RiCreate
Sign In
RiCreate/Features/Secure By Design
RiCreate Feature

Secure By
Design.

app.ricreate.richah.uk
RiCreate
Sign in to continue
Email
Password
Sign In
Accounts are managed by your administrator.
OR
Try the demo — no account needed
← Back to home

Security That's Built In, Not Bolted On

There's a particular approach to software security that involves building the thing first and then, once it's running, adding a padlock to the front door and hoping for the best. It's surprisingly common. It's also not ideal.

Your website isn't just a brochure. It's connected to a content management system that can publish, edit, and delete pages on your live site. If the wrong person gets in — a disgruntled ex-employee, someone who's guessed a weak password, or just an opportunist who found credentials in a breach somewhere else — they can change what your customers read, pull pages down, or do considerably more damage than that. Security isn't an abstract concern. It's the thing standing between your website and someone who shouldn't be anywhere near it.

RiCreate, on the other hand, was built the other way around. The security isn't a layer applied on top — it's part of the foundation. Two-factor authentication, role-based access control, encrypted credentials, company-scoped data. All of it is there from the start, for every account, without any configuration required.

Here's what that actually means in practice.

Two-Factor Authentication. For Everyone.

When you log into RiCreate, you go through two steps. The first is your email address and password. The second is a six-digit code from an authenticator app — Google Authenticator, Authy, or any standard TOTP app — which refreshes every thirty seconds.

This isn't optional. It's not a setting you can switch off. Every account has it — including ours. When we manage a site on your behalf, we're logging in through the same system with the same two-factor requirement. There are no backdoors, no admin shortcuts, no way in that bypasses the second step. Which means that even if someone gets hold of your password — through a data breach somewhere else, an educated guess, or just leaving it written on a Post-It — they still can't get in without your phone. A stolen password on its own is useless.

Setting it up takes about two minutes. You scan a QR code with your authenticator app, enter one code to confirm it's working, and that's it. From that point on, logging in takes a few extra seconds. Those few seconds are doing a lot of work.

Recovery Codes. For When You Lose Your Phone.

The obvious objection to two-factor authentication is: what happens if I lose my phone or change it?

The answer is recovery codes. When you set up two-factor authentication in RiCreate, you're given eight recovery codes — one-time use codes that let you get back into your account without your authenticator app. You're shown these once, at the point of setup, and asked to save them somewhere safe.

This is worth taking seriously. Somewhere safe means not in your email inbox, not in a notes app on the same phone, and ideally written down somewhere physical. If you're thinking "I'll just copy them into a document and sort it out later" — sort it out now. Later has a habit of coinciding with the moment you actually need them.

If you ever use a recovery code to get in, you can generate a fresh set from your account settings. The old ones are gone; the new ones take their place. Recovery codes are stored as cryptographic hashes — a one-way transformation that can verify a code is correct but cannot be reversed to reveal what the code actually is. In practice, this means no one can read them. Not us, not anyone with access to the server. They exist only in the moment you write them down.

Everyone Has a Role. Roles Have Limits.

Not everyone who logs into RiCreate needs to be able to do everything. A content writer doesn't need to be able to manage users. A client who wants to view their website's content doesn't need to be able to delete it. RiCreate handles this with role-based access.

There are different levels of access. A Company Admin manages users and content for their site. An Editor creates and edits content. A Viewer can see content but not change it.

This matters for a couple of reasons. The obvious one is that it keeps things tidy — people can only do what they're supposed to do. The less obvious one is that it limits the damage if something does go wrong. An account that can only read content can't accidentally delete anything, and an account scoped to one company can't touch anyone else's.

If you have multiple people on your team who need access to your site's content, they each get their own account with the appropriate role. No sharing logins. No one account doing everything.

Your Data Stays Yours

Each account in RiCreate is tied to a specific company. When you log in, you see your content. You can't see anyone else's, and they can't see yours — not because of a setting, but because the system simply doesn't return data that doesn't belong to you.

This distinction matters more than it might seem. Some systems handle isolation at the interface level — they show you only your data, but the underlying queries don't enforce that boundary. A bug, a misconfiguration, or an unexpected URL can break the illusion. In RiCreate, the boundary is enforced in the database queries themselves. There's no interface quirk or accidental link that can expose one client's content to another. It was built that way, not patched to work that way later.

Passwords Are Handled Properly

Passwords in RiCreate are hashed using bcrypt before they're stored. This means that even the database doesn't contain your actual password — it contains a one-way transformation of it that can be used to verify whether you've typed the right thing, but can't be reversed to reveal what your password is.

This is standard practice in well-built software. It's worth mentioning because there are systems in use today, including some reasonably prominent ones, that still store passwords in plain text or in formats that can be reversed. Those systems are one database breach away from exposing their users' credentials. RiCreate is not.

In Short

Security in RiCreate isn't something you have to configure, request, or pay extra for. Two-factor authentication is on every account. Roles limit access to what each person actually needs. Data is isolated by company. Credentials are stored properly. It's all there from day one, without anyone having to ask.

That's what "secure by design" actually means — not a checkbox, not a feature tier. Just the way it works.

RiCreate is part of the RiCollection — the suite of apps we've built to run alongside the websites we make. We're based in Lamplugh in the Lake District, and we like building things that work properly.

Frequently Asked Questions
Can I give my whole team the same RiCreate login to avoid managing accounts?
No, each person gets their own account with a role that matches what they need to do. This prevents shared passwords and limits what any single user can change or delete.
Is role-based access control something I have to turn on, or is it always active?
It’s built in and always active; users are assigned predefined roles (Admin, Editor, Viewer) that automatically restrict what they can see or modify.
How can I be sure my company's data won’t be visible to another client’s account?
Data isolation is enforced at the database query level, meaning queries only ever return records belonging to your company. There’s no UI trickery that could accidentally expose another client’s information.
Ready to try RiCreate?
Explore a live workspace with sample content — no account needed.
Try the demo
Other Features
Create Content
Schedule & Publish
SEO & Visibility
Multi-site Management
Social Media
More from RiCreate
Create Content
Write, draft with AI, and refine your content in one place.
Schedule & Publish
Schedule content to publish at exactly the right time automatically.
SEO & Visibility
Meta, schema, FAQ structured data and Google Search Console built in.
Multi-site Management
Manage all your Richah websites from a single dashboard.
Social Media
See which content has been shared and schedule posts across all platforms.
Built By Richah — Lake District BasedVisit Richah.uk
Have a question for us?Get in touch
© 2026 RiCreate·Made byRichah·Privacy Policy·Terms of Service·v1.0.0.449