A lot to take in for a simple title, but seeing there were compromised accounts, I wanted to double-check for my own sake. On a quick evaluation there's no cross-site safety, as in hacker.com can make a GET/POST for another user and act as them... CSRF through a header is the safest bet and can be deployed when a user's session is made and remembered and not regenerated (for stateless purposes), or regenerated upon each refresh, but that is pointless. The headers of the website and forum are reporting incorrectly; I can go in-depth in a later topic, but the core focus aside from the above: NGINX is out of date and very vulnerable, PHP is out of date and very vulnerable... Suggested actions would be to update these things in a separate environment, ensure it works, and re-deploy. Beyond that I would deploy CSRF and have someone confirm your headers for security purposes, etc.
If there's help needed, I am confident in header support and updating NGINX and PHP; however, I don't write PHP anymore. I just want to see this secure. As for CSRF, I can help you keep it stateless and appropriate with low system usage. Just miss old GMS; don't mind helping. Cheers.
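Added example, not part of the post above: a stateless CSRF check of the kind the post describes, where a token bound to the session id by an HMAC is carried in a custom request header and verified without any server-side storage. Written in Python rather than the site's PHP; the header name, cookie name and secret handling are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

# Server-side secret. Assumption: loaded once from config in a real deployment,
# not regenerated per process (otherwise tokens break across restarts/workers).
SECRET = os.urandom(32)
HEADER_NAME = "X-CSRF-Token"   # assumed header name
COOKIE_NAME = "session"        # assumed session cookie name


def issue_csrf_token(session_id: str, secret: bytes = SECRET,
                     now: Optional[int] = None) -> str:
    """Stateless token: '<issued_at>.<HMAC(secret, session_id:issued_at)>'.
    Nothing is stored server-side; the session id binds it to one user."""
    ts = int(time.time()) if now is None else now
    mac = hmac.new(secret, f"{session_id}:{ts}".encode(), hashlib.sha256).digest()
    return f"{ts}." + base64.urlsafe_b64encode(mac).decode().rstrip("=")


def verify_csrf_token(token: str, session_id: str, secret: bytes = SECRET,
                      max_age: int = 3600, now: Optional[int] = None) -> bool:
    """Recompute the token for this session and timestamp; reject if the MAC
    differs or the timestamp is malformed, in the future, or older than max_age."""
    try:
        ts_str, _ = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if ts > current or current - ts > max_age:
        return False
    expected = issue_csrf_token(session_id, secret, now=ts)
    return hmac.compare_digest(expected, token)


def check_request(headers: dict, cookies: dict, secret: bytes = SECRET,
                  now: Optional[int] = None) -> bool:
    """Gate for state-changing requests. The browser attaches the session cookie
    automatically even on a cross-site request, but a third-party page cannot
    add the custom header, so cookie + matching header is the actual proof."""
    session_id = cookies.get(COOKIE_NAME)
    token = headers.get(HEADER_NAME)
    if not session_id or not token:
        return False
    return verify_csrf_token(token, session_id, secret, now=now)
```

Issue the token once when the session is created and have the front end echo it back in the header on every POST; a request that arrives with only the cookie is the cross-site case and is rejected.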