Security is a wide-ranging topic that requires ongoing concern and vigilance, and it often involves tradeoffs against usability and ease of maintenance. Our goal with mojoPortal Content Management System is to provide security features that allow you to make the decisions when a tradeoff is required. The level of security required varies with the nature of the site, which can range from a personal web site to a banking application.
We recommend encrypting all passwords, regardless of what purpose your site serves.
In mojoPortal you can configure password encryption options in Site Settings. Read more on Password Encryption.
Encrypting Communication Between the Server and the Browser
SSL encryption should be used to secure all content sent back and forth between the browser and the server. Read more on SSL Certificates.
Preventing Bogus Registration
If you want to prevent bogus email addresses from being used to register on your site, you can enable the "Require E-mail Confirmation for Registration" option in the Site Settings (security tab). This will send new users an e-mail message with a link to confirm their account. They will not be able to log in until the account has been confirmed.
Role Based Security
For each page in a mojoPortal web site, you can configure which roles are allowed to view or edit the page. All users are members of the "Authenticated Users" group, which makes it easy to configure a page that anyone who logs in can see but anonymous users cannot. For example, we could secure the Download page this way and require every user to be logged in before being able to download. To secure the files themselves, we could use the Shared Files module rather than just linking directly to the files.
You can create additional roles and have very granular control over which roles can view or edit any specific page. Read more on Roles and Permissions.