Security in web hosting gets described in a lot of different ways. Some providers lead with certifications. Some list firewall names. Some mention backup windows as selling points. We want to be direct about what we have actually built, how it works, and what it does not cover.

What every EasWrk account includes by default

Every hosting plan includes a web application firewall, DDoS protection, 30-day rolling backups, free SSL certificates via Let's Encrypt, and login rate limiting on WordPress endpoints. These are part of the base configuration. They are not add-ons or premium tiers.

The WAF is tuned to WordPress and WooCommerce attack patterns. It blocks requests matching known exploit signatures, rejects unauthorized file upload attempts to common WordPress paths, and applies rate limiting to wp-login.php and xmlrpc.php by default. It does not catch everything. A novel attack that does not match any existing signature will not be blocked at the WAF level. But it substantially reduces the automated attack traffic that reaches your application.

The 30-day backup window is intentional. The realistic window between when something gets compromised and when a store owner actually notices is often longer than a day. A piece of malware that sits dormant for a week before activating, or a database change from a plugin exploit that you only catch after a customer complaint, requires more than a 24-hour recovery window to address properly. Thirty days gives you room.

What WrkPilot adds to the security picture

WrkPilot, EasWrk's management assistant built into every account, adds a different kind of security capability: visibility and auditability.

Most store owners on shared or managed WordPress hosting have limited visibility into what is actually happening in their environment. Checking error logs means navigating a file manager and reading raw log output. Verifying what plugins are installed means logging into WordPress. Reviewing database contents means knowing SQL and finding phpMyAdmin.

WrkPilot makes these checks accessible in plain language. You can ask it what your error log shows, ask it to confirm what plugins are active, or ask it to pull specific data from your WooCommerce database. When you do those checks regularly, you catch problems earlier.

Every action WrkPilot takes on your account goes through a controlled system that validates the request before executing it. There is an audit trail of what was done. That structure is part of how we think about running management tooling on live hosting accounts.

Where the limits are

We are not going to claim that every account is impenetrable. WordPress is one of the most targeted platforms on the internet, plugin vulnerabilities emerge constantly, and sophisticated attackers with genuine zero-days operate in a space that no managed host can fully neutralize.

What we can say is that the layers we have built reduce your practical attack surface significantly compared to a stock WordPress install on a host without these configurations. The WAF handles the known attack patterns. Rate limiting discourages automated credential attacks. Backups limit the impact when something does succeed. WrkPilot makes ongoing monitoring accessible without requiring you to hire a developer every time you want to look at your environment.

What we are building toward

We are developing scheduled task support for WrkPilot. The goal is to let you define routine security and maintenance checks that run automatically: periodic error log reviews, plugin version audits, file directory checks. You set them up once, and they run on a schedule in the background.

That feature is not available yet. We are building the infrastructure for it now. When it ships, it will give small business owners the kind of proactive, ongoing security management that currently requires either a developer on retainer or a dedicated security monitoring service.

Security at this level is a continuing process, not a one-time configuration. We are committed to keeping the tooling up to date and extending what EasWrk can do for stores that cannot run a full-time IT function.