Security Policy

Each client hosting account operates within an isolated CloudLinux CageFS environment. This ensures that a compromise or resource spike on one account cannot affect other accounts on the same server. Resource limits (CPU, memory, I/O) are enforced per-account to prevent abuse and maintain stable performance.

• Cloudflare WAF: All client websites are protected by Cloudflare's Web Application Firewall, filtering malicious traffic including SQL injection, XSS, and bot attacks before they reach the origin server
• CSF/LFD Firewall: Server-level firewall with Login Failure Daemon for brute-force detection and IP-based blocking
• Imunify360 Proactive Defence: Behavioural analysis engine that blocks zero-day attacks and suspicious PHP execution in real time

Cloudflare's global network absorbs and mitigates volumetric DDoS attacks at the edge. LiteSpeed's built-in connection throttling provides an additional layer of protection at the server level. We maintain escalation procedures for attacks that exceed standard mitigation thresholds.

• SSH access restricted to key-based authentication only — password-based SSH is disabled
• SFTP enforced for all file transfers — unencrypted FTP is not available
• Administrative panels accessible only via HTTPS with valid TLS certificates
• Non-standard ports used for administrative services where possible

All client websites are served over HTTPS using TLS 1.2 or higher. SSL/TLS certificates are provisioned and renewed automatically. We enforce HSTS headers and disable legacy protocols (SSLv3, TLS 1.0, TLS 1.1) across our infrastructure.

Backup archives are encrypted before transfer to off-site storage. Database credentials and API keys are stored in secure, access-controlled configuration files with appropriate file-system permissions.

• Client data is only accessed when necessary for service delivery, troubleshooting, or at the client's explicit request
• Sensitive credentials shared by clients are stored temporarily and purged once the task is complete
• We do not access, read, or analyse client databases, emails, or files outside the scope of authorised work

• Root and administrative access is restricted to authorised Shadowtek personnel only
• Multi-factor authentication (MFA) is enforced for all administrative accounts
• Administrative sessions are logged and auditable
• Access privileges follow the principle of least privilege — staff are granted only the access required for their role

• Clients receive access credentials scoped to their hosting account only
• cPanel accounts are configured with session timeouts and IP-based access restrictions where requested
• We strongly recommend clients enable two-factor authentication on WordPress admin and cPanel accounts

All system-generated passwords meet minimum complexity requirements (12+ characters, mixed case, numbers, and symbols). Clients are encouraged to use password managers and unique credentials for each service.

• 24/7 server monitoring for uptime, resource usage, and anomalous behaviour
• Real-time malware scanning and automatic quarantine via Imunify360
• Intrusion detection and log analysis with automated alerting
• Cloudflare analytics for traffic pattern analysis and threat identification

In the event of a security incident, we follow a structured response procedure:

Where a data breach is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth).

Our disaster recovery procedures are designed to restore services with minimal downtime:

• Recovery Point Objective (RPO): Maximum 24 hours of data loss
• Recovery Time Objective (RTO): Services restored within 4 hours for critical systems
• Failover procedures documented and tested quarterly
• Contact escalation paths established for critical infrastructure failures

• Server operating system and kernel patches applied automatically via KernelCare and scheduled maintenance windows
• PHP versions kept current — end-of-life versions are proactively migrated
• WordPress core, plugin, and theme updates monitored and applied as part of managed hosting plans
• Critical security patches applied within 24 hours of release

• Automated daily malware scans across all hosted accounts
• Real-time file change monitoring for known malware signatures
• Automatic quarantine of detected threats with client notification
• Manual malware removal and site hardening included in managed plans

We conduct periodic security reviews of our infrastructure, including configuration audits, access reviews, and penetration testing of critical systems. Findings are documented and remediated on a risk-priority basis.

This disclosure policy applies to:

• shadowtek.com.au
• Systems and infrastructure operated directly by Shadowtek
• Client environments hosted and managed by Shadowtek (where applicable to infrastructure-level security)

This policy does not grant authorisation to test third-party systems, vendors, or client applications outside Shadowtek-managed infrastructure. If you are unsure whether a system is in scope, please contact us before conducting any testing.

To help us triage efficiently, include:

• A clear description of the issue
• Steps to reproduce
• Affected URL(s) or IP(s)
• Screenshots or proof-of-concept (if available)
• Your contact information

We ask that researchers:

• Avoid privacy violations, data destruction, or service disruption
• Do not exploit vulnerabilities beyond what is necessary to demonstrate impact
• Do not access, modify, or delete data belonging to others
• Do not conduct denial-of-service testing
• Provide us reasonable time to investigate and remediate before public disclosure

Shadowtek will not pursue legal action against researchers who:

• Act in good faith
• Comply with this policy
• Avoid harm to users, clients, and infrastructure
• Do not exploit vulnerabilities for personal gain

Activities outside these guidelines may be considered unauthorised.

• Acknowledgment of your report within a reasonable timeframe
• Investigation and validation of legitimate findings
• Remediation where appropriate
• Communication where clarification is needed

Shadowtek does not currently operate a public bug bounty program. At our discretion, we may acknowledge researchers who responsibly report valid vulnerabilities.

The following are generally out of scope unless demonstrably impactful:

• Automated scanner reports without proof of exploitability
• Clickjacking on non-sensitive pages
• Missing security headers without demonstrated risk
• Rate limiting or brute force claims without proof of impact
• Issues in third-party software where no misconfiguration exists