Your security when using our website is of the utmost importance to us. We’re committed to making this website, and its email functionality, as secure as we can.
Accordingly, we have developed this Website Security page to outline some of the security measures we deploy.
- Connections to this website are encrypted with TLS, using a modern cipher suite, from your web browser through to our origin web server.
- All passwords used to administer and maintain this site are unique, complex, non-dictionary passwords of at least 20 characters.
- We utilize two-factor authentication on all website, domain name, and DNS administrator accounts.
- This site is powered by WordPress.org software. We rely on the WordPress project to respond to any vulnerabilities discovered and to patch them quickly; they have an excellent track record in this regard.
- We developed the site using StudioPress’ Genesis Framework.
- We use WP Engine, a specialist, fully managed, security-focused, WordPress-only host.
- We only use WordPress themes and plugins from developers we trust.
- We apply all WordPress core, plugin, and theme updates automatically. Outdated plugins, themes, and core versions with publicly known vulnerabilities are among the most common ways WordPress sites are compromised.
- We perform daily scans of our servers and site for malware, and we check daily whether our domain has been placed on any blocklist.
- We use a specialist, managed DDoS mitigation provider whose protection covers UDP and ICMP floods, SYN and ACK floods, DNS amplification, and Layer 7 (application-layer) attacks.
- Our website sits behind a web application firewall (WAF) that protects against SQL injection, cross-site scripting (XSS), and WordPress-specific attacks, and we deploy further rules from the OWASP ModSecurity Core Rule Set.
- Our domain’s DNS records are signed with DNSSEC, so validating resolvers can verify that DNS answers for our domain are authentic and have not been tampered with.
- We prevent clickjacking by sending the X-Frame-Options response header, which tells browsers not to render our pages inside an iframe on another site.
- Our website’s transactional email uses SPF and DKIM: emails sent by our website come only from email@example.com, via servers authorized in our SPF record, and are digitally signed with DKIM. We drop all inbound email sent to this address; please use the form on our secure, encrypted Contact Us page instead.
- We block plain FTP; only SFTP connections to the web server are permitted, and we delete any SFTP credentials that are not in active use.
- We do not run ads on this site:
1. So they don’t get in the way of your browsing; and,
2. Because third-party ad networks are a common vector for malvertising: malicious ads that deliver drive-by malware to visitors of otherwise legitimate websites, often without the site operator’s knowledge. Although we don’t serve ads, you can block them on other sites using tools such as uBlock.
- We hide our origin web server’s IP address, so that attackers cannot bypass the DDoS protection and WAF by connecting to the origin directly.
- We deploy brute-force login protection that limits repeated failed login attempts.
- We do not develop or test on the live production site; we develop, test, and deploy using separate development, staging, and production servers and environments, and we purge the development and staging servers once the site is live and in production.
- We deploy other security measures not listed here.
- Whatever anyone claims, no site that is accessible via the Internet can be 100% secure. However, we do our utmost to ensure your security when using our website.
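Two of the controls listed above, the anti-framing header and SPF, can be checked mechanically. The Python below is an added example written for this page; it is not code from this site, from WordPress, or from WP Engine. It evaluates a constructed set of response headers and a constructed SPF record (using RFC 5737 documentation addresses) with no network access. It also recognizes the Content-Security-Policy `frame-ancestors` directive, which current browsers honor in preference to X-Frame-Options, and treats the obsolete `ALLOW-FROM` form as no protection.

```python
"""Offline checks for two controls in the list above: anti-framing headers
and an SPF policy. All sample data here is constructed for illustration."""
import ipaddress
import re

# Constructed sample response headers, not captured from the real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
}

# Constructed SPF record using RFC 5737 documentation address ranges.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all"

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def framing_policy(headers):
    """Classify the anti-framing policy a response carries.

    Returns 'deny', 'sameorigin', 'allowlist' or 'none'. CSP frame-ancestors
    is checked first because browsers that support it ignore X-Frame-Options
    when both are present. X-Frame-Options ALLOW-FROM is obsolete and is
    ignored by current browsers, so it counts as no protection.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    m = re.search(r"(?:^|;)\s*frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
    if m:
        sources = [s.lower() for s in m.group(1).split()]
        if sources == ["'none'"]:
            return "deny"
        if sources == ["'self'"]:
            return "sameorigin"
        return "allowlist"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    return "none"  # missing, malformed, or obsolete ALLOW-FROM


def spf_result(record, sender_ip):
    """Evaluate sender_ip against an SPF record made of ip4/ip6/all terms.

    Mechanisms that need DNS lookups (include, a, mx, exists, ptr) are not
    resolved here; they raise so the caller is not given a misleading answer.
    Returns 'pass', 'fail', 'softfail' or 'neutral' from the first matching
    mechanism, or 'neutral' if nothing matches (the RFC 7208 default).
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return SPF_QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # ip_network accepts bare addresses and CIDR; a v4 address is
            # never contained in a v6 network and vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return SPF_QUALIFIERS[qualifier]
            continue
        if "=" in name:
            continue  # modifiers such as redirect= or exp= are ignored here
        raise NotImplementedError(f"mechanism '{name}' requires DNS lookups")
    return "neutral"


if __name__ == "__main__":
    print("framing:", framing_policy(SAMPLE_HEADERS))
    for ip in ("192.0.2.44", "198.51.100.7", "203.0.113.9"):
        print(f"SPF {ip}:", spf_result(SAMPLE_SPF, ip))
```

To check a live site, feed `framing_policy` the headers returned by an HTTP client and `spf_result` the TXT record of the sending domain; the functions themselves stay offline. A record ending in `~all` (softfail) rather than `-all` lets spoofed mail through with only a soft mark, which is why the hard-fail form is the one worth verifying.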
We are committed to conducting our business in accordance with these principles in order to ensure that the security of our website is protected and maintained for your benefit, as well as ours.