
Security Features

From BensMomCraft Wiki
| Layer | What it does | Where you can spot it |
| --- | --- | --- |
| TLS everywhere | The site forces an automatic HTTP→HTTPS redirect, so all traffic is encrypted in transit. | Hitting http://bensmomcraft.com bounces straight to https://… (bensmomcraft.com) |
| OAuth log-ins | Instead of making you create yet another password, you can authenticate with Discord or Google; both hand you back via the standard OAuth 2.0 flow, meaning the site never handles your credentials. | Login / Register screens show the social buttons (bensmomcraft.com) |
| NamelessMC hardening | The site runs the NamelessMC CMS, which ships with: • bcrypt-hashed passwords • built-in CSRF tokens on every form • optional Google reCAPTCHA for registration • optional per-group or per-user TOTP 2FA | NamelessMC docs highlight 2FA & reCAPTCHA settings (docs.namelessmc.com, github.com) and its April 2025 security-patch release notes (namelessmc.com) |
| Legal & privacy notices | Dedicated Terms & Conditions, Privacy Policy, and Cookie Notice links in the footer satisfy basic GDPR/CCPA transparency and give you opt-in tracking consent. | Footer links on every page (bensmomcraft.com) |
| Cookie-banner opt-in | Visitors from regions that require it see a banner before non-essential cookies are set, reducing regulatory exposure. (It’s the stock NamelessMC “Cookie Notice” module.) | Footer + first-load banner trigger (bensmomcraft.com) |
| Isolated payments | All rank/keys purchases jump to Tebex.io, which is PCI-DSS compliant and runs its own fraud filters, so your site never touches card data. | “Shop Now” button points to Tebex (bensmomcraft.com) |
| Account-consent gate | New users must tick “I Agree” to the T&C before registration is accepted, adding an explicit contract layer. | Register page checkbox (bensmomcraft.com) |
| Role-based permissions | NamelessMC lets you granularly restrict StaffCP access, forum moderation, API tokens, etc., minimising blast radius if a staff account is compromised. | Exposed in StaffCP; documented in NamelessMC docs (docs.namelessmc.com) |
| Non-default game port | The public server address (play.bensmomcraft.com:25620) isn’t the vanilla 25565 port, which deters the laziest mass-scan botnets. | Front-page IP widget (bensmomcraft.com) |

Extra security you get just by sitting behind Cloudflare

| Layer (edge-side) | What it brings to the party | Source |
| --- | --- | --- |
| Anycast CDN & unmetered DDoS shield | All HTTP/S traffic first lands on Cloudflare’s 310-city Anycast network. Their autonomous systems absorb and disperse L3/L4/L7 floods (unlimited, even on the free tier). | cloudflare.com, developers.cloudflare.com |
| Cloudflare Web Application Firewall (WAF) | A rule-set that blocks OWASP-Top-10 attacks (SQL-i, XSS, file-inclusion, etc.) and lets you add custom “if…then” rules from the dashboard. | cloudflare.com, developers.cloudflare.com |
| Bot Fight Mode | One-click setting that fingerprints headless browsers & known bad ASNs, then rate-limits or puzzles them; handy for vote-spam and credential-stuffers. | developers.cloudflare.com |
| Universal SSL + automatic renewals | Cloudflare issues and rotates DV certs for every host under the domain, so you never chase Let’s Encrypt cron jobs again. Pair it with “Always HTTPS” and HSTS for end-to-end TLS. | developers.cloudflare.com |
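
The forced HTTP→HTTPS redirect and the HSTS pairing mentioned above can be verified from captured responses. The following is an added example, not code from this wiki, NamelessMC or Cloudflare; the function names, the 180-day max-age threshold and the sample captures are assumptions made for illustration.

```python
from urllib.parse import urlsplit
MIN_MAX_AGE = 15552000  # 180 days; threshold picked for this example (assumption)

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797) into a dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isascii() and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def audit_transport(host, http_resp, https_resp):
    """Audit (status, headers) captures of http://host/ and https://host/; return findings."""
    findings = []
    status, headers = http_resp
    target = urlsplit({k.lower(): v for k, v in headers.items()}.get("location", ""))
    dest = target.hostname or ""
    if status not in (301, 302, 307, 308):
        findings.append(f"http://{host}/ answered {status}, not a redirect")
    elif target.scheme != "https":
        findings.append("redirect target is not https")
    elif dest != host and not dest.endswith("." + host):
        findings.append(f"redirect leaves the site: {dest}")
    # Browsers ignore HSTS sent over plain HTTP, so only the HTTPS capture counts.
    _, headers = https_resp
    hsts = {k.lower(): v for k, v in headers.items()}.get("strict-transport-security")
    if hsts is None:
        findings.append("no HSTS header on the HTTPS response")
    else:
        max_age = parse_hsts(hsts)["max_age"]
        if max_age is None:
            findings.append("HSTS header has no valid max-age")
        elif max_age < MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_MAX_AGE}")
    return findings

# Constructed sample captures, not real responses from the site.
GOOD_HTTP = (301, {"Location": "https://bensmomcraft.com/"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
WEAK_HTTPS = (200, {"Strict-Transport-Security": "max-age=0"})

if __name__ == "__main__":
    print(audit_transport("bensmomcraft.com", GOOD_HTTP, WEAK_HTTPS))
```

An empty list means the redirect stays on HTTPS within the site and the HSTS policy meets the chosen threshold; `max-age=0` is reported because it tells browsers to drop the policy.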

Why it matters for BensMomCraft.com

  • Edge filtering before NamelessMC ever sees traffic – SQL-i probes against the forum or shop get nixed at the perimeter, sparing your PHP backend and database.
  • Global POPs mean lower latency for players – Static assets (CSS/JS/avatars) are cached close to EU/Asia visitors, shaving seconds off first load.
  • DDoS peace-of-mind – If someone targets play.bensmomcraft.com or the website because of your spicy “Ben’s a cuck” tracks, Cloudflare’s network takes the blast without extra cost or config.
  • No extra keys to store – OAuth log-ins, Tebex checkout, and NamelessMC sessions still flow through the same TLS tunnel; Cloudflare just manages the certs.