Security That Never Sleeps.
WordPress is the most targeted CMS on the internet. WPCloud treats security as infrastructure, not an afterthought. Multiple layers of protection, a dedicated Security Operations Centre, and a commitment: if your site is compromised on our platform, we clean it up within 24 hours at no charge.
DDOS PROTECTION
DDoS Attacks Stopped at the Network Edge.
Every WPCloud server sits behind OVH’s anti-DDoS infrastructure, one of the largest and most proven systems in the hosting industry. This is not a bolt-on service or a third-party add-on. It is built into the network fabric at the data centre level and active on every IP address from the moment your site goes live.
How It Works
OVH’s system operates at three levels. At the network edge, hardware sensors at every point of presence continuously analyse traffic patterns in real time. When a volumetric attack is detected, traffic is automatically redirected through scrubbing centres for deeper analysis. Legitimate traffic passes through to your server. Malicious traffic is dropped.
The scrubbing centres use OVH’s VAC technology, a combination of high-performance hardware filtering and intelligent traffic analysis that can distinguish between a genuine spike in visitor traffic and a coordinated attack. Mitigation activates within seconds of detection, not minutes.
No Limits. No Extra Cost.
Unlike many hosting providers that cap DDoS protection by volume or charge for mitigation, OVH’s system has no duration limits and no volume caps. Whether an attack lasts ten minutes or ten hours, protection stays active for the entire duration. This is included with every WPCloud plan at no additional cost.
Two Layers of Defence
OVH’s network-level protection handles volumetric and protocol-based attacks: the floods, the amplification attacks, the SYN floods that try to overwhelm your server’s connection. WPCloud adds a second layer on top with application-level security through Imunify360 and the web application firewall. This catches the more targeted attacks: SQL injection attempts, brute-force login attacks, cross-site scripting, and exploit payloads that try to compromise WordPress itself.
The result is defence in depth. Network attacks are stopped before they reach the server. Application attacks are stopped before they reach WordPress. Your site stays online.
SECURITY OPERATIONS CENTRE
Around-the-Clock Monitoring by a Dedicated Team.
Automated security tools catch the obvious threats. The subtle ones require human judgment. WPCloud operates a dedicated Security Operations Centre based in North Bay, Ontario, with redundancy in an undisclosed location within Canada. The SOC team monitors the entire WPCloud infrastructure around the clock, investigating alerts, analysing patterns, and responding to incidents before they affect your site.
Isolated by Design and by Distance
The SOC team operates independently from the support and systems administration teams. This separation is deliberate, both organisationally and geographically. The SOC is physically located away from WPCloud’s other operations. This is not an accident. It is a security architecture decision.
The SOC team has its own access controls, its own monitoring infrastructure, and its own escalation procedures. A compromise in one area of the organisation, whether digital or physical, cannot cascade into security operations. This isolation also means the SOC team can make security decisions, such as blocking a suspicious IP range or quarantining an account, without waiting for approval from operations. Speed matters in incident response, and both organisational and geographic separation remove the friction.
What the SOC Team Does
The SOC is not a help desk relabelled. It is a team focused entirely on security operations: monitoring server-level alerts from Imunify360 and the web application firewall, investigating anomalous traffic patterns, coordinating incident response when a threat is confirmed, and maintaining the security rules and configurations that protect every site on the platform.
When an automated system flags something suspicious, the SOC team investigates. When a new WordPress vulnerability is disclosed, the SOC team verifies that firewall rules are in place before the patch is available. When a DDoS attack triggers network-level mitigation, the SOC team monitors the response and escalates if needed.
Why It Matters
Most managed WordPress hosts rely entirely on automated tools. Those tools are necessary, but they are not sufficient. Automated scanners miss context. They generate false positives that need human review. They cannot make judgment calls about whether an unusual traffic pattern is a legitimate marketing campaign or the early stage of an attack.
A dedicated security team that knows the infrastructure, knows the clients, and knows the threat landscape provides a level of protection that automation alone cannot match. The SOC team has been monitoring this infrastructure since it was built. That institutional knowledge is not something you can install from a plugin.
DEFENCE IN DEPTH
Five Layers Between Your Site and a Threat.
Layer 1: DDoS Protection
Every WPCloud server is protected by OVHcloud’s anti-DDoS infrastructure, which combines edge, backbone, and data centre filtering across a network with over 17 Tbps of global capacity. Their proprietary VAC scrubbing technology detects and mitigates volumetric attacks automatically, without requiring any action from you. DDoS protection is included at no extra cost with every WPCloud plan.
Layer 2: Web Application Firewall
Server-level firewall rules block common attack vectors before they reach your WordPress installation: SQL injection, cross-site scripting, brute-force login attempts, and known exploit patterns. Rules are updated continuously by our SOC team as new vulnerabilities emerge. The WAF also enables virtual plugin patching, allowing us to protect your site against disclosed vulnerabilities even before a plugin update is available.
Layer 3: Imunify360
Imunify360 provides real-time malware scanning, proactive defence, and automated threat response at the server level. It catches threats before they reach your WordPress installation, using a combination of local analysis and shared threat intelligence from across its global network. When Imunify360 flags something, our SOC team investigates and resolves it.
Layer 4: Brute Force Protection
All access points to your account are protected against brute-force attacks: WordPress login, sFTP, cPanel, and your support portal. Our multi-layered approach starts with progressive throttling, where each failed login attempt increases the delay before the next attempt is allowed. Persistent attackers are automatically banned. Our SOC team and Imunify360’s network intelligence proactively block known malicious IP addresses across the entire WPCloud infrastructure.
Layer 5: Account Isolation
Every hosting account runs in its own isolated CloudLinux environment with dedicated resource limits and a virtualised file system (CageFS). A compromise on one account cannot spread laterally to another. Your files, database, and processes are sandboxed from every other account on the server.
OUR COMMITMENT
Compromised on WPCloud? We Fix It. Free.
If your site is compromised while hosted on the WPCloud platform, our team will clean and restore it within 24 hours at no extra charge. We stand behind this commitment because we have invested in the infrastructure and the team to prevent it from happening in the first place.
This is not a warranty buried in fine print. It is a promise backed by a dedicated SOC team, multiple layers of automated protection, and over a decade of experience securing WordPress sites.
Every Feature. Every Plan. No Surprises.
Everything on this page is included in every WPCloud hosting plan. See the plans, or talk to our team.