible via the developer workflow.
We alert all customers of upcoming WordPress updates and make sure you are on the latest version of the platform.
“We’re really pleased with WordPress VIP’s commitment to cybersecurity and the way [it] stores [its] data and all the various checks and balances to keep somebody from being able to get access to our site.”Lead UX designer
WordPress VIP provides security throughout your network. From edge security to protection of data in transit between components, WordPress VIP ensures secure communications.
We have network-wide DDoS protection features to help you get the performance you need. We continuously monitor web traffic and take active mitigation steps when suspicious activity is detected.
Our platform includes network and host-based firewalls with real-time notification processes designed to prevent unauthorized access attempts.
Secure inter-component communication
Using a dynamic environment firewall we ensure the resources for your environments are secured and available only to legitimate network traffic.
With WordPress VIP, every piece of your infrastructure is your own. Using containerization across each piece of the environment, we protect each customer’s data and reduce the risk of attack.
We maintain separate containerized database infrastructure for every client and application, each with their own unique authentication. This mitigates the risk of unauthorized access between applications.
File system security
We run all web application containers and file systems holding uploaded media in read-only mode. This helps protect applications on the platform against common attacks that allow installation of backdoor shells and other malicious files, delivering the highest level of WordPress security.
We maintain containerized instances of the WordPress application and Node.js applications, each with processes, memory, and file system. This improves the security of both WordPress and Node.js application environments.
Data center security
Our origin data centers meet the International Organization of Standardization (ISO), International Electrotechnical Commission (IEC) 27001 certification, Standards for Attestation Engagements (SSAE) No. 18 (SOC1) and SOC2 Type 2.
Production database backups are taken each hour and maintained for 30 days, stored in an encrypted format to ensure data continuity while maintaining security.
Our platform automates procurement and renewal of TLS certificates from Let’s Encrypt, ensuring certificates are always valid. Customers may also procure their own certificates from any TLS certificate authority.
Access and authentication
WordPress VIP is built on a robust foundation of granular access controls and permissions.
We enable granular access controls to give you the maximum ability to limit permissions and resources to only those employees or contractors that need them.
We fully support multifactor authentication to provide an extra layer of protection in case a password is compromised.
Brute force protection
We automatically detect brute force attacks at the network level, monitoring for unnatural behavior and dynamically applying restrictions.
Customer data access
When we perform operations such as reviewing code or troubleshooting issues, access to customer data is strictly controlled to those employees performing such activities—and internal access is logged for an audit trail.
Our data center equipment is housed in dedicated cages to separate our physical infrastructure from other tenants. Access is limited and is subject to ongoing surveillance reviews.
While WordPress VIP delivers the highest level of WordPress security, in the unlikely event of a breach, we help you quickly recover and get back to business.
Multiple levels of backup
We maintain hourly backups of data both within our origin datacenter and at offsite locations to ensure rapid recovery from any issue.
Disaster recovery procedures
We maintain emergency and contingency plans, including redundant storage and procedures for recovering data. These help reconstruct data in its original or last-replicated state before the moment it was lost.
Security breach procedures
If we discover a security breach involving your site data, we will, except to the extent prohibited by applicable law, notify you of any third-party legal processes received by us relating to the breach, and cooperate with you in investigating and remedying the breach.