At WP Engine we take security very seriously. We continue to build security measures to ensure our customers are protected against a variety of attack vectors. One large aspect is ensuring our platform, servers, and WordPress versions are up to date and secure. However, security is a hand-in-hand partnership with our customers. Since we leave plugin and theme updates to your discretion, the security of these aspects remains in our customers’ hands.
Security at WP Engine
We have tools and custom processes in-house for vulnerability scanning, both externally and internally. We also partner with well-regarded security firms for auditing and remediation. Reports are processed internally and remedied as fast as possible with assistance from these firms. Any security announcements are reported on our public status blog, but only after we’ve made the necessary changes to reduce any chance of exposure.
Outdated software is the No. 1 cause of malware infections on sites. Most often, if a vulnerability is discovered within a plugin or theme, the developer patches it and releases an update. However, if the update is never applied, your site will remain at risk from these vulnerabilities. As such, it’s very important to keep your site’s plugins and themes up to date, which will ensure they are secure. If a widely-used plugin is discovered to contain vulnerabilities, we will notify our customers via email; the email will list the known affected version(s) and the version(s) that contain the security update.
Scanning & Cleaning
If your site becomes infected with malware while on the WP Engine platform, you should contact Support through your User Portal (my.wpengine.com). We will then follow our internal security procedures to perform a deep level scan and malware cleaning of your site, and report back to you with our results. Keep in mind that these scans take up to 24 hours to complete.
Scope of Support
We understand there are many concerns that come up if one of your sites becomes infected by malware – however, if you have no specific indication that a site has been infected by malware, we will not be able to submit it for a deep level scan and cleaning. If you’re unsure whether your sites have been infected, installing a security plugin such as Sucuri Scanner (https://wordpress.org/plugins/sucuri-scanner/) will help you make this determination.
If a site is migrated to our platform and you are already aware that it has been infected, we would not be able to submit the site for a deep level scan or clean, since this isn’t an infection that happened on our platform. Instead, you can install security plugins to help detect and clean malware, or engage a third party service to help scan and clean the site. Sucuri, a web leader in security, has a free website check tool here: https://sitecheck.sucuri.net/, and they also provide deep level scans and cleaning through their other services: https://sucuri.net/website-antivirus/signup.