Yup, in the interim you could always change the port numbers as well until you can upgrade your infrastructure. A quick fix would be to filter our the input characters: " ; ' - / * xp_ \ and %. In addition to that, you can redirect all your 40x error pages back to your login page. You usualy have to create the pages and then tell the webserver that you have those pages. Like so:
http://httpd.apache.org/docs/2.4/custom-error.htmlYou might also want to capture the login ip address and then for x amount of failed logins, lockout that IP address by adding to the firewall as a block. This will help prevent against someone running a dictionary attack on your login code. You might want to add a timer or captcha after a failed login as well. In the error messages, don't distinguish between a failed username or password, I think you just display a generic error message which is good. If you decide on a password reset function, whether the email address exists or not, don't display an error message if someone submits a bad email address.
Netnames has a bad history of having some lax security for social engineering, if someone figures out your real name, they may attempt to contact them and social engineer a password reset on your vps account. What I usually tell people is to contact them in advance and tell them to deny all password and email change resets over the phone and call you back on your mobile phone. They have a notes field in their customer management systems (I think they use salesforce) so that your request gets honored. You might have to ask for a supervisor, but they will do it. You can also help mitigate someone finding your hosts by using cloudflare to help mask some of your DNS lookup traffic, plus cloudflare has some DDoS features too for cheap. It's not foolproof, but it will keep the kiddies at bay.
Lastly, you might want to throw in what I call a fake breadcrumb trail or Chum in your php/html. In the comments section of your login page, deposit, or withdrawal page, something that goes like this:
/* Hot wallet is located at fake.ip.address and rpc login is fakepassword on port fakeport. */
It won't fool everyone, but you can at least redirect some of the snooping elsewhere. I would also create a fake directory in the php directory called wallet and put a wallet.dat file in there with 0 btc in it or dust. That way if someone breaks in, they'll go for the easy target. You can then monitor the file for access or the wallet balance to see if it gets nabbed.
In your database, don't call the password field password, call it something else like indexing, etc and then dump in fake unencrypted passwords into the password field. I often create fake user, password, and email tables for my applications. That way, if someone steals the password database, they'll go for the low hanging fruit to buy yourself some time. Also, avoid MD5 and SHA1 for encryption, I'm sure you already know this, but just putting it out there. When you salt your passwords, don't store the salt in the config files. You can also write a function to scan for a specific account in there, like Admin and P@ssw0rd, so if someone uses them, you'll get some type of an alert and then a shutdown function so you know your username and password table has been compromised and powers down (or disables) the services preventing additional loss.
