What are the details of WP Engine security processes?
The following is a list of FAQs about our security processes.
Do you provide a segregated environment (physically or logically) so that each customer’s data is isolated and protected against any unauthorized access? Please describe.
Yes. Logical separation is achieved through separate filesystem roots for each customer. Both “chroot” and “apparmor” are used to prevent executable code from one customer to access files of another customer. Each customer has a separate MySQL username/password to isolate database access. Attempts to access data outside the tree are prevented and logged.
We also offer physical separation if you desire. This is of course much more expensive because we’re provisioning an entire hardware cluster just for you, but we’ve done it for other customers in the past so it’s not a problem if you have the budget.
Are backup tapes maintained such that each customer’s data is kept logically separate from other customer’s data when it is backed up?
Yes, backups are all separate. Full backups are stored as tarballs on Amazon S3. Customers do not have access.
Do you conduct or arrange in-house vulnerability scanning for all infrastructure, servers, databases and applications, on at least a quarterly basis? Please describe how vulnerability scanning reports are used by your company and how remediation of vulnerabilities occurs.
Yes, both. We have tools and custom scripts in-house for vulnerability scanning, both externally (i.e. through network connections) and internally (i.e. scanning disk and database for known vectors and exploits).
We also contract with two separate, well-regarded security firms for auditing and remediation: SecTheory and Sucuri.
Reports are processed internally and remedied as fast as possible with the assistance of these firms. Any changes are reported on our public status blog, but only after we’ve made the changes to reduce the chance of exposure.
Does your computing environment undergo external penetration testing by an independent, qualified vendor at least once per year? Please describe how penetration testing reports are used by your company and how remediation of vulnerabilities occurs.
Yes, both SecTheory and Sucuri perform external penetration testing. See previous question for details.
Can we (your customer) perform penetration testing of our WordPress installations hosted in your environment?
Yes. We ask that you coordinate with us so we don’t incorrectly think it’s an attack.
Does your data center environment undergo a SAS 70 Type II examination at least annually?
Is all computing equipment located in a physically secure facility, where electronic access controls are used to prevent unauthorized access to computing facilities?
Yes. Neither we nor our customers have physical access. This is controlled completely by our hosting providers.
Are firewalls configured based on the principle of least privilege, where firewalls only allow approved applications, protocols, and services required to meet business needs?
Are intrusion detection or intrusion prevention systems used to monitor and/or protect your network?
Yes. They are updated monthly, or as-needed.
Do you encrypt backup media?
Yes. We use Amazon S3 for backups, therefore consult their information about encryption for details.
Do you conduct or require background screenings for all personnel (employees and contractors) that have access to critical infrastructure, servers, applications, or data?
Do you use documented security baselines to harden and secure IT systems? Please describe how you ensure that security baselines are implemented and working effectively.
Yes. Our security consultants (SecTheory and Sucuri) establish baselines and ensure we’re adhering to them. These change over time as new information and processes are put into place.
Do you maintain reasonable security precautions consistent with industry best practices, as documented in standards such as ISO/IEC 27002?
Yes, but we do not specifically support ISO ISO/IEC 27002.
Do you maintain detailed audit logs that capture at a minimum a) host name, b) account identifier, c) date and time stamp, d) activity performed, and e) source network address? Are audit logs kept for at least 90 days?
Yes, but audit logs are kept for at most 7 days.
If an information protection incident was to occur, are you able to provide audit logs to the customer for our review?
Yes, for certain logs, especially access logs. There might be some logs which we cannot show you.
We will work with you to help determine the nature of the exposure and what you might want to do to remediate.