> I have no experience in web development and am making my first site.
Can I very very strongly recommend, that if this site does any collection of PII or handles payments (even if those are 3rd party ones using something like Stripe), that you get a trusted and experienced dev to do a review for you?
You acknowledge you have unknown unknowns; you must also realise that there are people out there (quite likely people you count as friends) whose space of unknown unknowns in the web platform security area is smaller than yours.
There are many unexpected things you likely haven't considered. Where I am, IP addresses are not on their own considered PII, but email addresses are. Somewhat less expectedly though, is that IP addresses that can be linked to another piece of PII then become PII themselves, so if you have a database with an email address and, say, a signup or last login timestamp, suddenly all your web server logs full of IP addresses, request paths (which can identify signups/logins), and timestamps - become linkable via the timestamp/request path to users logging in and their email address in the db, and suddenly the log files become PII with all the duty of disclosure around breaches. (And that's without even considering super common rookie mistakes where PII gets written out in clear text to access or error logs on purpose for debugging reasons.)
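The log-to-database linkage described in the comment above, as an added example that is not part of the original post: a small audit that flags which access-log lines tie an IP address to an email address via request path and timestamp. The log format (combined log format), the paths `/signup` and `/login`, the column names and all sample rows are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from any real system).
ACCESS_LOG = """\
203.0.113.7 - - [12/Mar/2024:09:15:02 +0000] "POST /signup HTTP/1.1" 302 0
198.51.100.23 - - [12/Mar/2024:09:15:40 +0000] "GET /about HTTP/1.1" 200 5120
198.51.100.23 - - [12/Mar/2024:10:01:17 +0000] "POST /login HTTP/1.1" 302 0
192.0.2.55 - - [12/Mar/2024:11:30:00 +0000] "POST /login HTTP/1.1" 401 0
""".splitlines()

USERS = [  # rows as they might sit in a users table (hypothetical columns)
    {"email": "alice@example.com", "signup": "2024-03-12T09:15:02+00:00",
     "last_login": "2024-03-12T09:15:02+00:00"},
    {"email": "bob@example.com", "signup": "2024-01-05T18:00:00+00:00",
     "last_login": "2024-03-12T10:01:18+00:00"},
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Request path -> the DB timestamp column it corresponds to (assumed mapping).
AUTH_PATHS = {"/signup": "signup", "/login": "last_login"}

def linkable_lines(log_lines, users, window=timedelta(seconds=2)):
    """Return (ip, email, path) for log lines that tie an IP to a user row."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        column = AUTH_PATHS.get(path)
        # Only successful auth requests update the DB timestamp.
        if method != "POST" or column is None or status.startswith("4"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        for user in users:
            if abs(when - datetime.fromisoformat(user[column])) <= window:
                hits.append((ip, user["email"], path))
    return hits

if __name__ == "__main__":
    for ip, email, path in linkable_lines(ACCESS_LOG, USERS):
        print(f"{ip} is linkable to {email} via {path}")
```

Once one line links an IP to a user, every other line from that IP (such as the `GET /about` request here) inherits the link, which is why the whole log file ends up needing the same retention and access controls as the user table.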
Thanks for the advice. Unfortunately I don't know anyone who would do it. Do you have any good recommendations of services?
My goal was to be more secure than an out-of-date WordPress site - which I think I have achieved.
I don't really understand the harm that can come from an email/password/ip leak, besides spam or stolen accounts if they reuse their password. Do you have a link that might impress the seriousness of the situation on me?
It is your responsibility as a product owner to protect users from their own security worst-practices. This is true everywhere, but it's especially true in software development. For better or worse, many people reuse passwords. It's not a great idea, but they don't deserve to have their lives upended because someone decided that it's their own fault for not being savvier.
If you don't have any friends that can help then you will likely have to pay someone. "Security engineer" is a job after all.