Security & Roles
Whoopix gives you full infrastructure ownership with granular role-based access control. This guide covers user management, permissions, security best practices, and compliance considerations.
Infrastructure ownership
Unlike SaaS CMS platforms where your data lives on vendor servers, Whoopix runs on your infrastructure:
- Your database — full MySQL access, direct exports, no vendor lock-in
- Your files — templates, assets, and uploads on your server or storage
- Your SSL — certificates managed on your domain
- Your backups — backup strategy controlled by your team
This model is central to the Security feature page and Architecture positioning.
User roles & permissions
The Members module manages team access with role-based permissions:
Members module — invite users, assign roles, and manage access.
Super Admin
Full access to all modules, settings, integrations, and user management.
Editor
Create, edit, and publish content. No access to system settings or integrations.
SEO Manager
Full SEO module access — SERP, tasks, metadata. Content read access.
Additional roles can be configured with granular permissions:
- Per-module access (pages, articles, products, SEO, settings)
- Per-language access for multi-language teams
- Publish vs. draft-only permissions
- Read-only access for stakeholders and clients
Authentication
- HTTPS required — admin panel enforces SSL for all sessions
- Password policy — minimum complexity requirements configurable
- Session management — automatic timeout after inactivity period
- Login monitoring — failed attempt tracking and optional IP restrictions
- Two-factor authentication — available for admin accounts
Data security
Because you own the infrastructure, data security is a shared responsibility with strong defaults:
- SQL injection protection via parameterized queries throughout the core
- XSS prevention with output encoding in templates
- CSRF tokens on all admin form submissions
- File upload validation — type, size, and path restrictions
- API key authentication with rate limiting for external access
Whoopix prioritizes long-term infrastructure stability and ownership over convenience features that compromise security.
Backups & recovery
- Configure automated daily database backups (mysqldump or managed backup service)
- Include file uploads and template directories in backup scope
- Store backups off-site (S3, Google Cloud Storage, or separate server)
- Test restore procedure quarterly — a backup you cannot restore is not a backup
- Document recovery runbook for your team
Whoopix does not restrict backup access — your team controls the entire backup and recovery process.
Cloudflare & edge security
Cloudflare integration provides edge-level protection:
- DDoS mitigation at the CDN layer
- Web Application Firewall (WAF) rules
- Bot management and challenge pages
- SSL/TLS encryption from edge to origin
- Rate limiting on API endpoints
Configure Cloudflare in Settings > Integrations and reference the Performance guide for cache rules.
