WP Engine Platform Security
WP Engine provides enterprise-grade security at the hosting infrastructure level, complementing the application-level security from WP Simple Firewall.
SSL / TLS
- All traffic is served over HTTPS only
- SSL certificates are managed by WP Engine (Let's Encrypt, auto-renewed)
- HSTS (HTTP Strict Transport Security) headers are set to enforce HTTPS
WP Engine Firewall
- Proprietary WAF at the network edge blocks common web attacks before they reach PHP/WordPress
- Rules updated regularly by WP Engine's security team
DDoS Protection
- Distributed denial of service mitigation built into WP Engine's infrastructure
- No additional configuration required
Malware Scanning
- Automated scanning of WordPress files for malware signatures
- Alerts sent to the registered account email
- Infected files can be quarantined or restored from backup via the WP Engine portal
Backups & Recovery
- Daily automated backups retained for 30 days
- Backups include files and database
- Point-in-time restore available from the WP Engine portal
- Manual on-demand backups before major deployments: WP Engine portal → Backup Points → Create Backup
User Access Control
- Limit WP Engine portal access to authorised team members only
- Use 2FA on the WP Engine portal for admin users
- Review SSH/SFTP user access periodically
Recommended Security Checklist
- 2FA enabled on WP Engine portal accounts
- WordPress admin accounts use strong passwords + 2FA (via Shield Security)
- Plugin and theme updates reviewed monthly
- Database user has minimum required privileges
- wp-config.php not accessible from the web (deny from all in .htaccess or Nginx)
- Debug mode (WP_DEBUG) is false in production
- File editor disabled in production (define('DISALLOW_FILE_EDIT', true))
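
An added example, not WP Engine's or any plugin's own code: a Python check for the checklist's two wp-config.php constants, run on constructed sample files. The function names and sample contents are assumptions; a quoted 'false' is reported as enabled because PHP treats a non-empty string as true.

```python
import re

# define('NAME', value); the function name is case-insensitive in PHP
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.I)

def strip_comments(src):
    """Drop /* */ blocks and //, # comments that start a line or follow a space."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(^|[ \t])(//|#).*$", "", src)

def literal_truth(raw):
    """PHP truthiness of a simple literal, or None for any other expression."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] in "'\"" and raw[-1] == raw[0]:
        return raw[1:-1] not in ("", "0")  # 'false' is a non-empty string: truthy
    if raw.lower() in ("true", "false", "null"):
        return raw.lower() == "true"
    if raw.isdigit():
        return int(raw) != 0
    return None

def audit(src):
    """Check the two wp-config.php items; unknown expressions fail closed."""
    consts = {}
    for name, raw in DEFINE_RE.findall(strip_comments(src)):
        consts.setdefault(name, raw)  # PHP keeps the first define() of a name
    # An undefined constant counts as false: debug off, file editor still enabled
    debug = literal_truth(consts["WP_DEBUG"]) if "WP_DEBUG" in consts else False
    edit = literal_truth(consts["DISALLOW_FILE_EDIT"]) if "DISALLOW_FILE_EDIT" in consts else False
    return {"wp_debug_off": debug is False, "file_editor_disabled": edit is True}

# Constructed sample files, not taken from any real site
WEAK = """<?php
// define('WP_DEBUG', false);
define( 'WP_DEBUG', 'false' );   // quoted, so PHP sees a truthy string
/* define('DISALLOW_FILE_EDIT', true); */
define('WP_HOME', 'https://example.com');
"""
HARDENED = """<?php
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_EDIT', false);  // ignored: constant already defined
"""

if __name__ == "__main__":
    for label, src in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(src))
```

Values that are not plain literals, such as a getenv() call, fail both checks and need a manual look.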