The Engine is Red

Digital & Web Security Policy

This document outlines how The Engine is Red handle security in relation to digital and web development.


  • We recommend VPS hosting to clients (currently UpCloud) to ensure that client websites are not on a shared server with any other companies.
  • We recommend clients move their DNS to Cloudflare, to mitigate against DDOS attacks
  • Security patches and packages are installed weekly, automatically on client servers
  • All servers that we manage are provisioned with Ploi
  • We use Ploi to install and automatically renew Let’s Encrypt SSL certificates
  • Domains managed by us:
    • Enforce HTTPS via Cloudflare
    • Enable HSTS via Cloudflare with a max-age of 6 months
    • Automatic HTTPS Rewrites
    • We use the latest LTS installation of Ubuntu for new client web servers
    • Clients are advised to move to a new server every 5 years when their LTS version of Ubuntu stops receiving updates


  • For clients that have active maintenance contracts, we update Craft and it’s plugins either monthly or quarterly
  • We recommend a maintenance contract to all clients to keep their websites updated both in terms of security and front end performance
  • All sites we actively maintain are backed up regularly to AWS via Ploi or SnapShooter

Passwords & Documents

  • We use Two Factor Authentication wherever possible
  • We use 1Password's built in tools to measure password strength and whether any passwords have been compromised
  • We never share client passwords externally
  • Passwords are stored in 1Password
  • For our own passwords, we use strong, randomly generated passwords via 1Password that are never re-used. We recommend clients do this too
  • Passwords are not sent in plain text by email
  • Our password vault is separated into containers. Only the people who need certain passwords are able to access them
  • Users who leave the company have their access to passwords revoked
  • Online documents and tools are only shared with the people who need access, never publicly

Working with Freelancers

  • Developers are required to sign an NDA before being given access to any client data
  • Access to servers is restricted to SSH keys, no passwords
  • Developers are only given access to the site they are actively working on
  • Once a developer is no longer working on a site, their access to the server and repository is revoked


  • We use code monitoring tools that point out vulnerabilities in active sites we’re working on
  • We recommend Craft CMS for almost all client projects. In terms of security, here’s what you need to know about how Craft is secured at the code level:

Shopify-specific Policies

Publicly available Shopify Apps must either be from the safe list below or be reviewed individually. Ideally, apps installed:

  • Have good documenation
  • Have a rating above 4 stars
  • Have at least 100 reviews, or have been developed specifically for one of our clients
  • Be verified as having little impact on site performance

Craft-specific Policies

Craft plugins must either fulfil the criteria below, or be reviewed individually by the lead developer. Ideally, plugins installed:

  • Have good documentation
  • Have many (at least 100) active installs
  • Be actively maintained (updated within the last 3 months)
  • Have a good response time for GitHub issues
  • Have a version number above 1.x

We follow all advisories in the Securing Craft article from Pixel & Tonic:

  • The source folder is kept above the webroot
  • allowAdminChanges are set to false in both staging and production
  • We explicitly set the @web alias for the site
  • We enable all “Purify HTML?” Redactor field settings
  • We use Freeform for all forms, which automatically enables CSRF protection
  • We use the latest major version of PHP on new sites, and upgrade existing sites when they move to new servers
  • File permissions are reviewed and set according to Craft’s installation guide
  • General Configuration settings are reviewed on a per-site basis during development
  • We set applicable security headers during development
  • We change the cpTrigger from the default /admin
  • We remove the X-Powered-By: Craft CMS header
  • Inactive CMS user accounts are disabled or deleted

Plugin Developer Safe List

The companies below have a proven track record in high quality software and have been active in the Craft community for years. We trust their work.