Internet safety

General questions
Server requirements
Mail on the server
Where to download the distribution
Where can I download the plugin or payment module distribution?
How to install the sсript
How to updаte the sсript
How to updаte a plugin or payment module
Site setup
Site Setup (Part 2)
Safety
Computer security
Internet safety
Apache Server Security Recommendations
Recommendations for securing the Nginx server
Script security
DDOS protection
SSL certificate for a domain
Brute force protection
Basics
The rk-hook.php file
The rk-config.php file
What is a cron job?
Website theme, website design
Front and personal account
Admin panel or admin panel
Where can I see the version of the sсript?
New Event Indicators
What is a distribution?
Settings page
Adding/Editing Elements
Sorting elements
Calculator with shortcodes element
Element "Password"
Color Selector Element
Date Picker Element
Encrypted Data Element
Data Selector element
sеlect from List Element
Element "URL-Image"
Text Editor Element
Text Field Element
What are shortcodes?
Editor shortcodes
Tables with elements
Table filters
Table display settings
Action buttons in the table
Uploading images
Merchants and automatic payments
Active choice
Checkbox element
Information Text Element
Warning element
Hint element
Site management
Change the website language
Maintenance mode
Test mode
Updаte mode
Authorization on the site
Admin panel address
Address for authorization in the admin panel
Creating the first administrator
Cron jobs
File for robots, robots.txt
XML sitemap file. sitemap.xml
Console. Widgets in the console
Change the admin panel language
Section "Plugins"
User Files Section
Images section
E-mail settings
Section "Settings"
User roles section
User authorization notification
Two-factor authentication
User authorization log
User editing
Adding a new user
Section "Users"
Widgets
Menu. Control
Section "Appearance"
Section "Pages"
Section "Migration"
Exchanger management
Exchange filters
Exchange table settings
Exchanger settings
Application section
Currency codes
Payment systems
Additional currency fields
Currencies
Additional fields for exchange directions
Exchange Direction Templates
Bulk editing of exchange directions
Exchange directions
Plugins
Converting numbers (beautynum)
User authorization (userlogin)
User password recovery (userlostpass)
User registration (userregister)
Copying additional modules (extcopy)
Proxy settings and Timeout of additional modules (extproxy)
News (news)
Articles (articles)
Form rules (formrules)
Tech support chat (techchat)
Telegram (telegram)
SEO (seo)
Logging administrator actions (admin_logs)
Personal account (useraccount)
Professional status customization (profistatus)
Reserve amount settings (reservedisplay)
Reserved Reserves (reservetieds)
Reserve limit for currencies (currencylim)
Links with crypto transactions and addresses (currexplorer)
User exchanges (userxch)
Export bids (export_bids)
Export contacts (export_contacts)
Setting the initial bid ID (setbidid)
Widget for checking the status of the application (checkstatus)
The effect of entering numbers in a calculator (beautyinput)
Financial statistics (finstats)
Log of additional modules (extlogs)
Card number with spaces in the admin panel (beautycard)
Error Page
Shortlinks (shortlinks)
PHPmailer (phpmailer)
E-mail mailopost.ru (email_mailopost)
Disabling CDN (nocdn)
Captcha for the site (captcha)
Website notifications (notices)
HTML sitemap (htmlmap)
Bookmarks for admin bar (fav)
Block partners (partners)
Email notification log (emaillogs)
Recalculation of exchange amount and course (bidrecalc)
Reviews (reviews)
Block with advantages (advantages)
Contact form (feedback)
301 redirects
Rates block
User comments (usercomments)
API (api)
Stylized email template (beautyemail)
Comments (comments)
Confirmation of e-mail before registration (confrmail)
Custom Shortcodes (indxs)
Currency pages (currpages)
Custom shortcodes from file (fileindxs)
Maintenance mode (maintenance)
Operator status (operator)
SMS (sms)
Formatting additional fields (fieldsformat)
Reserve adjustments (correserve)
Site parser (parsers)
BestChange parser (bestchangeapi)
Archiving exchange requests (archive)
Automatic user registration (autoreg)
Crypto transaction confirmation counter (bcc)
Phone verification before creating an application (confephone)
Confirming your email before creating an application (confemail)
Work operators (workoperators)
Request a reserve (zreserve)
Instruction shortcodes (txtshtds)
Exchange request editor (bidedit)
Log of application statuses (bidlogs)
Bid comments (bidscomment)
Custom bid statuses (bidstatus)
Direction of exchange commissions (dircom)
Copying directions (dircopy)
Direction groups (dirgroups)
Exchange filter for guests (dirguest)
Filter exchange directions by languages ​​(dirlangs)
Reserve limit in the direction of exchange (dirlim)
Redirect to exchange directions (dirredirect)
Direction of exchange reserve (dirreserve)
User restrictions (dirrestrictions)
Exchange amount multiple (kratn)
Check for a new user when exchanging (newuser)
Saving auto-payout coupons in the application (payout_coupons)
Automatic deletion of unpaid bids (bidsautodel)
Coupons for exchange discounts (coupons)
User discounts (discounts)
Bank card information (cardinfo)
GEO IP (geoip)
Blacklist bestchange (blacklistbest)
Money transfer number (transfernum)
Payment checks (transfercheck)
Blacklist (blacklist)
Setting up the output of exchange directions in an XML/TXT file (dirxml)
User accounts (userwallets)
Internal Account Module (intacc)
AML (aml)
Selecting a city in the direction of exchange (cities)
Cashback (cashback)
User verification (userverify)
VK Bot (vkbot)
Telegram Bot (tgbot)
Plugin for additional options in the menu (addmenuoptions)
Logging settings (logssettings)
Accepting deposits from an internal account (deposits)
Affiliate program (pp)
User security settings (usersecurity)
Merchants
Merchants
Creating a merchant
Automatic Payments
Automatic payments
Creating an auto-payment
300 140

