At Purple Ninja we try our absolute best to meet the latest security standards and do everything the way it should be. We don't take shortcuts.
All Purple Ninja servers run iptables with a default-deny policy, and exceptions are only made on an as-needed basis. So the only incoming connections that are allowed are the ones we choose. Specifics are available below:
Cloud Web Servers - SSH port & HTTP/HTTPS ports.
Dedicated Servers - Run on an internal network, so only a single server is exposed to the public; in this case: SSH port, HTTP/HTTPS ports, ports required for specific gaming servers (depending on which are running on each dedicated server).
All servers have brute-force preventive measures in place.
Server databases are independent and only accessible internally, so should one website be attacked, the others would not be compromised.
All of our websites that have user login systems utilise HTTPS as standard, so all data, even when not logged in, is encrypted. In late 2017 we plan to use HTTPS as standard on all Purple Ninja websites.
All connections to our servers are logged, so we can see if anyone's doing anything suspicious!
All servers are always running the latest OS software, so important security updates are applied as soon as they are available.
All 3rd party software required for our websites to function is also updated regularly.
All Purple Ninja websites are scanned weekly for web and network vulnerabilities using the same software used by NASA and the US Air Force. This includes common web attacks such as SQL Injection (prevented through prepared statements and strict server-side validation & sanitisation) and XSS, and also covers network vulnerabilities such as Heartbleed.
All passwords are salted and hashed before being stored in our databases, so we never see user passwords. We only see what looks like a randomly generated series of characters: the hash that represents your password.
A nice way of getting your head around this is with a simple maths equation. Say you had the numbers 4 and 15: squaring each and multiplying the results together gives 3600 (4² x 15²). If you only knew that the end result was 3600 and you didn't know how many numbers you started with, working out those two initial numbers would be very difficult if not impossible, as there are hundreds of different combinations of numbers that would produce it. Imagine something thousands of times more complex than the sum above; that end result is what we store. So the only way to produce the stored hash is to enter the correct password when logging in. If the hash function we use is ever compromised, we will immediately update to a secure one and force a password reset for all users.
Your plaintext password is never logged.
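As an added illustration of the salted-hash scheme described above (example code written for this page, not Purple Ninja's own), the snippet below stores each password as a self-describing record so that the "switch to a stronger function and force a reset" step is possible later. It assumes PBKDF2-SHA256 as the hash function and a made-up record format; the hypothetical helper names are my own.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed record format: "<algorithm>$<iterations>$<salt hex>$<digest hex>".
# Keeping the algorithm and parameters next to the digest lets old records be
# recognised and upgraded when a stronger function or cost is adopted.
CURRENT_ALGO = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salt and hash a password; a fresh 16-byte random salt per user is the default."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{CURRENT_ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False  # unknown algorithm: fail closed rather than guess
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str) -> bool:
    """True when the record was written with an older algorithm or a weaker cost."""
    algo, iterations, _, _ = stored.split("$")
    return algo != CURRENT_ALGO or int(iterations) < CURRENT_ITERATIONS


def login(password: str, stored: str) -> Tuple[bool, str]:
    """Check the password; on success, return an upgraded record if the stored one is stale."""
    if not verify_password(password, stored):
        return False, stored
    return True, (hash_password(password) if needs_rehash(stored) else stored)
```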
Our servers are divided between two great hosts (Zare and Linode), so should there ever be issues with one, our entire network can be transferred to the other within minutes. We have a failover system in place that will do this automatically should the event ever arise.
Our server hosts have extremely high level network-redundancy, which means that DDoS attacks are mitigated passively; so our servers never go down due to malicious attacks.
At the date of last updating this (March 2017), our uptime is clocked at 99.97% since July 2013 (monitored at a one-minute resolution with Pingdom). We pride ourselves on updating all of our websites dynamically, so no downtime is required.
We utilise an Anycast+ network for our DNS with DNSMadeEasy. This is the fastest load balancing system for DNS globally, and provides the best redundancy for DNS that exists.
If you think you've found a vulnerability on one of our websites, get in touch! We're happy to reward you for helping us keep our services safe & secure, and to credit you on this page if you wish. If after investigation we find you've abused a vulnerability prior to disclosure, we'll take appropriate legal action & give no reward; please disclose issues responsibly by contacting us via email and provide us adequate time to fix the issue.
Contact us at firstname.lastname@example.org if you have a security concern or think you've found a vulnerability. Google's Vulnerability Reward Program has some great resources if you're not sure how to report something.