Security overview

Security on managed.dev is a concrete pipeline, not a checkbox. Every request to every site — production, staging, and preview alike — passes through the same layered controls, and every site gets all of them on every plan. This page is the map: what each layer does and where to configure it.

The controls run in order, from the edge inward:

  1. WAF + rate limiting inspect and throttle traffic before it reaches PHP.
  2. Patchstack virtual patching blocks known plugin and theme exploits at the edge.
  3. ClamAV malware scanning finds and quarantines malicious files on disk.
  4. Automatic TLS terminates HTTPS with certificates issued and renewed for you.
  5. Managed security headers harden every response (CSP, HSTS, and friends).
  6. Password protection + IP allowlists gate who can reach an environment at all.
  7. Audit logs record every meaningful action your team takes.

A request to your site is filtered at the edge first, then again at the site runtime, before any of your code runs. Everything a control blocks is attributed and surfaced in Security → Blocks.

A left-to-right request-path diagram: client → edge load balancer (TLS termination, CrowdSec IP reputation, rate limiting) → site runtime (Coraza WAF, Patchstack virtual patching, security headers, password / IP gate) → FrankenPHP application. A side branch shows ClamAV scanning files on disk out of band, and every blocked request feeding the Blocks view.

WAF & rate limiting

A Coraza web application firewall plus token-bucket rate limiting in front of every site.

Patchstack protection

Known plugin and theme CVEs are virtually patched at the edge before they can be exploited.

Malware scanning

ClamAV scans on a schedule and on demand, with detect → quarantine → restore.

Headers & allowlists

Managed CSP/HSTS, password protection, firewall IP allowlists, and login lockout.

Every site and every environment gets HTTPS automatically. Certificates are issued and renewed for you — per-node wildcard certificates via DNS-01 — so preview URLs and custom domains are encrypted without a manual step. See TLS for how certificates are issued and the cert.renewed lifecycle.

Every meaningful action — a deploy, a role change, a key mint, a restore — is recorded in your team’s audit log. Combined with the Blocks view and observability, you can answer both “what did my team do?” and “what did the platform stop?”.