security
- Remove email accounts from the server that hosts the crypto-dealing sites and find another host for email (a compromised mailbox or mail script on the same account gives an attacker a foothold next to the sites). See the Wordfence article.
- Keep crypto-dealing domains in separate cPanel accounts - done; clickforafrica.org is also on a totally separate server from the others, with its own cPanel.
- -------------- trying below on clickforafrica first ----------------------
- Enable HTTP Strict Transport Security (HSTS) - in .htaccess - see here. Only turn it on once every page and subdomain works over HTTPS, because browsers that have seen the header refuse plain HTTP for the whole max-age.
- Add a Content Security Policy - .htaccess again, see here. Good CSP intro here. Roll it out as Content-Security-Policy-Report-Only first: WordPress themes and plugins lean on inline scripts and styles, so an enforced policy can break the site until those are accounted for.
- [cfa] X-Frame-Options - stops clickjacking attacks. See here (also covers other headers, incl. the XSS protection below). Intro here.
- [cfa] X-XSS-Protection - here - and .htaccess here. Legacy header: current Chrome, Edge and Firefox ignore it, so CSP is the real control; it still costs nothing to set for older browsers.
- [cfa] X-Content-Type-Options - here, and use this to set all three together (as above).
- [cfa] Referrer-Policy (note the double r; unlike the Referer request header it is spelled correctly) - here - .htaccess and a possible problem here.
- [cfa] Feature-Policy - here - restricts feature availability (e.g. camera, geolocation) to self. Current browsers have replaced it with Permissions-Policy, which uses a different syntax, so set both.
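One way to set all of the headers above from .htaccess in one go. This is an added example, not the author's file or the plug-in's output; it assumes Apache 2.4 with mod_headers loaded and mod_ssl setting the HTTPS environment variable on TLS requests (the usual cPanel setup), and the CSP sources are a placeholder starting point to be narrowed once report-only mode shows what the site actually loads.

```apache
# Added example: security headers for a shared-hosting .htaccess (Apache 2.4).
# Assumes mod_headers is loaded (the IfModule guard avoids a 500 error if it
# is not) and that mod_ssl sets HTTPS=on on TLS requests.
<IfModule mod_headers.c>
    # HSTS: send only on HTTPS responses, never on the plain-HTTP redirect.
    # Start with a short max-age (e.g. 300) until every page and subdomain is
    # confirmed to work over HTTPS, then raise it to a year.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

    # CSP: deploy report-only first. WordPress themes/plugins rely on inline
    # scripts and styles, so an enforced policy without 'unsafe-inline' will
    # break the admin and front end until that is sorted. Watch the browser
    # console for violations, then rename the header to Content-Security-Policy.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; object-src 'none'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'"

    # Clickjacking: only allow framing by the same origin. CSP frame-ancestors
    # above is the modern equivalent; keep both for older browsers.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Stop browsers guessing a MIME type other than the declared Content-Type.
    Header always set X-Content-Type-Options "nosniff"

    # Legacy XSS auditor switch: current Chrome, Edge and Firefox ignore it and
    # CSP is the real control, but it is harmless for older browsers.
    Header always set X-XSS-Protection "1; mode=block"

    # Send only the origin to other sites, and nothing on an HTTPS->HTTP downgrade.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Feature-Policy (old syntax) and Permissions-Policy (current syntax):
    # deny camera, microphone and payment outright; geolocation only for this origin.
    Header always set Feature-Policy "camera 'none'; microphone 'none'; payment 'none'; geolocation 'self'"
    Header always set Permissions-Policy "camera=(), microphone=(), payment=(), geolocation=(self)"

    # PHP advertises itself in X-Powered-By by default; strip it here. Setting
    # expose_php = Off in the account's PHP settings is the surer fix.
    Header unset X-Powered-By
</IfModule>
```

After uploading, fetch the site with `curl -sI https://clickforafrica.org/` and confirm each header appears exactly once; a second copy usually means the WP plug-in and .htaccess are both setting it, and the two values should then be reconciled rather than left to collide.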
A scan via securityheaders.com showed many faults. We are on shared hosting, so I don't have full access. Most can be done via .htaccess though, so I have put links above to help with that. Found a security headers plug-in for WP too - will check that out and see if it will save time. It has all the ones we failed on.
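To re-check the result after an .htaccess change without waiting on an online scanner, here is an added example (my code, not the author's, the plug-in's, or securityheaders.com's) of the checks such scanners make, run over two constructed responses: a typical default cPanel/WordPress reply, and the same site after the headers are added with the CSP still in report-only mode. The sample responses, version strings and finding texts are made up for the example.

```python
"""Added example: securityheaders.com-style audit of an HTTP response (not the
author's code). The two responses below are constructed, not captured."""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # HSTS max-age that scanners treat as "long enough"

# Constructed: what a cPanel/WordPress site typically returns before hardening.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.57 (cPanel)\r\n"
    "X-Powered-By: PHP/7.4.33\r\n"
    "\r\n<!doctype html><html></html>"
)

# Constructed: the same site after adding headers via .htaccess, CSP still report-only.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=(self)\r\n"
    "\r\n<!doctype html><html></html>"
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Headers of a raw HTTP/1.x response, names lower-cased; repeated headers
    are joined with ', ' as RFC 9110 allows."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def csp_directive(csp: str, name: str) -> str:
    """Value of one CSP directive, falling back to default-src (the rule for
    fetch directives such as script-src)."""
    directives: Dict[str, str] = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            directives.setdefault(parts[0].lower(), " ".join(parts[1:]))
    return directives.get(name, directives.get("default-src", ""))


def audit(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age shorter than one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    csp = headers.get("content-security-policy")
    if csp is None:
        # Report-only mode only logs violations; browsers still run the scripts.
        note = " (report-only present, not enforced)" if "content-security-policy-report-only" in headers else ""
        findings.append("Content-Security-Policy missing" + note)
    else:
        script_src = csp_directive(csp, "script-src")
        if "'unsafe-inline'" in script_src and "'nonce-" not in script_src and "'sha256-" not in script_src:
            findings.append("Content-Security-Policy permits 'unsafe-inline' scripts")
    xfo = headers.get("x-frame-options", "").upper()
    if not xfo and not (csp and "frame-ancestors" in csp.lower()):
        findings.append("X-Frame-Options missing (and no CSP frame-ancestors)")
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options '{xfo}' is not DENY or SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    referrer = headers.get("referrer-policy")
    if referrer is None:
        findings.append("Referrer-Policy missing")
    elif referrer.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(f"Referrer-Policy '{referrer}' sends full URLs to other sites")
    if "permissions-policy" not in headers and "feature-policy" not in headers:
        findings.append("Permissions-Policy/Feature-Policy missing")
    # Version strings are not a hole in themselves, but scanners flag them
    # and they let an attacker pick exploits for the exact versions in use.
    server = headers.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server discloses version: {server}")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By discloses stack: {headers['x-powered-by']}")
    return findings


def audit_raw(raw_response: str) -> List[str]:
    """Convenience wrapper: audit a raw response string as captured by curl -i."""
    return audit(parse_response_headers(raw_response))
```

Feed it the output of `curl -si https://clickforafrica.org/` and the BEFORE sample produces eight findings while AFTER produces just one: the CSP is still report-only, which is the intended state during rollout but is exactly what a scanner will keep reporting until the header is renamed to Content-Security-Policy.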