Strong security measures protect your website from exploits while keeping it running at peak performance. Understanding the WP Engine security measures gives you the freedom to develop and operate your website within the scope of our secured environment. This document is designed to give you an overview of these security measures and how they may affect your website.
DISK WRITE PROTECTION:
Malicious code can embed itself into a website by writing to the file system. This occurs when a theme or plugin contains a vulnerability that leaves the door open for malicious injection. The WP Engine environment limits the processes that can write to the disk, so even if you’re using a theme or plugin with a vulnerability, it is extremely hard to exploit.
DISK WRITE LIMITATIONS:
All attempts to write to the disk are logged so that we can identify both malicious and non-malicious code. If necessary, we can make additional site-by-site allowances for special cases. Should you feel that you require one of the allowances, please contact our support for review.
Disk write privileges are limited to the following things:
- If you are logged into the WordPress Dashboard, you are able to perform all standard WordPress functions such as writing posts & pages, editing themes, plugins & style sheets and activating & disabling plugins.
- CAPTCHA plugins and image editing plugins are allowed to write to disk.
- SFTP users can add, edit, and delete files via a dedicated SFTP client.
DISK WRITE PRIVILEGES:
Disk write privileges are blocked for the following things:
- Generic PHP code and anything else in that process space that has not been given write privileges.
Some frequently used scripts are known to contain vulnerabilities. Our system scans the file structure to identify these scripts. Scripts that are insecure will be disallowed, and ones with an available update will be automatically patched.
- TimThumb — Older versions of TimThumb are known to contain vulnerabilities. When our system scan identifies an older version, it will automatically update the script. After the upgrade has been completed, the system will notify you by email.
- Uploadify — Access to this script is blocked due to known security threats. The reasoning behind this was largely informed by this blog post from our partners at Sucuri.
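As an added illustration of the kind of check described above for TimThumb (example code written for this page, not WP Engine's scanner), the script below walks a WordPress tree, recognises TimThumb copies by their `define('VERSION', ...)` line, and flags any below a threshold. The `MIN_SAFE_VERSION` value, the `"TimThumb"` marker used to recognise the file, and the sample sources are assumptions constructed for the example.

```python
"""Find outdated TimThumb copies under a WordPress tree (added example).

Assumption: TimThumb declares its version with a define('VERSION', 'x.y.z')
line and mentions "TimThumb" in its header. MIN_SAFE_VERSION is a placeholder.
"""
import os
import re
from typing import Iterator, Optional, Tuple

VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]")
MIN_SAFE_VERSION = "2.8.14"  # placeholder threshold, set to the release you accept


def parse_version(text: str) -> Optional[str]:
    """Return the VERSION string declared in a TimThumb source, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '2.8.14' into (2, 8, 14) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def is_outdated(text: str, minimum: str = MIN_SAFE_VERSION) -> bool:
    """True when the source is TimThumb and older than `minimum`.
    A TimThumb file with no parseable version is treated as outdated."""
    if "TimThumb" not in text:
        return False
    v = parse_version(text)
    return v is None or version_tuple(v) < version_tuple(minimum)


def scan_tree(root: str) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (path, declared_version) for every outdated TimThumb under root."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if is_outdated(text):
                yield path, parse_version(text)


# Constructed sample sources (not real TimThumb files).
OLD_SAMPLE = "<?php\n/* TimThumb script */\ndefine ('VERSION', '1.32');\n"
NEW_SAMPLE = "<?php\n/* TimThumb script */\ndefine ('VERSION', '2.8.14');\n"

if __name__ == "__main__":
    for path, ver in scan_tree("."):
        print(f"outdated TimThumb {ver or 'unknown'}: {path}")
```

Run it from the document root to list affected files; a declared version that is missing or lower than the threshold is reported, while unrelated PHP files are ignored.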
Some plugins expose a website to vulnerabilities. 99.9% of the time, this is unintentional. But we still have to draw a line in the sand. Our system scanner searches for these plugins and automatically disables them. Besides disabling plugins for security reasons, plugins can also be disallowed for performance reasons. Our comprehensive list of disallowed plugins (along with their reasons) can be found here.