Old 10-25-2017, 06:03 PM   #1
HairyChick
Slowly dying
 
Industry Role:
Join Date: Sep 2012
Location: Padanaram
Posts: 3,091
Security Questions

I've been setting up a site that will process payments. Some are processed via APIs that handle it on their side. Nothing is retained by me.

Others have APIs that process on my site but nothing is stored.

The offsite processing will have buttons on an http page, like htttp:// www. .com/payment space php (intentional space). It runs a php script.

From my site, the button goes to https:// www.otherdomain.com/index.php. The API code will be there. It runs Wordpress but just the index page and directories/payment1, /payment2 with payment.php page. One file only

I'll use ReCaptcha on both and security plugins on Wordpress. But -- beside .htaccess, what security scripts can I run to keep the main domain secure? Nothing confidential there but for normal stuff. No payment info at all.

The https is required by the banks but doesn't guarantee security, I know that. Hacking will just frustrate me and I'll backup every twelve hours, just in case. But I'd like to lockdown both sites as tight as possible.

I know Wordpress can be risky but it's just a gateway. 3/4 pages to replace if hacked with just API code. The other script isn't popular and I'll set up the db to save hourly if possible.

Am I covering all bases? Security suggestions? What am I overlooking?

Thanks. Hope I didn't leave anything out. I don't want to skip things and when hacked, yell at myself for not thinking about it.
__________________
*****************************************
Anti-Semites have Small Penis Syndrome. The only known treatment is electroshock therapy combined with cerebellum removal. Fortunately, it’s a tiny procedure.
*****************************************

Last edited by HairyChick; 10-25-2017 at 06:06 PM.. Reason: Weird link came up again
Old 10-26-2017, 03:48 AM   #2
Barry-xlovecam
It's 42
 
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
If you are going to use Wordpress you need to refer all data entry and payments to the processor's server. The processor's server will return your customers to your success and acknowledgement page.

If you can do this with an API that is a TLS (HTTPS) post it is probably OK, but make it clear on the page that "this website does not store your credit card data". I would store all the customer personal data outside of the document root so that the webserver and PHP would hopefully not give it up on the public internet to an exploit -- you really need a dedicated or a good VPS server to do this right.

Wordpress security is an oxymoron when dealing with e-commerce payments.
Old 10-26-2017, 04:06 AM   #3
rowan
Too lazy to set a custom title
 
Join Date: Mar 2002
Location: Australia
Posts: 17,373
Quote:
Originally Posted by PamWinterReturns View Post
I'll use ReCaptcha on both and security plugins on Wordpress.
ReCaptcha for what? Please don't use it "just in case", because there are several people who don't just get an instant tick, and have to solve multiple puzzles. It's a massive waste of time. I typically have to solve 4 to 6 puzzles with each challenge.
Old 10-26-2017, 05:52 PM   #4
HairyChick
Slowly dying
 
Industry Role:
Join Date: Sep 2012
Location: Padanaram
Posts: 3,091
Barry, Wordpress is just the script to put the page. They click a link there but go elsewhere. I can't remember why I wanted to use a script and just deleted Wordpress.

I'm sure I had a valid reason. So, ah, I remember. It's easier to put code on a plain page than put it in my php program. If I have to hire a coder, I can't. I know it's just copy and paste but no one wants to spend an hour or two and get not much money in return. Understandable. If I try to properly paste code for four APIs, I'll break my script.

I felt I could paste each separately on a blank page in Wordpress. I can do it on one blank page, sure, but the script needs editing to direct and redirect to that page. Any references to payment need to be changed.

I'm stuck between a rock and a hard place. I'm literally not sleeping in figuring this out. I chose Wordpress as I'm familiar with it. I'd use other programs as a landing page if I knew they were secure and had a small learning curve. With amnesia I need simple. Shit, I have to reinstall my php program as I forgot the pass. It's in iCloud Drive but won't work.

Any recommendations on a program to put the API and payment buttons on? I store nothing. Click to pay and go to the processing site.

I can https the page with my awesome host. I can add security programs and ReCaptcha to frustrate bots. What I can't do is figure out how to set this up. No matter what, the php script has to be edited. I don't want a redirect as that hesitation will scare newbies away.
Old 10-26-2017, 11:05 PM   #5
Barry-xlovecam
It's 42
 
Industry Role:
Join Date: Jun 2010
Location: Global
Posts: 18,083
As long as you are just adding a 'paypal' like API button or something, WordPress is usable but not for any volume or secure application. In the editor -- select the text tab and just paste the API HTML. Whoever developed the API should have made the code acceptable to that editor.

The picture below is pretty much self explanatory. If you have problems, try looking for an online formatting tool that will escape the HTML characters for PHP.



Bots posting to your API will affect the server it posts to -- the API processor. The processor should anticipate this and take whatever counter-measures the processor deems necessary.

The best counter-measure for WordPress security is not to use plugins without some search engine reading -- preface the plugin with 'exploit' + plugin name > see if there are known issues before you install them. And you need to constantly update the WordPress code to the newest version as WordPress is the holy grail of code-kiddie hackers.

https://www.yourdomain.com/wp-admin/plugin-install.php?s=ip+ban&tab=search&type=term

Use an IP log-in blocker for code-kiddies (C0d3-k1ddi3s) that will try to brute force their way in. WordPress' SEO features like feeds and ping backs are like beacons to low skill hackers using automated exploit tools.
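As an added illustration of the two hardening points in Barry's post (turn off the pingback beacon, throttle brute-force logins), here is a small must-use plugin built only on WordPress core hooks. It is example code written for this page, not code from the thread, from WordPress, or from any plugin; the GFY_ constants and gfy_ function names are hypothetical, and it assumes the server is not behind a reverse proxy.

```php
<?php
/*
 * Plugin Name: Login throttle and pingback shutoff (hypothetical example)
 * Drop into wp-content/mu-plugins/ so it loads without activation.
 */

// 1. Disable XML-RPC (the pingback.ping endpoint is the usual "beacon" and
//    reflection vector) and stop advertising it in the page head and headers.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
remove_action( 'wp_head', 'rsd_link' );           // no RSD link to xmlrpc.php
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );               // no X-Pingback response header
    return $headers;
} );

// 2. Per-IP login throttle: after GFY_MAX_FAILS failed logins within
//    GFY_LOCKOUT_SECONDS, further attempts from that address are refused.
const GFY_MAX_FAILS       = 5;
const GFY_LOCKOUT_SECONDS = 900;

function gfy_client_ip() {
    // Assumes no trusted reverse proxy; behind one, read its forwarded header instead.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}
function gfy_fail_key() {
    return 'gfy_login_fails_' . md5( gfy_client_ip() );
}

// Priority 30 runs after WordPress' own credential checks (priority 20),
// so the lockout error is what the login form finally shows.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( gfy_fail_key() ) >= GFY_MAX_FAILS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}, 30, 3 );

add_action( 'wp_login_failed', function () {
    $key   = gfy_fail_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, GFY_LOCKOUT_SECONDS );   // window restarts on each failure
    error_log( 'login failure from ' . gfy_client_ip() . ' count=' . $fails );
} );

add_action( 'wp_login', function () {
    delete_transient( gfy_fail_key() );   // a successful login clears the counter
} );
```

The error_log line gives you something to watch in the PHP log, which is a quick way to see whether the bots Barry mentions are actually hitting wp-login.php.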