Security
Practical controls Updated January 2026

Security that feels boring—in the best way.

Parameter runs WordPress with a simple goal: no surprises in public. That means disciplined access, safe changes, real monitoring, and recovery you can trust. This page describes the security practices we apply across Pulse, Protect, and Propel—and what we expect from you.

Need a security questionnaire answered or special requirements (HIPAA/PCI/SOC reports)? Contact us and we’ll route it correctly.

Security, at a glance
Always-on Monitored
Real ops. Calm outcomes.
AccessLeast privilege, clean handoffs
ChangesStaged, tested, documented
MonitoringUptime, errors, regressions
RecoveryBackups + restore practice
One important thing: Security is a system, not a plugin. We reduce risk with layers: hosting, operations, and change control.

We limit access.

Most incidents start with access sprawl. We keep it tight, auditable, and reversible.

Least privilegeOnly the access required, only for the time required.
Stronger authEncourage 2FA and modern credential practices wherever possible.
Clean offboardingRemove stale users, keys, and integrations after handoffs.

We make changes safely.

Updates and improvements shouldn’t feel like gambling. We prefer staged, observable change.

Staging-firstTest updates where possible before they hit production.
Change notesWhat changed, why it changed, and what to watch next.
Rollback mindsetWhen something slips, we prioritize restoring service fast.

We watch reality.

Security isn’t “set and forget.” We monitor what matters and respond when it changes.

MonitoringUptime, performance regressions, and error signals.
HardeningReduce common attack surface and risky configurations.
Clear commsWhen something happens, you’ll understand what it is and what’s next.
Controls snapshot

What we do—at a practical level.

Exact details vary by plan + site Protect details Pulse details
AreaWhat Parameter handlesWhat we ask from you
Access & accounts
WordPress, hosting, vendors
We help establish least‑privilege access, remove stale accounts, and keep admin surfaces tight.Use strong unique credentials, approve access requests quickly, and keep your internal logins clean.
Updates
Core, plugins, themes
We plan, test where possible, execute updates, and resolve common compatibility issues.Tell us about business‑critical dates (launches, campaigns) and approve larger change windows if needed.
Backups & recovery
Restore confidence
We ensure backup coverage and a recovery path (scope depends on plan/host). We prioritize restoring service when incidents occur.Keep access to domain/DNS and business email available for urgent verification and changes.
Monitoring
Uptime, performance, errors
We monitor for regressions and issues that hurt users, revenue, or reputation.Let us know what “critical” means for you (checkout, lead forms, memberships, etc.).
Incident response
When something breaks
Triage → contain → restore → document. We focus on getting you back online fast, then preventing repeats.Keep one technical contact available for urgent approvals; share any relevant vendor alerts promptly.
Compliance support
Questionnaires, audits
We can help answer questionnaires and share operational details appropriate to the engagement.Tell us the requirement early so we can align scope, timelines, and documentation expectations.

This page is an overview of our practices. For exact SLAs, coverage, and commitments, see What we cover and your service agreement.

How it maps to modules

Security is layered.

Pulse™

Foundation

Managed hosting is where a lot of security gets won or lost. Pulse focuses on infrastructure, stability, and hygiene.

Transport securityHTTPS/SSL and secure connections (where supported).
Platform hardeningReduce common hosting-level risk and misconfigurations.
Managed upgradesHosting environment updates handled without drama.
Pulse details
Protect™

Always‑on operations

Protect is where security becomes a routine: updates, monitoring, backups, and response—done consistently.

Safe updatesCore/plugin/theme updates, compatibility resolution, and follow-up checks.
Monitoring signalsWatch what users experience (uptime/errors/performance).
ReportingClear notes, priorities, and recommendations.
Protect details
Propel™

Improvements & hardening

Propel is where we handle one-off projects: cleanup, modernization, and the security-related work that needs hands.

Safer customizationsBuild and refactor in ways that reduce fragility over time.
Audit & remediationFind issues, remove risky plugins, reduce surface area.
Change controlStaging/QA and post‑deploy verification on bigger changes.
Propel details
Incident response

When something happens, here’s the rhythm.

We’re optimized for one thing first: restore service. Then we take the time to prevent repeats.

1) TriageConfirm impact and scope. Identify what’s broken and what’s at risk.
2) ContainStop the bleeding (disable risky components, isolate access, block obvious abuse).
3) RestoreBring the site back online quickly—rollback, fix-forward, or recover.
4) DocumentWhat happened, what we changed, and what we recommend next.
Shared responsibility

Security works best as a partnership.

We handle the operational heavy lifting. You keep the business-side guardrails tight.

We ownOperational routines: monitoring, updates, backups/recovery paths, and change discipline.
You ownBusiness decisions: user approvals, vendor accounts, content, and compliance requirements.
TogetherPriorities, critical business flows, and what “urgent” means for your team.
About guarantees Security reduces risk—it can’t eliminate it. We’re transparent about tradeoffs and we improve continuously.
Responsible disclosure

Found a security issue?

If you believe you’ve found a vulnerability affecting a Parameter-managed property, please report it privately. We’ll respond and coordinate next steps.

Email security@parameterllc.com
Contact form

Please avoid public disclosure until we’ve had a chance to investigate.

Quick answers

Common security questions.

Do you support 2FA / MFA?

Yes—where the platform supports it, we encourage and help set up stronger authentication (2FA/MFA) for admin surfaces and critical vendors.

Can you fill out our security questionnaire?

Usually, yes. Send it through Contact or the Support portal and we’ll respond with the details appropriate to your plan and environment.

Do you offer formal compliance (SOC 2 / HIPAA / PCI)?

We’re happy to discuss compliance requirements and align scope. Formal attestations vary by environment and vendors; if you need specific documentation, tell us early so we can plan appropriately.

What should we do if our site is down?

If you’re a customer, use the Support portal for the fastest routing. If you can’t access the portal, email us and include your domain, what changed recently, and screenshots if available.