Client Security Policy
To support you, your website development and the ongoing web marketing we do for you, WebVitality (a division of Flourish Press, Inc.) engages a comprehensive security policy. We believe that your web marketing and website security is dependent on a wide number of factors, many of which are under our control, some are dependent on you, and some are dependent on third-party entities. These standards continue to evolve, and we adapt our Security Policy based on these ever-changing requirements.
We believe there are six specific categories of security that make up an effective policy. Under each of these categories, we’ll document the specific practices required to support effective security.
What We Do
WebVitality (WV) Staff Personal Security Practices
Individual device security flaws and errors made by the humans working on your website are often the leading causes of breaches. As a result, security at an individual level is critical. We protect your information through the following practices:
- Staff members are required to run security and anti-malware software on business-owned and dedicated computers.
- All company-owned computers are required to be updated with new patches and security updates for operating systems or software when deployed or twice a month at a minimum.
- Staff passwords are stored and managed by leading third-party, cloud-based password management software. Staff passwords for all software and websites are required to be complex and use uppercase and lowercase letters with numbers and symbols (if allowed).
- Access to all major WV business software requires the use of dual authentication procedures, if available.
WebVitality Corporate Security Practices
- Only trained and experienced staff members of WebVitality have access to your website and/or your web marketing accounts. Unless disclosed, no third-party vendors or contractors will have access to your website for specific functions.
- Password usage, storage, and management is one of the most common places where security breaches can happen. WV employs leading third-party, cloud-based enterprise password management software to support the storage and management of your various login credentials. Sharing of these credentials between team members is done via the password management software.
- Sharing login credentials or other secure information with or from you is done via secure, encrypted transmission tools that delete data once transmission has taken place or shortly thereafter.
- Any credit card information you provide us via secure form or call is entered at our payment processor, Infusionsoft. Infusionsoft is PCI DSS Level-One validated by SecurityMetrics, US/EU Safe Harbor Framework and the VeraSafe EU Safe Harbor Program. Credit card information that has been provided by phone and documented on paper is destroyed after being added to Infusionsoft.
WebVitality Development Security Practices
As a digital agency, we develop only on WordPress. In keeping with the Open Web Application Security Project (OWASP) Standards for WordPress, we do the following with every new WordPress website development project:
- Develop your website with well-proven, security-tested themes and plugins.
- Use strong, complex passwords during the development process that adhere to WordPress standards. We remove default admin accounts. We disable user registration and add comment control if not already required. We employ appropriate user roles for your website.
- Use and deploy two-factor authentication on your website.
- Add security plugins and tools to your website, including login limits, CAPTCHA, and more to support secure deployment.
- Change the standard WordPress admin login URL and move wp-config.php files (if allowed by hosting provider).
- Employ secure connections SFTP and SSL, and enforce transport layer encryption for administrative access.
- Implement and engage daily backups.
- Disable plugin editor and theme editor once website is deployed.
WebVitality Ongoing Web Support Practices
In keeping with the OWASP Standards for WordPress, if you subscribe to an ongoing website support program with WV, we provide the following security services:
- To ensure the most up-to-date WordPress core, theme and plugin software, we manually update them every week, testing after updates to ensure that website has not been negatively affected by the update.
- On top of the expected daily backups your hosting provider creates, we create an additional, redundant backup that is stored off your hosting server. We test our redundant backups on a regular basis to ensure they can be restored.
- To ensure adequate knowledge of all historic activity on your website, we employ a WordPress website audit tool to log all activity on the website, including logins and actions taken. This helps us to monitor activity by any registered user as well as potential hacks.
- Depending on your web hosting service requirements, restrictions and capabilities, we may also use Sucuri, a third-party WordPress security and malware monitor. If we do not use Sucuri, once a month, we scan your WordPress website for known bugs that have been indexed in the WPScan Vulnerability Database, which contains over 8,000 reported vulnerabilities. Our scanner tries to identify the plugins run on your website and will compare their versions against the bug database.
- Once a quarter, we audit plugins, themes and users on your website to determine if any need to be deleted.
- Only WV staff have ongoing access to your website. If a third-party developer is required for specific technical support, you will be notified and they will only be granted a temporary account that will be suspended and deleted after the project or task is completed.
- If you or one of your team requires a login, we will clarify the intent of that role, then provide appropriate security level access to the website.
- On a yearly basis, we confirm with you who has authority to request services and access your website or other web marketing tools or services.
What You Do
Your Security Practices Related To Working With WebVitality
While WV as your vendor may have an incredibly strong security policy, you and your employees must also support secure practices. As such, we request the following from you:
- Provide us confidential login credentials or other data via secure transmission options we provide and do not send them via email.
- Update us on staff or sub-contractors who have access to your website and the roles they require. Update us when staff members change roles or leave so we can remove access to website or other web properties.
- Use the passwords provided by WV or be sure to employ strong passwords.
- Store and manage passwords in secure ways.
What We Both Require from Others Involved
Third-Party Security Practices
WordPress Hosting: Many of the effective security practices for WordPress website development and management are based on the web hosting environment. It is our recommendation that your hosting provider offer Managed WordPress hosting and be approved by WV before we proceed with any work. It is critical that your hosting provider employ Apache, PHP and database hardening. They should also employ the most recent version of PHP. Server-level firewalls, intrusion detection systems, and other security tools need to be present and managed at a host level.
WordPress Software: We rely on the proven WordPress software platform to support evolving security standards. WordPress outlines their commitment to these standards on the following page: https://wordpress.org/about/security/.
Alternate/Additional Software Integrations: You may require alternate or additional software integrations on your website to support your business. It is important that these be addressed and confirmed as secure before implementation on your website.
Alternate Providers: In order to maintain security integrity, if you choose to involve other vendors with your website, it is critical they support and follow the same security standards outlined here.
Incident Response Protocol
As a client of WebVitality, in the event of a hack, website defacement or compromise, whether the cause was the fault of WebVitality or the fault of an employee at your company, we will work immediately to fix the issue in the following ways:
- Assess audit logs to see what events happened or actions were taken on the site, what time the hack appears to have occurred, and any other critical information.
- Scan website with Sucuri to determine the specific hack to the site.
- Check with hosting company to confirm hack and ask if they have any indication of a cause at the server level. If so, determine whether they have already started a response at a hosting server level.
- Restore the most recent backup of website before hack occured to overwrite the hacked site with a clean version.
- Reset all WordPress admin or other user access by forcing global password reset and update WordPress secret keys.
- Notify you of the hack and related findings. If we learn one of your employee accounts was found to be the source, we’ll let you know so they can scan their local computer or network for viruses, malware and keyloggers.
- Reset hosting account login, SFTP, and database passwords.
- If required, deactivate a plugin that may be cause of the vulnerability. Notify plugin developer.
- Check website blacklists to ensure website was not added. Check Google Search Console and Bing Webmaster Tools. If added to any blacklist, request removal.
- Re-secure website. Resume normal operations.
- Update you on the response and outcome.
Note: This Incident Response Protocol is only valid if you are on an active monthly website maintenance program with WebVitality. It does not apply to a website that was built by WebVitality but not actively maintained by us.