Altis v23: SOC2, Vulnerability Scanning, and Advanced Security

Posted by Ryan McCue

Product Director

Published in Releases

In 2025, cyber security and resilience are on everybody’s minds, from the heightened threat environment driven by global conflicts to incoming legislation such as the Cyber Resilience Act. With WordPress powering over 40% of the web, it remains a common target on the public web.

At Altis, we’re committed to advancing WordPress security to meet the exacting standards of the enterprise. We already have the most secure WordPress platform for enterprise, with an immutable W^X filesystem, a battle-tested web application firewall (WAF) as standard, and hardware-backed encryption for your most sensitive data like secrets.

But we’re never comfortable standing still.

That’s why for Altis v23, we’re making four big security announcements.

Altis is now SOC2 Type II certified

We’re elated to announce that we now have full SOC2 Type II certification for Altis.

As an AWS Partner, we already build on top of one of the most secure cloud providers, and our underlying cloud environment has long been SOC2, ISO27001, and ISO27017 certified. AWS operates one of the most vigilant logical and physical security environments, far exceeding the security offered by competitors with their own self-managed data centers.

Altis has already met and exceeded the requirements of the Association of Banks of Singapore OSPAR standard, the AWS Well-Architected Framework, and the CIS Security Benchmarks, so we figured it was time that we back it up with a third-party certification.

Plus, we recently completed our annual penetration testing with flying colors – a testament to our secure engineering approach.

Everyone gets Vulnerability Scanning, powered by Patchstack

Enterprise sites on the web can be a big target for potential hackers, so ensuring a high level of security is critical. Altis is built from the ground up for security-by-design of the platform, but we’re always working hard to help improve customer security on the platform too.

We’re excited to announce we’ve partnered with Patchstack to bring the power of the largest WordPress vulnerability database to all of our customers. Patchstack are the gold standard in security intelligence and vulnerability mitigation, as the world’s largest CVE Numbering Authority (CNA).

We’re bringing vulnerability scanning directly into the Dashboard, allowing customers to see at a glance whether there are any known vulnerabilities in any third-party plugins they’re using.

Vulnerability scanning is now available for every customer, today, at no extra charge. Scanning will be active after your next maintenance update. Simply open the Dashboard, browse to your environment, and check the new Packages page.

Altis Advanced Security, powered by Patchstack

Knowing you have vulnerabilities is an important step, but mitigating those vulnerabilities can be difficult in a large organization. Updating the codebase often requires using the full Software Development Lifecycle (SDLC) process, including change requests and full testing on lower environments, such as User Acceptance Testing (UAT) and other Quality Assurance (QA) processes. These processes provide useful structure for functional improvements, but with security mitigation, time is often of the essence.

Our new Altis Advanced Security add-on provides real-time mitigation for detected threats, through Patchstack’s industry-leading vPatch web application firewall (WAF) system. vPatching works just like endpoint security tools, with dynamically-deployed rulesets, based on the installed packages. Unlike similar security tools, vPatches target only the vulnerable packages you actually have installed, minimising performance impact.

Altis Advanced Security seamlessly combines Patchstack vPatching with our included CDN-level WAF to tackle attacks at Layers 3, 4, and 7 with precise strikes.

We’re working to bring even more functionality to Altis Advanced Security as well, including automatic anti-virus scanning for all uploaded assets.

Altis Advanced Security is a paid add-on for Altis. For more information, contact your Account Manager.

Driving forward the industry, by leading WordPress security

At the heart of every Altis site is WordPress, the world’s leading CMS. WordPress has long been a leading target for hackers, owing to its wide deployment on 43% of the web and its powerful extensibility framework.

We designed Altis from the ground up for security, incorporating WordPress best practices and inventing new ones to deliver the most secure WordPress platform in existence.

Since September, we’ve been directly leading the WordPress security team, by sponsoring John Blackbourn as our Director of WordPress Security to work directly on driving security forward.

WordPress 6.8 (included in Altis 23) incorporates one of the first major efforts in this regard, bringing bcrypt hashing to everyone. Altis has included bcrypt hashing since Altis v3, building on the excellent work by the Roots team, and we’re excited to have brought this to everyone in WordPress core.

We’re also working with our partners and friends across the WordPress world to drive more investment into core and ecosystem security – watch this space!

Altis Developer Experience Enhancements

Altis v23 introduces new tools and enhancements to boost flexibility and extensibility in local development environments:

Reporting improvements

We’ve heard from customers that they want deeper insights into their monthly usage. The monthly Altis reports now feature a breakdown of daily traffic by client type, response code, and top URLs.

This is super handy for determining where traffic is coming from, particularly with the rise in traffic from AI user agents.

Self-Service PHP Upgrades

Gone are the days of waiting for support tickets just to update PHP. With Altis v23, you can now:

  • Upgrade PHP versions on your environments directly from the Dashboard
  • Deploy with confidence and less delay
  • Coordinate your PHP version updates alongside Composer-managed WP versions

This feature gives you control, speed, and predictability — ideal for fast-moving teams and CI/CD workflows. Self-service PHP upgrades will be available after your next maintenance update. Simply head to the Settings page for your environment.

Extensible Docker Compose Support

Developers can now define additional Docker Compose configurations through Composer packages. These configurations will be automatically merged into the final Docker setup, enabling:

  • Cleaner environment-specific customizations
  • Custom services or overrides per package
  • More granular and reusable environment setups

With Altis v23, we’re pushing the forefront of WordPress security further forward, both for our customers and for the industry as a whole.

Our commitment to security never rests – that’s why banks and financial institutions, news organizations under threat, and Fortune 500 companies choose Altis to power their enterprise WordPress platforms.