Security
Security that’s specific.
Most managed hosts just say “secure.” Here’s the concrete, named stack in front of every site: every layer, on every plan, no security add-on tier.
- Web application firewall
- Rate limiting
- Patchstack vulnerability protection
- ClamAV malware scanning
- Automatic TLS
- Managed security headers
- Password protection & allowlists
- Audit logs
The stack
Eight controls, each one named.
No “enterprise-grade security” hand-waving. Every layer below is a specific, configured component you can audit — included on every plan.
Web application firewall
Filters malicious requests before they reach WordPress.
Rate limiting
Token-bucket limits throttle brute-force and abusive traffic.
Patchstack vulnerability protection
Virtual patches for known plugin/theme CVEs, applied at the edge.
ClamAV malware scanning
Scheduled and on-demand scans with detection and quarantine.
Automatic TLS
Certificates issued and renewed automatically — no manual renewals.
Managed security headers
CSP, HSTS and friends configured to a hardened baseline.
Password protection & allowlists
Lock down environments and restrict access by IP.
Audit logs
A tamper-evident record of every administrative action.
Defense in depth
Follow a request through the pipeline.
One box you tick isn’t security. Real protection comes in layers a request has to pass through. Here’s the path every request takes before it touches your WordPress.
01
Edge firewall
A request hits the edge. The web application firewall inspects it and drops known-malicious patterns before WordPress ever runs a line of PHP.
02
Rate limiting
Token-bucket limits throttle brute-force logins, scrapers, and abusive bursts, so one bad actor can’t exhaust your site.
03
Virtual patching
Patchstack rules block exploits for known plugin and theme CVEs at the edge, even before you’ve had a chance to update.
04
TLS + hardened headers
Everything is served over auto-renewed TLS, with CSP, HSTS, and other hardened response headers (the browser-level rules that block injection and downgrade attacks) applied to every response.
05
Malware scanning
Files are scanned with ClamAV on a schedule and on demand. Detections are surfaced and quarantined, not silently ignored.
06
Audited access
Admin and environment access is gated by RBAC and recorded in a tamper-evident audit log: who did what, where, and when.
Governance
Control who can do what — and prove it.
Blocking attackers is half the job. The other half is knowing exactly who has access, what they changed, and being able to undo it.
- Audit logs — every meaningful action is recorded across the whole team: logins, deploys, plugin changes, member invites.
- Teams & RBAC — organize sites into projects and scope access with role-based permissions, so people see only what they should.
- Password protection — lock down branch and staging environments behind HTTP auth so unfinished work never gets indexed or shared by accident.
- Firewall allowlists — restrict admin and environment access by IP for clients who need it.
- Snapshots & rollback — point-in-time snapshots mean a compromised or broken state is one restore away, not a support ticket.
Compliance
Honest about certifications.
We’d rather show you the technical controls we actually ship than wave a logo around. Here’s where formal attestations stand today.
The security pipeline above is concrete and in production on every plan: a web application firewall, rate limiting, Patchstack virtual patching, ClamAV malware scanning, automatic TLS, hardened security headers, password protection with IP allowlists, and tamper-evident audit logs. Those are the controls that actually protect your site, and you can verify each one.
For formal compliance attestations, we publish status rather than imply more than we’ve earned. If your procurement process needs specifics or a DPA, talk to us directly.
- SOC 2 Type II — {{ status: pending — not yet verified }}
- ISO 27001 — {{ status: pending — not yet verified }}
- GDPR data processing — {{ DPA available on request — confirm }}
- PCI scope — {{ confirm before publishing }}
Specific security, on every plan.
No security add-on tier, no “enterprise” gate. Start a 14-day free trial and put the named pipeline in front of your site at app.managed.dev.