Otto has multiple layers of security which are intended to stop scammers from posting on your website.
That said, hackers are quite talented, and nothing on the internet can ever be said to be 100% hacker-proof. So our suggestion is always: “Avoid putting anything anywhere on the internet that you consider top-secret.”
Below is a description of what we do to ensure that only you can post on your website.
All email from you to Otto is sent by you to the Blog1 email servers. Blog1’s email servers support TLS2 and SSL security. Assuming your email is secure and you aren’t using an unencrypted Wi-Fi connection, Otto should receive your emails securely.
The Blog1 email servers support SPF, DKIM and DMARC settings to prevent a hacker from sending emails while pretending to be you.
Server Side Security
Otto will only respond to email where he finds his name (Otto) somewhere in the subject line of the email. This is done as a first line of defense against spammers. Otto is only five years old, but because his address is known to so many people, he receives a ridiculous amount of spam.
Only the email address which was used to register the Otto plugin is allowed to create or post blog entries on your website. You may register additional email addresses, but even those requests must be sent from a previously approved email address.
When the Otto plugin is registered you will be sent a “code word”. Posting anything on your blog requires that you provide this code word. This is done so that if someone is spoofing your email address (pretending to be you), and normal email security does not catch them, they will find they cannot post without knowing your code word. Write it down, and tell it to no one.
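The checks described above (SPF/DKIM/DMARC result, "Otto" in the subject, registered sender, code word) can be pictured as one gate applied to each incoming email. The sketch below is an added illustration, not Otto's own code. The `code:` body line, the `mx.blog.example` server name, the case-insensitive subject match and the sample registration data are all assumptions made for the example.

```python
import hmac
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data (assumptions, not Otto's real storage or host names).
REGISTERED = {"alice@example.com": "tangerine-42"}   # sender -> code word
TRUSTED_AUTHSERV = "mx.blog.example"                 # our own receiving server

def dmarc_passed(msg):
    """True only if OUR server recorded dmarc=pass (RFC 8601 header)."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # added by some other host, possibly the sender: ignore
        if any(p.strip().lower().startswith("dmarc=pass") for p in rest.split(";")):
            return True
    return False

def extract_code_word(msg):
    """Hypothetical convention: a body line of the form 'code: <word>'."""
    for line in str(msg.get_payload()).splitlines():
        if line.lower().startswith("code:"):
            return line[5:].strip()
    return ""

def check_request(raw):
    msg = message_from_string(raw)
    if "otto" not in msg.get("Subject", "").lower():
        return "ignored: subject does not mention Otto"
    if not dmarc_passed(msg):
        return "rejected: sender not authenticated"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    expected = REGISTERED.get(sender)
    if expected is None:
        return "rejected: unregistered sender"
    # Constant-time comparison so response timing does not leak the code word.
    if not hmac.compare_digest(extract_code_word(msg).encode(), expected.encode()):
        return "rejected: bad code word"
    return "accepted"

SAMPLE = (  # constructed message
    "Authentication-Results: mx.blog.example; spf=pass; dkim=pass;"
    " dmarc=pass header.from=example.com\n"
    "From: Alice <alice@example.com>\n"
    "Subject: Otto, please post this\n"
    "\n"
    "code: tangerine-42\n"
    "Hello world\n"
)
```

The code word only adds protection if it is checked after, and independently of, the sender address, which is why a spoofed `From` that slips past email authentication still fails at the last step.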
The Otto plugin confirms all requests with the Otto Server so that no one can spoof requests to the Otto plugin pretending to be the Otto Server.
Otto stores in his archives the information you send to him. The information is stored in a publicly accessible location (so that Otto can send you preview versions of your blog) on servers at Amazon’s AWS data center. The location is not publicly disclosed, but theoretically a hacker, given a preview copy of your blog entry, could find it.