We’ve built Altis Cloud from the ground up to provide the advanced security that enterprises need, taking WordPress security to the next level.
That’s why banks, news organizations, and Fortune 500 companies trust us to run secure WordPress in the cloud.
Read-only filesystem and segregated uploads
Every production server has a read-only filesystem, so only the files you deploy can be on the server. When you deploy your codebase, we build it into an unalterable container, and the only way to change your codebase is to create a new build; even we can’t edit it!
Uploaded assets (like images, videos, and documents) are stored on a completely separate filesystem, which can’t store or run executable PHP scripts.
This eliminates Unrestricted File Upload and Remote Code Execution security issues. While other WordPress hosts only implement scanning and firewall mitigations, Altis Cloud tackles these at the source.
With a web application firewall (WAF) integrated into our CDN as standard, you’re protected.
Our managed firewall rules protect against known attacks, as well as providing the first line of defence against Distributed Denial of Service (DDoS) attacks.
And trust us, we’ve tested it. Our firewall has stood up against DDoS attacks peaking at 1 million requests per second.
Encryption in transit and at rest
Your data is safe on Altis Cloud, with both encryption in transit and encryption at rest.
Data is encrypted with per-customer keys backed by hardware security modules (HSMs), the gold standard. We ensure data is encrypted in transit and at rest.
We encrypt connections between your users and your site with automatically issued SSL certificates and HTTP Strict Transport Security (HSTS) — plus, you can bring your own certificate to meet internal requirements.
Transit data between your application server and your database is unencrypted by default for performance reasons – this can be enabled upon request.
Integrated browser protection
We automatically send security headers to ensure browsers use the most secure connection possible. A modern SSL/TLS cypher suite combines with HTTP Strict Transport Security (HSTS) to ensure secure connections.
Altis deeply integrates into WordPress to automatically generate Content Security Policy (CSP) directives and subresource integrity (SRI) hashes, preventing cross-site scripting (XSS) and script injection attacks. Our developer APIs allow these to be tuned to reduce your attack surface even further.
We also include sensible defaults to disable content-type sniffing and prevent clickjacking attacks, and we’re always on the lookout for further protections.
Follow the trail
Our integrated audit log tracks every action inside WordPress, including user log-ins, editorial actions, and destructive changes. Developer actions are also logged for full traceability.
Plans including our Advanced Audit Log store records in a completely separate, append-only immutable database.
Because every Altis environment is tied to a GitHub repository, only code you control can be deployed.
Bring your own repository, and enforce your workflow rules like mandatory code review or required status checks to ensure codebase integrity.
We implement NIST 800-63 guidelines for authentication, including multi-factor authentication, and enforced minimum password strength.
Controls can be enforced across your project, or even specifically to certain roles, minimizing user disruption while maximizing safety.
Through our account suspension functionality users can be temporarily or permanently disabled without needing to fully delete them.
WordPress is designed to work on every hosting service, limiting the available security controls to the lowest common denominator.
Altis enhances and replaces parts of WordPress, as well as disabling infrequently-used features to minimize the attack surface.
This includes replacing the legacy password hashing system with a modern cryptographic replacement. That’s right: no more iterated MD5.
Recover from the worst
Integrated disaster recovery systems ensure that no data is ever lost, even if users are compromised.
We take continuous backups of your database, allowing point-in-time restores to the exact second before data loss, as well as redundant backups for 35 days (with custom retention available). Uploaded assets like images are stored on a versioned file system, allowing restoration or reversion of files.
All plans come with high availability as standard. Our autoscaling infrastructure allows automatic recovery from hardware failures, while our manual RTO and RPO provide peace-of-mind even if the worst happens.
Every Altis environment is isolated from the others, with fully dedicated infrastructure for each customer.
We implement AWS best practices for network controls, including the AWS Well-Architected Framework.
Our development workflow enforces security standards, including checks against the OWASP Top Ten.
Test, test, and test again
We perform yearly penetration tests across our infrastructure, management tools, and an out-of-the-box Altis installation (including WordPress).
Our business continuity plan and disaster recovery processes are tested on a quarterly basis.
Reports available upon customer request.
We are currently working with an independent third-party auditor on specific attestation for our banking customers. We aim to achieve ISO 27001 certification in the near future, and have developed compatible internal controls. Further details available upon request.
Ready to get started with Altis Cloud?
Check out our plans or get your own tailored recommendation with one of our experts.