The following is a list of FAQs about the WP Engine security processes.

Do you provide a segregated environment (physically or logically) so that each customer’s data is isolated and protected against any unauthorized access? Please describe.

Yes. Logical separation is achieved through separate filesystem roots for each customer. Both “chroot” and “apparmor” are used to prevent executable code from one customer to access files of another customer. Each customer has a separate MySQL username/password to isolate database access. Attempts to access data outside the tree are prevented and logged.

We also offer physical separation if you desire. This is of course much more expensive because we’re provisioning an entire hardware cluster just for you, but we’ve done it for other customers in the past so it’s not a problem if you have the budget.

Are backup tapes maintained such that each customer’s data is kept logically separate from other customer’s data when it is backed up?

Yes, backups are all separate. Full backups are stored as tarballs on Amazon S3. Customers do not have access.

Do you conduct or arrange in-house vulnerability scanning for all infrastructure, servers, databases and applications, on at least a quarterly basis? Please describe how vulnerability scanning reports are used by your company and how remediation of vulnerabilities occurs.

Yes, both. We have tools and custom scripts in-house for vulnerability scanning, both externally (i.e. through network connections) and internally (i.e. scanning disk and database for known vectors and exploits).

We also contract with two separate, well-regarded security firms for auditing and remediation: SecTheory and Sucuri.

Reports are processed internally and remedied as fast as possible with the assistance of these firms. Any changes are reported on our public status blog, but only after we’ve made the changes to reduce the chance of exposure.

Does your computing environment undergo external penetration testing by an independent, qualified vendor at least once per year? Please describe how penetration testing reports are used by your company and how remediation of vulnerabilities occurs.

Yes, both SecTheory and Sucuri perform external penetration testing. See previous question for details.

Can we (your customer) perform penetration testing of our WordPress installations hosted in your environment?

Yes. We ask that you coordinate with us so we don’t incorrectly think it’s an attack.

Does your data center environment undergo a SAS 70 Type II examination at least annually?

Yes.

Is all computing equipment located in a physically secure facility, where electronic access controls are used to prevent unauthorized access to computing facilities?

Yes. Neither we nor our customers have physical access. This is controlled completely by our hosting providers.

Are firewalls configured based on the principle of least privilege, where firewalls only allow approved applications, protocols, and services required to meet business needs?

Yes.

Are intrusion detection or intrusion prevention systems used to monitor and/or protect your network?

Yes. They are updated monthly, or as-needed.

Do you encrypt backup media?

Yes. We use Amazon S3 for backups, therefore consult their information about encryption for details.

Do you conduct or require background screenings for all personnel (employees and contractors) that have access to critical infrastructure, servers, applications, or data?

Yes.

Do you use documented security baselines to harden and secure IT systems? Please describe how you ensure that security baselines are implemented and working effectively.

Yes. Our security consultants (SecTheory and Sucuri) establish baselines and ensure we’re adhering to them. These change over time as new information and processes are put into place.

Do you maintain reasonable security precautions consistent with industry best practices, as documented in standards such as ISO/IEC 27002?

Yes, but we do not specifically support ISO ISO/IEC 27002.

Do you maintain detailed audit logs that capture at a minimum a) host name, b) account identifier, c) date and time stamp, d) activity performed, and e) source network address? Are audit logs kept for at least 90 days?

Yes, but audit logs are kept for at most 7 days.

If an information protection incident was to occur, are you able to provide audit logs to the customer for our review?

Yes, for certain logs, especially access logs. There might be some logs which we cannot show you.

We will work with you to help determine the nature of the exposure and what you might want to do to remediate.

Like any web application, WordPress can be hard to scale. Get traffic spike from a successful social media campaign or getting on the Huffington Post and you’ll start to worry that your server might go down due to the load— at exactly the worst time to fail!

That’s why we built EverCache.

EverCache is one of the most scalable WordPress architectures on Earth. The technology behind EverCache is WP Engine’s proprietary system that moves hundreds of millions of hits per day through our system. Even with a significant traffic spike you can be sure that EverCache will handle it like a champ.

Our customers have been featured on 20/20, Dr. Phil, Huffington Post, TechCrunch, Mashable, HackerNews, and never skipped a beat. We’ve seen individual sites surge to 15,000 simultaneous visitors and EverCache served the traffic without any loss in page-load speed.

EverCache is WP Engine’s “secret sauce” that makes every WordPress site we host incredibly fast, and ridiculously scalable.

Part of the secret is our optional, integrated, full-managed CDN that serves your static content from data centers all around the world, each byte delivered by the server closest to the requesting browser.

Another part of the secret sauce is custom code we developed to connect WordPress events to our super-fast front-end Nginx-based systems. What this means is we can be aggressive about caching your site, while still having responsive updating when a new post goes up, or you deploy new code. Translation: WP Engine is faster and more scalable all the time.  We even added protection from bots that like to crawl your site and blast the backend with pointless requests.

What’s more, if you know your site is going to be especially slammed, we have temporary measures we can put in place to make your site even more scalable and distributed. We used these measures to serve more than 100,000,000 requests in less than 12 hours when the highly trafficked music festival Bonnaroo released their lineup this year. With EverCache, Bonaroo saw zero loss in page load times.