Site security on Flywheel

Updated on February 9th, 2024

Looking for the Site Health Checker? Check out this help doc. For best practices to improve your site’s security check out this help doc.


Secure Site - WordPress Core

WordPress core files are locked down

One of the great things about WordPress is that everything is built around the same core software.  This allows plugin and theme authors to create awesome tools and designs that can be used by anybody running WordPress.

One of the not-so-great things about WordPress is that the same core that makes plugin and theme development easy can also make spreading malware easy.  Hackers love code shared by a large number of people since it allows their malicious changes to one piece of software to then to achieve wide-spread damage. What better place to make these kinds of changes than in the set of files every WordPress site is guaranteed to have: the WordPress core?

On Flywheel, nobody can overwrite your WordPress core files.

Everything in your WordPress install is locked down tight, aside from your custom content. Does somebody want to edit your wp-config.php file in order to peddle creepy products on your site? Not on our watch!


It is worth noting that locking down core files means users also can’t edit these things. This is a good thing because it’s best practice to leave core files alone as they’ll get swapped out in WordPress updates. You don’t want your hard work getting wiped out every time WordPress is updated (quite often). If there are files like wp-config.php that you’d like to make changes to, just let our team know and we’ll make those for you! Unlike manual edits, these will carry over from update to update.

Shield - WordPress up to date

Automatic WordPress updates

In order to prevent outsiders meddling with your stuff, we make sure your site is running the latest and greatest version of WordPress. These updates often include security patches, which close any doors and windows that hackers may have found in previous versions.

On Flywheel, these updates are automatic and usually happen within a few days of their release.


While we strongly advise that our customers stay on the automatic update cycle, we will allow customers to stay on older major releases of WordPress. We will still provide periodic minor security updates to these older versions as they are released to keep your sites secure. That being said, it is very important to us that sites on Flywheel do not fall more than two major releases behind the update schedule. If they do, we may reach out to you work out a strategy for getting back on the update wagon.

Insecure passwords? Not on our watch.

Although it may not seem like a big deal, having hard-to-guess username and passwords really goes a long way on WordPress. Due to the uniform structure of WordPress, a lot of web bots will crawl across websites, simply appending a /wp-admin to the domain name. If the page loads, the bot will start trying username and password combos starting with some of the most common insecure passwords. So if you have a user named admin and a password of password1234, you’re at a pretty high risk of getting hacked.

That’s why Flywheel goes to great lengths to ensure that our customers use strong passwords. From our app to WordPress itself, if you try to create a new password that doesn’t make the cut, we’ll let you know.


A secure password doesn’t have to be impossible to remember. Randall over at xkcd has a comic to help you come up with a super-secure password that you won’t forget. If you’d like to learn about hiding your wp-login page or additional security steps, check out our article here.

Intelligent IP Ban

Intelligent IP blocking

Intelligent IP address blocking on Flywheel detects intruders and blocks them across all sites on our servers within seconds.
We monitor popular points of entry for hackers and immediately lock out any IP address trying to get through. These points include:

  • Failed SSH Access Attempts
  • Failed WordPress Login Attempts

Flywheel uses a variety of techniques to block traffic starting with preventing known malicious IP addresses from opening a session with the server, which is a very severe and immediate action.

Proactive Malware Scan

Malware prevention

We pride ourselves on keeping the bad guys out of your site’s files and database through the preventative security measures mentioned above. That being said, malware prevention is an ongoing cat and mouse game where systems have to react and adapt to the ever-changing security gaps introduced by third-party plugins, third-party themes, or weak passwords.

One way we combat this on Flywheel is by providing Plugin Security Alerts via email for each of your sites. That way, if a vulnerability is found, you can quickly update the plugin and secure your site.

In the event that you do find your site compromised by a plugin or theme vulnerability, Flywheel’s Happiness Engineers can jump in right away and get to work cleaning up the infection. We’ll also notify you of our progress along the way.

Free Malware Removal

If your site becomes infected with malware while on the Flywheel platform please reach out to our Happiness Engineers here. We will then follow our internal security procedures to scan the site, clean any malware found (if any), and report back to you with the results. Keep in mind that a security scan and cleaning can take up to 24 hours to complete and may require changes to your website. Our processes include creating a backup checkpoint prior to cleaning should anything break.


To avoid reinfection and to ensure your sites stay protected from malware, we require that all critical plugin and theme updates be remedied before we move forward with clean up.

When reaching out for assistance triaging a potential security issue please include any screenshots, logs or areas where the issue can be replicated. Replicating in these ways helps us resolve the issue far more quickly.

We understand there are many concerns that come up if one of your sites becomes infected by malware – however, if you have no specific indication that a site has been infected by malware, we will not be able to submit it for a deep level scan and cleaning.

Some examples of free security scan services:
Sucuri Site Check
WordPress Security Scan by HackerTarget

There are also a variety of security plugins that include malware scanning functionality:

Fastly WAF

The WAF detects malicious request traffic sent over HTTP and HTTPS using rules based on Fastly, Trustwave ModSecurity Rules, and the OWASP Top Ten. It helps protect against application-layer (layer 7) attacks such as SQL injection, cross-site scripting, and WordPress specific vulnerabilities.

Blocking is done at the edge, so malicious traffic is never sent down to the Flywheel Cloud Platform.

We have Flywheel branded 403 pages which will display request ID’s when a customer hits a blocked rule. This helps support narrow down the issue when troubleshooting.

Need help?

If you have any questions our Happiness Engineers are here to help!

Was this article helpful?

Getting Started

New to Flywheel? Start here, we've got all the information you'll need to get started and launch your first site!

View all

Account Management

Learn all about managing your Flywheel user account, Teams and integrations.

View all


Everything about billing, invoices and payments can be found here.

View all


Flywheel hosting plans include a ton of great features. Learn about how to get a free SSL certificate, set up a staging site, and more!

View all

Platform Info

All the server and setting info you'll need to help you get the most out of your Flywheel hosting plan!

View all

Site Management

Tips and tricks for managing your sites on Flywheel, including going live, troubleshooting issues and migrating or cloning sites.

View all

Developer Hub

Learn how to connect, deploy, and more with SSH on Flywheel's platform.

View all

Growth Suite

Learn more about Growth Suite, our all-in-one solution for freelancers and agencies to grow more quickly and predictably.

View all

Managed Plugin Updates

Learn more about Managed Plugin Updates, and how you can keep your sites up to date, and extra safe.

View all


Flywheel help

Help is just a click away! Log into Flywheel dashboard to instantly chat with an expert, respond to a ticket, or follow along with in-depth documentation. We happily offer support 24 hours a day, 7 days a week, 365 days a year!

Log in

Try Flywheel today

Launch your next WordPress site in minutes.

 Free migrations  24/7/365 support  14 day demo sites