Security

Last updated: May 16, 2026

Security is foundational to MagicWP. This page summarizes how we protect the platform, your sites, and your data. It complements our Privacy Policy and is intended for customers, prospects, and security researchers.

Infrastructure

MagicWP runs on enterprise-grade cloud infrastructure operated by providers whose data centers maintain industry-recognized certifications such as SOC 2, ISO 27001, and PCI DSS. We design our platform to inherit those controls and to layer additional safeguards on top.

  • Network isolation — each customer site runs inside an isolated container with strict network and filesystem boundaries
  • DDoS protection — traffic enters through our edge layer, which absorbs and filters volumetric and application-layer attacks
  • Encrypted transport — all public traffic is served over TLS 1.2+ with modern cipher suites and HSTS
  • Encryption at rest — site data, backups, and database snapshots are encrypted on disk

Application security

  • Managed WordPress core, plugin, and theme updates with staged rollouts and rollback on failure
  • Web application firewall (WAF) with rules tuned for WordPress-specific attack patterns
  • Malware scanning on uploads and scheduled scans of the filesystem and database
  • Brute-force protection on wp-login.php and the REST API, including rate limiting and bot detection
  • PHP isolation — each site runs in its own PHP-FPM pool with strict resource and capability limits

Data protection

Backups

We take automated daily backups of files and databases, retained for the period defined in your plan. Backups are stored in a separate region and encrypted at rest. You can restore from any retained backup with one click from the dashboard.

Data residency

You can choose the region your site is hosted in at provisioning time. Backups are stored in a paired region within the same legal jurisdiction where possible.

Data deletion

When a subscription is cancelled, site data is retained for a short grace period (described in the dashboard) and then permanently deleted, including all backups. See the Privacy Policy for full details.

Access control

  • MFA for staff — all MagicWP employees access production systems through MFA-protected SSO
  • Least-privilege access — production access is scoped to job function and audited
  • Audit logging — administrative actions on customer accounts are logged for review
  • Customer MFA — we strongly recommend enabling MFA on your account; it is available in dashboard settings

Operational security

  • Code review and CI — production changes are reviewed and gated by automated tests and security checks
  • Dependency scanning — we monitor third-party packages for known vulnerabilities and patch on a defined SLA
  • Incident response — we maintain an internal incident response plan with defined severities, roles, and communication channels
  • Vendor review — we assess the security posture of subprocessors before granting them access to customer data

Compliance posture

We design our security program to align with industry frameworks including SOC 2 and ISO 27001. Where formal certification exists for MagicWP or our subprocessors, current attestations are available on request to enterprise customers under NDA. Contact security@magicwp.io.

Responsible disclosure

We welcome reports from the security community. If you believe you have found a security vulnerability in MagicWP, please report it to security@magicwp.io. Include a clear description, reproduction steps, and any proof-of-concept material.

Please give us a reasonable window to investigate and remediate before public disclosure. We commit to:

  • Acknowledge your report within 3 business days
  • Provide an initial triage assessment within 10 business days
  • Coordinate a disclosure timeline with you
  • Credit you publicly if you would like recognition

Good-faith research conducted under this policy will not result in legal action from MagicWP. Do not access data that is not yours, do not degrade service for other customers, and do not perform social engineering or physical attacks against MagicWP staff or facilities.

Contact

General security questions: security@magicwp.io. For account-specific support, use the dashboard or contact page.