Security

Your website is a business asset, not just a pretty brochure. We treat it that way. Our security approach covers people, processes, and infrastructure.

Access & Identity

The most fallible part of any security system is the human element. We start here:

  • Least privilege — users get only the access they absolutely need.
  • Limited admin access — only authorised people can touch critical systems, DNS, or servers.
  • Unique strong passwords — required for all accounts, generated with a password manager.
  • MFA enabled everywhere — authenticator apps preferred; SMS/email only when necessary.
  • No account sharing — every person, client, and contractor gets their own identity.


WordPress Application Security

Most breaches come from outdated or poorly coded plugins and themes. We lock that down:

  • Weekly updates for WordPress core, themes, and plugins.
  • Security updates applied immediately when available.
  • Threat monitoring against known vulnerability databases.
  • Automatic virtual patches for high-risk issues, with vulnerable components replaced before they’re exploited.
  • AI-assisted visual checks after every update — if a layout shifts more than 3%, we review it manually before it stays live.


Server Hardening

We secure the server layer so there’s less for WordPress to defend:

  • SSL certificates with HTTPS enforced across every site.
  • Weekly Ubuntu and NGINX updates — patched and tested.
  • Secure PHP versions configured by default.
  • Strong usernames and passwords on all service accounts.
  • Directory browsing disabled — curious eyes can’t map your files.
  • PHP execution disabled in uploads and theme directories.
  • Secure wp-config.php permissions and placement.
  • Security headers applied at the server level.
  • SFTP and SSH only — plain FTP is dead.
  • Nginx rate limiting to slow brute-force attempts.
  • Default WordPress login page disabled — replaced with a safer custom entry point.

We also protect against the common WordPress-specific attacks: HTTP Response Splitting, XSS, Cache Poisoning, SQL/PHP/Code Injection, and File Inclusion.
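As an added illustration (not this provider's own configuration), the following nginx server block implements several of the items above: HTTPS enforced, directory listing off, security headers, wp-config.php shielded, PHP execution blocked in uploads and theme directories, and rate limiting on the login endpoint. The site root, certificate paths and PHP-FPM socket are assumed values.

```nginx
# Added example, not the provider's real config. Assumed values: site root
# /var/www/example/public, Let's Encrypt certificate paths, PHP-FPM 8.2 socket.

limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;   # belongs in the http {} context

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;            # HTTPS enforced on every request
}

server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example/public;
    index index.php;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    autoindex off;                                   # directory browsing disabled

    # Security headers applied at the server level
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # wp-config.php is never served, even if file permissions slip
    location = /wp-config.php { deny all; }

    # No PHP execution in uploads or theme directories.
    # Must sit above the generic \.php$ block: nginx uses the first matching regex.
    location ~* ^/wp-content/(uploads|themes)/.*\.php$ { deny all; }

    # Rate limit the login endpoint to slow brute-force attempts
    # (a custom login path would take the same limit_req line)
    location = /wp-login.php {
        limit_req zone=login burst=5 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
    }

    location / { try_files $uri $uri/ /index.php?$args; }
}
```

Run `nginx -t` after editing and confirm with a request for `/wp-content/uploads/x.php` that the response is 403 rather than a PHP-FPM pass-through.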


Backups

Good backups are like insurance that covers everything, costs almost nothing, and always pays out. We take them seriously.

  • 14-day retention on all plans by default.
  • Tiered schedules — local backups for speed, remote backups for safety.
  • Remote destinations include Wasabi, AWS S3, and Google Drive.
  • Higher tiers add hourly backups and physical-drive archives for enterprise clients.
  • Optional client-owned destinations (OneDrive, Dropbox, pCloud, DigitalOcean Spaces) so you always hold a key.


Monitoring & Logging

Knowing what happened is half the battle. We log activity across both the hosting environment and client sites so every action is traceable back to a user or service worker.

  • Uptime monitoring with Better Uptime.
  • Server performance tracking with NetData.
  • Ongoing reliability checks with Hexometer and Hexowatch.
  • Centralised activity logs for audit, forensics, and compliance.