![]()
Our Security Position
We have a layered approach to security, keenly looking for new information and practical steps.
- Ongoing discussions with colleagues and review of articles.
- Review of security components and implementation.
- Monitoring.
Some aspects of security practices are well known.
What is not well known :
- Old code, unused plugins, industry or software security alerts, weak passwords, and stale or previous 3rd party developer logins expose sites to inevitable hacking, Such breaches are certain given AI developments since 2025.
- Passwords used in emails.
- Configuration files (such as .env or wp-config.php) not protected by strict rules.
- Initial development exposing sites prior to installing SSL.
- Security keys stored in files.
Our security measures include a range of measures.
Logins
- Strong passwords
- Renewal of old password
- Removal of unused user accounts
WordPress
- 2FA if requested.
- Currently maintained plugins – removal of non-current or security risk plugins.
- Theme and plugin updates.
- Repeat failed account logouts.
- Session ID expiration – standard in WordPress.
- Removal of traditional wp-admin and wp-login.
- Use of a 3rd party security plugin.
Linux
- Admin static IP4 SSH terminal shell access.
- NFT Tables – optional configurations such as country blocking, domains, bad actor GET search patterns.
- Improved Nginx/Apache2/PHP with security rules – website and database.
- Rate limiting login attempts.
- Custom URL downloading with expiration.
- Monitoring for unusual downtime events with auto-restarts where able.
- SSL certificate monitoring.
- DNS monitoring.
- Linux package updates.
- No use of Postfix.
AWS Resources
- Secure EC2 instances
- Instance snapshots
- Database and File backups (e.g. WordPress)
- Private S3 Buckets and where required limited policy permissions.
- Attached EC2 IAM Roles to the Linux server, removing any need for credential keys, with limitations on permissions and access.
- Verified SES email domains and email addresses.
- Tightened IAM Roles/Policies and Lambda code.
- Removal of old code (e.g. SDK2 replaced by SDK3).
- Renewal of any Credential Keys or old SMTP credentials.
- Preference for removal of Keys or SMTP where able.
- Optional configurations for SES system generated or WordPress Email
- Optional S3 logging.
- GuardDuty
- Entry level CloudTrail
- CDN standard WAF
Costlier real-time logging and actions are usually preserved for Enterprise solutions.
These is not an exclusive list, but supports our security focus.



