Privacy Policy

How WP-Safety.org collects, uses, and protects your information.

Effective date: March 26, 2026

1. Overview

WP-Safety.org ("WP-Safety", "we", "us", or "our") operates the WP-Safety website at wp-safety.org and the WP-Safety WordPress plugin. This privacy policy explains what data we collect, why we collect it, and how we handle it.

2. Data we collect

2.1 Account information

When you register for an account, we collect your name, email address, and password. Your password is hashed using bcrypt before storage and is never stored in plain text.

2.2 WordPress plugin data

When you install and activate the WP-Safety plugin on your WordPress site, it transmits the following data to our servers:

  • Site administrator email address (used to provision your account)
  • Site domain / URL
  • Site name
  • Installed plugin slugs and their versions

The plugin does not transmit page content, user data, database information, credentials, or any other data from your WordPress installation.

2.3 Site audit data

When you use the site audit feature, we fetch publicly accessible information from the domain you provide, including the WordPress version, active theme, detected plugins, and hosting provider. This data is stored in your account to display audit results and security scores.

2.4 Monitored sites

If you add sites to your dashboard for monitoring, we store the domain, your label for the site, detected plugins, theme information, security score, vulnerability count, and audit results. This data is associated with your account and used to provide ongoing security monitoring.

2.5 Payment information

Payments for security reports are processed entirely by Stripe. We do not store your credit card number or full payment details. We retain only the Stripe session identifiers, payment amount, currency, and payment status necessary to fulfill and record your purchase.

2.6 Analytics

We use Google Analytics 4 to understand how visitors use our website. Google Analytics collects information such as pages visited, time on page, browser type, and referring URLs. This data is aggregated and does not personally identify you. For more information, see Google's Privacy Policy.

2.7 Cookies

We use a session cookie (wps_session) to keep you logged in. This cookie is HTTP-only, has a 30-day expiry, and is set to Secure in production. Google Analytics may also set its own cookies. We do not use cookies for advertising or tracking beyond basic analytics.

3. How we use your data

We use the data we collect to:

  • Provide and maintain the WP-Safety service, including security scores and vulnerability reports
  • Authenticate your account and manage sessions
  • Process payments for purchased reports
  • Display audit results and monitored site status on your dashboard
  • Provision accounts automatically when the WP-Safety plugin is activated
  • Improve our service through aggregated, non-identifying analytics

We do not sell your personal data to third parties. We do not use your data for advertising.

4. Data sharing and third-party services

We share data with the following third-party services only as necessary to operate WP-Safety:

Stripe — processes payments. Receives your email address and payment details during checkout.

Google Analytics — receives anonymized usage data (page views, browser info, referrer) for website analytics.

Oxylabs — used as a web proxy to fetch publicly accessible pages during site audits. Receives the target URL only.

We do not share your personal information with any other third parties except when required by law.

5. Data storage and security

Your data is stored in server-side databases. We implement the following security measures:

  • Passwords are hashed with bcrypt (cost factor 12)
  • API tokens use cryptographically strong random generation (24-byte hex)
  • Session tokens use 32-byte random hex values
  • Session cookies are HTTP-only with Secure and SameSite attributes
  • Stripe webhook signatures are validated on all payment events
  • API endpoints are rate-limited to prevent abuse

6. Data retention

We retain your account data for as long as your account is active. Session data expires automatically after 30 days. Audit results and monitored site data are retained as long as the site remains in your dashboard. Purchased report data is retained indefinitely so you can access your reports at any time.

7. API tokens and plugin connections

When the WP-Safety plugin connects to our service, an API token is generated and stored on your WordPress site. This token authenticates requests from your site to our API. API tokens can be revoked at any time, which will disconnect your site from the WP-Safety service. Free-tier accounts are rate-limited to 60 API requests per minute.

8. Publicly available data

WP-Safety aggregates publicly available data from sources including the WordPress.org plugin and theme directories, the National Vulnerability Database (NVD), Wordfence Intelligence, and Common Crawl. This data relates to WordPress plugins, themes, and vulnerabilities — not to individual users. Security scores and vulnerability information displayed on our site are derived from these public sources.

9. Your rights

You have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Delete your account and associated data
  • Revoke API tokens to disconnect WordPress sites from the service
  • Object to data processing where we rely on legitimate interests

To exercise any of these rights, contact us at the email address listed below.

10. Children's privacy

WP-Safety is not directed at children under 16. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will take steps to delete it.

11. Changes to this policy

We may update this privacy policy from time to time. Changes will be posted on this page with an updated effective date. We encourage you to review this page periodically.

12. Contact

If you have questions about this privacy policy or your personal data, please contact us at privacy@wp-safety.org.