This page sets out our security policy and steps we have taken to secure this site and your data.
This website is hosted on its own private server with no other websites (as it is isolated it eliminates the possibility of cross-infection from others websites on the same server). The server is fully managed with 24 hours a day support, security patching, tuning, and monitoring.
The entire site is secured using an SSL security certificate which encrypts all web pages. This ensures that all information passed between the web server and your browser remain private. We also use the Cloudflare service which is a first line of defence in preventing known hackers reaching our site. We monitor site access and we use scanning services to test for any suspicious activity on our site.
The server has a server firewall and a web application firewall (Mod Security) and uses intrusion prevention software (Fail2Ban) for banning abusive IP addresses. The server password policy is set to ‘very strong’ so all passwords must be over 16 characters and complex.
The site contents are backed up every 6 hours to a server on the same network and backed-up daily to an offsite EU location. On-site backups are kept for 7 days and off-site backups are kept for 30 days. Off-site backups are encrypted with a password.
We use two-factor authentication for all administrator access to the website administration system. All logins and activity are recorded (in addition to the server logs). This site uses the WordPress content-management system and follows WordPress security best practices, including:
- Using Git for version controlling the codebase
- Using bcrypt to encrypt passwords (instead of the default MD5 which is weaker)
- Keeping WordPress core and plugins up-to-date
- Using virus and malware scanners on any computers with access to the administration system
- Using SSH and FTPS for server access
- Removing WordPress version details
- Restricting administration area access to limited roles
- Using strong passwords for database users and access
- Using trusted well-regarded plugins that are actively developed
- Using a firewall plugin
- Enabling logging for user activity
- Storing last login times and IP addresses
- Preventing username enumeration (unless required for forums etc)
- Disabling the REST API
- Disabling XML-RPC
- Disabling PHP execution in the uploads directory
- Disabling file and directory browsing
- Disabling the plugin and theme file editor
- Preventing direct access to important files such as wp-config.php
User submitted data that includes personally identifiable information requires explicit consent from the user before processing.
All data is stored on servers in the UK as described in the general information above.
The server is hosted in UK datacenter with the following failsafes in place:
- Self-healing network with a 99.95% uptime guarantee
- Uninterruptible Power Supply (UPS) systems
- On-site backup generator(s) with on-site fuel and priority refuelling contracts in place to power the facility in the event of utility power outage
- HVAC maintains temperature and humidity levels for reliable and efficient server operation
- Diverse fibre access to the building
- Fully manned 24/7/365 security
- Multi-stage security access restrictions including biometric and card access with remotely manned human verification stages
- Internal and external CCTV
- Advanced smoke and fire detection and suppression systems
- No customer access to enclosed, lockable racks, cages or suites