Security Features & Best Practices
Hello everyone,
As cryptocurrency adoption grows, so do the threats targeting WordPress e-commerce sites. Because you are accepting payments directly to your wallet, the security of your WordPress Admin Dashboard is just as important as the security of the plugin itself.
We have introduced a suite of security tools directly into MyCryptoCheckout to help you harden your store against common and advanced attack vectors.
🛡️ New Built-in Hardening Tools
You can access these options by navigating to Settings > MyCryptoCheckout > Global Settings > Security.
- Administrator Lockdown (Freeze Admin Creation)
  - What it does: Blocks the creation of any new Administrator accounts at the database level.
  - Why: Prevents hackers from “escalating privileges” by secretly creating rogue admin users.
  - Recommendation: Keep this ON. Only uncheck it temporarily if you need to manually add a new administrator.
- Disable Application Passwords
  - What it does: Completely disables the WordPress Application Passwords feature.
  - Why: Attackers often use compromised Application Passwords to bypass Two-Factor Authentication (2FA) and modify site settings remotely.
  - Recommendation: ON.
- Disable File Editors
  - What it does: Disables the built-in Theme and Plugin editors.
  - Why: If an attacker gains access, they often use these editors to inject backdoors. Disabling them removes this easy entry point.
  - Recommendation: ON.
- Disable XML-RPC
  - What it does: Shuts down xmlrpc.php, an older API often used by bots to launch brute-force attacks.
  - Recommendation: ON.
👁️ Active Monitoring (No Configuration Required)
These features run automatically in the background to protect your checkout integrity:
- Wallet Change Notifications: If your wallet addresses are manually updated, the site administrator immediately receives an email alert with the User, Time, and IP Address.
- Frontend Heartbeat Protection: A client-side system that continuously verifies the displayed wallet address matches your settings. If a discrepancy is detected, the customer is automatically redirected away from the payment page.
🔒 Disable Wallet Editing
You can completely disable the ability to edit wallet addresses via the dashboard by adding this line to your wp-config.php file:
define( 'MYCRYPTOCHECKOUT_DISABLE_WALLET_EDITOR', true );
Standard WordPress Best Practices
While MyCryptoCheckout secures the payment process, you must also secure your “Front Door.”
- Enable 2FA: Use a plugin like WP 2FA or Google Authenticator to protect your login page.
- Monitor Activity: Use a security suite like Sucuri or Wordfence to scan for malware.
For a full breakdown of these features, please see our security page: https://mycryptocheckout.com/security-features/
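
To confirm the wp-config.php line above is actually in effect, here is an added Python check (not part of the original post or the plugin's code) that audits a config file for the constant. It assumes only a literal `true` counts as on, also checks WordPress core's `DISALLOW_FILE_EDIT` constant as an extra item worth auditing, and flags a define placed after the `wp-settings.php` require, since plugins load inside that file and may not see it; the sample config is constructed.

```python
import re

# Constructed sample wp-config.php for the demo; not taken from a real site.
SAMPLE = r"""<?php
define( 'DB_NAME', 'shop' ); // see https://example.test/docs
# define( 'MYCRYPTOCHECKOUT_DISABLE_WALLET_EDITOR', true );
/* define( 'DISALLOW_FILE_EDIT', true ); */
define( 'DISALLOW_FILE_EDIT', false );
require_once ABSPATH . 'wp-settings.php';
define( 'MYCRYPTOCHECKOUT_DISABLE_WALLET_EDITOR', true );
"""

# First name is from the post; DISALLOW_FILE_EDIT is WordPress core's constant
# (an assumption about what else to audit, not something the plugin documents).
WANTED = ("MYCRYPTOCHECKOUT_DISABLE_WALLET_EDITOR", "DISALLOW_FILE_EDIT")

_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")"""  # quoted string: kept
    r"""|/\*.*?\*/|//[^\n]*|#[^\n]*""",           # PHP comment: dropped
    re.S,
)
_DEFINE = re.compile(
    r"""\bdefine\s*\(\s*(['"])(\w+)\1\s*,\s*([^)]*?)\s*\)\s*;""", re.I)
_BOOTSTRAP = re.compile(r"\brequire(?:_once)?\b[^;]*wp-settings\.php")


def strip_comments(php):
    """Remove PHP comments while leaving string literals untouched."""
    return _TOKEN.sub(lambda m: m.group(1) or "", php)


def audit(php, wanted=WANTED):
    """Return {constant: 'on' | 'off' | 'too-late' | 'missing'}."""
    code = strip_comments(php)
    boot = _BOOTSTRAP.search(code)
    cutoff = boot.start() if boot else len(code)
    result = {name: "missing" for name in wanted}
    seen = set()
    for m in _DEFINE.finditer(code):
        name, value = m.group(2), m.group(3).lower()
        if name not in result or name in seen:
            continue  # PHP keeps the first define() of a constant
        seen.add(name)
        if m.start() > cutoff:
            result[name] = "too-late"  # defined after WordPress has loaded plugins
        else:
            result[name] = "on" if value == "true" else "off"
    return result


if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name}: {state}")
```
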