# Security: 2FA, HSTS, SSL, and WAF
Scottsdale Mint implements multiple layers of security for the WordPress admin and customer accounts to protect high-value precious metals transactions.
## Imperva WAF (Web Application Firewall)
All traffic passes through Imperva before reaching AWS. Imperva is the outermost security layer in the request chain:
Visitor → Imperva WAF → Amazon CloudFront → AWS Lambda (WordPress)

Protections Imperva provides:
| Protection | Description |
|---|---|
| DDoS mitigation | Absorbs volumetric and application-layer DDoS attacks |
| Bot management | Detects and blocks malicious bots and scrapers |
| IP reputation filtering | Blocks known malicious IP ranges |
| OWASP Top 10 rules | SQLi, XSS, RFI, LFI, and other common web attack protection |
| Rate limiting | Throttles abusive request patterns per IP/session |
| Geo-blocking | Can restrict access by country if required |
CloudFront is not used as a firewall. Its role is CDN caching and request routing. All WAF/security filtering happens at Imperva upstream.
## Two-Factor Authentication (2FA)

### Plugin
- Plugin: WP 2FA Premium (by WBarrish or equivalent commercial 2FA plugin)
- SMS provider: Twilio
### 2FA Coverage
| User Group | 2FA Required |
|---|---|
| WordPress administrators | Mandatory |
| WooCommerce shop managers | Mandatory |
| Compliance officers | Mandatory |
| Regular customers | Optional (configurable) |
### Authentication Methods
Users can choose from:
- SMS (Twilio): one-time code sent via text message
- Email: one-time code sent to the account email address
- Authenticator app: TOTP (compatible with Google Authenticator, Authy)
- Backup codes: one-time download during setup
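The authenticator-app method above is TOTP (RFC 6238). The following is an added example, not code from WP 2FA or from this site, showing how a server verifies a submitted code with a small clock-skew window and a replay guard. The function names, the ±1 step window and the `lastUsedStep` replay check are this example's own design choices; the self-test uses the RFC 6238 Appendix B test vector.

```php
<?php
// Added example (not the 2FA plugin's code): RFC 6238 TOTP verification.
// Names prefixed sm_ are assumptions for this example.
declare(strict_types=1);

// Decode an RFC 4648 base32 secret as an authenticator app receives it during enrollment.
function sm_b32_decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 secret');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {
            $out .= chr(bindec($chunk));
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation.
function sm_hotp(string $key, int $counter, int $digits = 6): string
{
    $hash = hash_hmac('sha1', pack('J', $counter), $key, true);
    $offset = ord($hash[19]) & 0x0f;
    $code = ((ord($hash[$offset]) & 0x7f) << 24)
          | (ord($hash[$offset + 1]) << 16)
          | (ord($hash[$offset + 2]) << 8)
          | ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Returns the time step that matched (to be persisted as the user's last used step),
// or null when the code is wrong, outside the window, or a replay of an already-used step.
function sm_verify_totp(
    string $key,
    string $code,
    int $now,
    ?int $lastUsedStep,
    int $window = 1,
    int $period = 30,
    int $digits = 6
): ?int {
    $step = intdiv($now, $period);
    for ($i = -$window; $i <= $window; $i++) {
        $candidate = $step + $i;
        // Replay guard: never accept a step at or before one already consumed.
        if ($lastUsedStep !== null && $candidate <= $lastUsedStep) {
            continue;
        }
        // Constant-time compare so a wrong code leaks nothing through timing.
        if (hash_equals(sm_hotp($key, $candidate, $digits), $code)) {
            return $candidate;
        }
    }
    return null;
}

if (PHP_SAPI === 'cli') {
    // RFC 6238 Appendix B vector: ASCII key "12345678901234567890", time 59 -> step 1, 8 digits -> 94287082.
    $key = '12345678901234567890';
    if (sm_hotp($key, 1, 8) !== '94287082') {
        throw new RuntimeException('HOTP self-test failed');
    }
    // Same key as an authenticator app would see it (base32 of the ASCII key, constructed here).
    $secret = sm_b32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
    // First use at t=59 with the 6-digit code for step 1 succeeds and returns step 1.
    if (sm_verify_totp($secret, '287082', 59, null) !== 1) {
        throw new RuntimeException('TOTP verify self-test failed');
    }
    // Re-submitting the same code after step 1 was recorded is rejected as a replay.
    if (sm_verify_totp($secret, '287082', 59, 1) !== null) {
        throw new RuntimeException('replay guard self-test failed');
    }
    echo "TOTP self-tests passed\n";
}
```

The caller must store the returned step against the user (in user meta, for instance) and pass it back as `$lastUsedStep` on the next attempt; without that, a code captured during its 30-second validity can be replayed inside the skew window.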
### Twilio Integration
SMS-based 2FA uses Twilio. The 2FA plugin connects to Twilio's messaging API.
| ENV Variable | Description |
|---|---|
| TWILIO_ACCOUNT_SID | Twilio account SID |
| TWILIO_AUTH_TOKEN | Twilio auth token |
| TWILIO_FROM_NUMBER | Twilio from phone number (e.g., +16022841200) |
### Patch

patches/2FA-fix-path-in-twilio.patch

This patch fixes a file path resolution issue in the 2FA plugin's Twilio integration under the Bedrock directory structure.
## HTTP Strict Transport Security (HSTS)

The site enforces HTTPS via HSTS headers:

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
```

HSTS is typically configured at:

- CloudFront: headers injected by a CloudFront response headers policy
- Lambda (Ymir): can be set in the `ymir.yml` response header configuration
Once a browser receives the HSTS header, it will refuse HTTP connections for the configured duration (1 year) and attempt HTTPS automatically.
## SSL/TLS
All traffic is served over HTTPS:
- SSL certificates managed by AWS Certificate Manager (ACM), auto-renewing
- TLS 1.2 minimum (TLS 1.3 preferred)
- Configured on the CloudFront distribution
The WordPress WP_HOME, WP_SITEURL, and FORCE_SSL_ADMIN settings enforce HTTPS for all WordPress requests.
### Configuration in config/application.php

```php
// Bedrock's config/application.php imports these at the top of the file.
use Roots\WPConfig\Config;
use function Env\env;

// Force HTTPS for wp-admin and wp-login.php.
define( 'FORCE_SSL_ADMIN', true );
Config::define( 'WP_HOME', env('WP_HOME') ); // Always https://scottsdalemint.com
Config::define( 'WP_SITEURL', env('WP_SITEURL') ); // Always https://scottsdalemint.com/wp
```
## Content Security Policy (CSP)
A Content Security Policy restricts which external scripts and resources can be loaded, preventing XSS attacks.
The CSP is configured to allow:
- PayPal hosted fields CDN
- Kount data collector CDN
- NFusion chart widget CDN
- Algolia InstantSearch CDN
- Google Analytics, Google Tag Manager
- Attentive SMS CDN
- Yotpo CDN
- FontAwesome / Google Fonts
Review the CSP when adding new third-party integrations; a missing CSP directive will silently block the new integration.
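Both the HSTS header above and the CSP can also be emitted from WordPress itself when the CloudFront or Ymir header configuration is not available (for example on a local Bedrock environment). The following is an added example, not this site's or WordPress's own code: it builds the CSP from an allowlist shaped like the integration list above, shows the report-only rollout that surfaces a forgotten directive as a report instead of a broken checkout, and includes a checker that reproduces the "silently blocked" case. The `sm_` function names, the `SM_CSP_REPORT_ONLY` constant, the `/csp-report` endpoint and every UPPERCASE hostname are placeholders; only the Google hostnames are real.

```php
<?php
// Added example (not Scottsdale Mint's code): emit HSTS and CSP from the
// WordPress send_headers hook. All sm_* names and UPPERCASE hosts are placeholders.
declare(strict_types=1);

const SM_HSTS_ONE_YEAR = 31536000;

// Allowlist mirroring the integrations listed on the page. Replace the UPPERCASE
// placeholders with the exact hosts each vendor documents.
function sm_csp_allowlist(): array
{
    return [
        'default-src' => ["'self'"],
        'script-src'  => ["'self'",
                          'https://PAYPAL-HOSTED-FIELDS-CDN', 'https://KOUNT-COLLECTOR-CDN',
                          'https://NFUSION-WIDGET-CDN', 'https://ALGOLIA-CDN',
                          'https://www.googletagmanager.com', 'https://www.google-analytics.com',
                          'https://ATTENTIVE-CDN', 'https://YOTPO-CDN'],
        'connect-src' => ["'self'", 'https://ALGOLIA-CDN', 'https://www.google-analytics.com'],
        'frame-src'   => ['https://PAYPAL-HOSTED-FIELDS-CDN'],
        'style-src'   => ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
        'font-src'    => ["'self'", 'https://fonts.gstatic.com', 'https://FONTAWESOME-CDN'],
        'img-src'     => ["'self'", 'data:', 'https:'],
    ];
}

// Serialise the allowlist into a single header value.
function sm_build_csp(array $allowlist): string
{
    $parts = [];
    foreach ($allowlist as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', array_unique($sources));
    }
    return implode('; ', $parts);
}

// Would the browser allow $origin for $directive? When the directive is absent the
// browser falls back to default-src, which is exactly why a forgotten entry blocks
// a new vendor without any server-side error.
function sm_csp_allows(array $allowlist, string $directive, string $origin): bool
{
    $sources = $allowlist[$directive] ?? $allowlist['default-src'] ?? [];
    foreach ($sources as $src) {
        if ($src === $origin) {
            return true;
        }
        if ($src === 'https:' && str_starts_with($origin, 'https://')) {
            return true;
        }
        if (str_starts_with($src, 'https://*.')) {              // wildcard host, e.g. https://*.example.com
            $suffix = substr($src, strlen('https://*'));
            if (str_ends_with($origin, $suffix)) {
                return true;
            }
        }
    }
    return false;
}

function sm_send_security_headers(): void
{
    if (headers_sent()) {
        return;
    }
    // Only one layer should emit HSTS; omit this line if CloudFront already injects it.
    header('Strict-Transport-Security: max-age=' . SM_HSTS_ONE_YEAR . '; includeSubDomains; preload');

    $csp = sm_build_csp(sm_csp_allowlist()) . '; report-uri /csp-report';
    // Roll a changed policy out in report-only mode first, then switch to enforcing.
    $reportOnly = defined('SM_CSP_REPORT_ONLY') && SM_CSP_REPORT_ONLY;
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header($name . ': ' . $csp);
}

if (function_exists('add_action')) {
    add_action('send_headers', 'sm_send_security_headers');
}

if (PHP_SAPI === 'cli') {
    $allow = sm_csp_allowlist();
    echo sm_build_csp($allow), "\n";
    // An allowlisted vendor script loads; a vendor added to the page but not to the
    // allowlist is blocked with no server-side symptom.
    var_dump(sm_csp_allows($allow, 'script-src', 'https://www.googletagmanager.com'));
    var_dump(sm_csp_allows($allow, 'script-src', 'https://cdn.new-vendor.example'));
    // A directive that was never declared falls back to default-src ("'self'" only).
    var_dump(sm_csp_allows($allow, 'worker-src', 'https://www.googletagmanager.com'));
}
```

Run the file with `php` on the command line to print the assembled policy and the three checks; inside WordPress the `send_headers` hook does the same work per response. Define `SM_CSP_REPORT_ONLY` as `true` in `config/environments/` for staging so new integrations are validated through CSP reports before the enforcing header goes live.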
## WordPress Admin Security
| Measure | Implementation |
|---|---|
| 2FA | WP 2FA Premium (mandatory for admins) |
| Login rate limiting | Wordfence or security plugin |
| Admin URL change | Custom admin URL (if configured) |
| XML-RPC disabled | Via suma-patches or security plugin |
| REST API authentication | Nonce or Application Passwords for API clients |
| File editing disabled | DISALLOW_FILE_EDIT = true in config/application.php |
## WooCommerce Security
| Measure | Implementation |
|---|---|
| PCI compliance | PayPal PPCP hosted fields; no card data on server |
| Fraud screening | Kount pre-auth on all card transactions |
| Order access control | WooCommerce Order Access REST API: only the order owner or an admin can access |
| Payment webhooks | Verified by HMAC signature |
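The "verified by HMAC signature" row above is the check that stops a forged callback from marking an order as paid. The following is an added example, not WooCommerce's or any payment gateway's code, showing the shape of such a check on a WordPress REST endpoint: the raw request body is signed together with a timestamp, compared in constant time, and rejected when the signature header is missing or the message is stale. The header names, the `PAYMENT_WEBHOOK_SECRET` environment variable, the `sm/v1/payment-webhook` route and the five-minute window are assumptions; each gateway documents its own scheme and PayPal in particular uses its own webhook verification rather than a shared secret.

```php
<?php
// Added example (not WooCommerce's or a gateway's code): HMAC-SHA256 webhook
// verification. Header names, secret source, route and window are assumptions.
declare(strict_types=1);

const SM_WEBHOOK_MAX_AGE_SECONDS = 300;

// The timestamp is part of the signed message so a captured request cannot be
// replayed later with a fresh timestamp.
function sm_webhook_signature(string $secret, int $timestamp, string $rawBody): string
{
    return hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);
}

// Verify against the RAW body exactly as received; re-serialising a decoded
// array changes whitespace and key order and breaks the signature.
function sm_verify_webhook(string $secret, string $rawBody, array $headers, int $now): bool
{
    $sig = $headers['X-Webhook-Signature'] ?? '';
    $ts  = $headers['X-Webhook-Timestamp'] ?? '';
    if ($secret === '' || $sig === '' || !ctype_digit($ts)) {
        return false;                                   // missing secret or headers: reject, never skip
    }
    if (abs($now - (int) $ts) > SM_WEBHOOK_MAX_AGE_SECONDS) {
        return false;                                   // stale or future-dated message
    }
    $expected = sm_webhook_signature($secret, (int) $ts, $rawBody);
    return hash_equals($expected, $sig);                // constant-time comparison
}

if (function_exists('add_action')) {
    add_action('rest_api_init', function () {
        register_rest_route('sm/v1', '/payment-webhook', [
            'methods'             => 'POST',
            'permission_callback' => '__return_true',   // authentication is the signature check
            'callback'            => function (WP_REST_Request $req) {
                $secret = getenv('PAYMENT_WEBHOOK_SECRET') ?: '';
                $ok = sm_verify_webhook($secret, $req->get_body(), [
                    'X-Webhook-Signature' => (string) $req->get_header('x-webhook-signature'),
                    'X-Webhook-Timestamp' => (string) $req->get_header('x-webhook-timestamp'),
                ], time());
                if (!$ok) {
                    return new WP_REST_Response(['error' => 'invalid signature'], 401);
                }
                $event = json_decode($req->get_body(), true);
                // Hand the verified event to order processing here, keyed by the gateway's
                // event id so a legitimately re-delivered webhook is applied only once.
                return new WP_REST_Response(['received' => $event['id'] ?? null], 200);
            },
        ]);
    });
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: a gateway callback for a test order.
    $secret  = 'constructed-test-secret';
    $body    = '{"id":"evt_TEST_1","order_id":"TEST-1001","status":"captured"}';
    $now     = 1700000000;
    $headers = [
        'X-Webhook-Timestamp' => (string) $now,
        'X-Webhook-Signature' => sm_webhook_signature($secret, $now, $body),
    ];
    var_dump(sm_verify_webhook($secret, $body, $headers, $now));          // genuine delivery
    var_dump(sm_verify_webhook($secret, $body . ' ', $headers, $now));    // body altered in transit
    var_dump(sm_verify_webhook($secret, $body, $headers, $now + 600));    // replayed after the window
    var_dump(sm_verify_webhook($secret, $body, ['X-Webhook-Timestamp' => (string) $now], $now)); // no signature
}
```

Keep the endpoint's `permission_callback` permissive only because the HMAC check is the authentication; a webhook route that skips verification when the header is absent is equivalent to no verification at all.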
## Lambda Security
The serverless Lambda environment provides additional security isolation:
- Each Lambda execution is ephemeral: no persistent file system access
- Environment variables are encrypted at rest via AWS Secrets Manager or Lambda environment encryption
- S3 access is via IAM roles: no long-lived credentials in code
- VPC configuration restricts Lambda to private subnets with no direct internet exposure (traffic via NAT gateway)