Security & Governance Guide

Audience: Tenant admin and team members  |  Goal: Understand Guardian Hub's security features and best practices for keeping your WordPress sites safe.

1. Site Health Monitoring

Guardian Hub continuously monitors the health of your connected WordPress sites. The Sites page (/sites) and Site Score page (/score) give you an at-a-glance overview.

Health Status Indicators

Each site card displays a color-coded health dot:

Color  | Status   | Meaning
Green  | Healthy  | All checks passed. Site responding normally.
Yellow | Warning  | Minor issues detected: slow response, outdated plugins, non-critical vulnerabilities.
Red    | Critical | Serious problems: site down, security breach detected, critical vulnerabilities found.
Gray   | Unknown  | Health check has not yet run or the site is pending pairing.

What Gets Checked

Monitored Items
  • WordPress core version and available updates
  • PHP version and server environment
  • All installed plugins: version, active/inactive status, available updates
  • All installed themes: version and available updates
  • Server limits: memory, max execution time, upload size
  • Database status and table sizes

Check Frequency

Health checks run hourly via WordPress cron. A full inventory sync runs daily. Both require the site to be paired with the Hub or to have a valid license.

2. File Integrity Monitoring

File integrity monitoring detects changes to files on your WordPress installation and reports them to the Hub. This helps identify unauthorized modifications, malware injections, or unexpected changes.

Requirement

File monitoring requires a valid license and an active Hub connection. It is not available in standalone or free mode.

What Is Monitored

  • Plugin and theme installations, updates, activations, and deactivations
  • Theme switches
  • File uploads and attachment edits
  • File deletions
  • Post/page content saves (to detect injected malicious code)

How It Works

Detection Methods
  • Real-time hooks — Changes are captured immediately via WordPress actions (e.g. upgrader_process_complete, activated_plugin, switch_theme).
  • Batch notifications — Changes are queued and sent to the Hub every 60 seconds (max 50 per batch).
  • Full filesystem scan — A periodic scan runs at a configurable interval (default: every 15 minutes) to catch any changes missed by hooks.

Understanding File Change Alerts

When file changes are detected, they appear in your Alerts page. Each alert includes:

  • The type of change (created, modified, deleted)
  • The file path affected
  • A timestamp of when the change was detected
  • Whether the change was triggered by a known action (e.g. a plugin update) or is unexpected

Tip

Not all file changes are dangerous. Plugin updates, theme customizations, and media uploads are normal. Focus on unexpected changes to core files, unknown new files in sensitive directories, and modifications to wp-config.php or .htaccess.
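
The periodic scan and the triage advice above, sketched as an added example (this is not Guardian Hub's own code): a baseline of file hashes is compared with a later scan to produce created/modified/deleted changes, which are then ranked. The function names, the path rules (standard WordPress layout) and the choice to always flag wp-config.php and .htaccess are assumptions of this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Path rules are assumptions based on the standard WordPress layout.
SENSITIVE_FILES = {"wp-config.php", ".htaccess"}
CORE_PREFIXES = ("wp-admin/", "wp-includes/")
UPLOADS = "wp-content/uploads/"

def snapshot(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def diff(before, after):
    """Return sorted (change_type, path) pairs: created, modified or deleted."""
    changes = [("created", p) for p in after.keys() - before.keys()]
    changes += [("deleted", p) for p in before.keys() - after.keys()]
    changes += [("modified", p) for p in before.keys() & after.keys()
                if before[p] != after[p]]
    return sorted(changes, key=lambda c: c[1])

def triage(change_type, path, known_action=False):
    """Rank one change as 'expected', 'review' or 'investigate'."""
    if path.rsplit("/", 1)[-1] in SENSITIVE_FILES:
        return "investigate"  # this example never auto-clears these two files
    if known_action:
        return "expected"     # e.g. the change correlates with a plugin update
    new_php_upload = (change_type == "created" and path.startswith(UPLOADS)
                      and path.lower().endswith(".php"))
    if path.startswith(CORE_PREFIXES) or new_php_upload:
        return "investigate"
    return "review"

def demo():
    # Constructed WordPress-like tree: take a baseline, change it, rescan.
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(data)
        write("wp-config.php", "<?php // constructed baseline")
        write("wp-content/uploads/logo.png", "constructed image bytes")
        write("wp-content/plugins/demo/readme.txt", "v1")
        baseline = snapshot(root)
        write("wp-config.php", "<?php // constructed change")
        write("wp-content/uploads/cache.php", "<?php // constructed new file")
        Path(root, "wp-content/plugins/demo/readme.txt").unlink()
        return [(t, p, triage(t, p)) for t, p in diff(baseline, snapshot(root))]
```

The unchanged logo.png produces no entry, which is why a hash comparison is quieter than comparing modification times.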

3. Security Alerts and Notifications

Guardian Hub alerts you through multiple channels when security-relevant events occur.

Alert Sources

  • Health check failures — Site goes down or critical issues detected.
  • File integrity changes — Unexpected file modifications.
  • Vulnerability scans — Known CVEs found in installed plugins or themes.
  • Autopilot findings — Security spokes detect issues during their cycle.

Notification Channels

Channel  | How It Works
In-App   | Bell icon in the top-right corner. Unread count badge. Refreshes every 30 seconds.
Web Push | Browser push notifications, even when the Hub tab is in the background. Auto-registered on login.
Email    | Email notifications for critical alerts, ticket updates, and approval requests.

Important

Always allow browser notifications when prompted. Critical security alerts are time-sensitive, and push notifications ensure you are informed immediately even when you are not actively using the Hub.

4. Incident Response: What to Do When You Get an Alert

When a security alert fires, follow this structured response process.

Response Steps
  1. Assess the severity. Check the alert details in Alerts (/alerts). Is it a warning or a critical issue?
  2. Check the Timeline. Go to Timeline (/timeline) to see what happened before and after the alert. Look for related events.
  3. Review file changes. If the alert is file-related, check which files were modified and whether the change correlates with a known action (e.g. a recent plugin update).
  4. Take immediate action if critical. For suspected breaches:
    • Change all WordPress admin passwords immediately.
    • Use the Emergency Admin feature (if available on your plan) to create a temporary admin account for investigation.
    • Consider temporarily disabling the compromised site.
  5. Restore if needed. If files have been tampered with, use the Backups panel to restore from a known-good snapshot.
  6. Create a ticket. Document the incident by creating a support ticket with all relevant details.
  7. Review and harden. After resolving the issue, review your security settings and apply any recommended hardening measures.

Warning

Do not ignore critical alerts. A "Red" health status or unexpected file changes in core directories could indicate an active compromise. The faster you respond, the less damage can occur.

5. Backup and Restore Basics

Guardian Hub manages backups centrally through the Backups panel available on each site card.

Viewing Backups

Steps
  1. Go to Sites and select the site.
  2. Expand the Backups panel.
  3. View the backup history with timestamps and sizes.

Restoring from a Backup

Steps
  1. In the Backups panel, find the snapshot you want to restore from.
  2. Choose what to restore:
    • Full snapshot — Restores the entire site (files + database).
    • Individual file — Restore a specific file.
    • Directory — Restore an entire directory.
    • Database table — Restore a specific table.
  3. Confirm the restore action.
  4. Wait for the restore to complete and verify the site is functioning correctly.

Warning

A full restore will overwrite current data. Make sure you have a current backup before restoring an older snapshot. Consider restoring to a staging environment first if available.

Tip

You can trigger a manual backup at any time from the Backups panel. Do this before making significant changes to your site, such as major plugin updates or theme switches.

6. Access Control: Team Roles

Guardian Hub uses a role-based access control system for team members. The tenant admin assigns roles per site.

Available Roles

Role    | Permissions
Viewer  | Read-only access. Can view site data, health status, backups, alerts, and timeline. Cannot make changes.
Manager | Everything a Viewer can do, plus: trigger backups, approve or reject Autopilot actions, manage day-to-day operations.
Admin   | Everything a Manager can do, plus: manage site members, configure Emergency Admin, manage Git panel.

Managing Team Access
  1. Go to Sites and select the site.
  2. Expand the Members panel.
  3. To add a member: enter their email and select a role, then click Add.
  4. To remove a member: click the remove button next to their name and confirm.

Principle of Least Privilege

Assign the minimum role needed for each team member's responsibilities. Use Viewer for people who only need to monitor, Manager for those who handle day-to-day tasks, and Admin only for trusted individuals who need full control.

Note

Team members only see sites where they have been explicitly granted access. Billing, White Label, and overall tenant management are reserved for the tenant admin (owner) only.

7. Two-Factor Authentication Setup

Protect your Guardian Hub account with two-factor authentication (2FA).

Steps
  1. Go to Settings from the sidebar.
  2. Find the Authentication or Security section.
  3. Click Enable Two-Factor Authentication.
  4. Scan the QR code with your authenticator app (Google Authenticator, Authy, etc.).
  5. Enter the 6-digit verification code to confirm setup.
  6. Save your recovery codes in a secure location.

Strongly Recommended

Enable 2FA for all accounts, especially tenant admins. A compromised admin account could lead to unauthorized access to all your sites and data.

Social Login

You can also link your Guardian Hub account with Google or GitHub for social login. This leverages the identity provider's own security mechanisms (including their 2FA) for an additional layer of protection.

8. Creating Tickets for Security Issues

When you encounter a security issue that requires support assistance, create a dedicated ticket.

Steps
  1. Click New Ticket in the sidebar.
  2. Set the Subject to clearly describe the security issue.
  3. In the Description, include:
    • The site affected (name and URL)
    • What you observed (alerts, file changes, unexpected behavior)
    • When the issue was first detected
    • Any steps you have already taken
  4. Set Category to Technical or Support.
  5. Set Priority to High or Urgent for active security incidents.
  6. Attach any relevant screenshots or log excerpts (max 10 MB per file).
  7. Click Submit.

Tip

For active security incidents, set the priority to Urgent and mention it in the first line of the description. If your plan includes partner or priority support, the ticket will be routed accordingly for faster response.

9. Security Best Practices Checklist

Follow this checklist to keep your Guardian Hub environment and WordPress sites secure.

Account Security

  • Enable two-factor authentication on all Hub accounts.
  • Use strong, unique passwords for every account.
  • Review team member access regularly and remove inactive users.
  • Follow the principle of least privilege when assigning roles.

Site Security

  • Keep WordPress core, plugins, and themes up to date (let Autopilot handle this).
  • Enable file integrity monitoring on all production sites.
  • Remove unused plugins and themes from your WordPress installations.
  • Use HTTPS on all sites and ensure SSL certificates are valid.
  • Set Autopilot to at least Semi-Auto mode for security spokes.

Monitoring and Response

  • Enable all notification channels (in-app, push, email).
  • Check the Alerts page daily for new security findings.
  • Review the Site Score weekly for trends.
  • Act on approval queue items promptly before they expire.
  • Create backups before major changes.

Operational Hygiene

  • Verify site pairing is active and health checks are running.
  • Ensure server clocks are accurate (NTP synced) for API signature verification.
  • Review Autopilot exclusions periodically to ensure they are still relevant.
  • Document your incident response procedures for your team.
  • Test backup restores periodically to confirm they work.

Need Help?

If you need assistance with any security configuration or have questions about best practices, create a support ticket from New Ticket in the sidebar. Our team can help you build a security posture tailored to your needs.
