Security policy
How we secure code, infrastructure, and customer data.
Security is part of how we ship, not a separate department. The practices below apply to every engagement, from a one-week audit to a multi-year retainer.
NDA available before any technical conversation
Most security incidents in WordPress are not zero-day exploits. They are stale credentials, missed updates, plugin conflicts, and shared admin access. The practices below address the failure modes that actually account for the incidents we see in the wild.

We also operate WP Vanguard, a WordPress security scanner SaaS that we run against our own properties weekly. Customer engagements get the same scanner on request.
01 Code-level security
Every plugin and theme we publish runs through WPCS, PHPStan level 5, and a security-focused code review before release. Customer projects follow the same gate. We run the WP Vanguard scanner against our own properties weekly.
→ Security gates run on every commit, not just at release.
02 Credential isolation
Per-client password vaults, SSH keys rotated quarterly, no shared credentials between teams. Production access requires multi-factor authentication. WordPress admin access is audited and revoked as soon as the engagement ends.
→ Engineers never share credentials in chat or tickets.
03 Hosting partner standards
We work with Cloudways, WP Engine, Kinsta, Pressable, SiteGround, and bare-VPS deployments. Every recommended host meets a minimum bar of automated backups, server-level firewalls, daily malware scans, and TLS 1.3.
→ Hosting recommendations match the security profile of the project.
04 Data handling and encryption
Customer data is encrypted in transit with TLS 1.3 and at rest where we control storage. We do not retain customer data beyond the engagement. PII handling follows GDPR principles by default for every project.
→ Default-on encryption, default-off retention.
05 Access reviews
Quarterly review of who has access to what across every active engagement. Stale access is removed. Departing engineers are de-provisioned the same day. Production access is the smallest set of people who need it.
→ The access list never grows quietly.
06 Incident response
A documented incident response runbook covers compromised sites, leaked credentials, and ongoing attacks. WP Vanguard cleanup tooling runs the technical recovery. A communications template covers customer notification, the postmortem, and the remediation timeline.
→ Incidents have a playbook, not a panic.
Hosting and infrastructure partners
We do not run customer infrastructure. We work with hosting partners that meet a documented minimum standard. For most WordPress projects we recommend Cloudways, Kinsta, WP Engine, or Pressable. For Laravel and Astro projects we deploy on Cloudflare Workers, Render, or Fly.io depending on the workload.

Customer-owned infrastructure works too. We adapt to your hosting choice and document any security gaps before kickoff.
Vulnerability disclosure
Found a security issue in a Wbcom plugin or theme? Email security at wbcomdesigns dot com. We acknowledge within 24 hours and ship a fix within seven days for critical issues. The disclosure timeline is coordinated with the reporter.
Audit history
We have completed third-party security audits on three of our published plugins. Audit reports are available under NDA on request. Third-party penetration tests on customer projects are coordinated through your security team, and we provide remediation within the agreed window.
-
Do you sign DPAs for GDPR compliance?
Yes. Standard GDPR DPA available on request. We sign before any customer PII flows through our systems.
-
Do you carry professional liability insurance?
Yes. Coverage details available on request for enterprise engagements that require it.
-
Can you complete our security questionnaire?
Yes. We respond to vendor security questionnaires within four business days. Common questionnaires we have completed include SIG, CAIQ, and bespoke enterprise procurement forms.
-
What happens to our data when the engagement ends?
All copies of customer code and data are removed from our systems within 30 days of project close. Production access tokens are revoked the same day the engagement ends. This is documented in writing on request.
Need security documentation now?
Tell us what your team needs.
Security questionnaires, DPA, sample contracts, audit reports, references. We respond within four business hours.