Derailed By Jump In Traffic, Concerns About Security
It has been an interesting couple of weeks with a major jump in traffic on our splashplan.com website. At first I thought it was great. Then I got to thinking about the possible setup issues we may encounter and I started getting ready for manually reviewing profiles and link overrides. Then I started getting concerned that we were getting multiple signups per IP, and we were. Then I started getting concerned about security.
User Setup Issues
Unlike other sites I have worked with in the past, user setup and or data entry issues are minimal. The main areas to watch are user profile setup, link overrides, and forum entries. Forums are virtually unused, as are link overrides so I concentrated on manually reviewing user profile setups. Nothing much to report here either. I am working towards an automated system to review and approve changes to user (member) profiles that I can hand off to an employee to take care of. I am watching the forums for anything myself right now and watching for link (resource) overrides to start happening.
Multiple Signups Per IP
Unbelievable. We started getting multiple signups per IP. There is absolutely no advantage whatsoever with doing this. Nothing to be gained. So I looked at blocking IPs that have more than 5 signups. I am doing this manually for now but I have thought of some automated ways to take care of this. We will see.
An IP is a number that typically identifies a single user or group of users. I would say that 5 is a lot of sign ups. 17 is far too many for an individual signup.
I researched each IP at first and found that many forums are having the same problem with these IPs. So blocked.
It looks like security will be a never-ending process of thinking and rethinking my security strategies. So far it looks like I was pretty good with my user id/password and reset strategy. I simply ask new members to enter their email and password to sign up. If they need to reset their password, they can use “I forgot my password” to reset it.
Resetting a password sends an email to the member with a 6 digit random number. Once the number is used successfully, it is removed from the database. Passwords and reset codes are encrypted so even I cannot see either in the database. Even if somehow somebody gets a email and password from a member, there is very little to be gained. We do not collect payment or personal information from a member.
We could do more. We could require certain kinds of passwords. We could require a two-step sign in. We could follow best practices all the way around. But even if a hacker got my sign in to the web site, they really would not be getting much.
I have also thought about socially engineering a hack, which is a possibility with a lot of work. What if somebody got my sign on and password or got it reset? What if somebody got my email password? What if somebody got the database password? Security, honestly, is not paramount. I would be more worried about getting data destroyed than stolen. Most of the information stored is public or semi-public, we do not have credit card information or anything that sensitive stored. People are not worried about being associated with the web site.
Of course this does not stop me from worrying about it.
New “The SplashPlan Blog”
I did also move over The SplashPlan Blog from WordPress.com to our own hosted site here. I am still working on the stories here, as I merged in three different blogs. Hopefully I should have it in a good state within a couple of weeks.