WP Engine Products

WordPress Hosting

Boost performance while managing less

WooCommerce Hosting

Build faster and sell more with WooCommerce

Headless WordPress

Build, deploy, and manage headless sites

View More Products

Solutions

Small Businesses

Enterprises

Agencies

eCommerce

View More Solutions

Website Tools

Smart Plugin Manager

Website Tester

Website Monitoring

WordPress Themes and Tools

Local WordPress Development

Featured Plugins

Advanced Custom Fields

Build rich, custom content editing experiences

WP Migrate

Migrate WordPress sites with confidence

WP Offload Media

Offload media assets & serve them lightning fast

WP Offload SES

Improve email send reliability with Amazon SES

View More Recommended Plugins

WordPress Resources

WP Engine Resources

Articles and videos for help with WordPress

WP Engine Help Docs

Guides for site setup & troubleshooting

Free Website Migration

Automated migration plugin & support

Find a WordPress Agency

Need help? Search our agency directory

Stay Connected

WP Engine Blog

Builder Community

Headless Developer Community

Torque Magazine

Velocitize Magazine

Thought Leadership

Velocitize Talks

Erik Posthuma of Aleph-labs on Web3, Cryptocurrency, & More

Podcast

Press This, the WordPress Community Podcast

Study

The World’s First Study of the WordPress Economy

Why WP Engine?

Our Platform Technology

Managed WordPress Hosting

Fast WordPress

Secure WordPress

24/7 WordPress Support

About Us

WP Engine Reviews

How You Win with WP Engine

Build faster, protect your brand, and grow your business with the #1 WordPress platform to power remarkable online experiences.

Learn More

Customer Spotlight

Peak Performance With Headless WordPress

Android Authority increases speed 6x by adopting a headless architecture with a WordPress back-end.

All Case Studies

Contact sales

Call Us

+1-512-273-3906 to talk to a sales expert

Request a Quote

Submit a request for a personalized plan recommendation

Let’s Chat

Customer Support

Support Articles

Billing Help

Password Help

Log In for Support
Easiest Migration Ever!

Need Help Choosing a Plan?

We offer solutions for businesses of all sizes. For questions about our plans and products, contact our team of experts. Get in touch

Support Center
Setup A Site
Account & Features
Platform Information
WordPress Help
Troubleshoot
Browse All

WP Engine’s Security Environment

Last updated on September 1st, 2023

Platformsecurity

Strong security measures enable website protection while running your website at peak performance. Understanding the WP Engine security measures will give you the freedom to develop and operate your website within the scope of our secured WordPress hosting environment. This document is designed to give you an overview of these security measures and how they may effect your website.

Contents hide
1 Disk Write Protection
2 Disk Write Limitations
3 Disallowed Plugins
4 Proprietary Firewall
5 User Enumeration
6 Security Process FAQs

Disk Write Protection

Malicious code can embed itself into a website by writing to the file-system. This occurs when a vulnerability is present in a theme or plugin that leaves the door open for malicious injection. The WP Engine environment limits the processes that can write to disk. So even if you’re using a theme or a plugin with a vulnerability, it is harder for them to be exploited.

Disk Write Limitations

WP Engine employs technologies which only allow writing to certain directories under specific circumstances. For a list of disk write privileges that are allowed vs. blocked, please contact Support directly.

Disallowed Plugins

Some plugins may expose a website to vulnerabilities. Most of the time, this is unintentional, but we still have to draw a line in the sand. Our system scanner searches for these plugins and automatically disables them. Besides disabling plugins for security reasons, plugins can also be disallowed for performance reasons. Our comprehensive list of disallowed plugins (along with explanations as to why they are disallowed) can be found here.

Proprietary Firewall

WP Engine uses a proprietary firewall to automatically direct good, bad, and malicious traffic. There are a number of checks in place that allow our system to determine how we handle traffic. Human traffic takes a higher priority over bot traffic. Although we block known malicious bots, new bots/spiders/crawlers pop up everyday. These bots can be an annoyance and we provide site level functionality within our User Portal to block these requests (such as Web Rules). Our support team is also available 24/7 to answer questions or concerns.

