
Website Security

Your site is a target. Here's how to protect it.

1. Why Adult Sites Are Targeted

Reality Check:

Adult sites get 3-5x more attacks than mainstream sites. Hackers assume you won't report breaches (stigma), users won't complain (privacy), and security is weak (often true). You're literally painted as an easy target.

I've been running adult sites since 2001, and security has been a constant battle. Here's what you're up against:

  • Content theft: Scrapers stealing your videos and images to repost elsewhere. Bandwidth leeching eating your hosting bill.
  • SEO attacks: Hackers injecting spam links into your pages to boost their pharmacy/casino sites. Google penalties follow.
  • DDoS extortion: "Pay $500 in Bitcoin or we take your site offline." Common during peak traffic hours.
  • Credit card data: If you process payments, you're a goldmine. PCI compliance isn't optional.
  • Malware distribution: Attackers inject malicious ads or drive-by downloads. Your users get infected, your domain gets blacklisted.
  • Reputational damage: Even mainstream sites get hacked. But adult sites can't recover from public breaches the same way.

2. SSL/HTTPS (Non-Negotiable)

If your site isn't running HTTPS in 2026, you're dead in the water. Here's why:

  • Google penalizes HTTP sites: You won't rank. Period. HTTPS is a confirmed ranking signal.
  • Browsers show scary warnings: Chrome, Firefox, Safari all flag HTTP sites as "Not Secure". Users bounce immediately.
  • Data protection: Without SSL, passwords and payment info travel unencrypted. You're legally liable for breaches.
  • Ad networks require it: Most adult ad networks (TrafficJunky, ExoClick, JuicyAds) mandate HTTPS for publisher sites.

How to Get SSL

Let's Encrypt (Free)

Free, automated SSL certificates that renew every 90 days. Supported by 99% of hosts.

  • cPanel users: Click "SSL/TLS Status" → "AutoSSL" → Done.
  • VPS users: Install Certbot, run sudo certbot --nginx
  • Auto-renewal configured by default (cron job)

Cloudflare SSL (Free)

If you use Cloudflare (you should), SSL is automatic. Enable "Full (Strict)" mode for maximum security.

  • Sign up → Add domain → Change nameservers → Enable proxy (orange cloud)
  • SSL/TLS → Full (Strict) mode
  • Edge Certificates → Always Use HTTPS: ON

Paid SSL ($50-200/year)

Only needed for EV (Extended Validation) green bar certificates. Overkill for 99% of adult sites. Let's Encrypt works identically for encryption.

Pro Tip:

After installing SSL, add a 301 redirect from HTTP to HTTPS in your .htaccess file. Google hates duplicate content (HTTP + HTTPS versions). Force everything to HTTPS.

3. DDoS Protection

Distributed Denial of Service (DDoS) attacks flood your server with fake traffic until it crashes. Adult sites get hit constantly, especially during peak hours when attackers know you're making money.

Types of DDoS Attacks

  • Layer 7 (HTTP Flood): Floods your web server with HTTP requests until it runs out of resources. Protection: Cloudflare, rate limiting, caching
  • Layer 4 (SYN Flood): Overwhelms the network layer with connection requests. Protection: host-level firewall, Cloudflare Spectrum
  • Amplification: Uses DNS/NTP servers to amplify attack traffic 50-100x. Protection: upstream provider filtering, Cloudflare

Protection Strategy

Cloudflare Free Tier (Essential)

Stops 99% of attacks before they reach your server. Acts as a shield between your server and the internet.

  • Setup: Change nameservers → Enable proxy → Done
  • Free protection: Handles up to millions of requests/second
  • Challenge pages: Bots get blocked, humans pass through
  • Firewall rules: Block countries, ASNs, known bad IPs

Server-Level Firewall (CSF/ConfigServer)

For VPS/dedicated servers. Blocks attacks that bypass Cloudflare.

  • Install CSF: wget -O - https://download.configserver.com/csf.tgz | tar -xz
  • Configure connection limits (CT_LIMIT = 100)
  • Rate limit SSH login attempts (LF_SSHD = 5 attempts)
  • Enable SYNFLOOD protection

Rate Limiting (Application Level)

Limit requests per IP at the application level. Nginx example:

# 10 MB shared zone keyed by client IP, 10 requests/second steady state
limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
server {
  location / {
    # allow a short burst of 20 extra requests before excess ones are rejected
    limit_req zone=one burst=20;
  }
}

This allows 10 requests/second per IP, with bursts up to 20. Adjust based on your traffic patterns.

Extortion Attacks:

If you receive a Bitcoin ransom demand, DO NOT PAY. They rarely stop after payment. Instead: enable Cloudflare "I'm Under Attack" mode, contact your host, and ride it out. Most attacks last 24-48 hours.

4. Content Theft & Scraping Protection

Content theft is the #1 pain point for adult webmasters. Scrapers steal your videos, repost them on tube sites, and outrank you with stolen content. Here's how to fight back:

1. Hotlinking Protection

Prevents other sites from embedding your images/videos directly. They leech your bandwidth and steal traffic.

Apache .htaccess:

RewriteEngine on
# Allow requests with no referer (direct visits, some privacy tools)
RewriteCond %{HTTP_REFERER} !^$
# Allow your own domain (dot escaped; [NC] = case-insensitive)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yoursite\.com [NC]
# Anyone else requesting media files gets 403
RewriteRule \.(jpg|jpeg|png|gif|mp4|webm)$ - [F,NC]

Only allow embedding from your own domain. External sites get a 403 Forbidden error.

2. Watermark Your Content

Add your logo/domain to videos and images. When scrapers steal it, they advertise YOUR site.

  • FFmpeg for videos: ffmpeg -i input.mp4 -vf "drawtext=text='YourSite.com':x=10:y=10" output.mp4
  • ImageMagick for images: convert input.jpg -pointsize 20 -draw "text 10,10 'YourSite.com'" output.jpg
  • Place watermark in corner, semi-transparent, hard to crop out

3. DMCA Fingerprinting

Services like DMCA.com scan the web for your stolen content and send automatic takedown notices.

  • Upload your original content to their database
  • They scan tube sites, file lockers, torrent sites daily
  • Automated DMCA takedowns sent to hosting providers
  • Cost: ~$10-50/month depending on content volume

4. Rate Limiting (Anti-Scraping)

Scrapers hammer your site with hundreds of requests/minute. Normal users don't.

  • Cloudflare: Firewall Rules → Rate Limiting (10 req/10sec per IP)
  • Nginx: limit_req module (see DDoS section above)
  • Challenge pages: Force JavaScript validation (bots fail, humans pass)

5. Disable Right-Click (Mild Deterrent)

Won't stop serious scrapers, but deters casual theft.

<script>
document.addEventListener('contextmenu', e => e.preventDefault());
</script>

Note: Tech-savvy users bypass this instantly. Consider it a "Do Not Enter" sign, not a lock.

Reality Check:

You can't stop ALL content theft. Focus on making it annoying enough that scrapers move to easier targets. Watermarks + DMCA takedowns + hotlink protection = 80% reduction. Perfect protection doesn't exist.

5. WordPress Hardening

WordPress powers 40% of adult sites because it's easy and plugin-rich. It's also the #1 target for hackers. Default WordPress is insecure. Here's how to lock it down:

1. Change Admin Username

Default username "admin" is the first thing attackers try. Change it immediately.

How: Create new admin user → Delete old "admin" account → Reassign posts

2. Limit Login Attempts

Brute force attacks try thousands of password combinations. Block after 3-5 failed attempts.

Plugin: Limit Login Attempts Reloaded (free) or Wordfence Security

3. Hide wp-admin & wp-login.php

Change your login URL from yoursite.com/wp-admin to something random.

Plugin: WPS Hide Login (free) — Makes login URL yoursite.com/secretlogin123

4. Disable File Editing

WordPress lets you edit theme/plugin files from the admin panel. If hacker gets in, they own your site. Disable it.

Add to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

5. Two-Factor Authentication (2FA)

Require phone/authenticator app code in addition to password. Even if password leaks, they can't get in.

Plugin: Wordfence Login Security (free) or Google Authenticator

6. Keep Everything Updated

90% of WordPress hacks exploit known vulnerabilities in outdated plugins. Enable auto-updates.

  • WordPress core: Auto-update minor versions (Settings → General)
  • Plugins: Check weekly, update immediately when security patches released
  • Delete unused plugins/themes (attack surface reduction)

7. Security Plugins

Wordfence (Free): Firewall, malware scanner, brute force protection, 2FA

Sucuri Security (Free): Activity monitoring, integrity checking, blacklist monitoring

iThemes Security (Free): 30+ hardening tweaks in one plugin

Pick ONE. Running multiple security plugins causes conflicts.

Essential wp-config.php Security Keys:

Generate unique salts at https://api.wordpress.org/secret-key/1.1/salt/ and replace the default ones in wp-config.php. These encrypt your login cookies.
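A quick way to check that the wp-config.php hardening in this section actually stuck is to audit the file. The script below is an added example, not WordPress's or any plugin's code: it looks for the stock "put your unique phrase here" salts, a missing DISALLOW_FILE_EDIT, WP_DEBUG left on, and a world-readable file mode. The path you pass is your own wp-config.php.

```shell
#!/bin/sh
# Audit a wp-config.php for the hardening settings described above.
# Added example, not WordPress's own tooling. Pass the config path as $1.
set -eu

# Prints one finding per line; prints nothing when the file passes.
audit_wp_config() {
    cfg="$1"
    # 1. The stock wp-config ships every salt set to 'put your unique phrase here'.
    if grep -q "put your unique phrase here" "$cfg"; then
        echo "default salts still present: regenerate them at https://api.wordpress.org/secret-key/1.1/salt/"
    fi
    # 2. The theme/plugin editor must be switched off.
    if ! grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "DISALLOW_FILE_EDIT is not set to true"
    fi
    # 3. WP_DEBUG on a live site prints paths and queries to visitors.
    if grep -Eq "define\([[:space:]]*'WP_DEBUG'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "WP_DEBUG is enabled"
    fi
    # 4. The file holds the DB password; the 'other' permission digit must not include read (4).
    perms=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$perms" in
        *[4567]) echo "wp-config.php is world-readable (mode $perms)" ;;
    esac
}

# Standalone use: sh audit-wp-config.sh /var/www/yoursite/wp-config.php
if [ "${1:-}" != "" ]; then
    audit_wp_config "$1"
fi
```

Run it from the monthly checklist; an empty output means all four checks passed.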

6. Backup Strategy

Hard Truth:

When (not if) your site gets hacked, your backup is the only thing standing between you and total loss. I've seen webmasters lose 5+ years of content because they trusted their host's backup. Spoiler: host backups often don't work when you need them.

The 3-2-1 Rule

  • 3 copies of your data: Original + 2 backups
  • 2 different storage types: Server + external (cloud/local drive)
  • 1 copy offsite: Not on the same server that could get hacked/burned/seized

Automated Daily Backups (WordPress)

UpdraftPlus (Free): Most popular WordPress backup plugin. Backs up to Google Drive, Dropbox, or S3.

  • Install UpdraftPlus → Settings → Schedule daily backups
  • Store remotely (Google Drive recommended for small sites)
  • Keep 7 daily backups (rotating)
  • Test restore monthly (critical step everyone skips)

Manual VPS Backups (Non-WordPress)

Files backup (rsync):

rsync -avz /var/www/yoursite/ /backups/site-$(date +%F)/   # rsync copies into a dated directory (it does not produce a .tar.gz)

Database backup (MySQL):

mysqldump -u root -p database_name > backup-$(date +%F).sql

Automate with cron: Add to crontab to run daily at 3am

0 3 * * * /path/to/backup-script.sh
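Putting the file copy, the database dump, the 3-2-1 rule and the cron job together, here is a complete nightly backup script. It is an added example, not the page's own backup-script.sh: SITE_DIR, BACKUP_DIR, DB_NAME and the OFFSITE rsync target are placeholders for your server, and it assumes MySQL credentials live in ~/.my.cnf so no password appears in the crontab or process list. It verifies each archive before rotating, since a backup that will not extract is worse than none.

```shell
#!/bin/sh
# Nightly site backup with a 3-2-1 layout: dated tarball + DB dump on the server,
# 7-day rotation, third copy rsynced offsite. Added example, not from the page.
# SITE_DIR, BACKUP_DIR, DB_NAME and OFFSITE are placeholders; override via environment.
set -eu

SITE_DIR="${SITE_DIR:-/var/www/yoursite}"
BACKUP_DIR="${BACKUP_DIR:-/backups}"
DB_NAME="${DB_NAME:-database_name}"
OFFSITE="${OFFSITE:-backup@backup-vps.example.com:/srv/backups/yoursite/}"  # placeholder host
KEEP="${KEEP:-7}"

# Archive SRC into DEST_DIR/site-STAMP.tar.gz; prints the archive path.
backup_files() {
    src="$1"; dest_dir="$2"; stamp="$3"
    mkdir -p "$dest_dir"
    archive="$dest_dir/site-$stamp.tar.gz"
    tar -czf "$archive" -C "$src" .     # -C: relative paths inside the archive
    echo "$archive"
}

# Dump database DB into DEST_DIR/db-STAMP.sql.gz; prints the dump path.
# Credentials are read from ~/.my.cnf, never passed on the command line.
backup_db() {
    db="$1"; dest_dir="$2"; stamp="$3"
    dump="$dest_dir/db-$stamp.sql"
    mysqldump --single-transaction "$db" > "$dump"   # set -e aborts if mysqldump fails
    gzip -f "$dump"
    echo "$dump.gz"
}

# Delete all but the newest KEEP files named PREFIX-* in DEST_DIR; prints how many were removed.
# Dated names sort chronologically, so "newest" is simply the lexically largest.
rotate_backups() {
    dest_dir="$1"; prefix="$2"; keep="$3"
    removed=0
    for old in $(find "$dest_dir" -maxdepth 1 -name "$prefix-*" | sort -r | tail -n +$((keep + 1))); do
        rm -f "$old"
        removed=$((removed + 1))
    done
    echo "$removed"
}

main() {
    stamp=$(date +%F)
    archive=$(backup_files "$SITE_DIR" "$BACKUP_DIR" "$stamp")
    dump=$(backup_db "$DB_NAME" "$BACKUP_DIR" "$stamp")
    # Refuse to call it a backup until both files read back cleanly.
    tar -tzf "$archive" > /dev/null
    gzip -t "$dump"
    rotate_backups "$BACKUP_DIR" site "$KEEP" > /dev/null
    rotate_backups "$BACKUP_DIR" db "$KEEP" > /dev/null
    # Third copy, off the server. No --delete: prune the offsite set from the backup
    # host itself, so a compromised web server cannot wipe the remote copies.
    rsync -az "$BACKUP_DIR"/ "$OFFSITE"
}

# crontab entry: 0 3 * * * /path/to/backup-site.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The monthly test restore from the section below still applies: extract the tarball and import the dump on a staging box, because this script only proves the files are readable, not that the site comes back.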

Offsite Storage

Backups on the same server are worthless if the server dies. Store copies elsewhere:

  • Cloud storage: Google Drive (15GB free), Dropbox, Amazon S3 ($0.023/GB)
  • Local drive: External HDD connected to your computer (manual download weekly)
  • Second VPS: Rsync to a backup VPS in different location

What to Back Up

  • Database: All your posts, users, settings
  • Uploads folder: wp-content/uploads (images/videos)
  • Theme files: If custom-coded
  • Plugin settings: Some plugins store config outside database
  • .htaccess: Your rewrite rules and security configs
  • wp-config.php: Database credentials (store encrypted!)

Test Your Backups:

A backup you've never restored is not a backup, it's a maybe. Once a month, do a test restore on a staging environment. Verify files intact, database imports correctly, site loads. You'll discover backup corruption BEFORE you need it in an emergency.

7. 2257 Record Security

If you host original content (not just embedded videos), you're legally required to maintain 2257 records proving all performers are 18+. These records contain:

  • Copies of government-issued IDs
  • Model release forms with legal names
  • Production dates and locations
  • Cross-references to content (which scenes each performer appears in)

This is highly sensitive PII (Personally Identifiable Information). If leaked, performers can sue you into oblivion. Here's how to protect it:

1. Store Offline (Best Practice)

Keep 2257 records on an encrypted external hard drive, NOT on your web server. If your server gets hacked, records stay safe. Only upload to server during FBI inspections (rare).

2. If You Must Store Online

  • Encrypt the files: Use AES-256 encryption (7-Zip, VeraCrypt)
  • Separate server: Don't store on same server as your website
  • Password-protected directory: .htaccess password protection minimum
  • No indexing: robots.txt disallow, noindex meta tags
  • Access logs: Monitor who accesses the directory

3. Compliance Statement

Required on every page with original content. Example:

18 U.S.C. § 2257 Record-Keeping Requirements Compliance Statement

All models were 18+ at time of photography.
Records custodian: [Your Name]
Address: [Physical address, NOT P.O. Box]
Email: [Your email address]

Legal Disclaimer:

I'm not a lawyer. Consult an attorney specializing in adult entertainment law for your specific situation. 2257 violations carry federal prison time. Don't fuck around with this.

8. Malware Scanning

Malware infections happen silently. One day your site is fine, next day Google blacklists you for distributing malware. By then, you've lost 90% of traffic. Scan regularly:

Wordfence Scanner (WordPress)

  • Scans all files for known malware signatures
  • Checks core files against WordPress.org repository (detects modifications)
  • Alerts on suspicious admin users, backdoors, SEO spam
  • Free tier scans are delayed 30 days (premium = real-time threat defense)

ClamAV (Linux Server)

Open-source antivirus for Linux. Install via package manager:

sudo apt install clamav
sudo freshclam  # Update virus definitions
clamscan -r /var/www/yoursite/

Run weekly via cron. Not perfect, but catches common PHP malware.

External Scanners

Signs of Infection

  • Unexplained redirects to pharmacy/casino sites
  • New admin users you didn't create
  • Files modified recently that you didn't touch
  • Spam links injected into footer/sidebar
  • Google search results show your site with pharmacy keywords
  • Antivirus software flags your own site
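Several of these signs (recently modified files, injected code, PHP dropped into the uploads folder) can be checked with a few lines of shell between full Wordfence or ClamAV scans. The sweep below is an added example, not either tool's code; its pattern list is a small constructed set of common PHP backdoor idioms, not a real signature database, and the web root path is an assumption you pass in.

```shell
#!/bin/sh
# Indicator sweep for a PHP web root: recently changed PHP files, obfuscation
# idioms, and executable files under uploads. Added example, not Wordfence's or
# ClamAV's code; the pattern list is constructed and deliberately small.
set -eu

# PHP files modified in the last N days. Compare against your own deploy dates:
# a theme file that changed on a day you changed nothing is a red flag.
recently_modified() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Idioms legitimate plugin code almost never uses:
#   eval() of a decoded blob, the removed preg_replace /e modifier,
#   and shelling out straight from a request parameter.
SUSPICIOUS="eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13|gzuncompress)[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e['\"]|(system|shell_exec|passthru|exec)[[:space:]]*\([[:space:]]*\\\$_(GET|POST|REQUEST)"

suspicious_php_files() {
    grep -rlE "$SUSPICIOUS" --include='*.php' "$1" | sort
}

# The uploads tree should contain media only. PHP variants and a stray .htaccess
# (used to re-enable PHP execution there) are both worth alerting on.
php_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' -o -name '.htaccess' \) | sort
}

# Standalone use: sh ioc-sweep.sh /var/www/yoursite [days]
if [ "${1:-}" != "" ]; then
    echo "== PHP files modified in the last ${2:-2} days"
    recently_modified "$1" "${2:-2}"
    echo "== PHP files with suspicious constructs"
    suspicious_php_files "$1" || true
    if [ -d "$1/wp-content/uploads" ]; then
        echo "== executable files under wp-content/uploads"
        php_in_uploads "$1/wp-content/uploads"
    fi
fi
```

Treat a hit as a reason to run the full incident steps below, not as proof on its own: some obfuscated but legitimate plugins trip the eval check, so look at the file before restoring from backup.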

If You Get Hacked:

  1. Take site offline immediately (maintenance mode)
  2. Restore from clean backup (verify backup predates infection)
  3. Change ALL passwords (WordPress, FTP, database, cPanel)
  4. Scan restored site for malware
  5. Update all software (WP core, plugins, themes)
  6. Submit to Google for malware review (Search Console)

9. Server Hardening Basics

VPS/dedicated server users: your server is your castle. Default configs are insecure. Lock it down:

1. Disable Root Login (SSH)

Edit /etc/ssh/sshd_config:

PermitRootLogin no
PasswordAuthentication no  # Force SSH keys only

Restart SSH: sudo systemctl restart sshd

2. Change SSH Port (Security Through Obscurity)

Default port 22 gets hammered by bots. Change to random high port:

# In /etc/ssh/sshd_config
Port 49221  # Pick random port 49152-65535

WARNING: Update firewall rules BEFORE restarting SSH or you'll lock yourself out!

3. Firewall (UFW for Ubuntu)

sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp   # SSH (or your custom port)
sudo ufw allow 80/tcp   # HTTP
sudo ufw allow 443/tcp  # HTTPS
sudo ufw enable
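Steps 1 to 3 are easy to get wrong in the order that locks you out, so here is the whole sequence as one script. It is an added example, not from the page or any distribution: it opens the new port in UFW first, refuses to disable password logins until the admin account actually has a public key installed, and runs sshd's own syntax check before restarting. SSH_PORT, ADMIN_USER and the config path are assumptions you override through the environment.

```shell
#!/bin/sh
# Apply the SSH hardening steps above in a lockout-safe order. Added example,
# not from the page. SSH_PORT, ADMIN_USER and SSHD_CONFIG are assumptions.
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
SSH_PORT="${SSH_PORT:-49221}"
ADMIN_USER="${ADMIN_USER:-deploy}"   # the non-root account you will log in as

# Set KEY to VALUE in an sshd_config-style file: rewrites an existing line
# (commented out or not) or appends one, so running it twice is harmless.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# True when the user has at least one public key installed. Without one,
# PasswordAuthentication no locks everyone out at the next restart.
has_ssh_key() {
    home_dir=$(getent passwd "$1" | cut -d: -f6)
    [ -n "$home_dir" ] && [ -s "$home_dir/.ssh/authorized_keys" ]
}

main() {
    has_ssh_key "$ADMIN_USER" || { echo "no authorized_keys for $ADMIN_USER; install a key first" >&2; exit 1; }
    ufw allow "$SSH_PORT"/tcp                 # open the new port BEFORE sshd moves to it
    set_sshd_option "$SSHD_CONFIG" Port "$SSH_PORT"
    set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
    set_sshd_option "$SSHD_CONFIG" PasswordAuthentication no
    sshd -t                                   # syntax check; restart only if the config parses
    systemctl restart sshd
    echo "Open a NEW terminal and confirm: ssh -p $SSH_PORT $ADMIN_USER@yourserver"
    echo "Only then close the old port: ufw delete allow 22/tcp"
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Keep the session you ran this from open until a fresh login on the new port succeeds; that one open session is your recovery path if anything in the new config is wrong.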

4. Fail2Ban (Auto-Ban Brute Force)

Monitors logs for failed logins, bans IPs after X attempts.

sudo apt install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Default config protects SSH. Bans after 5 failed attempts for 10 minutes.

5. Keep System Updated

sudo apt update && sudo apt upgrade -y  # Ubuntu/Debian
sudo yum update -y                      # CentOS/RHEL

Enable automatic security updates (unattended-upgrades package).

6. Disable Unused Services

Every running service is a potential attack vector. Disable what you don't need:

sudo systemctl list-unit-files --state=enabled  # List services enabled at boot
sudo systemctl disable --now [service-name]     # Disable (and stop) unused ones

Managed Hosting Users:

If you use shared/managed hosting (cPanel, Plesk), your host handles server hardening. Focus on application-level security (WordPress, backups, SSL). Don't have SSH access? That's fine — you're paying the host to secure the server.

10. Payment Security (PCI Basics)

Critical Legal Point:

If you process credit cards yourself (not via CCBill/Epoch/Segpay), you MUST be PCI DSS compliant. Non-compliance = fines up to $500k + liability for fraud. For adult sites, use third-party processors. They handle compliance.

Adult-Friendly Payment Processors

Stripe and PayPal ban adult content. Use these instead:

  • CCBill: 10.5-14.5% fees, weekly payout. Industry standard. Recurring billing, fraud protection, high approval rates.
  • Epoch: 9-15% fees, bi-weekly payout. Lower fees for high volume. Good international support.
  • Segpay: 10-14% fees, weekly payout. Alternative payment methods (crypto, gift cards). Risk management tools.
  • Verotel: 11-15% fees, bi-weekly payout. EU-based. Strong European market. SEPA payments.

Why Use Third-Party Processors?

  • PCI compliance: They handle it. You don't touch card data.
  • Fraud protection: Advanced fraud detection (saves you chargebacks)
  • Recurring billing: Subscriptions managed for you
  • High-risk merchant accounts: Adult is high-risk. They specialize in it.
  • Chargeback management: They fight fraudulent chargebacks on your behalf

Security Requirements (If You Must Self-Process)

  • PCI DSS Level 1 compliance (annual audit, $10k-50k cost)
  • Tokenization (never store raw card numbers)
  • Encrypted transmission (TLS 1.2+ only)
  • Dedicated payment server (isolated from web server)
  • Regular vulnerability scans (quarterly PCI scans)
  • Incident response plan (documented breach procedures)

Reality: 99.9% of adult sites should NOT self-process. Use CCBill/Epoch.

Crypto Payments (Alternative):

Bitcoin/crypto avoids adult payment processing hassles entirely. Use CoinPayments.net or BTCPay Server for self-hosted. Lower fees (1-2%), no chargebacks, but niche audience (5-10% of customers max).

11. Common Attack Vectors

Know your enemy. Here are the most common ways adult sites get compromised:

SQL Injection

Attacker inserts malicious SQL into input fields, gains database access.

Example vulnerable code:

$query = "SELECT * FROM users WHERE id = " . $_GET['id'];  // NEVER DO THIS

Protection:

  • Use prepared statements (PDO in PHP)
  • Never trust user input
  • WordPress/frameworks handle this automatically

Cross-Site Scripting (XSS)

Attacker injects JavaScript into your pages, steals user sessions/cookies.

Example:

// Vulnerable: Displays unsanitized comment
echo "<p>" . $_POST['comment'] . "</p>";  // Allows <script> injection

Protection:

  • Sanitize all output: htmlspecialchars($_POST['comment'])
  • Content Security Policy headers (CSP)
  • WordPress auto-escapes output via esc_html()

File Upload Exploits

Attacker uploads PHP shell disguised as image, executes code on your server.

Protection:

  • Validate file extensions (whitelist, not blacklist)
  • Check MIME types server-side
  • Store uploads outside web root (serve via script)
  • Disable PHP execution in upload directories (.htaccess)

Brute Force Login Attacks

Bots try thousands of username/password combos until they guess correctly.

Protection:

  • Limit login attempts (Wordfence, Limit Login Attempts plugin)
  • 2FA (Google Authenticator)
  • Strong passwords (16+ chars, random)
  • CAPTCHA after 3 failed attempts
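The login-limiting plugins above, and Fail2Ban in the server hardening section, all work from the same observation: a brute-force run shows up in the access log as one IP posting to wp-login.php over and over without ever getting the 302 redirect a successful login produces. The script below is an added example of that detection done by hand, not Wordfence's or Fail2Ban's code; the log lines are constructed, and the 302-means-success rule is a heuristic that holds for stock WordPress but not necessarily for custom login flows.

```shell
#!/bin/sh
# Spot login brute-forcing in a combined-format access log: count POSTs to
# wp-login.php per IP that did not end in WordPress's post-login 302 redirect.
# Added example, not Wordfence's or Fail2Ban's code. Sample log is constructed.
set -eu

# Constructed sample: one client hammering the form, one real user logging in.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Jan/2024:03:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2024:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "python-requests/2.31"
198.51.100.20 - - [10/Jan/2024:03:15:44 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2024:03:15:52 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://yoursite.com/wp-login.php" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2024:03:15:53 +0000] "GET /wp-admin/ HTTP/1.1" 200 8210 "https://yoursite.com/wp-login.php" "Mozilla/5.0"
EOF
}

# Usage: brute_force_ips LOGFILE THRESHOLD
# Prints "count ip" for every IP with more than THRESHOLD failed-looking POSTs.
# Heuristic: a failed WordPress login re-renders the form (200); success redirects (302).
# Combined log fields: $1 ip, $6 method (with leading quote), $7 path, $9 status.
brute_force_ips() {
    awk -v t="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 != "302" { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# Standalone use: sh detect-bruteforce.sh /var/log/nginx/access.log 20
# Hand the IPs to the firewall (ufw deny from IP) or let fail2ban do this continuously.
if [ "${1:-}" != "" ]; then
    brute_force_ips "$1" "${2:-20}"
fi
```

Pick the threshold from your own logs: a real user who forgets a password produces a handful of failed POSTs, a bot produces hundreds, so anything from about 10 upward separates the two cleanly.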

Plugin/Theme Vulnerabilities

Outdated WordPress plugins are the #1 entry point. Nulled (pirated) themes often contain backdoors.

Protection:

  • Update plugins/themes weekly (enable auto-update)
  • Delete unused plugins/themes (attack surface reduction)
  • Never use nulled themes (pre-infected with malware)
  • Check plugin reviews/last updated date before installing

Phishing (You)

Fake emails pretending to be your host/registrar, tricking you into giving up credentials.

Protection:

  • Never click login links in emails (manually type URL)
  • Check sender email carefully (godaddy-support.com vs godaddy.com)
  • Enable 2FA on host/registrar accounts
  • Hosts never ask for passwords via email

12. Monthly Security Checklist

Save this checklist. Run it monthly. Takes 30 minutes. Prevents 90% of hacks.

Pro Tip:

Set a recurring calendar reminder for the 1st of every month. Title it "Security Audit". Takes 30 minutes. The one month you skip it will be the month you get hacked. Murphy's Law.
