❓ How is my website protected, and what levels of security are included?

Your website is protected using a multi-layered security model designed to safeguard your data, block attacks, and maintain performance. Here’s how each layer works:

🛡️ 1. Domain-Level Security (Top Layer – Enabled by Default)

  • Managed through Cloudflare DNS and Web Application Firewall (WAF)
  • Stops threats before they even reach your server or website
  • Blocks malicious traffic, brute force bots, and common web attacks
  • Includes firewall rules to block spam and unauthorized access attempts
  • Major performance advantage: all security processing happens before it impacts your website speed

Included and enabled for all Business Growth websites where we manage the domain (DNS/Domain Renewal Service is separate)
🔗 Learn more about WAF & Spam Protection »

🌐 2. Server-Level Security (Middle Layer – Enabled by Default)

  • Websites are hosted on Google Cloud Infrastructure
    • Enterprise-grade data center security
    • Load balancing and uptime protection
    • Isolated infrastructure to reduce risk
  • Benefits from the same advanced security used across Google’s global services
  • Ensures fast performance and scalable uptime by offloading heavy processing from the website itself
  • Ideal for ensuring availability, performance, and server integrity

Included and active by default as part of your hosting

🔐 3. Site-Level Security (Optional Plugin-Based Layer)

  • Managed through WordPress plugins like Defender Pro, which are included upon request
  • Can enable features like:
    • Two-Factor Authentication (2FA/MFA)
    • Malware/file scanning
    • Login attempt tracking
  • Best used selectively — too many features or real-time scans can slow down site performance, especially during peak hours

🔄 Available upon request – Site-level scanning is not enabled by default and should be requested. We recommend enabling only what’s necessary, such as login MFA or periodic malware scans

🔐 4. SSL/TLS Certificate (HTTPS Encryption)

  • We include a Let’s Encrypt SSL certificate on every site by default
  • These certificates enable secure HTTPS connections between browsers and your server
  • Protects sensitive data like form submissions and login credentials by encrypting traffic
  • Auto-renewed every 90 days (renewal occurs 30 days before expiration to avoid downtime)

✅ Included and automatically managed for all hosted websites

🔓 Login Access & Brute Force Protection

  • By default, we block direct access to /wp-admin and standard WordPress login URLs
  • Logins are securely routed through the Business Growth Platform portal to reduce attack surface
  • This feature can be disabled, but doing so is not recommended
  • Our WAF already blocks the majority of contact form spam
  • If spam continues, we recommend enabling CAPTCHA for extra protection
  • CAPTCHA adds friction for bots but may slightly reduce user engagement — use wisely based on your needs

⚖️ Bottom Line: Balance is Key

We focus on layered security that protects your site at the domain and server level first — and reserve site-level tools for selective, high-value protections like MFA and scanning. This keeps your website secure without sacrificing performance.

🔗 Request Site-Level Security Setup »
🔗 Business Growth Platform Overview »
