WP Engine Support Garage

WP Engine’s Security Environment

Thank you for telling us this article wasn't helpful. So that we may improve and help others in the future, what content should have been included?

Your Comment or Question *

Your Email

captcha

Please Enter The Characters Above *

Strong security measures ensure your website is protected from exploits while your website keeps running at peak performance. Understanding the WP Engine security measures will give you the freedom to develop and operate your website within the scope of our secured environment. This document is designed to give you an overview of these security measures and how they may effect your website.

DISK WRITE PROTECTION:
Malicious code can embed itself into a website by writing to the file-system. This occurs when a vulnerability that leaves the door open for malicious injection is present in a theme or a plugin. The WP Engine environment limits the processes that can write to the disk. So even if you’re using a theme or a plugin with a vulnerability, it is extremely hard for them to be exploited.

DISK WRITE LIMITATIONS:
All attempts to write to the disk are logged so that we can identify both malicious and non-malicious code. If necessary, we can make additional site-by-site allowances for special cases. Should you feel that you require one of the allowances, please contact our support for review.

Disk write privileges are limited to the following things:

  • If you are logged into the WordPress Dashboard, you are able to perform all standard WordPress functions such as writing posts & pages, editing themes, plugins & style sheets and activating & disabling plugins.
  • CAPTCHA plugins and image editing plugins are allowed to write to disk.
  • SFTP users can add, edit, and delete files via a dedicated SFTP client.

DISK WRITE PRIVILEGES:
Disk write privileges are blocked for the following things:

  • Generic PHP code and anything else in that process space that has not been given write privileges.

SCRIPT PROTECTION:
Some frequently used scripts are known to contain vulnerabilities. Our system scans the files structure to identify these scripts. Scripts that are insecure will be disallowed, and ones with an available update will be automatically patched.

  • TimThumb — Older versions of TimThumb are known to contain vulnerabilities. When our system scan identifies an older version, it will automatically update the script. After the upgrade has been completed, the system will notify you by email.
  • Uploadify — Access to this script is blocked due to known security threats. The reasoning behind this was largely informed by this blog post from our partners at Sucuri.

DISALLOWED PLUGINS:
Some plugins expose a website to vulnerabilities. 99.9% of the time, this is unintentional. But we still have to draw a line in the sand. Our system scanner searches for these plugins and automatically disables them. Besides disabling plugins for security reasons, plugins can also be disallowed for performance reasons. Our comprehensive list of disallowed plugins (along with their reasons) can be found here.


The following is a list of FAQs about our security processes.

Do you provide a segregated environment (physically or logically) so that each customer’s data is isolated and protected against any unauthorized access? Please describe.

Yes. Logical separation is achieved through separate filesystem roots for each customer. Both “chroot” and “apparmor” are used to prevent executable code from one customer to access files of another customer. Each customer has a separate MySQL username/password to isolate database access. Attempts to access data outside the tree are prevented and logged.

We also offer physical separation if you desire. This is of course much more expensive because we’re provisioning an entire hardware cluster just for you, but we’ve done it for other customers in the past so it’s not a problem if you have the budget.

Are backup tapes maintained such that each customer’s data is kept logically separate from other customer’s data when it is backed up?

Yes, backups are all separate. Full backups are stored as tarballs on Amazon S3. Customers do not have access.

Do you conduct or arrange in-house vulnerability scanning for all infrastructure, servers, databases and applications, on at least a quarterly basis? Please describe how vulnerability scanning reports are used by your company and how remediation of vulnerabilities occurs.

Yes, both. We have tools and custom scripts in-house for vulnerability scanning, both externally (i.e. through network connections) and internally (i.e. scanning disk and database for known vectors and exploits).

We also contract with well-regarded security firms for auditing and remediation; including Sucuri.

Reports are processed internally and remedied as fast as possible with the assistance of these firms. Any changes are reported on our public status blog, but only after we’ve made the changes to reduce the chance of exposure.

Does your computing environment undergo external penetration testing by an independent, qualified vendor at least once per year? Please describe how penetration testing reports are used by your company and how remediation of vulnerabilities occurs.

Yes, security firms perform external penetration testing. See previous question for details.

Can we (your customer) perform penetration testing of our WordPress installations hosted in your environment?

Please contact us for further information.

Does your data center environment undergo a SAS 70 Type II examination at least annually?

Yes.

Is all computing equipment located in a physically secure facility, where electronic access controls are used to prevent unauthorized access to computing facilities?

Yes. Neither we nor our customers have physical access. This is controlled completely by our hosting providers.

Are firewalls configured based on the principle of least privilege, where firewalls only allow approved applications, protocols, and services required to meet business needs?

Yes.

Are intrusion detection or intrusion prevention systems used to monitor and/or protect your network?

Yes. They are updated monthly, or as-needed.

Do you encrypt backup media?

Yes. We use Amazon S3 for backups, therefore consult their information about encryption for details.

Do you conduct or require background screenings for all personnel (employees and contractors) that have access to critical infrastructure, servers, applications, or data?

Yes.

Do you use documented security baselines to harden and secure IT systems? Please describe how you ensure that security baselines are implemented and working effectively.

Yes. Our security firms establish baselines and ensure we’re adhering to them. These change over time as new information and processes are put into place.

Do you maintain reasonable security precautions consistent with industry best practices, as documented in standards such as ISO/IEC 27002?

Yes, but we do not specifically support ISO ISO/IEC 27002.

Do you maintain detailed audit logs that capture at a minimum a) host name, b) account identifier, c) date and time stamp, d) activity performed, and e) source network address? Are audit logs kept for at least 90 days?

Yes, but audit logs are kept for at most 7 days.

If an information protection incident was to occur, are you able to provide audit logs to the customer for our review?

Yes, for certain logs, especially access logs. There might be some logs which we cannot show you.

We will work with you to help determine the nature of the exposure and what you might want to do to remediate.