Security policies for Red8 Interactive projects and hosted sites

We have had one compromised site since 1995.

Red8 Interactive follows modern best practices in our continued efforts to prevent and mitigate security-related incidents in our projects and hosted sites. Our portfolio includes sites for large national firms, banks, and other security-sensitive organizations.

Modern hosting services

We rely on the security, monitoring, and recovery resources provided by our hosting service partners, and select reputable hosting services with proven track records.

Cloudflare

We encourage all of our clients to use Cloudflare for their edge traffic and benefit from Cloudflare’s additional resources and best-in-class denial of service mitigation.

Modern credential storage

Credentials (usernames, passwords, and related information) are a common source of security breaches. We store all credentials in Bitwarden, a modern credential management system. Passwords are unique and randomly generated.

Updates

Vulnerabilities in WordPress themes, plugins, and other components are also a frequent source of security incidents. WordPress projects require frequent updates to prevent the exploitation of these vulnerabilities, and we use a popular third-party service to notify us of available updates and make the update process as easy as possible.

Backups

Multiple third-party services take daily snapshots of all of our sites and store them for varying periods of at least 30 days. These backups allow us to revert unwanted changes to sites and gather more information in the event of a security breach. The backups are not accessible from any of our hosted sites.

Monitoring

We use multiple tools and services to provide constant monitoring and rapid alerts for uptime, errors, and potential security issues.

Plugins

All of our sites have either Wordfence or iThemes Security Pro installed to provide an additional layer of defense against malicious traffic and warnings for updates, vulnerabilities, and incidents.

Limited access

We encourage our clients to minimize the number of administrative accounts on their sites and regularly review notifications for inactive user profiles.

Audits

We audit our sites a couple of times each year for inactive accounts and other potential issues that haven’t already been handled by all of the processes above.

How you can help

Weak and reused passwords on administrative accounts can still provide attackers with access to sites. Please use a modern password manager that will generate and store unique, random passwords for you.