
Privacy Policy

Effective Date: March 10, 2026

What information do we collect?

We collect information you provide directly when you create an account, including your email address, password (stored as a one-way cryptographic hash), and optionally your name and organization name. If you configure two-factor authentication, we store your authentication settings and recovery code hashes. When you contact us for support or use the chat interface in Expert Services or Managed Services engagements, we collect the content of those communications. Billing is handled by our payment processor; we do not store your credit card number or CVV on our servers, but we do receive and retain transaction records, subscription status, and billing history.

Information collected through the SecureWP plugin

The SecureWP plugin operates locally on your WordPress site and does not transmit data to our servers unless you have activated the Console connection. Once you connect your site to a SecureWP account, the plugin periodically sends site state information to our servers to power your Console dashboard. This includes your site URL, WordPress version, PHP version, plugin version, scan status, most recent scan summary, security configuration state (whether the firewall, hardening, and two-factor authentication are enabled), and your license status. This telemetry is used to keep your Console dashboard current and to deliver commands from the Console to your site. It does not include your site's content, posts, user accounts, or your visitors' personal information. If you have not connected your site to a Console account, no site data is transmitted to SecureWP's servers. If you use the remote website scanner, we collect the target URL, scan timestamp, and scan results. For public scans made without an account, we do not link results to a personal identity but do record the requesting IP address for abuse prevention.

Scan data and file analysis

During malware scanning, the plugin sends file hashes to SecureWP's cloud infrastructure to check against known-good and known-malicious signature databases. File hashes cannot be reversed to reconstruct your files' contents. Files that cannot be verified by hash alone are uploaded to our cloud storage for malware analysis. We analyze those files solely for malware detection and do not use them for any other purpose. Uploaded files are deleted from our storage after analysis is complete, typically within 24 hours. Scan results, including findings and affected file paths, are stored in your account to provide scan history and dashboard features. The central audit log, which records security-relevant events on your WordPress site such as logins, plugin changes, and user account modifications, is available on paid plans only. No audit log data is stored for free plan accounts.

Vulnerability checking

To check for known security vulnerabilities, the plugin sends the names and version numbers of your installed plugins and themes, your WordPress version, and your site's locale to SecureWP's cloud. This information is matched against our vulnerability database and the results are returned to your site and stored in your Console account. No file contents are involved in this process. This check runs automatically on a daily schedule and whenever a plugin or theme is updated on your site. The data sent is used solely to identify vulnerable software and is not used for any other purpose.

Expert Services and Managed Services

When you provide server credentials such as cPanel login details, SSH keys, or FTP access for an Expert Services or Managed Services engagement, those credentials are encrypted on your device before they are transmitted to us. We store only the encrypted form and it is accessible only to the assigned security expert during active work on your engagement. Credentials are deleted upon job completion or within 7 days of cancellation. Chat logs from Expert Services and Managed Services engagements are retained for 12 months after completion to support the post-engagement support period.

What do we use your information for?

We use the information we collect to operate and deliver the Service, including scanning, firewall protection, hardening, and monitoring features; to manage your account, licenses, and subscriptions; to send you security alerts, vulnerability warnings, and transactional notifications about your account and orders; to perform Expert Services and Managed Services engagements; to investigate security incidents or abuse of the Service; and to comply with legal obligations. We may also send you product-related information and offers by email if you have opted in to receive them, for example by selecting the relevant option on the license activation screen. You can unsubscribe from these communications at any time using the link in any such email. We may use aggregated and anonymized detection patterns across our customer base to improve the accuracy of our malware detection and vulnerability databases, but we never use the actual contents of your files for this purpose. We do not sell your personal data to third parties and we do not use your data for advertising.

Notifications and webhook integrations

If you configure Slack or Discord webhook integrations, the Service sends event notifications to the URLs you provide. These notifications include event metadata such as your site URL, event type, issue counts, and, for security events such as firewall blocks or new logins, the associated IP address, timestamp, and device information. You are responsible for securing the webhook endpoints you configure and for compliance with the privacy policies of any platforms you integrate.

Do we disclose any information to outside parties?

