Disclaimer:
Use this information as friendly advice; I claim no responsibility or liability for incorrectly configured security solutions. Seek professional help if you are unfamiliar with anything below.
Here is an example of what I was talking about:
Hide your web server IP address - Use https://cloudflare.com and make sure to set up SMTP for mailing, otherwise your IP will seep out in email headers. Thanks to M@rc for pointing out that this should be done at setup time; if you are looking to set this up as a transition from a preexisting server, you should consider getting a new IP assigned to the server, and/or only allow connections to the server on your SSH port and only from the CDN (Cloudflare) on your web ports, where port 443 is HTTPS (secure) and 80 is simply HTTP.
Block common website attacks such as SQL injection or XSS - You may use https://sucuri.net/website-firewall/signup as an affordably priced solution. Alternatively, for free, OWASP has a list of mod_security rules to block common website attacks.
Prevent domain hijacking - Use a domain registrar that takes security seriously, e.g. one that offers multi-factor authentication and will not simply unlock your domain with a fake ID, fake business letter, etc. Social engineering is a very real threat, and you should also consider using privacy (whois) with your domain. If you pair multi-factor authentication with whois privacy, you should be good to go. https://markmonitor.com, https://hover.com, and https://www.cscdigitalbrand.services/ are all great choices to start with. Security is part of your responsibility, which means you should go into your account options and check the security settings to enable multi-factor with a phone, etc.
Encrypting user traffic keeps the green padlock up top and users feeling safe! This can be free using Certbot (Let's Encrypt), or you may wish to have a paid SSL certificate, which you may happily set up yourself on Apache or NGINX.
Consider checking the security of your website! Many free tools are available to analyze your website's security. I will list some below.
Mozilla Observatory - Scans your website for important headers and gives tips on fixing them; my personal favorite.
SSL Labs Test - While the above provides this information, you may only want to check the SSL configuration.
DNSSEC Checker - Check to see if you have set up DNSSEC properly.
SPF Checker - The Sender Policy Framework allows you to specify which servers may send email on your domain's behalf.
DMARC Checker - Check your DMARC records.
If you have any other good tools feel free to comment them below.
This information would be helpful to most people; how would it be hard, or in any way a bad idea, to provide this type of information to XenForo users? It could surely help anyone. I'm not saying we have to, nor should we, tell people what to do for security, but giving some hints would surely be the thoughtful/caring thing to do for customers rather than have them skim through multiple other Internet forums to find what they need.
Out of the box, XenForo doesn't come with Cloudflare, an SSL certificate, or a web application firewall (the Zend Framework does help to mitigate SQL injections, and the XenForo developers know what they are doing), but a web application firewall is never a bad thing just in case, because humans are prone to human errors no matter who you are. Having an area of the forum to let people know "Hey, this is a good thing to do to keep your web server and users safe." would be quite _AWESOME_.
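The "web ports only from the CDN, SSH only from yourself" split in the first item above, written out as a checkable policy. This is an added example, not code from the post or from Cloudflare or XenForo: the policy is kept as data, rendered as an nftables ruleset, and can be queried to predict what the rules would do to a given source address and port before they are loaded. Two assumptions: CDN_RANGES is only a partial snapshot of Cloudflare's published ranges and must be refreshed from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 before real use, and the admin range 203.0.113.0/24 is an RFC 5737 documentation placeholder for wherever you administer the box from.

```python
"""
CDN-only exposure policy: web ports reachable only from the CDN's published
address ranges, SSH reachable only from the admin's own range, everything
else dropped. Added example, not from the original post or any vendor.

Assumptions (hypothetical, for illustration):
  - CDN_RANGES is a partial snapshot of Cloudflare's published list; refresh
    it from https://www.cloudflare.com/ips-v4 and /ips-v6 before real use.
  - ADMIN_RANGES uses 203.0.113.0/24 (RFC 5737 documentation space) as a
    stand-in for the address you administer the server from.
"""
import ipaddress

# Partial snapshot of Cloudflare's published edge ranges (see docstring).
CDN_RANGES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
# Placeholder admin range (documentation space, replace with your own).
ADMIN_RANGES = ["203.0.113.0/24"]
WEB_PORTS = (80, 443)
SSH_PORT = 22

_CDN_NETS = [ipaddress.ip_network(c) for c in CDN_RANGES]
_ADMIN_NETS = [ipaddress.ip_network(c) for c in ADMIN_RANGES]


def _in_any(ip, nets):
    # ipaddress answers False for a v4 address tested against a v6 network
    # (and vice versa), so a mixed list is safe here.
    return any(ip in n for n in nets)


def allowed(src_ip: str, dport: int) -> bool:
    """True if the policy would accept a new TCP connection from src_ip to dport."""
    ip = ipaddress.ip_address(src_ip)
    if dport in WEB_PORTS:
        return _in_any(ip, _CDN_NETS)
    if dport == SSH_PORT:
        return _in_any(ip, _ADMIN_NETS)
    return False  # default deny: e.g. MySQL on 3306 is never reachable


def _nft_set(name, family, nets):
    version = 4 if family == "ipv4_addr" else 6
    elems = ", ".join(str(n) for n in nets if n.version == version)
    return f"  set {name} {{ type {family}; flags interval; elements = {{ {elems} }} }}"


def nft_ruleset() -> str:
    """Render the same policy as an nftables ruleset that drops by default."""
    ports = ", ".join(str(p) for p in WEB_PORTS)
    lines = [
        "table inet filter {",
        _nft_set("cdn4", "ipv4_addr", _CDN_NETS),
        _nft_set("cdn6", "ipv6_addr", _CDN_NETS),
        _nft_set("admin4", "ipv4_addr", _ADMIN_NETS),
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        "    ct state invalid drop",
        "    icmp type echo-request accept",
        # Neighbor discovery must stay open or IPv6 stops working entirely.
        "    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept",
        f"    ip saddr @cdn4 tcp dport {{ {ports} }} accept",
        f"    ip6 saddr @cdn6 tcp dport {{ {ports} }} accept",
        f"    ip saddr @admin4 tcp dport {SSH_PORT} accept",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(nft_ruleset())
    for ip, port in [("104.16.1.1", 443), ("104.16.1.1", 22),
                     ("203.0.113.5", 22), ("198.51.100.7", 443)]:
        print(ip, port, "accept" if allowed(ip, port) else "drop")
```

Review the printed ruleset, then load it with `nft -f`, ideally from a console session rather than over SSH, since a typo in ADMIN_RANGES locks you out. Two caveats the policy itself cannot fix: the CDN list changes, so regenerate it on a schedule, and if the origin's address was already public before the rules went in, attackers who recorded it can still find the host, which is why the post recommends a fresh IP when retrofitting.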
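For the SPF and DMARC checkers in the tools list, here is the logic such a checker applies to the records, as an added offline example that is not the post's code nor that of any listed service. It parses a published SPF record and a DMARC record and reports what a receiving mail server would trip over: a `+all` that authorizes every host, a deprecated `ptr` mechanism, more than ten DNS-lookup mechanisms (a permanent error), a `p=none` policy that only monitors, a missing `rua=` report address, or a `pct` below 100. The sample records are constructed for the example and use reserved example domains.

```python
"""
Offline sanity checks for SPF and DMARC TXT records. Added example, not from
the original post or from any of the checker sites it lists. The sample
records below are constructed; fetch your own with e.g.
`dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.
"""

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 s4.6.4 caps these at 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10


def analyze_spf(record: str) -> list:
    """Return a list of human-readable findings for one SPF record ([] = clean)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect=... or exp=...
            name = term.partition("=")[0].lower()
            if name in SPF_LOOKUP_TERMS:
                lookups += 1
            continue
        qualifier = "+"  # RFC 7208: a mechanism with no qualifier is "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("SPF: ptr mechanism is deprecated and slow; remove it")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("SPF: no 'all' term, so unlisted senders are implicitly neutral")
    elif all_qualifier == "+":
        findings.append("SPF: '+all' authorizes every host on the Internet; use -all or ~all")
    elif all_qualifier == "?":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of "
                        f"{SPF_MAX_LOOKUPS}; receivers return permerror")
    return findings


def analyze_dmarc(record: str) -> list:
    """Return a list of human-readable findings for one DMARC record ([] = clean)."""
    findings = []
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            findings.append(f"DMARC: malformed tag '{part}'")
            continue
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record must carry v=DMARC1")
        return findings
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: missing required p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject once reports look clean")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unknown policy '{policy}'")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you will receive no aggregate reports")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        findings.append(f"DMARC: invalid pct value '{pct}'")
    elif int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    return findings


# Constructed sample records (example.* domains are reserved for documentation).
WEAK_SPF = "v=spf1 a mx include:_spf.example.net include:mail.example.org ptr +all"
GOOD_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for label, rec, fn in [("weak SPF", WEAK_SPF, analyze_spf), ("good SPF", GOOD_SPF, analyze_spf),
                           ("weak DMARC", WEAK_DMARC, analyze_dmarc), ("good DMARC", GOOD_DMARC, analyze_dmarc)]:
        print(label, "->", fn(rec) or ["ok"])
```

The lookup counter only sees the top-level record; a real checker follows each `include:` and `redirect=` and adds their lookups to the same budget of ten, so a record that passes here can still fail once its includes are expanded. A `-all` SPF with `p=none` DMARC is the usual half-finished state: the SPF says who may send, but nothing is enforced for mail that fails it until the DMARC policy is raised.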