At ProXScripts, security is of utmost importance to us. We constantly endeavour to suggest new and better security measures to our clients. Facing a security breach is certainly not a good feeling. In this day and age, when we constantly perform a wide range of tasks online, it is imperative to implement security measures. In recent times, many security concerns have surfaced. We examined them in detail and found that the breaches were due to a number of reasons, so we have come up with some suggestions for security enhancement. Our security team strongly recommends following the steps below on a regular basis, specifically for your admin panel, in order to avoid any security infringement or account compromise.
NEVER SHARE YOUR PASSWORDS IN TICKETS
It is highly recommended not to share any of your passwords in the ticket body whenever you send a ticket to ProXScripts. Make sure that you always enter your password credentials, whether admin panel details, cPanel details or any other passwords, in the “Secure Details” area only. The secure box works in such a way that whenever your ticket is closed, our system automatically deletes the passwords from your secure details within a few hours. Moreover, all the passwords are encoded. As an added security step, it is better to change your password once your task is completed.
PROCESSOR API CREDENTIALS
We highly recommend that you do not store Payment Processor API credentials in your Admin Panel. If you have to use them, add them temporarily and remove them when your work is done. For further details and instructions on this, please read our documentation at the following link: http://proxscripts.com/docs/index.php/Finance_Settings#Payment_Processors
USE STATIC IP
If possible, use a Static IP. Access the server and admin panel through a Static IP only. If you restrict access to your Static IP, then no one else can access your site's admin panel except you. The ProXScripts team also works from its own set of Static IPs. Therefore, when you open a ticket that requires access to your admin panel, you can ask for our Static IPs and whitelist them, so that only you and the ProXScripts team can access your admin area securely.
THINK TWICE BEFORE CLICKING ON ANY LINK IN YOUR TICKETS
Always be cautious of members sending links in tickets, and never click on suspicious links in tickets. The link could lead to a keylogger program, which even antivirus software may not be able to detect. A keylogger is a program that can be installed on your system. Keyloggers can be installed on your computer automatically if you visit an untrustworthy site, or if you download files or add-ons from untrustworthy websites. Executable files could contain a virus or keylogger. Once a keylogger is installed on your computer, it records each and every keystroke. So, when you type your admin area or email password, this important information is accessible to hackers, and they can gain access to your script or email. Therefore, make sure you download executable files from a trustworthy source only.
USE DIFFERENT BROWSER FOR ADMIN PANEL
If your admin panel is open in a particular browser, then, if possible, don't browse any other website in that browser. For instance, if you have your admin panel open in Chrome and want to visit other websites, visit them in Safari.
EMAIL SERVICES
Your email is extremely crucial. You can reset your passwords, including your payment processor passwords, through your email. Therefore, we suggest that you always use Gmail, because it has better security than POP3 email services. Also, make sure that you use Google 2-Step Verification for your Gmail account as well. Gmail is better and more secure than hosting email services. So, it is recommended not to use your hosting email service, as any person who has access to your server can access your hosting email.
RECOMMENDED TOOLS
Last Pass
LastPass is a password generator and manager tool that is trusted by millions of people and major companies across the world. It also has Yubikey Two-Factor Authentication support. We use LastPass ourselves as well. You can sign up for LastPass and get it free from the following link:
https://lastpass.com/
Use Google Authenticator App
Use the Google Authenticator App for 2-Step Verification. This gives you an added layer of security for your account. The Google Authenticator App needs to be configured on your mobile phone for your Admin Area. Our ProXCore Script has a special Google 2-Step Verification setup. We highly recommend keeping the authentication ON. If you are sending a ticket and our time zones are different, you can disable it for some time.
Play Store: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en
App Store (iOS): https://itunes.apple.com/in/app/google-authenticator/id388497605?mt=8
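To show what the Admin Area actually checks when 2-Step Verification is ON, here is an added example (not ProXCore's own code) of server-side verification of a Google Authenticator code. Google Authenticator generates standard TOTP codes (RFC 6238: HMAC-SHA1, 30-second step, 6 digits, base32 secret). The secret below is the constructed RFC 4226 test secret, not a real account's, and the `last_used` replay check is this example's own design choice.

```python
import base64
import hashlib
import hmac
import struct

# Constructed test secret (RFC 4226 test vector "12345678901234567890" in base32),
# NOT a real account secret. An admin panel would store one per admin, encrypted.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, for_time // step, digits)

def verify_totp(secret_b32: str, submitted: str, now: int,
                window: int = 1, last_used: int = -1):
    """Return the matched time-step counter, or None if the code is rejected.

    window=1 tolerates one step of clock drift either way (the app runs on the
    phone, the check on the server). Any counter <= last_used is refused so a
    code captured once (e.g. by a keylogger) cannot be replayed within the window.
    """
    secret = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = now // 30
    for offset in range(-window, window + 1):
        candidate_counter = counter + offset
        if candidate_counter <= last_used:
            continue
        # Constant-time comparison: do not leak which digits matched.
        if hmac.compare_digest(hotp(secret, candidate_counter), submitted):
            return candidate_counter
    return None

if __name__ == "__main__":
    # Unix time 59 is the RFC 6238 reference instant: expected 6-digit code 287082.
    print(totp(base64.b32decode(DEMO_SECRET_B32), 59))
```

The caller stores the returned counter as `last_used` for that admin; the next login must match a strictly later step, which is what makes a one-time code one-time.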
Anti-Virus
Purchase Anti-Virus software with a Total Security solution, for instance Anti-Virus with Internet Security etc. Make sure that you install the anti-virus software's browser plug-in so that it can automatically scan websites. Our recommendation is Bitdefender Total Security.
We are not promoting any products/services; there are no affiliate links here.
HOSTING
Security features are available in your Hosting if you are using a Dedicated/VPS Server with cPanel. If you are using a Static IP, then you can enable IP restriction for your cPanel/WHM, so that no third party can access it except from your IP.
Make sure you host a single website if you have a Dedicated or VPS Server. It is highly recommended not to host any other WordPress site or any other easily vulnerable open source software alongside your domain. If possible, don't host your domain with any other domain. If server security is not properly configured, then access from one domain to the other is possible.
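The Static IP advice in the USE STATIC IP section and the cPanel/WHM restriction above come down to one check: the admin area answers only to addresses on a whitelist. Here is an added example (not ProXScripts code) of that check as an application-level gate, with the whitelist entries constructed from documentation address ranges. It goes slightly beyond the text by accepting CIDR ranges as well as single addresses, so a support team's block of Static IPs can be whitelisted as one entry and removed again when the ticket is closed.

```python
import ipaddress
import logging

log = logging.getLogger("admin-gate")

# Constructed whitelist using documentation (RFC 5737) ranges; replace with your
# own Static IP and, only while a ticket is open, the support team's Static IPs.
ADMIN_ALLOWLIST = [
    "203.0.113.10",      # placeholder: the admin's own Static IP
    "198.51.100.0/29",   # placeholder: support team's Static IPs, added temporarily
]

def build_allowlist(entries):
    """Parse single addresses and CIDR ranges into network objects (fails fast on typos)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_allowed(client_ip, networks):
    """True only if client_ip is a valid address inside a whitelisted network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False   # malformed value: deny rather than guess
    return any(addr in net for net in networks)

def admin_gate(client_ip, networks=None):
    """Return an HTTP status for an admin-panel request: 200 allowed, 403 denied.

    client_ip must be the socket peer address (REMOTE_ADDR), not a client-supplied
    header such as X-Forwarded-For, unless a trusted proxy sets that header.
    """
    nets = networks if networks is not None else build_allowlist(ADMIN_ALLOWLIST)
    if is_allowed(client_ip, nets):
        return 200
    # Denied attempts are the signal that someone other than you tried the admin URL.
    log.warning("admin panel request denied from %s", client_ip)
    return 403

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for ip in ("203.0.113.10", "198.51.100.5", "198.51.100.9", "not-an-ip"):
        print(ip, admin_gate(ip))
```

On cPanel/WHM the same restriction is applied in the host's own settings rather than in code; the point the example makes is that the whitelist is the only thing between the open internet and the admin URL, so keep it short and remove temporary entries as soon as the work is done.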
DEDICATED COMPUTER FOR YOUR PROJECT
We recommend that Admins dedicate a particular computer exclusively to their script/program and not conduct any other work on that computer. This computer should not be used for usual web browsing or for any other purpose except accessing your admin panel. As you are aware, a lot of money is at stake, so it is advisable to purchase and use a single device solely for your program and not to surf any third-party sites on that device. Many will find this suggestion strange, but when funds worth thousands of dollars are taken by a hacker in just a second, we are certain everyone will agree that it is worth investing in a separate computer costing hundreds of dollars specifically for your script.
Another thing we recommend is to go for less popular operating systems like Mac OS or Linux. We know that Windows leads the OS market, but on the other hand it is more vulnerable to viruses, since it is more popular than other operating systems. It is not that other operating systems are not prone to viruses, but they are more secure because they are less popular, and hackers are more likely to attack a Windows system than any other OS.
PASSWORDS BEST PRACTICES
You can follow the password best practices below:
- Generate a lengthy password: The more characters in the password, the more difficult it is for anyone to crack.
- Generate unique passwords: Make sure that you have a different password for every service of yours, e.g. admin panel, cPanel, email account etc.
- Create passwords with a combination of different characters: Use uppercase letters, lowercase letters, symbols and numbers in your passwords.
- Change your password regularly: Make sure you change your admin area and cPanel passwords on a regular basis. Change your password once your work is completed.
- Do not use the same password for your admin panel or cPanel anywhere else.
- Make sure you change your password if you share it with anyone.
- Never use dictionary words, as they are easier to crack.
- Never use names of people, pets, dates of birth or places as your password.
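The rules in the list above can be enforced when an admin sets a new password rather than left to memory. The following is an added example (not ProXCore's own password policy) that checks a candidate password against each rule: length, character variety, dictionary words, personal details and reuse. The minimum length of 12, the tiny dictionary and the personal-detail list are constructed for the example; a real deployment would use a full breached-password list.

```python
import re

# Constructed mini-dictionary; a real check would load a large common-password list.
COMMON_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "monkey", "dragon"}

def check_password(pw, personal=(), used_elsewhere=(), min_length=12):
    """Return the set of rule violations for pw (empty set means it passes).

    personal: names, pet names, places, birth dates etc. that must not appear.
    used_elsewhere: passwords already used for other services (admin panel, cPanel,
    email) which must not be reused.
    """
    problems = set()
    if len(pw) < min_length:
        problems.add("too_short")
    if not re.search(r"[A-Z]", pw):
        problems.add("missing_upper")
    if not re.search(r"[a-z]", pw):
        problems.add("missing_lower")
    if not re.search(r"[0-9]", pw):
        problems.add("missing_digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.add("missing_symbol")

    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.add("dictionary_word")
    # Personal details are matched as substrings, case-insensitively; digits-only
    # fragments such as a birth year count too.
    if any(len(item) >= 3 and item.lower() in lowered for item in personal):
        problems.add("personal_info")
    if pw in set(used_elsewhere):
        problems.add("reused")
    return problems

if __name__ == "__main__":
    # Constructed candidates for illustration.
    print(check_password("password123"))
    print(check_password("kR7$vm!2Qz9#pLw"))
    print(check_password("Rex!Tiger2020#mm", personal=["Rex", "1990"]))
```

Returning every violated rule at once, rather than stopping at the first, lets the admin fix the password in one attempt instead of several.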