At Purple Ninja we try our absolute best to meet the latest security standards and do everything the way it should be. We don't take shortcuts.
All Purple Ninja servers run an iptables firewall with a default-deny policy for incoming traffic: every port is closed unless we have explicitly chosen to open it, and exceptions are only added on an as-needed basis. So the only incoming connections that are allowed are the ones we choose. Specifics are available below:
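The kind of default-deny ruleset that policy describes, as an added example that is not Purple Ninja's actual configuration (the allowed ports 22, 80 and 443, and the `audit_default_deny` check, are assumptions for illustration). `build_default_deny_rules` emits an iptables-restore file whose INPUT policy is DROP, and `audit_default_deny` checks any ruleset in iptables-save format for the two ways a firewall quietly stops being default-deny: an INPUT policy other than DROP, or an ACCEPT rule with no match criteria. `WEAK_RULESET` is a constructed counter-example of the common mistake, a default-ACCEPT policy with a few DROP rules bolted on.

```python
"""Build and audit a default-deny iptables ruleset (iptables-restore format).

Added example, not Purple Ninja's firewall configuration. The allowed ports
and the audit rules below are assumptions chosen for illustration.
"""


def build_default_deny_rules(allowed_tcp_ports):
    """Return a 'filter' table for iptables-restore with INPUT policy DROP.

    Only loopback, replies to connections this host started
    (ESTABLISHED/RELATED) and NEW connections to the listed TCP ports are
    accepted; everything else falls through to the DROP policy.
    """
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",      # default-deny for inbound traffic
        ":FORWARD DROP [0:0]",    # this host does not route for others
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
    ]
    for port in sorted(set(allowed_tcp_ports)):
        lines.append(
            f"-A INPUT -p tcp --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def audit_default_deny(ruleset):
    """Return a list of findings; an empty list means the ruleset is default-deny.

    Parses iptables-save/restore text: ':CHAIN POLICY [pkts:bytes]' lines set
    a chain's policy, '-A INPUT ... -j ACCEPT' lines are allow rules.
    """
    findings = []
    policies = {}
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A INPUT") and line.endswith("-j ACCEPT"):
            match = line[len("-A INPUT"):-len("-j ACCEPT")].strip()
            if not match:  # an ACCEPT rule with no match criteria accepts everything
                findings.append("INPUT has an unconditional ACCEPT rule")
    if policies.get("INPUT") != "DROP":
        findings.append(
            f"INPUT policy is {policies.get('INPUT', 'missing')}, expected DROP"
        )
    return findings


# Constructed example of the mistake the audit catches: default ACCEPT with a
# couple of DROP rules. Anything not listed (e.g. a forgotten admin panel on
# port 8080) is reachable from the whole internet.
WEAK_RULESET = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 3306 -j DROP
COMMIT
"""


if __name__ == "__main__":
    good = build_default_deny_rules([22, 80, 443])
    print(good)
    print("good ruleset findings:", audit_default_deny(good))
    print("weak ruleset findings:", audit_default_deny(WEAK_RULESET))
```

The generated text is applied with `iptables-restore < rules.v4` (and persisted with whatever your distribution uses, such as `iptables-persistent`). Two caveats a practitioner should keep in mind: `ip6tables` has its own, separate ruleset, and a host that is default-deny on IPv4 but untouched on IPv6 is wide open there; and an allow-listed port is only as safe as the service listening behind it.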
All servers have brute-force preventive measures in place.
Each website has its own independent database, so should one website be attacked, the others' data is not exposed through it. Internal connections keep things in sync.
All of our websites that have user login systems use HTTPS throughout, so all traffic between your browser and the site, including pages you view before logging in, is encrypted in transit.
All connections to our servers are logged, so we can see if anyone is doing anything suspicious.
All servers run up-to-date operating systems, so important security updates are applied as they are released.
All third-party software that our websites depend on is also updated regularly.
All Purple Ninja websites are written to protect against SQL injection attacks: database queries use prepared statements (parameterised queries), so user input is never spliced into the SQL text, and all input is subject to strict server-side validation and sanitisation.
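A worked contrast between a query that splices user input into SQL and one that uses a prepared statement, written as an added example in Python against an in-memory SQLite database (this is not Purple Ninja's code; the `users` table, its two rows and the username rule in `is_valid_username` are constructed for illustration). The classic `' OR '1'='1` payload turns the vulnerable lookup into "return every user", while the parameterised version treats the same string as a literal username and finds nothing. The validation function is the second layer the text mentions: it rejects the input before it reaches the database at all.

```python
"""SQL injection: string-built query vs. prepared statement vs. validation.

Added example, not Purple Ninja's code. The database contents and the
username policy are constructed for illustration.
"""
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")  # assumed username policy


def make_db():
    """Constructed sample database: two users, the hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """VULNERABLE: the user's text becomes part of the SQL statement itself."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Prepared statement: '?' is bound as a value and is never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def is_valid_username(username):
    """Strict server-side validation: allow-list the characters, reject the rest."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    # The vulnerable query becomes:
    #   SELECT username FROM users WHERE username = '' OR '1'='1'
    print("vulnerable:", find_user_vulnerable(db, payload))  # every user leaks
    print("safe:      ", find_user_safe(db, payload))        # []
    print("valid?     ", is_valid_username(payload))         # False
```

Note that validation alone is not the defence: a username rule cannot protect a free-text field such as a comment, which is why the prepared statement is the primary control and validation is the extra layer.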
All user input is escaped by default, both when it is stored and again when it is displayed to users, so that cross-site scripting (XSS) attacks are prevented. Where some HTML must be rendered, for example to display line breaks, HTML Purifier is used with an allowlist so that only specific tags are passed through and everything else is stripped.
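Output encoding and an allowlist sanitiser side by side, as an added Python example standing in for the HTML Purifier approach the text describes (this is neither HTML Purifier nor Purple Ninja's code; the allowlist of `<b>`, `<i>` and `<br>`, and the decision to drop every attribute, are assumptions). `escape_for_html` is what every piece of user text gets on display. `sanitize_html` is the narrow exception for fields where a few formatting tags must survive: it rebuilds the fragment from the parser's events rather than filtering the raw string, so event-handler attributes, `<script>` bodies and unbalanced tags cannot slip through.

```python
"""Output escaping plus an allowlist HTML sanitiser.

Added example, not HTML Purifier and not Purple Ninja's code. The allowlist
and the decision to drop all attributes are assumptions for illustration.
"""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "br"}          # assumed allowlist
VOID_TAGS = {"br"}                       # allowed tags that take no closing tag
DROP_CONTENT_TAGS = {"script", "style"}  # remove the tag AND its text content


def escape_for_html(text):
    """Default treatment for user text: every special character is encoded."""
    return html.escape(text, quote=True)


class AllowlistSanitizer(HTMLParser):
    """Re-emit a fragment keeping only ALLOWED_TAGS, with no attributes at all."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []   # allowed tags currently open, used to re-balance output
        self.skip = 0    # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"<{tag}>")  # attrs dropped: no onclick=, href=, style=
            if tag not in VOID_TAGS:
                self.open.append(tag)
        # any other tag is silently removed; its text content is kept, escaped

    def handle_startendtag(self, tag, attrs):  # self-closing form such as <br/>
        if tag in ALLOWED_TAGS and tag in VOID_TAGS and not self.skip:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip = max(0, self.skip - 1)
        elif tag in self.open:
            while self.open:  # also close anything opened after it (mis-nesting)
                opened = self.open.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=True))

    def result(self):
        while self.open:  # close tags the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    hostile = '<b onclick="steal()">hi</b><script>alert(1)</script><img src=x onerror=alert(1)>'
    print(escape_for_html(hostile))   # shown as literal text
    print(sanitize_html(hostile))     # <b>hi</b>
    print(sanitize_html("line one<br>line <i>two"))  # line one<br>line <i>two</i>
```

Comments, doctype declarations and processing instructions never reach `self.out` because the base class's default handlers for them do nothing, so they are dropped as well. The important design point is that the output is generated from parsed events, never by regex-deleting substrings from the input, which is the property that makes HTML Purifier style sanitisers trustworthy.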
All passwords are salted and hashed before being stored in our databases, so we never see user passwords. What we store is the hash: a fixed-length string derived from your password and a random salt by a one-way function, from which the password itself cannot be recovered.
A simple piece of arithmetic gives a feel for why this is one-way. Take the numbers 4 and 15; square each and multiply the results together and you get 3600 (4² × 15²). If all you knew was that the end result was 3600, and you did not even know how many numbers were combined to produce it, working back to those two starting numbers would be very difficult, if not impossible, because many different combinations of numbers produce 3600. A password hash is something thousands of times more complex than that sum, and that end result is what we store. The only way to reproduce the stored hash is to enter the correct password at login, which we hash again with the same salt and compare against what we stored.
Your plaintext password is never logged.
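What "salted and hashed" looks like in code, as an added Python example (not Purple Ninja's implementation; the choice of PBKDF2-HMAC-SHA256, the 600,000-iteration work factor and the `algorithm$iterations$salt$hash` storage format are assumptions). `hash_password` draws a fresh random salt every time, so two users with the same password get different stored values; `verify_password` recomputes the hash with the stored salt and compares in constant time; `unsalted_sha256` is the weak alternative, included only to show why the salt matters.

```python
"""Salted, slow password hashing and verification.

Added example, not Purple Ninja's code. The algorithm, iteration count and
storage format are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage.

    The salt is random per password, so identical passwords produce different
    stored values and a precomputed table of hashes is useless.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:  # malformed record: treat as a failed login, never crash
        return False
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password):
    """WEAK, shown for contrast: one fast hash, no salt.

    Every user with this password gets the same value, and a single lookup
    table of common passwords cracks all of them at once.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print(first)
    print(second)                       # different salt, different stored value
    print(verify_password("correct horse battery staple", first))   # True
    print(verify_password("wrong password", first))                 # False
    print(unsalted_sha256("hunter2") == unsalted_sha256("hunter2")) # True: the weakness
```

The iteration count is stored alongside the hash so it can be raised later without breaking existing logins: a record hashed with the old count still verifies, and can be re-hashed with the new count the next time that user logs in successfully.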
Our servers are divided between two hosts (Zare and Linode), so should there ever be issues with one, our entire network can be transferred to the other within minutes. We have a failover system in place that does this automatically should the event ever arise.
Our hosting providers have extremely high levels of network redundancy, which means that DDoS attacks are mitigated passively, so our servers do not go down under malicious traffic.
At the date of last updating this (August 2014), our uptime is clocked at 99.96% since July 2013 (monitored at a one-minute resolution with Pingdom). We pride ourselves on updating all of our websites in place while they stay live, so no downtime is required.
Our DNS is served from DNS Made Easy's Anycast+ network. Anycast announces the same DNS addresses from many locations worldwide, so each query is answered by the nearest available server; this gives fast resolution and means that the loss of any one location does not take our DNS down.