Web Security - Some Tips On How To Secure Your Web
Banned
Posts: 8
Joined: Oct 31 2021
Nov 5 2021 06:12pm
Hello. I would like to share with you my knowledge about how you should secure your website so that no unpleasant incidents occur. Nowadays people more and more often forget about it, postpone it for later, or simply do not know how to do it. Here I will give you some tips that can help in most cases.


1.) It may be controversial for some, but not using PHP is one of the best solutions: switch to Express frameworks, as they are much better protected against SQL Injection, XSS and many other things.

2.) Securing login/registration from bots is a good solution because it avoids possible lagging of the site from a huge number of bots and the clogging of the database with fake users. The best way to do this is to add ReCaptcha or HCaptcha, because it costs nothing and protects your site quite well against such cases. Of course there are also sites like 2Captcha which sell captcha-solving services cheaply, but it is still worth adding a captcha, because some "bots" will be discouraged by the fact that they have to pay just to be able to do anything else.

3.) Improve site logs to show suspicious activity, even for trivial things, so that you can react quickly if someone finds a vulnerability on your site.

4.) Secure your database as well as all admin pages as well as possible, and use passwords of at least 16 characters with special characters, because someone may try to hack in using BruteForce. Although it is not very popular nowadays, it is still a threat to many sites; even hosting companies that provide access to the database via their website often generate such a weak password that it is possible to hack into almost any database, which usually leads to leaks.

5.) Scan the website regularly with your own hands, even with free tools from the net, for vulnerabilities so that no one does it before you and finds something you should not.

6.) Regularly delete old unused endpoints, as they can also lead to many different problems depending on what the endpoint was doing and how secure it was.

7.) Make sure that the user session is secure, e.g. that there is no cookie so badly done that changing it in the right way can even lead to connecting as another user and using his account without restrictions.

8.) Use sites that can help with security to detect whether a user has a VPN, Proxy or TOR, and block them if necessary or just keep an eye on them.


There are many other ways, but I have listed the ones I come across most often on websites; it may be useful to someone.
Member
Posts: 1,894
Joined: Mar 17 2006
Dec 12 2021 07:04pm
If I had read number 2 one week ago, I would have avoided being hacked by some random Russian dude.

Forgot to add recaptcha on a simple form that allows users to invite other people to their team.

The Russian dude created a team with a link in the team's name and used a basic bot to open the form, add a random email from a list and send the invite.

The person would receive an email telling them to join the team [link url] with my application's name and layout around it. Yeah...

21k people got invited to my application, which means we lost 21k emails on the email-sending platform we use.

And what's even worse is that it busted our max number of connections on the database, which means the app was down for 4 hours before I restarted it and fixed the problem.

So yeah, use recaptcha.
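Added example, not code from either poster: an Express-style handler for the kind of "invite a teammate" form described in the reply, applying tip 2 from the first post. It rate-limits invites per client IP before anything else, verifies the submitted hCaptcha token server-side (the siteverify endpoint is hCaptcha's; the fetch function is injected so the logic runs offline), and refuses team names that contain a link, since that is what turned the invite mail into a lure. Function names, limits and the link heuristic are assumptions for illustration.

```javascript
// Sliding-window rate limiter: at most `limit` calls per `windowMs` per key.
// Checked first so a flood never even reaches the captcha provider or the mailer.
function createRateLimiter(limit, windowMs) {
  const hits = new Map(); // key (e.g. client IP) -> timestamps inside the window
  return function allow(key, now = Date.now()) {
    const recent = (hits.get(key) || []).filter((t) => now - t < windowMs);
    const ok = recent.length < limit;
    if (ok) recent.push(now);
    hits.set(key, recent);
    return ok;
  };
}

// Server-side captcha check. The client-side widget alone proves nothing; the
// token must be sent to the provider (hCaptcha's siteverify) with the secret.
async function verifyCaptcha(token, secret, fetchImpl = globalThis.fetch) {
  if (typeof token !== "string" || token === "") return false;
  const res = await fetchImpl("https://hcaptcha.com/siteverify", {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ secret, response: token }).toString(),
  });
  const data = await res.json();
  return data.success === true;
}

// Heuristic (assumption): a team name with a URL or bare domain in it would be
// rendered inside the invite e-mail, so reject it instead of mailing it out.
function teamNameHasLink(name) {
  return /https?:\/\/|www\.|\b[a-z0-9-]+\.[a-z]{2,}\b/i.test(String(name));
}

// Factory for an Express-compatible (req, res) handler for POST /invite.
function createInviteHandler({ captchaSecret, fetchImpl, limit = 5, windowMs = 60000 }) {
  const allow = createRateLimiter(limit, windowMs);
  return async function inviteHandler(req, res) {
    if (!allow(req.ip)) return res.status(429).json({ error: "too many invites" });
    if (teamNameHasLink(req.body.team)) return res.status(400).json({ error: "invalid team name" });
    const ok = await verifyCaptcha(req.body["h-captcha-response"], captchaSecret, fetchImpl);
    if (!ok) return res.status(400).json({ error: "captcha failed" });
    // Only here would the application queue the invite e-mail.
    return res.status(200).json({ invited: req.body.email });
  };
}
```

Mount it as `app.post("/invite", createInviteHandler({ captchaSecret: process.env.HCAPTCHA_SECRET }))`; behind a reverse proxy, set Express's `trust proxy` so `req.ip` is the real client address and not the proxy's.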