• Identify the Cause: Analyze access logs for suspicious activity and pinpoint the vulnerability.
• Clean and Restore: Restore your website from a clean backup and thoroughly remove any malicious code.
• Address Vulnerabilities: Patch security holes, update software, and strengthen security configurations.
• Seek Expert Help: If needed, consult security professionals for assistance with cleanup and prevention.

• SSL: Enable HTTPS for encrypted communication and improved user trust.
• Secure Zones: Configure sensitive zones to require confirmed sessions.
• Restrict Logins: Enforce IP address confirmation for enhanced account security.
• Maintenance Scripts: Restrict access to maintenance scripts like upgrader.php via IP restrictions.
• Server Hardening: Disable unnecessary services, change default ports, enable automatic updates, and more.
• Robots.txt: Use the robots.txt file to prevent search engine indexing of sensitive areas.

• XSS Attacks: By restricting inline scripts and limiting script sources.
• Data Injection Attacks: By controlling the allowed origins for data requests.
• Clickjacking: By specifying allowed framing sources.

• Confirmed: When you actively log in with your credentials.
• Non-confirmed: When you return to the site and are automatically logged in via cookies.

• Choose a Secure Host: Opt for hosts that offer suEXEC and open_basedir for better account isolation.
• Test Security: Verify the host's security measures with the provided filesystem_browser.php script.
• Restrict _config.php: Remove world-writable permissions from _config.php after installation.

• HTML Filtering: Configurable levels of filtering prevent malicious script injection.
• Content Security Policy (CSP): Restricts the sources from which scripts and other resources can be loaded.
• Input Sanitization: Data is sanitized before being processed to prevent malicious code execution.
• Output Encoding: Data displayed to users is properly encoded to prevent interpretation as active code.

• DODGY_GET_HACK: Suspicious URLs with potentially harmful characters.
• EVIL_POSTED_FORM_HACK: Possible CSRF attempts via malicious form submissions.
• SCRIPT_UPLOAD_HACK: Attempts to upload PHP scripts, potentially malicious.
• DOWNLOAD_PRIVATE_URL_HACK/TRY_TO_DOWNLOAD_SCRIPT: Attempts to download sensitive files.
• BRUTEFORCE_LOGIN_HACK: Repeated failed login attempts.
• SQL_INJECTION_HACK: Attempts to exploit SQL queries for data extraction.

• Avoid FTP: Use secure alternatives like SFTP or SSH for file transfer.
• Secure Email: Enable SSL for IMAP and POP3 email protocols.
• Strong Passwords: Use unique and complex passwords for different services.
• Secure Computers: Keep your own devices patched and secure.
• Maintenance Password: Remove the maintenance password from _config.php when not in use.

• Visual representation of password quality and enforcement of complexity rules.
• Password expiry and prevention of re-use.
• Secure password hashing, even if the database is compromised.
• Temporary passwords for staff setup.

• Two-factor authentication via IP address approval.
• IP address banning, including wildcard banning.
• Session locking to IP addresses.
• Configurable session expiry times.
• Ability to prevent privileged actions from auto-logged in sessions.
• Optional member approval process.

• Comprehensive audit logging of administrative actions.
• Logging of user actions and IP address history.
• Tools to analyze audit logs.
• Failed login logging.
• Hack attack detection, logging, and banning.
• Email notifications for changes to user credentials.

• Protection against CSRF attacks.
• Click-jacking prevention via CSP implementation.
• Secure coding standards and scanning techniques.
• Configurable HTML filtering to prevent XSS attacks.
• Secure code modularization standards.

• Granular privileges and access permissions.
• Content submission validation process.
• Rootkit detection system.
• Spam prevention systems.
• Web application firewall rules.
• Moderation systems.

• MySQL timeout setting: For MySQL 5.7+, set a query timeout to prevent searches from locking up your database. Composr automatically sets this, but you can configure it manually if needed.
• Use InnoDB tables: Switching to InnoDB tables in MySQL can prevent slow queries from affecting other users on your website. Note that InnoDB is not officially supported by Composr yet.
• Enable the fast custom index: As mentioned earlier, the fast custom index is optimized for handling large datasets and filtered searches, potentially leading to significant speed improvements.

Intuitive sitemap editor: Visually browse your site structure.

Menu editor: Our user friendly editor can work with several different kinds of menu design (drop-downs, tree menus, pop-ups, etc)

Zones (sub-sites): Organise your pages into separate zones. Zones can have different menus, themes, permissions, and content. They can also use a sub-domain.

Full structural control: Edit, move, and delete existing pages and modules.

Redirects: Set up redirects if you move pages, or if you want pages to appear in more than one zone.

Use Composr for clients and pretend you made it.

We ensure Composr is not hard-coded anywhere in the software where it would appear to an average user.

