Skip to main content
OpenAIAnthropicGooglePerplexityMetaMicrosoftAmazonCohere
AI ready WordPress infrastructure
security

Security that doesn't depend on getting lucky.

Per-site container isolation, HMAC-signed control plane, encrypted backups, automatic SSL — every claim here maps to a real piece of running infrastructure, not a marketing checklist.

free trial · all security primitives included on every plan

liveYovale Security
yovale.com/en/security
live security signals

Posture you can verify, not infer.

Every site exposes its current security state in the dashboard — TLS state, last successful backup, last security patch, failed login rate, allow-listed AI bots. No mystery, no hidden cron jobs.

TLS expiry
85 days
Last backup
12 min ago
Failed logins / 24h
0
WP core patched
current
recent security events
live
  • 12:04:22TLS renewal/ acme order completedok
  • 12:03:51Backupr2://yovale-backups/site-87 okok
  • 12:03:18WP coreauto-patch 6.9.2 appliedok
  • 12:02:44Login protectionblocked 12 attempts on wp-loginok
  • 12:02:09WAFCloudflare rule wp-xmlrpc enabledok
1
Docker container per site, no shared PHP runtime
AES-256
at-rest encryption on backups (Cloudflare R2)
HMAC
signed control plane, per-server secrets
the gap

Shared hosting security is a wishlist.

×SiteGround$15/moshared PHP, plugin malware scanner extra
×Kinsta$30/moshared pool above tier limit, ddos add-on
×WP Engine$25/mooff-site backup is on a higher tier

On most shared WordPress hosts, security means a WAF setting page, an opt-in backup, and a malware-scan plugin you forgot to install. There is no actual isolation between sites — your neighbour's compromised plugin is your problem.

Managed hosts charge $25–$50/month to put a friendlier wrapper around the same architecture, then sell the actually-useful pieces (offsite backups, staging, login protection, malware scanning) as add-ons.

Yovale does not sell security as a feature tier. Container isolation, encrypted backups, login protection, HMAC-signed control plane and the disclosure program are part of every plan from $149/year. The posture below is the same one we ship to every customer.

the posture

Five primitives, all on by default.

Each card here is one piece of running infrastructure, not a roadmap commitment. Where a primitive is operated by a third party (Cloudflare, Let's Encrypt) it is named.

  • 01
    01
    isolation

    One Docker container per site

    Each WordPress site runs in its own Docker container with isolated filesystem, dedicated PHP-FPM workers, bound memory and CPU. A compromise in one site does not reach another.

    isolated runtime
  • 02
    02
    edge

    Automatic TLS through Traefik

    Let's Encrypt certificates issued and renewed automatically by Traefik on every domain you add. HTTP/2 and HTTP/3 on by default. No manual renewal, no expiry surprises.

    auto issuance + renewal
  • 03
    03
    control plane

    HMAC-signed control plane

    Every call between the dashboard and the per-VPS agent is signed with a per-server HMAC secret stored encrypted in the database. The agent rejects unsigned calls; the dashboard rejects unverified responses.

    per-server secrets
  • 04
    04
    backups

    Encrypted offsite backups

    Daily site and database backups to Cloudflare R2 with AES-256 at-rest encryption. 30-day retention on Starter, 90 days on Growth, 365 days on Business. One-click restore from any retained point.

    AES-256, R2
  • 05
    05
    wordpress

    Login protection and WAF

    Brute-force protection on wp-login, automatic blocking of known-bad bots, Cloudflare WAF rules tuned to WordPress threat patterns, and auto-patching of WordPress core security releases.

    WP-tuned WAF
side by side

What a secure WordPress host should already ship with.

Typical managed host

Site isolation model
shared PHP pool
TLS handling
ticket-based, 24h SLA
Offsite backups
add-on or higher tier
Control-plane signing
shared secrets at best
Login brute-force protection
plugin add-on
Disclosure program
rare
Resultsecurity as upsell

Yovale (default)

Site isolation model
1 Docker container per site
TLS handling
auto via Traefik + Let's Encrypt
Offsite backups
included, AES-256 on R2
Control-plane signing
HMAC per server
Login brute-force protection
built-in, Cloudflare-backed
Disclosure program
yes, see Section below
Resultsecurity as default

security stack · how it fits together

Three layers, every site, every plan.

The stack below is the same on Starter and Business. The only thing tier-gated is backup retention. Everything else — isolation, TLS, HMAC, login protection, WAF — is the same everywhere.

Edge
Runtime
Control
1
edge layer
Edge
Cloudflare + Traefik

Cloudflare handles DDoS, WAF and the AI-bot allow list at the global edge. Traefik on each VPS handles TLS termination, HTTP/3 and request routing into per-site containers.

1
container/site
Runtime
Docker per site

Each site lives in its own Docker container with bounded memory, dedicated PHP-FPM workers, isolated filesystem and its own MariaDB container. WP-CLI, autoupdate hooks and cron run inside this boundary.

HMAC
every call
Control
agent + dashboard

A FastAPI agent on every VPS executes provisioning, backups, SSL and PHP config changes. The dashboard issues HMAC-signed calls; the agent verifies before acting. Secrets are encrypted at rest in the dashboard database.

no shared bearer tokens
pricing

Security isn't a tier. It's the product.

Every plan gets the full posture above. The only thing pricing changes is backup retention length and the number of sites. Add-on security tiers are not how Yovale is sold.

$149
/year

Starter, 2 sites. Full security posture. Backups retained 30 days. Growth and Business extend retention to 90 and 365 days respectively.

Docker isolation per siteAuto TLS via Let's EncryptHMAC-signed control planeEncrypted R2 backupsLogin brute-force protectionWP core auto-patching
Start free trial
questions

Things security-conscious buyers ask first.

How is one site isolated from another on the same VPS?+

Every site has its own Docker container with its own filesystem, its own PHP-FPM pool, its own MariaDB container and its own bounded memory. The Linux kernel boundary is the isolation. There is no shared PHP runtime between sites.

Where are backups stored, and are they encrypted?+

Daily backups land in Cloudflare R2 with AES-256 at-rest encryption. Encryption keys are managed under R2's standard key-management contract. Backup retention is 30 days on Starter, 90 days on Growth, 365 days on Business.

Does Yovale have a vulnerability disclosure program?+

Yes. Send a report to security@yovale.com. We respond to disclosure reports within 5 business days and we do not pursue legal action against good-faith researchers who follow responsible-disclosure practice. Public disclosure timing is coordinated; we credit reporters in the changelog unless they prefer otherwise.

Is two-factor authentication available on the dashboard?+

TOTP-based 2FA is available on every dashboard account and is required for accounts with administrative scope. Add it under Account → Security.

How are control-plane calls authenticated?+

Each VPS has its own HMAC secret, encrypted at rest in the dashboard's Supabase instance. The dashboard signs every call to the agent with that secret; the agent rejects unsigned or unverified calls. There are no shared bearer tokens between servers.

What happens if a CVE is disclosed against WordPress core?+

Security releases of WordPress core are auto-applied across the fleet within hours of disclosure. We do not require customer action for core security patches. Theme and plugin updates remain customer-controlled because they can break sites; we surface available updates in the dashboard.

Where can I read more contractual detail?+

The Data Processing Agreement and the End User License Agreement linked in the footer. The DPA covers sub-processors, security measures, breach notification timing and international transfers.

closing

Move a site over and see the posture for yourself.

Seven minute migration, free trial. Every primitive on this page is active on the first site you provision — nothing to enable, nothing to upsell.

Start free trial
free trial · all security primitives included on every plan