Security

We understand that security is just as important as performance and usability. That’s why we’ve built the plugin to follow WordPress best practices at every level – from how user data is handled to how cookies and AJAX requests are managed.

Below is an overview of the measures we’ve implemented to keep your site and your data safe.

Input Sanitization

Every piece of input that enters the plugin is cleaned before it’s processed:

  • WordPress-native sanitization functions are used (sanitize_text_field(), sanitize_email(), esc_url_raw()).
  • All POST and GET data is sanitized before saving.
  • wp_unslash() is applied to account for WordPress’s automatic slashing.

This ensures that malicious input never makes it into your database or output.

Capability Checks

Only the right users can perform the right actions. AB Split Test respects WordPress’s role-based permissions:

  • manage_options for admin settings.
  • edit_posts for experiment creation.
  • delete_posts for variation deletion.
  • update_core for managing admin notices.

This keeps sensitive actions in the hands of the appropriate users.

Nonce Verification

To prevent cross-site request forgery (CSRF), the plugin uses nonce verification across all key operations:

  • wp_verify_nonce() checks on form submissions.
  • Nonces for license activation and AJAX requests.
  • Proper nonce generation and validation across the board.
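The three sections above (input sanitization, capability checks, nonce verification) are usually applied together in one request handler. The following is an added example, not code from the AB Split Test plugin, showing an admin form and its admin-post handler; the function names, the `absplit_example_*` action and option names, and the field names are all assumptions made for the example.

```php
<?php
// Added example (not the plugin's own code). Hypothetical names throughout.
// Order in the handler matters: nonce (CSRF) -> capability (authz) -> unslash + sanitize.

// Render the form on an admin page.
function absplit_example_render_form() {
    $saved = get_option( 'absplit_example_settings', array() );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'absplit_example_save', 'absplit_example_nonce' ); ?>
        <input type="hidden" name="action" value="absplit_example_save">
        <p><label>Experiment name
            <input type="text" name="experiment_name"
                   value="<?php echo esc_attr( $saved['name'] ?? '' ); ?>"></label></p>
        <p><label>Notification email
            <input type="email" name="notify_email"
                   value="<?php echo esc_attr( $saved['email'] ?? '' ); ?>"></label></p>
        <p><label>Target URL
            <input type="url" name="target_url"
                   value="<?php echo esc_attr( $saved['url'] ?? '' ); ?>"></label></p>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// admin_post_{action} only fires for logged-in users; that is not enough on its own.
function absplit_example_handle_save() {
    // 1. CSRF: the nonce must be present and valid for this exact action.
    //    check_admin_referer() stops the request with a 403 page on failure.
    check_admin_referer( 'absplit_example_save', 'absplit_example_nonce' );

    // 2. Authorization: the user must hold the capability the action needs
    //    (edit_posts for experiment creation, as listed in the section above).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to create experiments.', 'absplit-example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 3. Input: remove WordPress's automatic slashes first, then sanitize each
    //    field with the function that matches the type of value expected.
    $name  = sanitize_text_field( wp_unslash( $_POST['experiment_name'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['notify_email'] ?? '' ) );
    $url   = esc_url_raw( wp_unslash( $_POST['target_url'] ?? '' ), array( 'http', 'https' ) );

    // A value that sanitization emptied out is rejected, not silently stored.
    if ( '' === $name ) {
        wp_safe_redirect( add_query_arg( 'absplit_error', 'invalid', wp_get_referer() ) );
        exit;
    }

    update_option( 'absplit_example_settings', array(
        'name'  => $name,
        'email' => $email,
        'url'   => $url,
    ) );

    wp_safe_redirect( add_query_arg( 'absplit_saved', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_absplit_example_save', 'absplit_example_handle_save' );
```

For an AJAX endpoint the same shape applies with check_ajax_referer( 'absplit_example_save', 'nonce' ) in place of check_admin_referer() and wp_send_json_error() in place of wp_die(). Note that esc_url_raw() is the storage-side counterpart of esc_url(): it keeps the URL intact for the database and is not an output escape.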

Cookie Security

Cookies are handled carefully with fallbacks for reliability:

  • Supports multi-part TLDs (like .co.uk, .com.au).
  • Protocol-aware SameSite attributes (None for HTTPS, Lax for HTTP).
  • LocalStorage backup when cookies fail.
  • Fallback strategies ensure functionality across browsers.
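As an added example (not the plugin's code) of the cookie rules listed above: a helper that derives a cookie domain that works for multi-part suffixes such as .co.uk, picks SameSite from the protocol, and sets the Secure flag accordingly. The function names, the cookie name prefix and the short suffix list are assumptions; the suffix list is deliberately partial and a real deployment should use the Public Suffix List.

```php
<?php
// Added example (not the plugin's code). Hypothetical names throughout.

// Constructed, intentionally incomplete set of multi-part public suffixes.
// The authoritative source is the Public Suffix List (publicsuffix.org).
function absplit_example_multipart_suffixes() {
    return array( 'co.uk', 'org.uk', 'ac.uk', 'com.au', 'net.au', 'co.nz', 'co.jp', 'com.br' );
}

// Registrable domain for the cookie: "shop.example.co.uk" -> "example.co.uk".
// Returns '' (host-only cookie) for IP addresses, localhost and bare suffixes.
function absplit_example_cookie_domain( $host ) {
    $host = strtolower( trim( (string) $host ) );
    if ( '' === $host || 'localhost' === $host || filter_var( $host, FILTER_VALIDATE_IP ) ) {
        return '';
    }
    $labels = explode( '.', $host );
    $count  = count( $labels );
    if ( $count < 2 ) {
        return '';
    }
    $last_two = implode( '.', array_slice( $labels, -2 ) );
    if ( in_array( $last_two, absplit_example_multipart_suffixes(), true ) ) {
        // Under a multi-part suffix the registrable domain needs three labels.
        return $count >= 3 ? implode( '.', array_slice( $labels, -3 ) ) : '';
    }
    return $last_two;
}

// Cookie options. Browsers only accept SameSite=None together with Secure,
// which is why None is tied to HTTPS and plain HTTP falls back to Lax.
function absplit_example_cookie_options( $is_https, $host, $ttl = 30 * DAY_IN_SECONDS ) {
    return array(
        'expires'  => time() + $ttl,
        'path'     => '/',
        'domain'   => absplit_example_cookie_domain( $host ),
        'secure'   => (bool) $is_https,
        'httponly' => false,  // assumption: the front-end script reads the variant id
        'samesite' => $is_https ? 'None' : 'Lax',
    );
}

// Set the variant cookie for an experiment. The host comes from the configured
// home URL rather than the Host header, which a client can influence.
function absplit_example_set_variant_cookie( $experiment_id, $variant ) {
    if ( headers_sent() ) {
        return false;  // too late for a header; the client-side code falls back to localStorage
    }
    $host  = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    $name  = 'absplit_exp_' . absint( $experiment_id );
    $value = sanitize_key( $variant );
    return setcookie( $name, $value, absplit_example_cookie_options( is_ssl(), $host ) );
}
```

The options-array form of setcookie() requires PHP 7.3 or later; older versions have no samesite option and need the attribute appended to a raw Set-Cookie header instead. If the variant id is only ever read server-side, set httponly to true.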

CORS Handling

CORS headers are scoped to the AJAX requests that need them:

  • CORS headers are only sent when experiment data is present.
  • Other AJAX calls remain unaffected.
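An added example (not the plugin's code) of an AJAX endpoint that emits CORS headers only when it is returning experiment data, and then only for an origin on an explicit allow-list. The function names, the option holding extra origins, and the lookup helper with its sample data are assumptions.

```php
<?php
// Added example (not the plugin's code). Hypothetical names throughout.

// Origins allowed to read experiment data cross-origin: the site itself plus
// any the administrator registered (option name is an assumption).
function absplit_example_allowed_origins() {
    $origins = array_merge( array( home_url() ), (array) get_option( 'absplit_example_extra_origins', array() ) );
    // Normalize each to scheme://host[:port] so the comparison is exact.
    $normalized = array();
    foreach ( $origins as $o ) {
        $p = wp_parse_url( $o );
        if ( empty( $p['scheme'] ) || empty( $p['host'] ) ) {
            continue;
        }
        $normalized[] = strtolower( $p['scheme'] . '://' . $p['host'] . ( isset( $p['port'] ) ? ':' . $p['port'] : '' ) );
    }
    return $normalized;
}

// Send CORS headers only for an allow-listed Origin; returns whether it did.
function absplit_example_send_cors_headers() {
    $origin = isset( $_SERVER['HTTP_ORIGIN'] ) ? strtolower( trim( wp_unslash( $_SERVER['HTTP_ORIGIN'] ) ) ) : '';
    if ( '' === $origin || ! in_array( $origin, absplit_example_allowed_origins(), true ) ) {
        return false;  // unknown origin: no header, so the browser blocks the cross-origin read
    }
    // Echo the matched origin (never "*") and tell caches the response varies by Origin.
    header( 'Access-Control-Allow-Origin: ' . $origin );
    header( 'Access-Control-Allow-Methods: GET, POST' );
    header( 'Access-Control-Allow-Headers: Content-Type' );
    header( 'Vary: Origin' );
    return true;
}

// Hypothetical lookup with constructed sample data; null means "not running".
function absplit_example_lookup_running_experiment( $id ) {
    $sample = array( 42 => array( 'id' => 42, 'variants' => array( 'a', 'b' ) ) );
    return $sample[ $id ] ?? null;
}

// Read-only endpoint for visitors: returns the variants of a running experiment.
function absplit_example_ajax_get_variant() {
    $experiment_id = isset( $_REQUEST['experiment'] ) ? absint( $_REQUEST['experiment'] ) : 0;
    $data          = $experiment_id ? absplit_example_lookup_running_experiment( $experiment_id ) : null;

    if ( null === $data ) {
        // No experiment data, so no CORS headers: other AJAX traffic is unaffected.
        wp_send_json_error( array( 'message' => 'No active experiment.' ), 404 );
    }

    absplit_example_send_cors_headers();
    wp_send_json_success( $data );
}
add_action( 'wp_ajax_absplit_example_get_variant', 'absplit_example_ajax_get_variant' );
add_action( 'wp_ajax_nopriv_absplit_example_get_variant', 'absplit_example_ajax_get_variant' );
```

This endpoint is deliberately read-only and unauthenticated, which is why it carries no nonce; any AJAX action that changes state should be registered on wp_ajax_ only and call check_ajax_referer() before doing anything else.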

Output Escaping

To prevent cross-site scripting (XSS), all output is escaped properly:

  • esc_html() for admin notices.
  • HTML entities decoded safely to avoid double-encoding.
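An added example (not the plugin's code) of an admin notice whose text partly comes from stored data: entities are decoded first and the string is escaped exactly once at output time. The function names, the query-string flags and the option name are assumptions.

```php
<?php
// Added example (not the plugin's code). Hypothetical names throughout.

// Stored strings sometimes already contain entities ("Tom &amp; Jerry")
// because an earlier layer encoded them. Decode first, then escape once:
//   "Tom &amp; Jerry <b>"  ->  "Tom & Jerry <b>"  ->  "Tom &amp; Jerry &lt;b&gt;"
// The raw "<b>" is still neutralized; the existing "&amp;" is not doubled.
function absplit_example_escape_once( $stored ) {
    $decoded = html_entity_decode( (string) $stored, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return esc_html( $decoded );
}

function absplit_example_admin_notice() {
    // Matches the capability the page lists for admin notices.
    if ( ! current_user_can( 'update_core' ) ) {
        return;
    }
    $is_error = ! empty( $_GET['absplit_error'] );
    if ( ! $is_error && empty( $_GET['absplit_saved'] ) ) {
        return;
    }

    // Message text comes from a fixed table, never from the URL itself.
    $class   = $is_error ? 'notice notice-error' : 'notice notice-success';
    $message = $is_error
        ? __( 'The experiment could not be saved: a field was invalid.', 'absplit-example' )
        : __( 'Experiment saved.', 'absplit-example' );

    $settings        = get_option( 'absplit_example_settings', array() );
    $experiment_name = is_array( $settings ) ? ( $settings['name'] ?? '' ) : '';

    // Attribute context gets esc_attr(), text context gets esc_html().
    printf(
        '<div class="%1$s"><p>%2$s %3$s</p></div>',
        esc_attr( $class ),
        esc_html( $message ),
        absplit_example_escape_once( $experiment_name )
    );
}
add_action( 'admin_notices', 'absplit_example_admin_notice' );
```

The decode step must come before the escape, never after it; decoding an already-escaped string would reintroduce the markup the escape removed. If the stored text is meant to carry limited HTML, wp_kses_post() replaces esc_html() for that field.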

Database Security

Only the right data is exposed:

  • Experiments are retrieved only if they are in a safe status (publish or complete).
  • Draft or incomplete experiments are never shown to site visitors.
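An added example (not the plugin's code) of querying experiments for the front end with an explicit allow-list of statuses and a prepared statement; the table name, the columns, and the custom post type name are assumptions.

```php
<?php
// Added example (not the plugin's code). Hypothetical table and type names.

function absplit_example_visible_statuses() {
    return array( 'publish', 'complete' );
}

// Experiments a visitor may see. $requested_status is untrusted (e.g. from a
// query string); it is matched against the allow-list, never interpolated.
function absplit_example_get_visible_experiments( $requested_status = null ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'absplit_experiments';  // prefix comes from config, not input
    $statuses = absplit_example_visible_statuses();

    if ( null !== $requested_status ) {
        $requested_status = sanitize_key( $requested_status );
        if ( ! in_array( $requested_status, $statuses, true ) ) {
            return array();  // "draft", "pending" etc. never reach the database
        }
        $statuses = array( $requested_status );
    }

    // One %s placeholder per status so $wpdb->prepare() quotes each value.
    $placeholders = implode( ', ', array_fill( 0, count( $statuses ), '%s' ) );
    $sql = $wpdb->prepare(
        "SELECT id, name, status FROM {$table} WHERE status IN ({$placeholders}) ORDER BY id DESC",
        $statuses
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// If experiments are a custom post type instead (with "complete" registered via
// register_post_status()), the same allow-list goes into post_status.
function absplit_example_get_visible_experiment_posts() {
    return get_posts( array(
        'post_type'   => 'absplit_experiment',
        'post_status' => absplit_example_visible_statuses(),
        'numberposts' => -1,
    ) );
}
```

Keeping the allow-list in one function means the "only publish or complete" rule is enforced in every code path that reads experiments, rather than re-typed per query.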

Error Handling

The plugin is built to fail safely:

  • try-catch blocks isolate errors.
  • Global variable checks prevent crashes.
  • Clear, descriptive error messages assist with troubleshooting.
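An added example (not the plugin's code) of the fail-safe pattern described above: a content filter that renders a variant inside a try/catch, checks the globals it depends on, and returns the original content on any failure. Descriptive detail goes to the log, and to administrators only when debugging is on. The helper names, the post meta key, the cookie name and the option name are assumptions.

```php
<?php
// Added example (not the plugin's code). Hypothetical names throughout.

class Absplit_Example_Render_Error extends RuntimeException {}

// Globals are not set in every context (cron, REST, WP-CLI), so check first.
function absplit_example_current_post_id() {
    if ( empty( $GLOBALS['post'] ) || ! ( $GLOBALS['post'] instanceof WP_Post ) ) {
        return 0;
    }
    return (int) $GLOBALS['post']->ID;
}

// Hypothetical variant loader; throws a descriptive error on malformed data.
function absplit_example_load_variant( $experiment_id, $variant ) {
    $stored = get_option( 'absplit_example_variant_' . absint( $experiment_id ) );
    if ( ! is_array( $stored ) || ! isset( $stored[ $variant ] ) ) {
        throw new Absplit_Example_Render_Error(
            sprintf( 'Experiment %d has no variant "%s".', $experiment_id, $variant )
        );
    }
    return $stored[ $variant ];
}

// the_content filter: returns the variant HTML, or the unmodified content on any error.
function absplit_example_render_variant( $content ) {
    $post_id = absplit_example_current_post_id();
    if ( 0 === $post_id || ! in_the_loop() || ! is_main_query() ) {
        return $content;
    }
    try {
        $experiment_id = (int) get_post_meta( $post_id, '_absplit_example_experiment', true );
        if ( 0 === $experiment_id ) {
            return $content;
        }
        $variant = sanitize_key( $_COOKIE[ 'absplit_exp_' . $experiment_id ] ?? 'a' );
        return wp_kses_post( absplit_example_load_variant( $experiment_id, $variant ) );
    } catch ( Throwable $e ) {
        // Log the specific reason for troubleshooting; visitors just get the
        // original page and never see internal detail.
        error_log( sprintf( '[absplit-example] render failed for post %d: %s', $post_id, $e->getMessage() ) );
        if ( defined( 'WP_DEBUG' ) && WP_DEBUG && current_user_can( 'manage_options' ) ) {
            // Safe to embed: escaped, and "--" removed so the comment cannot be closed early.
            $detail = str_replace( '--', '- -', esc_html( $e->getMessage() ) );
            return $content . '<!-- absplit-example: ' . $detail . ' -->';
        }
        return $content;
    }
}
add_filter( 'the_content', 'absplit_example_render_variant' );
```

Catching Throwable rather than Exception also covers PHP engine errors such as a TypeError from unexpected stored data, which is the usual way a "crash" would otherwise surface as a blank page.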

You can feel confident knowing that AB Split Test is not only focused on boosting conversions, but also on keeping your WordPress environment safe.

SOC 2 compliance – Security & Data Handling Statement

Company: Faster Forward Inc
Product: AB Split Test
Contact: support@absplittest.com
Last updated: December 2025


1. Product Architecture Overview

AB Split Test is a primarily self-hosted WordPress plugin.
All split testing data, analytics, and optional behavioral features run entirely within the customer’s own WordPress environment.

Certain limited functions (AI suggestions, licensing, updates) communicate with AB Split Test–managed infrastructure. This document explains exactly what data is transmitted, stored, and protected.


2. Data Transmitted to AB Split Test Servers

2.1 AI Suggestion Requests

When the AI suggestion feature is used, the following public, non-personal data is transmitted:

  • Public website URL
  • Publicly rendered HTML content
  • Publicly visible page screenshots
  • A website summary generated by ChatGPT based solely on the same public website content

Only content already visible to any visitor loading the website is transmitted.

No private source code, unpublished content, admin-only data, or server-side logic is included.

2.2 Licensing, Updates, and Version Checks

For licensing validation, updates, and version checks, the plugin transmits:

  • Website URL
  • License key

No additional environment data (such as plugin lists, database contents, visitor data, or configuration details) is transmitted.


3. Data Explicitly Not Collected or Transmitted

AB Split Test does not transmit:

  • Visitor behavior data
  • Analytics or tracking data
  • Heatmap or session replay data
  • IP addresses of site visitors
  • Cookies or browser identifiers
  • Admin names, emails, usernames, or credentials
  • Payment or billing data
  • Customer databases or internal business data

Any features that could process personal data are disabled by default and operate entirely within the customer’s own WordPress installation when enabled.


4. Data Storage & Retention

4.1 Stored Data

The AB Split Test server stores access logs only, containing:

  • License key
  • Standard request metadata required for service operation

4.2 Retention Policy

  • Access logs are retained for 60 days
  • Logs are automatically deleted after the retention period
  • No website content, HTML, screenshots, or AI request payloads are stored long-term

5. Infrastructure & Security Controls

  • Hosting Provider: Vultr
  • Region: Seattle, USA
  • Transport Security: All connections use HTTPS with TLS encryption
  • Infrastructure Scope: Dedicated solely to AB Split Test
  • Access Control: Restricted to internal team members
  • Authentication: Multi-factor authentication (MFA) enforced

6. AI Model Provider

  • Provider: OpenAI
  • Models: OpenAI GPT models

Requests sent to OpenAI contain only the public website content described above.
OpenAI states that data submitted via its API is not used for training and is not retained long-term.

AB Split Test uses its own API keys when communicating with OpenAI.
Customer API keys are not forwarded to OpenAI.


7. Data Processing Roles

  • AB Split Test does not act as a data processor or data controller for customer visitor data.
  • Customers retain full control over all data within their own WordPress environment.
  • AB Split Test infrastructure does not process or store personal data under normal operation.

8. SOC 2 Applicability

AB Split Test is not a hosted SaaS platform and does not store or process customer or visitor data.

Because AB Split Test infrastructure handles only:

  • Public website content
  • Licensing metadata
  • Short-term access logs

SOC 2 certification is not applicable to this product architecture.


9. Customer Responsibility

Customers are responsible for:

  • Security of their WordPress hosting environment
  • Compliance obligations related to any optional features they enable
  • Ensuring website content complies with applicable laws and regulations

10. Contact

For security or data handling questions:

Email: support@absplittest.com
Company: Faster Forward Inc
