Security, Backups and Monitoring

Our systems are very secure. Please review all of the ways we keep your content safe and secure.

Secure Web Servers

Our platform uses a "push publish" technique, meaning that most of the public facing web pages are served statically on physically remote servers. This approach also makes our websites very fast, reducing the time to first byte (TTFB).

SSL Certificates

SSL certificates are provided free on all standard hosting plans and above. They are issued by Let's Encrypt. SSL certificates keep customer interactions with your website safe from third-party snooping.

TLS Versions

Our web servers only support the latest TLS versions. We do not use SSL v2 or v3, nor TLS 1.0. These newer protocol versions ensure the highest level of security for communication between the web browser and the web server. It should be noted that this strictness may prevent very old computers from viewing websites. TLS 1.1 is currently under review, but continues to be offered so that more people on old devices can view your websites.

Secure File Storage

Private member files, provided during member registration or form posts, are stored in a secure file repository. These files can only be accessed by authenticated users, or via special links that contain a hash code.

Secure Database

Our database runs in a multi-AZ (availability zone) environment, ensuring your data is safe. Should one server fail, the backup server will automatically continue service. This failover is well tested, as the servers hand over to each other on a regular basis during server upgrades. We run the latest security patches on our database. Database access is also restricted, such that it can only be reached from our specified IP addresses.

Backups

We use incremental, scheduled backups, such that we can restore a website to a specific point in time, up to two weeks in the past. In addition, we provide further backups at other ad hoc points in time.

Closed Source System

Our platform is closed source, meaning that only authorised persons have access to the source code. In comparison, open source systems can expose holes to unscrupulous users.

Vulnerability Tests

We regularly run vulnerability tests on randomly selected websites, and act on any important issues found.

Uptime Monitoring

We run regular health checks using multiple third-party monitoring tools, so that our systems administrators are alerted and can resolve any issue urgently.

Firewalls and Rate Limiting

We run two different firewalls. The first is an industry-standard firewall integrated with our web server, which secures our web servers against many well-known attacks. The second is a custom firewall at the application level, which blocks many common attacks and rate-limits robots attempting to brute-force their way in or to bring your website down in a denial-of-service attack.

Spare Capacity and Load Balancing

Our servers are all tuned to run at around 10% CPU usage. This allows them to burst to up to 10 times the normal amount of activity. We also provide load balancing, so that web servers with spare capacity can take on more load if another server is busy.

reCAPTCHA and Robot Blocking

All web forms are secured by our own custom AI anti-robot firewall. This firewall looks for common spam approaches, and will force a suspected robot to complete a reCAPTCHA step. reCAPTCHA fields are provided by Google, and attempt to confirm that a human is completing the form. You can also choose to require a reCAPTCHA on all your forms. Our anti-form-spam AI system learns from other users marking received enquiries as spam.

Server Patching

We patch our servers regularly, to ensure they are up to date and protected against known operating system issues.

Member Security

We provide a security layer that you can use to give authorised persons access to specified pages and content. You can manage member access levels, as well as assign members to multiple groups. Pages can be secured by access level and/or by member group. Security access follows the typical approach of a member's email address as their username, together with a quality password that is automatically generated by our system. We make it easy for your customers and members to log in, via a single link or button containing a secure hash.

Email Security

All email is sent and received via secure servers that require authentication. We use SPF and DKIM to validate your email as authorised, and to tell other email servers not to accept email that does not come from authorised mail servers. That said, your email account is only as secure as your own username and password. To protect the other users of our servers, we rate-limit sending speeds for all users, and we independently monitor for any possible blacklist status. Our email servers have a very good reputation, and users of our own bulk email service enjoy good deliverability and read rates.

Two-Factor Authentication

Our cloud systems infrastructure is protected by two-factor authentication. All our servers can only be accessed from a limited set of IP addresses, and only when the correct SSH keys are provided. This protects our infrastructure from intrusion. At the individual user website maintenance level, we do not currently offer 2FA.

Other Administrator Access Privileges

You can assign limited access to your staff and contractors, such that they can only reach specific sections of our website content management system. For example, some staff may only access the POS, or an SEO expert may only access your SEO meta tags but not your ecommerce reports.

Logging and Monitoring

We log many kinds of system activity, such as web and email traffic, as well as most update actions within the CMS. We regularly monitor these logs using automated tools, which alert us to any suspicious behaviour and help us audit the root cause of any issues.

Domain Security

Website World was awarded the "Most Secure Domain Portfolio" by the dot nz registry in 2019. Website World regularly reviews the quality of our registrant data. Website World also offers a domain DNS locking feature, to prevent unauthorised changes.