Security Policy
Responsible Disclosure
We build WPMgr to be secure by design: open source, minimal footprint, signed releases, and privacy-first defaults. If you find a vulnerability, we want to hear from you.
How to report a vulnerability
If you believe you have found a security vulnerability in WPMgr, please report it responsibly by emailing security@wpmgr.app. Do not open a public GitHub issue for security vulnerabilities.
Please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce, including any proof-of-concept code if applicable.
- The component affected (control plane, dashboard, agent, hosted service, or a specific API endpoint).
- Whether you have already disclosed this to any third party.
What to expect
We aim to acknowledge reports within two business days. For confirmed vulnerabilities:
- We will work with you to understand the scope and validate the issue.
- We will aim to release a fix within 30 days for critical or high-severity issues. Complex issues may take longer; we will communicate the expected timeline.
- We will credit you in the release notes and changelog if you would like public attribution.
- We ask that you do not publicly disclose the vulnerability until a fix has been released, or until we have agreed on a coordinated disclosure date.
Scope
In scope for this policy:
- The WPMgr control plane (Go backend, source at github.com/mosamlife/wpmgr)
- The WPMgr dashboard (TypeScript/React frontend)
- The WordPress agent (PHP, MIT-licensed)
- The hosted service at manage.wpmgr.app
- The API surface documented at manage.wpmgr.app/docs/
Out of scope: social engineering, physical attacks, denial-of-service attacks, vulnerabilities in third-party services integrated with WPMgr (report those to the relevant vendor), and issues in WordPress sites managed by WPMgr that are not caused by WPMgr itself.
Security posture
WPMgr is designed with security as a first-class concern. Key design decisions:
Ed25519-signed agent
Every WPMgr agent release is signed with an Ed25519 key. The control plane verifies the signature on every auto-update before applying it, so a compromised distribution channel cannot silently push malicious code to your sites.
Redacted diagnostics
Agent diagnostics (sent to the control plane on enrollment and on schedule) never include passwords, secret keys, or user data. The redaction logic is open-source and auditable.
Client-side-encrypted backups
Backup data is encrypted on the agent before it leaves the site. The encryption key is derived from a per-site secret managed by the control plane and never stored in plaintext on the backup destination.
Minimal footprint
The MIT-licensed agent has no persistent database connections, no always-on daemons, and scales to zero. It activates for a scheduled task or a signed control-plane command and then exits.
Open-source and auditable
Both the AGPL-3.0 control plane and the MIT agent are publicly available on GitHub. You can read, audit, fork, and run every line of code on your infrastructure.
Tenant isolation
Every tenant's data is isolated at the database level with row-level security policies. Queries are parameterized throughout. No cross-tenant data leakage by design.
Dashboard account security
The WPMgr dashboard is the single front door to every site you manage. Operator accounts are protected with:
- Two-factor authentication: TOTP (authenticator app) and WebAuthn/FIDO2 (passkeys and hardware security keys).
- Recovery codes: one-time codes generated at 2FA setup, stored hashed and single-use.
- Trusted devices: remember-this-device token, revocable per device, cleared on password change.
- Rate-limited login: failed attempts are counted and locked out per account and per IP.
- Tamper-evident audit log: every session, login, and security event is written to a hash-chained audit log that cannot be silently modified.
Agent security
The MIT-licensed WordPress agent that runs on each managed site is designed to be auditable, minimal, and safe to run on production servers:
- All agent-to-control-plane communication is over HTTPS with certificate pinning on the control-plane side.
- Control-plane commands to the agent are signed. The agent verifies the signature before executing any command.
- Autologin tokens are single-use and expire. They are signed by the control plane and verified by the agent without a round trip.
- The agent does not write mu-plugin helpers unless you explicitly enable a feature that requires them. A freshly activated agent writes nothing outside its own plugin folder.
- Auto-updates verify the Ed25519 signature of the update package before applying it.
Data privacy
WPMgr is privacy-first and off-by-default:
- Diagnostic data sent to the control plane never includes passwords, secret keys, customer email addresses, order data, or other personal information. The redaction logic is in the open-source agent.
- Real User Monitoring (Core Web Vitals) collects only performance metrics, no personally identifiable information. No session replay, no visitor fingerprinting.
- Backup data is encrypted on the agent before leaving the site. The control plane stores a per-site encryption key reference; the backup destination stores only ciphertext.
- Email logs record metadata (from, to domain, subject, status) but not message bodies. Body storage is configurable and off by default.
Found something?
Report it privately to security@wpmgr.app. We investigate all credible reports.