Security that doesn't depend on getting lucky.
Per-site container isolation, HMAC-signed control plane, encrypted backups, automatic SSL — every claim here maps to a real piece of running infrastructure, not a marketing checklist.
free trial · all security primitives included on every plan
Posture you can verify, not infer.
Every site exposes its current security state in the dashboard — TLS state, last successful backup, last security patch, failed login rate, allow-listed AI bots. No mystery, no hidden cron jobs.
- 12:04:22 · TLS renewal · / acme order completed · ok
- 12:03:51 · Backup · r2://yovale-backups/site-87 ok · ok
- 12:03:18 · WP core · auto-patch 6.9.2 applied · ok
- 12:02:44 · Login protection · blocked 12 attempts on wp-login · ok
- 12:02:09 · WAF · Cloudflare rule wp-xmlrpc enabled · ok
Shared hosting security is a wishlist.
On most shared WordPress hosts, security means a WAF setting page, an opt-in backup, and a malware-scan plugin you forgot to install. There is no actual isolation between sites — your neighbour's compromised plugin is your problem.
Managed hosts charge $25–$50/month to put a friendlier wrapper around the same architecture, then sell the actually-useful pieces (offsite backups, staging, login protection, malware scanning) as add-ons.
Yovale does not sell security as a feature tier. Container isolation, encrypted backups, login protection, HMAC-signed control plane and the disclosure program are part of every plan from $149/year. The posture below is the same one we ship to every customer.
Five primitives, all on by default.
Each card here is one piece of running infrastructure, not a roadmap commitment. Where a primitive is operated by a third party (Cloudflare, Let's Encrypt) it is named.
- 01 · isolation
  One Docker container per site
  Each WordPress site runs in its own Docker container with isolated filesystem, dedicated PHP-FPM workers, bounded memory and CPU. A compromise in one site does not reach another.
  isolated runtime
- 02 · edge
  Automatic TLS through Traefik
  Let's Encrypt certificates issued and renewed automatically by Traefik on every domain you add. HTTP/2 and HTTP/3 on by default. No manual renewal, no expiry surprises.
  auto issuance + renewal
- 03 · control plane
  HMAC-signed control plane
  Every call between the dashboard and the per-VPS agent is signed with a per-server HMAC secret stored encrypted in the database. The agent rejects unsigned calls; the dashboard rejects unverified responses.
  per-server secrets
- 04 · backups
  Encrypted offsite backups
  Daily site and database backups to Cloudflare R2 with AES-256 at-rest encryption. 30-day retention on Starter, 90 days on Growth, 365 days on Business. One-click restore from any retained point.
  AES-256, R2
- 05 · wordpress
  Login protection and WAF
  Brute-force protection on wp-login, automatic blocking of known-bad bots, Cloudflare WAF rules tuned to WordPress threat patterns, and auto-patching of WordPress core security releases.
  WP-tuned WAF
What a secure WordPress host should already ship with.
security stack · how it fits together
Three layers, every site, every plan.
The stack below is the same on Starter and Business. The only thing tier-gated is backup retention. Everything else — isolation, TLS, HMAC, login protection, WAF — is the same everywhere.
Cloudflare handles DDoS, WAF and the AI-bot allow list at the global edge. Traefik on each VPS handles TLS termination, HTTP/3 and request routing into per-site containers.
Each site lives in its own Docker container with bounded memory, dedicated PHP-FPM workers, isolated filesystem and its own MariaDB container. WP-CLI, autoupdate hooks and cron run inside this boundary.
A FastAPI agent on every VPS executes provisioning, backups, SSL and PHP config changes. The dashboard issues HMAC-signed calls; the agent verifies before acting. Secrets are encrypted at rest in the dashboard database.
Security isn't a tier. It's the product.
Every plan gets the full posture above. The only thing pricing changes is backup retention length and the number of sites. Add-on security tiers are not how Yovale is sold.
Starter, 2 sites. Full security posture. Backups retained 30 days. Growth and Business extend retention to 90 and 365 days respectively.
Read the contractual side too.
Security primitives, page by page.
Things security-conscious buyers ask first.
How is one site isolated from another on the same VPS?
Every site has its own Docker container with its own filesystem, its own PHP-FPM pool, its own MariaDB container and its own bounded memory. The Linux kernel boundary is the isolation. There is no shared PHP runtime between sites.
Where are backups stored, and are they encrypted?
Daily backups land in Cloudflare R2 with AES-256 at-rest encryption. Encryption keys are managed under R2's standard key-management contract. Backup retention is 30 days on Starter, 90 days on Growth, 365 days on Business.
Does Yovale have a vulnerability disclosure program?
Yes. Send a report to security@yovale.com. We respond to disclosure reports within 5 business days and we do not pursue legal action against good-faith researchers who follow responsible-disclosure practice. Public disclosure timing is coordinated; we credit reporters in the changelog unless they prefer otherwise.
Is two-factor authentication available on the dashboard?
TOTP-based 2FA is available on every dashboard account and is required for accounts with administrative scope. Add it under Account → Security.
How are control-plane calls authenticated?
Each VPS has its own HMAC secret, encrypted at rest in the dashboard's Supabase instance. The dashboard signs every call to the agent with that secret; the agent rejects unsigned or unverified calls. There are no shared bearer tokens between servers.
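The sign-and-verify exchange this answer describes, as an added example that is not Yovale's code. The canonical string, the field names, the 300-second timestamp window and the secrets are assumptions; the page states only that each call is signed with a per-server HMAC secret and that unsigned or unverified calls are rejected.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW = 300  # seconds; assumed replay window, not stated on the page
# Constructed per-server secrets (placeholders); the page keeps the real ones encrypted at rest.
SERVER_SECRETS = {"vps-01": b"constructed-secret-01", "vps-02": b"constructed-secret-02"}


def _mac(secret, server_id, ts, method, path, body):
    # Bind the MAC to server, time, verb, path and a body digest so none can be swapped.
    canonical = "\n".join([server_id, str(ts), method.upper(), path,
                           hashlib.sha256(body).hexdigest()])
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def sign_call(server_id, method, path, payload, now=None):
    """Dashboard side: build the signed envelope for one agent call."""
    ts = int(time.time() if now is None else now)
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = _mac(SERVER_SECRETS[server_id], server_id, ts, method, path, body)
    return {"server_id": server_id, "ts": ts, "method": method, "path": path,
            "body": body, "sig": sig}


def verify_call(agent_id, agent_secret, call, now=None):
    """Agent side: return (accepted, reason); fails closed on anything unexpected."""
    now = time.time() if now is None else now
    sig = call.get("sig")
    if not isinstance(sig, str) or not sig:
        return False, "unsigned"
    if not all(isinstance(call.get(k), t) for k, t in
               (("method", str), ("path", str), ("body", bytes))):
        return False, "malformed"
    if call.get("server_id") != agent_id:
        return False, "wrong server"
    ts = call.get("ts")
    if not isinstance(ts, int) or abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    expected = _mac(agent_secret, agent_id, ts, call["method"], call["path"], call["body"])
    # compare_digest avoids leaking the position of the first mismatch through timing.
    if not hmac.compare_digest(expected.encode(), sig.encode("utf-8", "replace")):
        return False, "bad signature"
    return True, "ok"
```

Because each agent holds only its own secret, a call signed for one server fails verification on every other server even if the `server_id` field is rewritten.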
What happens if a CVE is disclosed against WordPress core?
Security releases of WordPress core are auto-applied across the fleet within hours of disclosure. We do not require customer action for core security patches. Theme and plugin updates remain customer-controlled because they can break sites; we surface available updates in the dashboard.
Where can I read more contractual detail?
See the Data Processing Agreement and the End User License Agreement linked in the footer. The DPA covers sub-processors, security measures, breach notification timing and international transfers.
Move a site over and see the posture for yourself.
Seven-minute migration, free trial. Every primitive on this page is active on the first site you provision — nothing to enable, nothing to upsell.