Internet Security for Cryptocurrency Exchange Owners

Launching an exchange service (exchange, swap service) is not only a technical and marketing task but also a *challenge in the field of cybersecurity*. You become a target for hackers, fraudsters, and competitors because you manage the flow of other people's funds. The security of your online activity is the **cornerstone of customer trust** and the long-term viability of the business. This guide outlines critical practices for protecting you and your users.

1. Foundation: Team Personal Security

Before protecting servers, protect yourself. An attack on the owner or an employee is the easiest way to compromise the system.

1.1. Email Hygiene

Dedicated Mailboxes: Create separate email addresses for domain registration, hosting, social media accounts, and personal purposes. Do not use personal email for business operations.

Two-Factor Authentication (2FA): ALWAYS enable 2FA on all mailboxes, especially the one linked to the domain and hosting.

Caution with Phishing: Carefully check the senders of emails, especially those requesting personal data or access. Never click on suspicious links in emails.

1.2. Password Management

Password Manager: Use a reliable password manager (Bitwarden, 1Password, KeePass). This allows you to generate and store complex, unique passwords for each service.

Password Complexity: Passwords should be long (from 12 characters), contain uppercase and lowercase letters, numbers, and special symbols.

No Shared Passwords: Prohibit employees from using the same password for different services.

2. Protecting Exchange Infrastructure

This is the technical foundation upon which everything depends.

2.1. Choosing and Configuring Hosting

Dedicated Server/VPS: Use a dedicated server or VPS from a reliable provider. Avoid shared hosting.

Secure Connection: All connections to the server must be made *only* via secure protocols (SSH keys instead of passwords, SFTP).

Regular Updates: Keep the operating system, web server (Nginx/Apache), database, and all used libraries up to date.

2.2. Website Security

SSL Certificate: Be sure to use an SSL certificate (HTTPS) for the entire site. This encrypts traffic between the client and the server. Consider an Extended Validation (EV SSL) option for greater trust.

DDoS Attack Protection: Proactively enable DDoS protection from your hosting provider or through third-party services (Cloudflare). Exchanges are frequent targets for such attacks for extortion purposes.

Web Application Firewall (WAF): Install and configure a WAF. It will filter and block malicious traffic (e.g., SQL injections, XSS attacks) before it reaches your application.

3. Security of Operations and Customer Data

Trust is your main currency.

3.1. Principle of Least Privilege

Configure employee access rights so that they only have access to the functions and data necessary to perform their tasks.

Administrative access to the server and the site's admin panel should be granted to the *minimum necessary* number of people.

3.2. Protecting API Keys

If your exchange interacts with other exchanges via API:

Restrict Permissions: Create API keys only with the permissions that are truly needed (typically, only for viewing balances and creating orders). Never use keys with withdrawal rights.

Secure Storage: Do not store API keys in plain text within the code. Use secure environment variables or specialized services for storing secrets.

3.3. Handling Customer Data

Data Minimization: Collect and store only the customer information absolutely necessary for KYC/AML (Know Your Customer / Anti-Money Laundering) compliance and service operation.

Encryption: All personal data and private keys (if you use hot wallets) must be stored in encrypted form.

Backup Policy: Regularly create backups of databases and site files. Store copies separately from the main server (3-2-1 rule).

4. Procedures and Monitoring

Security is a continuous process.

4.1. Logging

Enable detailed logging of all activities on the site:

Login attempts to the admin panel.

All financial transactions (creation, execution, cancellation of orders).

User actions related to data changes (password change, email change).

Analyze logs for suspicious activity.

4.2. Incident Response Plan

Develop an action plan in advance for cases of hacking, data leaks, or DDoS attacks. The plan should answer the questions:

Who is responsible for decision-making?

How to notify users quickly (if their data is compromised)?

How to patch the vulnerability?

Who to contact for legal and technical support?

Quick Security Checklist for an Exchange

  • 2FA is enabled on all critical accounts (email, hosting, domain).
  • The entire site operates on HTTPS with a valid SSL certificate.
  • DDoS protection is connected and a WAF is configured.
  • API keys from exchanges have limited permissions (no withdrawal rights).
  • Backups are regularly created and verified.
  • Logging of all significant events is maintained.
  • Employees have minimally necessary access rights configured.
  • A prepared incident response plan exists.

Conclusion

For a cryptocurrency exchange, security is not an expense item, but a **primary investment in reputation and the future of the business**. One serious leak or hack can permanently destroy customer trust. A proactive approach to protecting your online activity will allow you to focus on service development, confident in its reliability.

Category: Safety
Back to Wiki

© 2025-2026 RichExchanger - professional, reliable, secure currency exchange sсript.

E-mail: support@richexchanger.com
Telegram news: @RichExchangerNews
Русский English

We use cookies to improve the functioning of the site and its interaction with users. By continuing to use the site, you consent to the use of cookies (find out more).

You can always disable cookies in your browser settings.