According to Hackmageddon’s “June 2019 Cyber Attacks Statistics“, malware attacks are the most common form of cyber-attack on websites today. Of particular note is ransomware, which accounted for 37.4% of all website attacks in May 2019.
Other forms of attacks that can be directed against your website include account hijacking attempts, cyber-espionage, script injections, brute-force attacks, DDoS attacks, and more.
And it is for this reason that you need to think about website hardening, which is beefing up your site’s security by adding layers of protection to reduce the risk of website attack.
Cybersecurity experts also refer to website hardening as “defense in depth.” Multiple defensive mechanisms are set up to protect your site, so even if one measure fails, another layer is still active to thwart the attack.
Here are ten tips to harden your business website:
1. Keep Your Site Updated
There’s a big reason why content management systems (such as WordPress) release updates on a regular basis. The same goes for pieces of software, plugins, extensions, themes, and other applications.
For security purposes, it’s important to update your CMS along with any third-party components. A lot of these updates are designed to fill in gaps in security or patch up certain vulnerabilities that might have been discovered.
Remember, your server, Apache, and PHP must be up-to-date as well.
2. Reduce the Surface of Attack
Access to your site may be achieved through a number of ways: your control panel, your FTP/SFTP, hosting, database, and content management system are all entry points that might be exploited.
So you should harden your website access points. Only allow public access to public areas of your application, and deny everything else by default. This can be accomplished with server configuration rules, setting file and folder permissions, and through the use of a web application firewall.
3. Use Input Sanitization Techniques
Limit the kind of data a user can enter. By cleansing and scrubbing user input, you prevent them from exploiting possible security holes.
You can eliminate unwanted characters from the input, limit the maximum length or size, or limiting the use to just numbers or just letters.
As a rule, never trust the user and always accurately filter what is sent to your application. Accidental damage can be just as harmful as intentional damage.
4. Remove Unnecessary Extensions or Components
Take away all plugins, themes, or apps that you are not using on your site. Delete them– disabling them is not the same as removing them.
Each additional piece of code in your application is a potential gateway for an attacker, so by limiting the number of dependencies, you also minimize the risk of an attack.
5. Have Granular Permission Control
You don’t have to give every team member or user administrative access. Restrict permissions only to certain designated people, and make sure you don’t give away privileges to other users that aren’t necessary.
So in the case of your site, you probably should only have a couple of admins, maybe a few editors. Authors or other contributors certainly should not have administrative privileges.
6. Use Multi-Factor Authentication
2-Factor Authentication (2FA) measures help restrict access even further. This simple measure can thwart many attacks simply by making sure that someone accessing your site is not just a random individual.
2FA tools ask for a token of sorts after the initial authentication method, like a string of numbers sent to an authorized user’s mobile phone or some other similar measure.
7. Use Secure Passwords
There are password management tools to help you employ strong unique passwords. Go ahead and enforce a minimum level of strength for your passwords– use a combination of upper-case and lower-case letters, numbers, and at least one special character.
For even added security, set an expiration date so passwords always stay strong and fresh.
8. Allow Secure Access Only
This is where your HTTPS comes into play. This layer of security ensures that all traffic is encrypted. This can be easily confirmed by checking for an unbroken padlock right there on the URL window just before the web address.
Secure access prevents direct access from public hotspots, and only allows access to restricted areas when using a secure channel such as a VPN or proxy. Make sure all your site administrators are accessing your business website from safe devices.
9. Reduce Verbosity and Exposure of Information
No need to get specific when someone enters a wrong username or password. So, instead of “Your password is incorrect”, the prompt should say something like “Login credentials invalid.”
Reducing verbosity in this manner can diminish the chance of a successful brute force attack just by introducing doubt about whether the username is correct or not.
In addition, sensitive data must not be written on application logs and neither should these logs be publicly accessible. This is the reason why you should be employing internal error codes– you can reduce the amount of information displayed while still allowing for easy debugging.
10. Monitor Your Website and Keep Up With its Log Activity
Remember, there’s no rest for the wicked. Make sure you scan through your logs to check for anomalies. This way, you spot important information concerning application misconfiguration, malfunctions, attack attempts, and other important status information right away before it does any serious damage.
A Final Word on Website Hardening
Web security issues are more common than you think, but by taking a more proactive stance when it comes to hardening your business website, cyber-attacks can be avoided.
One of the best ways to harden your website is through a web application firewall. When used in conjunction with good security habits like proper password management and limiting privileges, you’ve already secured your site, giving you the much-needed peace of mind to focus on your business.
Website security is something you should take seriously. As far as hardening and securing your website goes, we here are LOJO are always happy to help!
Go right ahead and request a free, no-obligation WordPress Security Checkup from our web security team, so we can have a look at your site and share with you our recommendations to better secure and harden your website.