Web application security is not an option, but a necessity. Attacks are becoming increasingly sophisticated, and effective countermeasures require multi-layered defense. Our script implements a comprehensive security system based on the Defense in Depth principle. This means that even if an attacker overcomes one barrier, another will stand in their way.

Let's look at the key elements of our security system.

1. Application and Data-Level Protection

This is the first line of defense, blocking the most common attack vectors.

XSS (Cross-Site Scripting) Protection: All data written into the page is escaped before output, so characters with special meaning in HTML are rendered as text rather than markup. This prevents malicious scripts from executing in the context of another user's browser, protecting their data and sessions.

SQL Injection Protection: All database queries are executed exclusively through parameterized prepared statements, so user-supplied values travel separately from the query text. This removes the possibility of altering SQL query logic through user input.
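As an added illustration of the two points above (this is example code, not the script's own implementation), the following places a string-concatenated query next to its prepared-statement form and escapes a user-controlled field before it reaches HTML. The in-memory SQLite table and its rows are constructed for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; not the real schema of any project."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users (name, bio) VALUES (?, ?)",
        [("alice", "likes cats"), ("bob", "<script>alert(1)</script>")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable form: the input becomes part of the SQL text, so a quote in
    # the input can change the WHERE clause. Shown only for contrast.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Prepared statement: the query text is fixed, the value is bound separately,
    # so whatever the input contains is compared as a literal string.
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def render_bio(bio: str) -> str:
    # Escape &, <, >, " and ' so stored text can never become markup or script.
    return '<p class="bio">' + html.escape(bio, quote=True) + "</p>"
```

With the same crafted input, the unsafe query returns every row while the parameterized one returns nothing, which is exactly the difference the prepared statement buys.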

Clickjacking Protection: Prevents attacks in which the site is embedded in an invisible frame on a third-party page so that users are tricked into clicking on elements they cannot see.

CSRF (Cross-Site Request Forgery) Checking: Unique CSRF tokens are used for all critical operations (password changes, form submissions). The server checks their validity before executing the action, ensuring that the request was initiated from a trusted page on our site.
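The CSRF check and the clickjacking defence from the two items above, as an added example that is not taken from the script this page describes. The session is modelled as a plain dictionary and the handler is a stand-in; the token length, header values and the `hmac.compare_digest` comparison are the example's own choices.

```python
import hmac
import secrets
from typing import Optional


def issue_csrf_token(session: dict) -> str:
    # One token per session, 256 bits from the OS CSPRNG, kept server-side
    # and embedded in every form that performs a state-changing action.
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison: a plain == would leak how many leading
    # characters matched through response timing.
    return hmac.compare_digest(expected, submitted)


def anti_clickjacking_headers() -> dict:
    # Send both: CSP frame-ancestors is the current mechanism, X-Frame-Options
    # covers older browsers. 'none' / DENY forbids framing by any origin.
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


def handle_password_change(session: dict, form: dict) -> tuple:
    """Stand-in for a critical action: reject the request before doing any work."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    # A real handler would verify the old password and store the new hash here.
    return 200, "password changed"
```

The token is compared only against the value stored in the caller's own session, so a token harvested from another session is useless even if it is otherwise well-formed.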

2. Securing Uploaded Files

File upload is a critical attack surface. We have implemented a multi-layered system of checks to prevent the upload and execution of malicious content.

Whitelisted file type validation: Only files with an explicitly allowed set of extensions (e.g., '.jpg', '.png', '.pdf') may be uploaded. Both the extension and the MIME type are checked.

Magic number (signature) check: The file is checked to ensure its actual content matches the declared type. This prevents scripts (e.g., '.php') from disguising themselves as images (by changing the extension to '.jpg').

Unique file name generation: When saved to the server, the file is assigned a new, generated name. This prevents attacks that overwrite existing files and attacks that rely on requesting an uploaded file by a name the attacker already knows.

File size limit: Strict limits on the size of uploaded files are enforced to prevent DDoS attacks and disk space exhaustion.
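The four upload checks above combined into one validation routine, as an added example rather than code from the script. The size limit, the allowlist and the magic-number prefixes are the example's assumptions (the JPEG, PNG and PDF signatures are the standard ones); the sample file contents in the test are constructed.

```python
import os
import secrets

MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit: 5 MiB

# Allowed extension -> (MIME type the client must declare, accepted leading bytes)
ALLOWED_TYPES = {
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".pdf": ("application/pdf", (b"%PDF-",)),
}


class UploadRejected(Exception):
    """Raised with a short reason whenever a check fails."""


def validate_upload(client_filename: str, declared_mime: str, data: bytes) -> str:
    """Run every check in order and return the generated name to store under."""
    # 1. Size first, so oversized bodies are dropped before any further work.
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")

    # 2. Extension allowlist. Only the final extension counts, so
    #    'report.php.jpg' is treated as '.jpg' and judged by its content below.
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")
    expected_mime, signatures = ALLOWED_TYPES[ext]

    # 3. Declared MIME type must agree with the extension (cheap, client-controlled).
    if declared_mime != expected_mime:
        raise UploadRejected("declared MIME type does not match extension")

    # 4. Magic number: the bytes themselves must look like the declared type.
    if not any(data.startswith(sig) for sig in signatures):
        raise UploadRejected("file content does not match declared type")

    # 5. Never reuse the client's name: fresh random name, extension from the allowlist.
    return secrets.token_hex(16) + ext
```

Because the stored name comes from `secrets.token_hex` and the extension from the allowlist rather than from the client, path characters or a double extension in the original filename never reach the filesystem.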

3. Resistance to Brute-Force Attacks and Unauthorized Access

These measures are aimed at countering automated attacks and direct hacking attempts.

Protection against brute-force attacks: After several unsuccessful login attempts, the account or the originating IP address is temporarily blocked. This makes guessing credentials so slow that the attack becomes impractical.

Protection against brute-forcing authentication via session cookies: Session identifiers are generated using cryptographically strong algorithms and have sufficient entropy, making them resistant to simple brute-force attacks.
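An added example of the two measures in this section, written for this page and not taken from the script: a per-account and per-IP failure counter with a temporary lockout, plus session identifiers drawn from the OS CSPRNG. The threshold of 5 attempts and the 15-minute window are the example's assumptions; the clock is injectable so the behaviour can be checked without waiting.

```python
import secrets
import time
from collections import defaultdict

MAX_FAILURES = 5            # assumed threshold before a lockout
LOCKOUT_SECONDS = 15 * 60   # assumed lockout and counting window


class LoginGuard:
    """Tracks failed logins per account and per IP; either key can trigger a lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lockout ends

    @staticmethod
    def _keys(username, ip):
        return (f"user:{username}", f"ip:{ip}")

    def is_locked(self, username, ip) -> bool:
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now for k in self._keys(username, ip))

    def record_failure(self, username, ip) -> None:
        now = self.clock()
        for k in self._keys(username, ip):
            recent = [t for t in self.failures[k] if now - t < LOCKOUT_SECONDS]
            recent.append(now)
            self.failures[k] = recent
            if len(recent) >= MAX_FAILURES:
                self.locked_until[k] = now + LOCKOUT_SECONDS

    def record_success(self, username, ip) -> None:
        for k in self._keys(username, ip):
            self.failures.pop(k, None)
            self.locked_until.pop(k, None)


def new_session_id() -> str:
    # 32 random bytes = 256 bits of entropy; guessing is infeasible regardless
    # of how many identifiers an attacker is willing to try.
    return secrets.token_urlsafe(32)


def login(guard: LoginGuard, username: str, ip: str, password_ok: bool) -> tuple:
    """Return ("locked"|"invalid"|"ok", session_id_or_None)."""
    if guard.is_locked(username, ip):
        return "locked", None          # refuse even a correct password while locked
    if password_ok:
        guard.record_success(username, ip)
        return "ok", new_session_id()
    guard.record_failure(username, ip)
    return "invalid", None
```

In production the counters would live in a shared store (for instance the database or a cache) rather than in process memory, so that a lockout holds across several application workers.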

4. Security of the Administrative Panel

The admin panel is a prime target for attackers, so its security is enhanced with additional measures.

Change the admin panel path: Standard paths such as '/admin' have been replaced with unique ones known only to authorized personnel. This blocks automated attacks that probe the well-known panel paths of popular management systems.

Change the login address: In addition to changing the path, the login URL can be further obscured, making life more difficult for automated scanners and scripts.

Two-factor authentication (2FA): Access to the admin panel requires not only a password but also a one-time code from email or Telegram. This means that even if the password is compromised, an attacker will not be able to gain access.

Allow authorization from specific IP addresses: Access to administrative functions is permitted only from a pre-approved list of IP addresses (e.g., the office network). This mitigates the risk of external access, even if credentials are stolen.
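The admin-panel gate described in this section, as an added example that is not the script's own code: an IP allowlist check, a single-use one-time code with an expiry and an attempt limit, and a request gate that combines them with the renamed path. The path value, the allowed network and the 5-minute code lifetime are placeholders and assumptions; delivery of the code (by e-mail or Telegram in the page's description) is abstracted as a callback.

```python
import hmac
import ipaddress
import secrets
import time

ADMIN_PATH = "/console-PLACEHOLDER"          # placeholder for the renamed admin path
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed office range
CODE_TTL_SECONDS = 5 * 60                    # assumed lifetime of a one-time code
CODE_MAX_ATTEMPTS = 3                        # assumed wrong guesses before the code is voided


def ip_allowed(client_ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                          # malformed header value: deny
    return any(addr in net for net in ADMIN_NETWORKS)


class OneTimeCodes:
    """Issues and verifies second-factor codes; `send` delivers them out of band."""

    def __init__(self, send, clock=time.time):
        self.send = send
        self.clock = clock
        self.pending = {}   # admin_id -> (code, expires_at, wrong_attempts)

    def issue(self, admin_id: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"   # 6 digits from the CSPRNG
        self.pending[admin_id] = (code, self.clock() + CODE_TTL_SECONDS, 0)
        self.send(admin_id, code)

    def verify(self, admin_id: str, submitted: str) -> bool:
        entry = self.pending.get(admin_id)
        if entry is None:
            return False
        code, expires_at, attempts = entry
        if self.clock() > expires_at or attempts >= CODE_MAX_ATTEMPTS:
            self.pending.pop(admin_id, None)  # expired or exhausted: discard
            return False
        if hmac.compare_digest(code, submitted):
            self.pending.pop(admin_id, None)  # single use
            return True
        self.pending[admin_id] = (code, expires_at, attempts + 1)
        return False


def admin_request_allowed(path: str, client_ip: str) -> bool:
    """First gate: unknown path or non-allowlisted address never reaches the login form."""
    return path == ADMIN_PATH and ip_allowed(client_ip)
```

The code lookup is keyed by the administrator, and a wrong guess only increments the counter for that pending code, so the attempt limit cannot be reset by simply re-submitting the form.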

5. Session and User Data Protection

The goal is to ensure the confidentiality and integrity of user data at all stages.

Data Encryption in the Database: Sensitive information (e.g., personal data, tokens) is stored in the database in encrypted form. Even in the event of a database leak, this information will remain inaccessible without the encryption key.

Secure Cookies: All critical cookies (especially session cookies) have the following attributes:

- 'Secure' — cookies are transmitted only over a secure HTTPS connection.

- 'HttpOnly' — blocks access to cookies from JavaScript, so a script injected through an XSS vulnerability cannot read the session cookie.

- 'SameSite' — prevents sending cookies with cross-site requests, strengthening protection against CSRF.

Session binding to IP and User-Agent: Each user session is bound to the IP address and the browser's 'User-Agent' header. If these change, the session becomes invalid, and the user must log in again. This prevents the use of a stolen session cookie from another device or network.
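The cookie attributes and the session binding from the items above, as an added example written for this page rather than taken from the script. The cookie name, lifetime and the HMAC-based fingerprint are the example's assumptions; the session store is an in-memory dictionary standing in for the server-side store.

```python
import hashlib
import hmac
import secrets


def session_cookie_header(session_id: str, max_age: int = 3600) -> str:
    # Secure: HTTPS only. HttpOnly: invisible to document.cookie.
    # SameSite=Strict: never sent on a request initiated by another site.
    attrs = [
        f"sid={session_id}",
        "Path=/",
        f"Max-Age={max_age}",
        "Secure",
        "HttpOnly",
        "SameSite=Strict",
    ]
    return "Set-Cookie: " + "; ".join(attrs)


def client_fingerprint(ip: str, user_agent: str, key: bytes) -> str:
    # Keyed hash of IP + User-Agent; the key keeps the stored value from being
    # derived by anyone who merely knows a victim's address and browser string.
    msg = f"{ip}\n{user_agent}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def create_session(store: dict, ip: str, user_agent: str, key: bytes, user_id: int) -> str:
    sid = secrets.token_urlsafe(32)
    store[sid] = {"user_id": user_id, "fp": client_fingerprint(ip, user_agent, key)}
    return sid


def load_session(store: dict, sid: str, ip: str, user_agent: str, key: bytes):
    """Return the session only if the presenting client matches the one that created it."""
    sess = store.get(sid)
    if sess is None:
        return None
    if not hmac.compare_digest(sess["fp"], client_fingerprint(ip, user_agent, key)):
        store.pop(sid, None)   # binding broken: invalidate and force a fresh login
        return None
    return sess
```

One operational consequence worth planning for: clients behind carrier NAT or on mobile networks change IP address legitimately, so strict IP binding will log those users out; binding to the User-Agent alone, or to a network prefix rather than the full address, is the usual compromise.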

Session encryption: Session data is stored encrypted on the server, protecting it from unauthorized reading if the server is compromised.

Conclusion

The presented security system is not a static set of rules. It is a dynamic, multi-layered shield that is constantly evolving.

XSS/SQL injection protection ensures code and data integrity.

Upload validation closes one of the most dangerous attack vectors.

Brute-force blocking and session binding make unauthorized access extremely difficult.

Hiding and enhanced authentication in the admin panel protect the most valuable segment.

Data encryption and secure cookies guarantee the confidentiality of information both in storage and during transmission.

This comprehensive approach, which now includes reliable protection against malicious files, ensures a high level of security for scripts and user data, in line with the best practices of modern web development. Security is a process, and we continue to work to strengthen it.
