Built by a security engineer.
The person who builds your website also writes security tooling, audits cryptographic implementations, and reports vulnerabilities to companies like Adobe. That background shows up in every site we ship.
The problem
Most small business websites are wide open
The average WordPress site has 20 to 30 plugins installed. Each one is a door. When a plugin stops getting updates — and most do within two years — that door stays unlocked. A brute-force script hits /wp-admin on every WordPress site on the internet, every day. It costs nothing to try.
Most web designers don’t set security headers. No Content Security Policy. No HSTS. No X-Frame-Options. The browser has built-in defences against clickjacking, XSS, and data leaking — but they only activate if the server tells them to. If your designer didn’t set the headers, those defences are off.
This isn’t hypothetical. 43% of cyber attacks target small businesses. The average cost of a data breach for a small business in the UK is £8,170 (DCMS Cyber Security Breaches Survey 2024). For a café or a salon, that’s three months of profit.
What ships with every Pacavita site
Defence in depth, not a checkbox
Every site we build ships with the same security baseline. Not as an add-on. Not as a “security package” you pay extra for. This is the default.
0 plugins
No WordPress
Custom Next.js. No plugins, no admin panel, no /wp-admin brute-force surface. The attack surface is the size of a business card, not a football pitch.
6 headers
Security headers on every page
HSTS, Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. The browser’s built-in defences are actually turned on.
0 card data
PCI SAQ-A payments
Card data goes directly from the customer’s browser to Stripe. It never touches your server or ours. The smallest PCI scope possible.
30-day retention
Daily automated backups
30-day retention. Tested restores, not just a checkbox. If something breaks on a Saturday night, we can roll back in minutes.
60s intervals
External uptime monitoring
Your site is checked every 60 seconds from outside the network. If it goes down, we know before you do and before your customers do.
0 trackers
Minimal third-party scripts
No analytics bloat, no tracking pixels, no HotJar session recorders watching your customers type. Every external script is a data leak waiting to happen.
AES-256
Encrypted data at rest
Contact form submissions and client data sit in Supabase (SOC 2 compliant, AES-256 encryption at rest). Not in a WordPress MySQL database on shared hosting.
0 stale deps
Automated dependency updates
No stale npm packages sitting for six months. Dependencies are pinned, audited, and updated. A known vulnerability in a dependency is patched within days, not quarters.
Isolated
No shared hosting
Every site runs on Vercel’s edge network with isolated builds. Your site is not on the same server as 200 other WordPress installations.
Side by side
What you get vs what most agencies ship
| | Pacavita | Typical agency |
|---|---|---|
| HTTPS / SSL | Enforced on every page, HSTS preload | Usually yes, sometimes misconfigured |
| Content Security Policy | Strict CSP on every site | Almost never set |
| X-Frame-Options | DENY — prevents clickjacking | Rarely set |
| X-Content-Type-Options | nosniff — blocks MIME sniffing | Rarely set |
| Referrer-Policy | strict-origin-when-cross-origin | Default (leaks referrer data) |
| Permissions-Policy | Camera, mic, geolocation disabled by default | Not set |
| CMS / platform | Custom Next.js — no plugins, no admin panel | WordPress with 20+ plugins |
| Admin login page | None. No public attack surface. | /wp-admin — brute-forced daily |
| Payment handling | Stripe Elements, PCI SAQ-A. Card data never touches the server. | Varies. Often a redirect to PayPal or a shared Stripe link. |
| Automated backups | Daily, 30-day retention, tested restores | Maybe. Often the host’s default (untested). |
| Uptime monitoring | External monitoring with alerts | You find out when a customer tells you |
| Dependency updates | Automated. No stale npm packages sitting for months. | Manual, if at all |
| Third-party scripts | Minimal. No analytics bloat, no tracking pixels leaking data. | Google Analytics, Facebook Pixel, HotJar, 4+ marketing scripts |
| Data storage | Supabase (SOC2, encrypted at rest). Contact forms → your inbox. | WordPress database, often unencrypted, shared hosting |
Every row above is verifiable. Run your site through securityheaders.com after we build it.
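The header rows of the table can also be checked in code. The following is an added example, not Pacavita's own code: it audits a set of response headers against the values listed in the table. The function name and sample headers are constructed, and because the page does not publish its policy, the test for a "strict" CSP is an assumption.

```javascript
// Added example: audit response headers against the baseline in the table above.
// Header names and expected values come from the table; sample inputs are constructed.
function auditSecurityHeaders(rawHeaders) {
  const h = {};
  // Header names are case-insensitive, so normalise before lookup.
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const need = (name, ok, why) => {
    if (h[name] === undefined) findings.push(`${name}: missing`);
    else if (!ok(h[name])) findings.push(`${name}: ${why}`);
  };
  const parts = (v, sep) => v.toLowerCase().split(sep).map((p) => p.trim());
  need('strict-transport-security', (v) => {
    const d = parts(v, ';');
    const maxAge = d.map((p) => /^max-age=(\d+)$/.exec(p)).find(Boolean);
    // Preload-list eligibility: at least one year, all subdomains, preload token.
    return maxAge && Number(maxAge[1]) >= 31536000 &&
      d.includes('includesubdomains') && d.includes('preload');
  }, 'not preload-eligible');
  need('content-security-policy', (v) => {
    // Assumption: "strict" = scripts are restricted and no unsafe/wildcard source.
    const d = parts(v, ';').map((p) => p.split(/\s+/));
    const src = d.find((p) => p[0] === 'script-src') || d.find((p) => p[0] === 'default-src');
    return src && !src.slice(1).some((s) => ["'unsafe-inline'", "'unsafe-eval'", '*'].includes(s));
  }, 'no script restriction, or allows unsafe-inline/unsafe-eval/*');
  need('x-frame-options', (v) => v.toUpperCase() === 'DENY', 'expected DENY');
  need('x-content-type-options', (v) => v.toLowerCase() === 'nosniff', 'expected nosniff');
  need('referrer-policy', (v) => v.toLowerCase() === 'strict-origin-when-cross-origin',
    'expected strict-origin-when-cross-origin');
  need('permissions-policy', (v) => {
    const d = parts(v, ',').map((p) => p.replace(/\s+/g, ''));
    return ['camera=()', 'microphone=()', 'geolocation=()'].every((f) => d.includes(f));
  }, 'camera, microphone and geolocation not all disabled');
  return findings;
}

// Constructed sample: a response carrying all six headers from the table.
const hardened = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
// Constructed sample: short HSTS lifetime, framing allowed same-origin, rest unset.
const typical = { 'Strict-Transport-Security': 'max-age=300', 'X-Frame-Options': 'SAMEORIGIN' };
console.log(auditSecurityHeaders(hardened));
console.log(auditSecurityHeaders(typical));
```

To audit a live response, pass `Object.fromEntries(response.headers)` from a `fetch` call to the function.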
Who builds this
Not a web designer who read a blog post about SSL
Pacavita is founded by someone with a mathematics background who moved into security engineering. The same person who builds your website also builds cryptographic tooling, reverse-engineers protocols, and has reported vulnerabilities through responsible disclosure programmes.
That doesn’t mean your café website needs military-grade encryption. It means the person configuring your headers actually knows what a Content Security Policy does, why HSTS preload matters, and what happens when you don’t set Referrer-Policy. The difference between “we take security seriously” and actually implementing it is the difference between a padlock icon and a locked door.
Most web designers can build you a nice page. Very few of them can explain what X-Frame-Options does, or why your contact form should use a honeypot field instead of a CAPTCHA, or what PCI SAQ-A scope means for your payment setup. At Pacavita, that’s the baseline, not the premium tier.
0 WordPress installations
6 Security headers on every page
0 Card numbers touching our servers
Don’t trust us. Verify.
Test any Pacavita site yourself
Pick any site we’ve built. Run it through these free tools. Then run your current website through the same tools and compare.
Security Headers
Grades your HTTP security headers A+ to F
securityheaders.com
Google Lighthouse
Performance, accessibility, SEO, best practices
PageSpeed Insights
SSL Labs
Grades your TLS configuration A+ to F
ssllabs.com
Your business deserves infrastructure that doesn’t get hacked on a Saturday
Every Pacavita site ships with everything above. No add-ons. No “security package”. From £349.