Security

  • Remove email accounts from the server that hosts the crypto-dealing sites and find another host for email, so a compromise of one service does not expose the other. See the Wordfence article.
  • Keep crypto-dealing domains in separate cPanel accounts – done; clickforafrica.org is also on a completely separate server from the others, with its own cPanel.
  • ———— trying the items below on clickforafrica first ————
  • Enable HTTP Strict Transport Security (HSTS) via .htaccess – see here. Only turn this on once the whole site serves valid HTTPS, because browsers will then refuse plain-HTTP connections for the stated max-age.
  • Add a Content Security Policy (CSP), again via .htaccess – see here. Good CSP intro here.
  • [cfa] X-Frame-Options – stops clickjacking attacks. See here (also covers other headers, incl. XSS protection, below). Intro here.
  • [cfa] X-XSS-Protection – here, and .htaccess here. Caveat: current browsers have removed the XSS filter this header controlled, so it no longer protects anything; if it is set at all, the recommended value is 0.
  • [cfa] X-Content-Type-Options – here, and use this to set all three together (as above).
  • [cfa] Referrer-Policy (the header name has two r's) – here; .htaccess and a possible problem here.
  • [cfa] Feature-Policy – here – restrict feature availability (e.g. camera, geolocation) to self. This header has since been renamed Permissions-Policy, with a different value syntax, so send both for now.
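The list above is a sequence of headers that all end up in the same place, so here they are together as one .htaccess fragment. This is an added example, not something from the original page or from the linked articles; it assumes mod_headers is enabled (cPanel hosts normally allow `Header` directives in .htaccess) and that the site already serves valid HTTPS, which HSTS needs before it is safe. The CSP source lists are placeholders for whatever the site really loads.

```apache
# Added example: security response headers from .htaccess (Apache, shared host).
# Assumes mod_headers is available; the <IfModule> guard keeps the site up if not.
<IfModule mod_headers.c>
    # HSTS: browsers refuse plain HTTP for max-age seconds. Start with a short
    # value; only add includeSubDomains / preload when every subdomain
    # (including mail/cpanel hostnames) really serves valid HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000"

    # CSP in report-only mode first: violations are logged in the browser console
    # but nothing is blocked, so a too-strict policy cannot break the site.
    # Switch the header name to Content-Security-Policy once the reports are clean.
    # (WordPress themes usually need 'unsafe-inline' for styles; the rest is a
    # placeholder for the site's real script/image/font sources.)
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"

    # Clickjacking: only this site may frame its pages. SAMEORIGIN rather than
    # DENY because the WordPress customizer frames the site itself.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Weak/legacy setting would be "1; mode=block". Current browsers dropped the
    # filter, so explicitly disabling it (0) is the recommended value.
    Header always set X-XSS-Protection "0"

    # Stop browsers guessing a content type other than the one declared.
    Header always set X-Content-Type-Options "nosniff"

    # Send only the origin to other sites, and nothing on an HTTPS -> HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Feature-Policy was renamed Permissions-Policy and the syntax changed;
    # send both until old browsers are gone. () / 'none' disables a feature
    # everywhere, (self) / 'self' limits it to this origin.
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()"
    Header always set Feature-Policy "camera 'none'; microphone 'none'; geolocation 'none'; payment 'none'"
</IfModule>
```

After uploading, confirm the headers actually reach the browser with `curl -sI https://clickforafrica.org/ | grep -iE 'strict-transport|policy|x-frame|x-content|x-xss'` and then re-run the securityheaders.com scan. If `Header` directives are not honoured on the host, the WordPress plug-in route sends the same headers from PHP instead, so the values above carry over unchanged.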

A scan via securityheaders.com showed many faults. We are on shared hosting, so I don’t have full access. Most can be done via .htaccess, though, so I have put links above to help with that. Found a security headers plug-in for WP too – will check that out and see if it will save time. It has all the ones we failed on.