Recommendations for making your YourSites server as secure as possible.
- Make sure the server runs on https:// in the frontend and backend
- Use a dedicated site and domain/subdomain - do not install any additional extensions (with the exception of backup and security addons such as Akeeba Backup or Akeeba AdminTools)
- Make this domain/subdomain obscure and don't publish any links to it where search engines may find it.
- Even if you run YourSites on an obscure subdomain, you should ideally run YourSites within a very obscure and hidden folder. So an ideal domain/folder for YourSites would be something like https://lskniune.myyoursites.com/._kwjniun98one867gbi/
- Disable user registration.
- Disable all non-essential core Joomla components e.g. Banners, Contacts, Articles, Media. Leave Fields and Tags enabled since these are used in YourSites.
- Use one or more additional authentication mechanisms for the backend:
  - 2 Factor Authentication
  - Basic access authentication (popup username/password)
  - Secret words in backend URLs (e.g. /administrator?mysecretword)
  - IP address restrictions on access - if you can always access your YourSites server from fixed IP addresses then block access from all other IP addresses
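
As an added example (not taken from the YourSites documentation), the Basic access authentication and IP address restriction items above can be combined in an `.htaccess` file placed in the Joomla `administrator` folder. It assumes Apache 2.4 with `.htaccess` overrides enabled; the password file path and the IP addresses are constructed placeholders.

```apache
# Added example: .htaccess for the /administrator folder (Apache 2.4 assumed).
# Placeholders: the AuthUserFile path and both addresses (documentation ranges)
# are constructed values; substitute your own.

AuthType Basic
AuthName "Restricted backend"
# Keep the password file outside the web root so it can never be downloaded.
# It can be created with: htpasswd -c -B /home/example/private/.htpasswd admin
AuthUserFile /home/example/private/.htpasswd

# Pitfall: bare "Require" lines outside a container are combined as "any of",
# so listing "Require ip" and "Require valid-user" side by side would let a
# request through if it satisfied EITHER condition. <RequireAll> makes both
# conditions mandatory.
<RequireAll>
    # Condition 1: the request comes from one of your fixed addresses
    Require ip 203.0.113.10 198.51.100.0/24
    # Condition 2: the browser supplied a valid username/password
    Require valid-user
</RequireAll>
```

Basic authentication sends the password with every request in a reversible encoding, so this only adds protection when the backend is served over https:// as recommended at the top of this list.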
You can increase the security of YourSites further, but at the cost of making the addition of sites to your YourSites server a little bit more complicated:
- Running YourSites on a private server or your local computer
- Basic access authentication (popup username/password) for the frontend
- Setting the frontend of the site offline - if you do this then you MUST use the CLI interface for your CronJobs
In all these cases you will need to add your sites to YourSites manually by downloading and installing a site-specific client package. The main functionality of YourSites will work perfectly on such a restricted server.