We do not sell, rent, or trade your personally identifiable information to outside parties for their own commercial purposes. We share information with trusted service providers who help us operate the Service, including our cloud infrastructure provider (Amazon Web Services), our payment processor (LemonSqueezy), and email delivery services for transactional notifications. These providers are contractually required to keep your information confidential and use it only as instructed. To check domain and IP reputation as part of the malware scanning process, we query third-party services including Spamhaus, SpamCop, Google Safe Browsing, McAfee WebAdvisor, Norton Safe Web, and SURBL, which receive the domain name or IP address being checked. If you connect the Service to Cloudflare, Slack, or Discord, relevant event data is shared with those platforms to deliver the integration. We may also disclose information when required by law, court order, or to protect the rights, property, or safety of SecureWP, our users, or the public.

How we protect your information

We implement appropriate technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. All communication between the plugin, the Console, and our cloud infrastructure is encrypted in transit using TLS. Sensitive data is encrypted at rest using industry-standard encryption. Credentials submitted for Expert Services and Managed Services engagements are encrypted on your device before transmission and are stored only in encrypted form. Plugin-to-cloud communication uses signed requests with nonce-based replay protection, and scan verdicts are cryptographically signed to prevent tampering. Access to customer data is restricted to authorized employees and contractors through role-based access controls, and our infrastructure is monitored for unauthorized access and anomalous activity. Despite these measures, no security system is perfect. If we become aware of a security breach affecting your personal data, we will notify you and the relevant supervisory authority within the timeframes required by applicable law.

Web browser cookies

The SecureWP Console uses cookies and local storage to maintain your authenticated session, remember your preferences, and protect against cross-site request forgery. We do not use third-party advertising cookies or behavioral tracking cookies. Some parts of the Console may not function correctly if cookies are disabled in your browser.

Your rights and choices

Depending on your location, you may have the right to access the personal data we hold about you, correct inaccurate information, request deletion of your data, and receive a portable copy of certain data. To delete your account, go to Account Settings in the Console or contact support@securewp.net. You can export your audit log at any time in CSV format from the Console (paid plans). For a copy of other personal data we hold about your account, contact privacy@securewp.net and we will provide it in a machine-readable format. If you are located in the European Economic Area or the United Kingdom, you may also have the right to object to or restrict certain processing, and you have the right to lodge a complaint with your local data protection authority if you believe we have not handled your data in accordance with applicable law. To exercise any of these rights, contact us at privacy@securewp.net. We will respond within 30 days and may need to verify your identity before fulfilling a request.

California privacy rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties we share it with. You may request deletion or correction of your personal information. You also have the right to opt out of the sale or sharing of your personal information for cross-context behavioral advertising. We do not sell or share personal information for advertising purposes, so no opt-out is required, but you may contact us at privacy@securewp.net to confirm this. We will not discriminate against you for exercising your rights. To submit a California privacy rights request, contact privacy@securewp.net. We will respond within 45 days.

International data transfers

SecureWP's infrastructure is hosted primarily in the United States. If you are located outside the United States, your data will be transferred to and processed in the United States. For transfers from the European Economic Area or the United Kingdom, we use Standard Contractual Clauses approved by the European Commission as the legal mechanism for transfer. To request a copy of applicable Standard Contractual Clauses, contact privacy@securewp.net.

Children's privacy

The Service is not directed at minors. In the European Economic Area and the United Kingdom, we do not knowingly collect personal information from individuals under 16. In other regions, we do not knowingly collect personal information from individuals under 13. If you believe a minor has provided us with personal information, contact privacy@securewp.net and we will delete it promptly.

Changes to our Privacy Policy

We may update this policy from time to time. For material changes, we will notify you via email or an in-Console notification at least 30 days before the changes take effect. The current version of this policy is always available at securewp.net/privacy. Your continued use of the Service after the effective date of an updated policy constitutes your acceptance of those changes.

Your acceptance of these terms

By using the Service, you signify your acceptance of this policy and our Terms of Service. If you do not agree to this policy, please do not use the Service. Your continued use of the Service following the posting of changes to this policy will be deemed your acceptance of those changes.

Contacting us

Any questions about this Privacy Policy or your personal data should be addressed to privacy@securewp.net. For general support inquiries, use our contact form or email support@securewp.net.