Security Configuration

v1.0.0

Protect your marketplace from threats, spam, and abuse with proper security configuration.

Google reCAPTCHA Setup

Step 1: Create reCAPTCHA Keys

  1. Go to Google reCAPTCHA Admin
  2. Sign in with your Google account
  3. Fill in the registration form:
    • Label: Enter "GigsRabbit" or your site name
    • reCAPTCHA Type: Choose reCAPTCHA v2 > "I'm not a robot" Checkbox
    • Domains: Add your domain(s):
      • yourdomain.com
      • www.yourdomain.com
      • localhost (for local testing only; remove it before going live)
  4. Accept Terms of Service
  5. Click Submit

Step 2: Copy Your Keys

After registration, you'll receive:

  • Site Key: 6Lc... (public key, embedded in your pages for the frontend widget)
  • Secret Key: 6Lc... (private key, used only by the backend; keep it out of client-side code and version control)

Copy both keys - you'll need them in the next step.
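The secret key is only useful on the server: the token the widget puts in the form must be sent to Google's siteverify endpoint and the reply checked before the form is accepted. The following is an added example in Python, not GigsRabbit's own code, showing that check; the siteverify URL and response fields (success, hostname, error-codes) are Google's documented ones, while the function names and the injectable `post` transport (used so the logic can be tested without network access) are this example's own.

```python
"""Server-side reCAPTCHA v2 verification (added example, not GigsRabbit code)."""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def _post_form(url, fields):
    """Default transport: POST a form to Google and decode the JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_recaptcha(token, secret, allowed_hostnames, remote_ip=None, post=_post_form):
    """Return (accepted, reason) for the g-recaptcha-response value of a submitted form.

    `allowed_hostnames` are the domains registered in the reCAPTCHA admin console;
    a token solved on some other site that embeds your public site key is rejected.
    """
    if not token or len(token) > 4096:            # nothing to verify, or oversized input
        return False, "missing-input-response"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip             # optional, helps Google's risk scoring
    try:
        result = post(SITEVERIFY_URL, fields)
    except Exception as exc:                       # fail closed if Google cannot be reached
        return False, "siteverify-unreachable: %s" % exc
    if not result.get("success"):
        return False, "rejected: " + ",".join(result.get("error-codes", ["unknown"]))
    hostname = result.get("hostname", "")
    if hostname not in allowed_hostnames:
        return False, "hostname-mismatch: " + hostname
    return True, "ok"


def fake_siteverify(reply):
    """Stand-in transport returning a canned siteverify reply (for offline tests)."""
    def post(url, fields):
        return reply
    return post
```

Call verify_recaptcha from the registration, login, contact, password-reset and support-ticket handlers (the forms listed in Step 4) before doing any work; a token is single-use, so resubmitting the same one yields the timeout-or-duplicate error code.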

Step 3: Configure in Admin Panel

  1. Go to yourdomain.com/admin
  2. Navigate to Services > reCAPTCHA
  3. Enter your keys:
    • Site Key: Paste your site key
    • Secret Key: Paste your secret key
    • reCAPTCHA Version: Select v2
  4. Click Save Changes

Step 4: Enable reCAPTCHA on Forms

  1. Go to Settings > Security
  2. Find reCAPTCHA Settings section
  3. Enable for:
    • User Registration
    • User Login
    • Contact Forms
    • Password Reset
    • Support Tickets
  4. Click Save Changes

Step 5: Test reCAPTCHA

  1. Log out of the admin panel
  2. Go to registration page
  3. Verify reCAPTCHA appears
  4. Test form submission

Security Settings Configuration

Step 1: Basic Security Settings

Navigate to Settings > Security and configure:

Session Security:

  • Session Lifetime: 120 minutes (recommended)
  • Session Timeout on Inactivity: 30 minutes
  • Single Session per User: Enable (prevents concurrent logins; a new login ends the user's other sessions)

Password Requirements:

  • Minimum Length: 8 characters
  • Require Uppercase: Yes
  • Require Numbers: Yes
  • Require Special Characters: Yes
  • Password History: 5 (prevents reusing last 5 passwords)
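The five settings above translate into a small check that runs on registration and password change. The block below is an added Python example, not GigsRabbit's implementation; it assumes passwords are stored as salted PBKDF2-HMAC-SHA256 digests (the round count and the `hash_password`/`check_password` names are this example's own) and shows how Password History works when each stored hash has its own salt: the candidate has to be re-hashed per historical entry.

```python
import hashlib
import hmac
import os
import re

# Values from the Password Requirements list above
MIN_LENGTH = 8
HISTORY_SIZE = 5
PBKDF2_ROUNDS = 100_000    # assumed work factor for this example


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password, history):
    """Return the list of violated rules; an empty list means the password is accepted.

    `history` holds the user's previous (salt, digest) pairs, oldest first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("min-length")
    if not re.search(r"[A-Z]", password):
        problems.append("uppercase")
    if not re.search(r"[0-9]", password):
        problems.append("number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("special")
    # Password History: only the last HISTORY_SIZE entries count, and each one
    # has its own salt, so the candidate is re-hashed per entry and compared
    # in constant time.
    for salt, digest in history[-HISTORY_SIZE:]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            problems.append("reused")
            break
    return problems
```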

Login Security:

  • Max Login Attempts: 5
  • Lockout Duration: 15 minutes
  • Show Login Attempts: Yes
  • Email on Suspicious Login: Enable

Step 2: Two-Factor Authentication

Enable 2FA:

  1. Go to Settings > Security
  2. Find Two-Factor Authentication
  3. Set Enable 2FA to Yes
  4. Choose methods:
    • Email OTP
    • SMS OTP (requires SMS gateway)
    • Google Authenticator

Step 3: IP Restrictions

Block Suspicious IPs:

  1. Go to Settings > Security > IP Management
  2. Add IPs to blocklist:
    • Single IP: 192.168.1.1
    • IP Range: 192.168.1.0/24
    • Country blocking (if available)

Whitelist Admin IPs:

  1. Add your office/home IP to whitelist
  2. Enable "Restrict Admin Access to Whitelist"

SSL Certificate Installation

Option 1: Let's Encrypt (Free SSL)

Via cPanel:

  1. Log in to cPanel
  2. Go to SSL/TLS Status
  3. Select your domain
  4. Click AutoSSL
  5. Wait for installation (5-15 minutes)

Via SSH (Ubuntu/Debian):

# Install Certbot
sudo apt update
sudo apt install certbot python3-certbot-nginx

# Get certificate
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Follow prompts and enter email

Option 2: Purchased SSL

  1. Purchase SSL from provider (Namecheap, GoDaddy, etc.)
  2. Generate a CSR in cPanel or on the server
  3. Validate domain ownership
  4. Download certificate files
  5. Install via cPanel or server panel

Step 3: Force HTTPS

  1. Go to Settings > Security
  2. Enable Force HTTPS
  3. Update .htaccess if needed:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Spam Protection

Configure Anti-Spam Measures

1. Rate Limiting:

  • Go to Settings > Security > Rate Limiting
  • Set limits:
    • Registration: 3 per hour per IP
    • Login: 10 per hour per IP
    • Contact Form: 5 per hour per IP
    • API Calls: 60 per minute
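The per-IP limits above and the Login Security settings earlier on this page (Max Login Attempts 5, Lockout Duration 15 minutes, Show Login Attempts) are two different counters: a sliding window that throttles how often an action may happen from one address, and a per-account lock that engages after consecutive failures. The block below is an added Python example, not the GigsRabbit implementation, with both mechanisms side by side using the page's numbers; class names are this example's own, and state is kept in memory (a real deployment would keep it in the database or cache shared by all web workers).

```python
import time
from collections import defaultdict, deque

# Login Security: Max Login Attempts 5, Lockout Duration 15 minutes
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 15 * 60
# Rate Limiting: action -> (max events, window in seconds)
RATE_LIMITS = {
    "registration": (3, 3600),
    "login": (10, 3600),
    "contact_form": (5, 3600),
    "api": (60, 60),
}


class SlidingWindowLimiter:
    """Per (action, key) sliding window: at most `limit` events in the last `window` seconds."""

    def __init__(self):
        self.events = defaultdict(deque)

    def allow(self, action, key, now=None):
        now = time.time() if now is None else now
        limit, window = RATE_LIMITS[action]
        q = self.events[(action, key)]
        while q and q[0] <= now - window:        # forget events that left the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True


class AccountLockout:
    """Locks an account for LOCKOUT_SECONDS after LOCKOUT_THRESHOLD consecutive failures."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        return self.locked_until.get(user, 0) > now

    def record(self, user, success, now=None):
        """Update state after an attempt; returns attempts remaining (0 once locked).

        The remaining count is what "Show Login Attempts: Yes" displays to the user.
        """
        now = time.time() if now is None else now
        if success:
            self.failures.pop(user, None)
            self.locked_until.pop(user, None)
            return LOCKOUT_THRESHOLD
        self.failures[user] += 1
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures.pop(user, None)       # counter restarts after the lock expires
            return 0
        return LOCKOUT_THRESHOLD - self.failures[user]
```

Apply the limiter before the credential check and the lockout after it, and key the limiter on the client address you actually trust (the real address, or the X-Forwarded-For value only when a proxy you control sets it).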

2. Content Filtering:

  • Enable spam word filtering
  • Add prohibited words list
  • Set moderation rules
  • Enable link restrictions

3. Email Verification:

  • Require email verification for new users
  • Block disposable email domains
  • Verify email domain MX records

4. User Verification Levels:

  • Email verified
  • Phone verified (optional)
  • ID verified (for sellers)
  • Payment method verified

Backup Configuration

Automated Backups

1. Database Backup:

#!/bin/bash
# backup_db.sh: dump the database, compress it, prune copies older than 30 days
set -euo pipefail
DATE=$(date +%Y%m%d_%H%M%S)

# Credentials come from a root-only file (chmod 600 /root/.my.cnf) so the
# password never appears on the command line or in the process list:
#   [client]
#   user=username
#   password=password
mysqldump --defaults-extra-file=/root/.my.cnf database_name > /backups/db_$DATE.sql
gzip /backups/db_$DATE.sql

# Delete backups older than 30 days
find /backups -name "*.sql.gz" -mtime +30 -delete

2. File Backup:

#!/bin/bash
# backup_files.sh: archive the application directory, skipping dependency folders
set -euo pipefail
DATE=$(date +%Y%m%d_%H%M%S)
tar -czf /backups/files_$DATE.tar.gz --exclude=node_modules --exclude=vendor /path/to/gigsrabbit

3. Setup Cron Jobs:

# Daily database backup at 2 AM
0 2 * * * /path/to/backup_db.sh

# Weekly full backup on Sunday at 3 AM
0 3 * * 0 /path/to/backup_files.sh

Backup Storage

Recommended Solutions:

  1. Amazon S3: Reliable, affordable
  2. Google Cloud Storage: Good integration
  3. Dropbox: Simple setup
  4. External Server: Via SFTP/rsync

Security Monitoring

Activity Monitoring

Track Suspicious Activities:

  1. Go to Settings > Security > Activity Log
  2. Monitor:
    • Failed login attempts
    • Multiple account creation from same IP
    • Rapid transactions
    • Unusual API usage
    • Mass messages/emails
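The activity log is only useful if someone, or something, reads it for patterns. The block below is an added Python example, not a GigsRabbit feature: it runs two of the checks listed above (failed-login bursts and multiple account creations from one IP) over a constructed sample log. The line format, the thresholds (5 failures in 10 minutes, 3 registrations in an hour) and the function names are this example's assumptions; adapt the regular expression to whatever the exported log actually looks like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real GigsRabbit output); one event per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failed ip=203.0.113.5 user=alice
2024-05-01T10:00:04Z login_failed ip=203.0.113.5 user=alice
2024-05-01T10:00:09Z login_failed ip=203.0.113.5 user=bob
2024-05-01T10:00:15Z login_failed ip=203.0.113.5 user=carol
2024-05-01T10:00:20Z login_failed ip=203.0.113.5 user=dave
2024-05-01T10:05:00Z login_ok ip=198.51.100.9 user=erin
2024-05-01T11:00:00Z register ip=192.0.2.77 user=shop1
2024-05-01T11:02:00Z register ip=192.0.2.77 user=shop2
2024-05-01T11:03:30Z register ip=192.0.2.77 user=shop3
2024-05-01T12:00:00Z register ip=198.51.100.9 user=frank
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) ip=(?P<ip>\S+) user=(?P<user>\S+)$")


def parse(log_text):
    """Turn log lines into (timestamp, event, ip, user) tuples; skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["ip"], m["user"]))
    return events


def bursts(events, event_name, threshold, window):
    """Return {ip: peak count} for IPs with >= threshold events of one kind inside `window`."""
    by_ip = defaultdict(list)
    for ts, ev, ip, user in events:
        if ev == event_name:
            by_ip[ip].append(ts)
    findings = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                findings[ip] = max(findings.get(ip, 0), count)
    return findings


def analyse(log_text):
    """Run the two detections over a log export and return the findings per rule."""
    events = parse(log_text)
    return {
        "failed_login_bursts": bursts(events, "login_failed", 5, timedelta(minutes=10)),
        "multi_registration": bursts(events, "register", 3, timedelta(hours=1)),
    }
```

Note that the login burst in the sample spreads across four different usernames from one address, which is what a credential-stuffing attempt looks like in a log; a per-account lockout alone would not trip on it, but this per-IP view does.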

Security Alerts

Configure Alerts:

  1. Go to Settings > Security > Alerts
  2. Enable notifications for:
    • Admin login from new IP
    • Multiple failed logins
    • Large withdrawal requests
    • Suspicious payment patterns
    • Server resource alerts

Security Checklist

Regular Security Tasks:

  • [ ] Weekly: Review activity logs
  • [ ] Monthly: Check for updates
  • [ ] Monthly: Review user permissions
  • [ ] Quarterly: Security audit
  • [ ] Quarterly: Update passwords
  • [ ] Yearly: Penetration testing

Additional Security Measures

File Upload Security

  1. Restrict file types: Only allow safe formats
  2. Scan uploads: Use antivirus API
  3. Limit file size: Set reasonable limits
  4. Rename files: Use random names
  5. Store outside web root: When possible
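The five upload rules above fit in one small function pair. The block below is an added Python example, not GigsRabbit code; the allow-list, the 5 MiB limit and the storage path are this example's assumptions. It judges a file by both its final extension and the magic bytes its content starts with, discards the user-supplied name entirely, and writes under a directory that the web server does not serve (so an uploaded file can never be executed by requesting it).

```python
import os
import secrets

# Assumed storage location outside the web root (placeholder path, adjust to your server)
UPLOAD_ROOT = "/var/lib/gigsrabbit-uploads"
MAX_BYTES = 5 * 1024 * 1024            # "reasonable limit" for this example: 5 MiB

# Allow-list of safe formats: extension -> magic bytes the content must start with
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}


def check_upload(filename, data):
    """Return (True, extension) when the upload is acceptable, else (False, reason)."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    if "." not in filename:
        return False, "extension not allowed"
    ext = filename.rsplit(".", 1)[1].lower()   # only the last extension is considered
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not data.startswith(ALLOWED[ext]):     # a script renamed to .png fails here
        return False, "content does not match extension"
    return True, ext


def store_upload(filename, data, root=UPLOAD_ROOT, write=True):
    """Validate, replace the user-supplied name with a random one, and write under `root`.

    The original filename never reaches the filesystem, so path characters or
    double extensions in it cannot influence where or as what the file is stored.
    """
    ok, detail = check_upload(filename, data)
    if not ok:
        raise ValueError("upload rejected: " + detail)
    new_name = secrets.token_hex(16) + "." + detail
    path = os.path.join(root, new_name)
    if write:                                   # tests pass write=False to leave the disk alone
        os.makedirs(root, exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return path
```

Serve stored files through a download handler that sets Content-Type from the validated extension and Content-Disposition: attachment, never by exposing the upload directory; the antivirus scan from rule 2 slots in after check_upload and before the write.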

Database Security

  1. Use prepared statements: Prevent SQL injection
  2. Encrypt sensitive data: Passwords, payment info
  3. Regular updates: Keep MySQL updated
  4. Restrict privileges: Minimal required permissions
  5. Change default ports: If possible
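Rule 1 is the one most often got wrong, so here is the difference in working code. This is an added Python example using the standard sqlite3 module on an in-memory table constructed for the demonstration; it is not GigsRabbit code, and the table shape is assumed. The first lookup splices the input into the SQL text, so a crafted email value changes the query's meaning; the second binds it as a parameter, so the same value is only ever compared as a string.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a marketplace users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    db.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return db


def find_user_vulnerable(db, email):
    """String-built query: whatever the client sends becomes part of the SQL."""
    sql = "SELECT email FROM users WHERE email = '%s'" % email
    return [row[0] for row in db.execute(sql)]


def find_user_safe(db, email):
    """Prepared statement: the value is bound by the driver and never parsed as SQL."""
    rows = db.execute("SELECT email FROM users WHERE email = ?", (email,))
    return [row[0] for row in rows]
```

The same placeholder style (? for sqlite3, %s for MySQL drivers, named binds in PDO or Laravel's query builder) applies to every query that takes user input, including ORDER BY and LIMIT values, which cannot be bound and therefore must be validated against a fixed allow-list instead.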

Server Hardening

  1. Disable unnecessary services
  2. Configure firewall rules
  3. Use SSH keys instead of passwords
  4. Regular security updates
  5. Monitor server logs
  6. Implement DDoS protection