Responsive design and hi-dpi images

True and correct XHTML5 markup

WCAG, ATAG: Meeting of accessibility guidelines in full.

Tableless CSS markup, with no hacks

Support for all major web browsers

Inbuilt tools for checking webstandards conformance of XHTML5, CSS, and JavaScript

Extra markup semantics including Dublin Core support, schema.org, Open Graph, and microformats.

Standards-based JavaScript (modern DOM and AJAX, no DOM-0 or innerHTML)

Automatic cleanup of bad XHTML5: HTML outside your control (e.g. from RSS) will be cleaned up for you.

Highly optimised code

Can run CDNs

Multiple levels of caching

Sophisticated template compiler

Self-learning optimisation system

Automatic pruning of old cache files when caches get large

Translate Composr into your own language

Translate content into multiple languages

Custom time and date formatting

Language packs: Download new language packs as users post them; host multiple languages on your website at the same time.

Time zone support: Members may choose their own time zones, and dates / times will adapt to them.

Support for different character sets and Unicode

Serve different theme images for different languages

Right-to-left languages possible

Professionally designed user interfaces

AJAX techniques: Streamlined website interaction.

WYSIWYG editing

Tutorials: Over 200 written tutorials, and a growing collection of video tutorials.

Displays great on mobiles: Mobile browsers can be automatically detected, or the user can select the mobile version from the footer. All public website features work great on QVGA or higher. The default theme is also responsive and will adapt to the client screen size.

A consistent and fully integrated feature-set: Breadcrumb navigation, previews, and many other features we didn't have space to mention here – are all present right across Composr.

Supports different URL schemes and textual monikers

Automatic site-map generation: Both XML Sitemaps and sitemaps for users.

Metadata: Meta descriptions and keywords for all content. Auto-summarisation.

Keyword density analysis when previewing content

Correct use of HTTP status codes

Content-contextualised page titles

Semantic and accessible markup (e.g. ‘alt tags')

Compliance with major data protection legislation such as the GDPR

Allow members to download or purge their personal data from their profile. Set a limit on the number of days between downloads / purges to preserve server resources.

Also manage member data to a more technical degree in the Administration Zone.

Allow members to purge their data upon deleting their member account

Composr is careful to maintain important data (such as warnings or bans) when members request their data to be purged from their profile. But this data can still be purged on the admin side (in the Admin Zone).

Automatic generation of a basic Privacy Policy based on site settings and installed addons

Cookie Consent notice

Set declarations on the rules page which members must agree to on registration (or whenever they are changed) which are also stored in the database and e-mailed to the member as a written copy

Automatic detection, logging, notifying, and banning of hackers

2-factor-authentication: E-mail based 2-factor-authentication security when unrecognised IP addresses are used with certain usergroups (optional, Conversr-only).

Password strength checks: Enforce minimum password strengths based on length and use of upper / lower case, numbers, and symbols, and avoiding repeated characters (Conversr-only).

Architectural approaches to combat all major exploit techniques

A JavaScript framework that makes XSS attacks virtually impossible

Defence-in-depth: Multiple layers of built-in security.

Encrypted custom profile fields: Once set the CPF can't be read unless a key password is entered (Conversr-only, requires OpenSSL).

Extensive support and use of Content Security Policy (CSP)

Track failed logins and automatically ban brute-force attacks

HTML filtering

Protection against CSRF attacks: Forms and AJAX requests make use of randomly generated POST tokens

Root-kit detection kit for developers

Cookies are secure and HttpOnly where possible to prevent session hijacking

Set number of days that passwords expire or must be changed

(Conversr Only)

Issue warnings (with an optional Private Topic sent to them) for unruly members. Optionally include one or more of several punitive actions as explained below.

Ban the member's IP address so they can no longer access the site from that device (this also adds their IP address in your htaccess file)

Ban the member so they can no longer log in (and their profile can no longer be viewed by others except high-ranking staff)

Report spammers to public blocklists such as Stop Forum Spam

Put members in a special restricted 'probation' usergroup for a specified number of days

Silence a member from the forum or topic on which they made their problematic post (this also works on comments).

Change a member's usergroup (useful to de-rank them)

Automatically delete recent or violating content / posts posted by the member

Charge points from the member's balance (also affects rank points to penalise their ability to rank up)

Reverse recent point transactions members made in abuse

Save and load explanatory messages for future use

Automatically generate punitive action text in the Private Topic sent to the member

Members can view their account standing on their profile, including any active punitive actions and their warnings history

Staff can view full details of individual warnings including an action log and options to undo some of the individual punitive actions

Develop your own cns_warnings hooks to define additional punitive actions that can be used with the warnings system

Use one of the several pre-defined "reasons" for a warning in the dropdown to include the warning in your site statistics (for number of warnings issued by reason).