Security
- Remove email accounts from the server where the crypto-dealing sites are hosted; find another host for email. See the Wordfence article.
- Keep crypto-dealing domains in separate cPanel accounts – done. clickforafrica.org is also on a totally separate server from the others, with its own cPanel.
- Trying the items below on clickforafrica first:
- Enable HTTP Strict Transport Security (HSTS) – in .htaccess – see here.
- Add a Content Security Policy (CSP) – .htaccess again; see here. Good CSP intro here.
- [cfa] X-Frame-Options – stops clickjacking attacks. See here; that page also covers other headers (incl. X-XSS-Protection, below). Intro here.
- [cfa] X-XSS-Protection – here – and .htaccess here.
- [cfa] X-Content-Type-Options – here, and use this to set all three together (as above).
- [cfa] Referrer-Policy – here – .htaccess and a possible problem here.
- [cfa] Feature-Policy – here – restricts feature availability (e.g. camera, geolocation) to 'self'.
A scan via securityheaders.com showed many faults. We are on shared hosting, so I don't have full server access. Most of these can be done via .htaccess though, so I have put links above to help with that. Found a security headers plugin for WP too – will check that out and see if it saves time. It covers all the headers we failed on.
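For reference, the .htaccess block below sets every header from the list above on a shared Apache host. It is an added example, not taken from the notes or from any linked article, and it assumes mod_headers is enabled (normal on cPanel hosting) and that the site and all its subdomains already work over HTTPS before HSTS is switched on.

```apache
# Added example: security headers for a WordPress site on shared Apache hosting.
# Assumes mod_headers is available and the whole site (incl. subdomains) is on HTTPS.
<IfModule mod_headers.c>
    # HSTS: browsers refuse plain HTTP for this host for one year.
    # Test first with a short max-age (e.g. 300): a bad HSTS policy already
    # cached by visitors' browsers cannot be recalled. Only sent over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

    # CSP in report-only mode: nothing is blocked, violations show in the browser
    # console. WordPress admin pages and many plugins use inline scripts, so expect
    # reports; add the needed sources, then rename to Content-Security-Policy.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests"

    # Clickjacking: only this origin may frame the pages. Same effect as
    # frame-ancestors 'self' above; kept for browsers without CSP level 2.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Legacy XSS filter switch for older browsers (current browsers ignore it).
    Header always set X-XSS-Protection "1; mode=block"

    # Stop browsers from sniffing a response into a different MIME type.
    Header always set X-Content-Type-Options "nosniff"

    # Send only the origin on cross-site requests, nothing on an HTTPS->HTTP drop.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Feature policy: deny browser features the site does not use.
    Header always set Feature-Policy "camera 'none'; microphone 'none'; geolocation 'none'; payment 'none'"
</IfModule>
```

After uploading, re-run the securityheaders.com scan and check the browser console on both the front end and wp-admin for CSP reports before making the policy enforcing.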