Enterprise-Grade Website Security

Pantheon protects your Drupal and WordPress websites with secure infrastructure, carefully configured access to resources, and best practices around data safety and retention.



Website Security & Features

Pantheon's unique infrastructure and security capabilities give our customers the peace of mind they need to deliver awesome online experiences.

Integration cloud

Container-based infrastructure

Pantheon is built on a container-based cloud architecture
. Unlike deployment of clusters or virtual private servers, containers allow lightweight partitioning of an operating system into isolated spaces where applications can safely run.

See Container-Based Cloud Architecture

Automated, One-Click Core Updates

Update Drupal and WordPress core with a single click. Pantheon’s built-in dev, test, and live environments allow developers to push updates to production safely and quickly.

See Dev, Test, Live Workflows

Denial of Service Protection

Pantheon’s Global CDN provides industry-leading DDoS protections. By filtering ongoing attacks and isolating traffic streams for each site and environment, Pantheon provides dedicated resources in times of need and prevents impact between customer websites.

Open Source CMS as a Service

Immutable Code

Drupal and WordPress core—as well as module and plugin code—are write-protected in Test and Live environments. This feature guards against unauthorized updates that can result in compromise.


Automated Site Monitoring

Pantheon runs over a million checks a day to proactively monitor network, server, and application resources. Our status page shows a transparent, aggregated report of current and historical uptime across all Pantheon sites.

See Platform Status
Website Management

Managed HTTPS

Keep your site and your visitors secure with fully managed, and dedicated HTTPS certificates. We obtain and manage high-grade encryption with TLS 1.3 for all of your sites and deploy it worldwide with Pantheon's Global CDN.

See Global CDN Options


Pantheon supports SAML integration, enabling additional security features like multi-factor authentication and single sign-on. Customers who enforce SAML authentication can also enforce settings like minimum password strengths or authentication audit logs.

Role-Based Access Control

Role-Based Access

Pantheon’s change management feature allows site owners to manage organization-wide settings and selectively grant or deny developer access to deploy to production. Role-based access lets team members work on what they need to without introducing risk to other sites or infrastructure components.

Disaster Recovery

Automated Backup and Retention

Automated/manual backups store customer data, sent compressed to cloud storage. Data encrypted in transit/at-rest using 256-bit AES cipher modes. Private keys, backup data on separate servers. Users test restore via dashboard, to existing/new site on Pantheon or elsewhere.

Compliance & Information Security

Pantheon is regularly reviewed by third parties to verify platform security, privacy, and compliance—and we are constantly working to widen this coverage. Learn more about Pantheon’s conformity with the following information security policies and certifications:

SOC 2 Type 2

SOC 2 compliance provides third party assurance to our customers about the adequacy of Pantheon’s information security system. Our SOC 2 Type 2 compliance covers the Security and Availability Trust Services Criteria.




GDPR logo


The General Data Protection Regulation (GDPR) is a data privacy law that defines a framework for how companies use and protect personal information about European Union citizens. Pantheon complies with all applicable data privacy laws including GDPR.


The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. While customers are responsible for designing their application correctly to meet FERPA standards, Pantheon's security policies and infrastructure allow customers to be FERPA compliant.


FERPA logo

Platform Security

Our stack is secure by design—engineered and maintained using rigorous security best practices.


Resource Isolation

Pantheon ensures process and memory-level isolation using control groups for memory, disk, CPU. Valhalla's encrypted distributed file system employs client-server authentication. Customer files are secured by Linux permissions, while system and customer logs remain isolated.



Pantheon maintains full redundancy for core components: API, edge routing, DNS, and file storage. Automated tools aid recovery. Services tolerate process/server failure. Multi-datacenter presence facilitates restoration. Redundant upstream providers enhance reliability.



Pantheon relies on trusted repos, validates packages, and audits changes on Linux servers. User software runs in isolated containers, preventing direct execution of uploaded files. ClamAV antivirus with updated databases is provided for customer use.


Datacenter Security

Pantheon’s primary data centers are managed by Google and feature a layered security model. This includes safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors & biometrics, and laser beam intrusion detection.


Employee Administrative Access

Pantheon grants access according to least privilege. Employees can interact with servers via a secure API without actual server access—when they do need it, SSH-key based authentication is used and activity is recorded in a central log.

Automated Updates

Patches and Updates

Pantheon updates container hosts with latest kernel, OS, packages. Seamless migration to new instances, zero downtime. CMS updates and patches are internally tested and deployed via one-click workflow for customers.


Incident Response

Pantheon's agility swiftly addresses vulnerabilities (Heartbleed, Shellshock, Drupalgeddon, GHOST). Fresh layers prevent exposure. Post-incident reviews enhance future responses. Significant disruptions updates can be found at https://status.pantheon.io/ and @pantheonstatus

Publish Content

Customer Content Durability

Pantheon uses on-disk storage with hardware RAID, multiple disks. Automated backups offer further protection. Backups, over 99.99% durable, encrypted, stored in multiple datacenters, ensure availability.


Network Security / Intrusion Prevention

Pantheon uses x.509-based authentication, encryption for network security. Edge routers tunnel traffic, prevent bypass. Host intrusion prevention for user-pw services, server layer stops unauthorized access. Centralized security logs retained for a year.

Need additional security measures?

How Secure Is Your Data in Drupal? (And 5 Essential Security Tips)

Luke Probasco
Reading estimate: 4 minutes

Multizone Failover

Maintain 99.99% uptime and minimize loss in the event of a total data center failure.

Managed Updates for WordPress and Drupal

Seamlessly update your WordPress or Drupal website with features like regular detection, visual regression testing, and supervised deployment