Additionally, WP Engine automatically prevents certain files, file types and directories from being publicly accessible. This includes: .htaccess, wp-config.php and debug.log files, as well as the. _wpeprivate directory and PHP files located within the wp-content/uploads directory.

Further information cannot be provided around our firewall, as this can compromise its secure integrity or lead to abuse. If you find unintended traffic is being blocked, or if you would like to block certain traffic, reach out to WP Engine Support.

User Enumeration

Occasionally bots scrape posts for author ID information. We automatically block this type of request on your behalf. The requests that have been blocked will show in your site’s error log as:

Preventing possible attempt to enumerate users

Security Process FAQs

Do you provide a segregated environment (physically or logically) so that each customer’s data is isolated and protected against any unauthorized access? Please describe.

Yes. We offer dedicated environments for customers of various profiles. Our Premium hosting solutions are fully self-contained environments, not shared with other WP Engine customers. Premium accounts only share processing power, memory, local storage or other system resources with websites on the same account.  This facilitates improved reliability and better positions our customers for growth and success.

Dedicated server environments are particularly valuable for websites with high transaction volume, and we’re happy to offer a service that supports demanding WordPress sites.

We still offer enterprise-level service for customers who don’t require fully dedicated hosting environments. For those customers we offer logically separate environments. Attempts to access data outside of allowed directories are prevented and logged.

We offer fully segregated hosting environments for all of our customers, both shared and Premium.

Are backups maintained such that each customer’s data is kept logically separate from other customer’s data when it is backed up?

Yes, backups are all separate and stored on a different server than your website.

Do you conduct or arrange in-house vulnerability scanning for all infrastructure, servers, databases and applications? Please describe how vulnerability scanning reports are used by your company and how remediation of vulnerabilities occurs.

Reports are processed internally and remedied quickly. Any customer impacting changes are reported on our public status blog, but only after we’ve made the changes to reduce the chance of exposure.

Does your computing environment undergo external penetration testing by an independent, qualified vendor at least once per year? Please describe how penetration testing reports are used by your company and how remediation of vulnerabilities occurs.

Yes. WP Engine contracts with a third party vendor to perform penetration testing.  Penetration testing results are formally communicated to WP Engine and remediation plans developed to address items noted within.

Can we (your customer) perform penetration testing of our WordPress installations hosted in your environment?

Please contact us for further information.

Does your data center environment undergo a SSAE-18 examination at least annually?

Yes.

Is all computing equipment located in a physically secure facility, where electronic access controls are used to prevent unauthorized access to computing facilities?

Yes.

Are firewalls configured based on the principle of least privilege, where firewalls only allow approved applications, protocols, and services required to meet business needs?

Yes.

Are intrusion detection or intrusion prevention systems used to monitor and/or protect your network?

Yes.

Do you encrypt backup media?

Yes.

Is data on WP Engine servers encrypted at rest?

Yes. All data on our servers is encrypted at rest and in transit, by default.

Do you conduct or require background screenings for all personnel (employees and contractors) that have access to critical infrastructure, servers, applications, or data?

Yes.

Do you use documented security baselines to harden and secure IT systems? Please describe how you ensure that security baselines are implemented and working effectively.

Yes. Our security firms establish baselines and ensure we are adhering to them. These change over time as new information and processes are put into place.

Do you maintain reasonable security precautions consistent with industry best practices, similar to those documented in standards such as ISO/IEC 27001 Annex A?

Yes, we are ISO 27001:2013 certified.

If an information protection incident was to occur, are you able to provide audit logs to the customer for our review?

Yes, for certain logs (i.e. access logs). That being said, there are certain logs we are unable to share given the sensitivity of the information within.

We will work with you to help determine the nature of the exposure and remediation plans.

Does WP Engine help log any activity in the wp-admin of my website?

Yes. Certain admin activity on your website is logged, for security purposes.

NEXT STEP: Learn about WP Engine’s platform settings

Automatically update plugins

WP Engine's Smart Plugin Manager keeps your site secure by updating plugins for you. It also uses visual regression to automatically revert to a backup if an update causes issues.

Learn more

Talk to a specialist