PowerSEC is built for the unglamorous reality of running other people’s WordPress sites: signed actions, scoped keys, encrypted transport, and backups you can actually restore.
Every action PowerSEC sends to a connected site is HMAC-signed with a per-site key. Requests carry a timestamp and a one-time nonce, and are rejected outside a short validity window — so a captured request can’t be replayed. Each action is recorded in the site’s audit log.
Sites authenticate with their own keys, separated by scope: a telemetry key for read/report traffic and a remote key for privileged actions. Compromising one site’s key never grants access to another, and keys can be rotated or revoked from Central.
All traffic between your sites, the dashboard, and Central runs over TLS. Per-site keys are scoped, rotatable, and revocable from Central; billing and third-party integration tokens are encrypted at rest.
Backups travel over encrypted (TLS) connections and are kept in secure cloud storage, encrypted at rest by the provider. Each upload is SHA-256-verified and re-checked for integrity in storage — downloaded only through short-lived, signed URLs, never from a public, guessable location.
Dashboard access is JWT-based with role separation (owner, team, support, admin). Plan and feature gates are enforced on the server, not just hidden in the UI, so the API is the source of truth for who can do what.
Found a vulnerability? We want to hear about it. Email security@powersec.io and we’ll acknowledge and work with you on a fix. We don’t pursue good-faith researchers who follow responsible disclosure.
The PowerSEC dashboard and API run on managed cloud infrastructure with TLS everywhere — connections between your sites and Central are required to be encrypted (HTTPS). Backups and uploaded files are kept in secure cloud storage and accessed only through short-lived signed URLs. We store the minimum we need to monitor and protect your fleet — security findings, backup metadata, and the settings you configure.
We do not sell your data. See our Privacy Policy and Terms for how data is handled, retained, and deleted.
Responsible disclosure is welcome. Email security@powersec.io — we aim to acknowledge reports within 3 business days and will keep you updated on the fix. We won’t pursue good-faith researchers who follow responsible disclosure and avoid privacy violations, data destruction, or service disruption. See security.txt.