Attackers are constantly hunting for vulnerable websites. And regardless of what kind of website and server you have, they must be kept under reliable protection. And to help you, in this article we will tell you about 12 basic steps that you can take to strengthen the protection of your site and improve the security of your work environment.
1 – Update your site regularly and fix known vulnerabilities
Any software related in any way to the operation of your server and website should always be updated. Remember: attackers are constantly looking for various security gaps and actively use them, so it is extremely important to regularly update the CMS along with any third-party components (plugins, themes, extensions). Do not neglect server updates, Apache or PHP.
By regularly updating all elements of the site, you will significantly reduce the likelihood that attackers will attack it using known vulnerabilities.
2 – Reduce the attack surface
There are several ways to reduce the attack surface:
Allow public access only to public areas of your site;
Disable everything else by default;
Find and protect all access points to your site;
All this can be easily done using server configuration settings, setting file and folder access rights, as well as modern web application firewalls.
3 – Remove unnecessary plugins and themes
Everyone loves convenient and functional plugins that improve the work of the site. We all love the features and functionality that improve the engagement and performance of the site. But the more software you use on the site, the higher the risk of a cyber attack, because every additional plugin / theme / etc. – can be used by attackers against you.
To protect yourself from this, remove unused plugins, themes and third-party components. And remember: disabling a plugin or theme is not the same as removing them.
4 – Apply the principle of least privilege
Limit the capabilities of each member of your team and make sure that they have no more privileges than necessary. This can be achieved by applying the principle of least privilege. Do not forget to revoke administrator rights from site employees if they do not need them after completing certain tasks.
5 – Restrict access to the admin panel
Hacking the admin panel is one of the most common attacks faced by WordPress users. By default, WordPress Admin panel login screens are publicly accessible, which makes them vulnerable to brute force attacks.
Here are a few ways you can increase the security of your admin panel:
Restrict access to certain IP addresses;
Require CAPTCHA input;
Limit the number of login attempts;
Use a non-standard URL.
6 – Use multi-factor authentication
Everything is simple here – you just combine two or more different forms of authentication. For example:
What the user knows (password);
What the user has (one-time code);
What is a user (biometrics).
The combination of two or more forms of authentication creates a multi-level protection that reliably protects against unauthorized intruders.
7 – Use strong, unique passwords
By using strong and unique passwords for all your accounts associated with the server, database, FTP and admin panel, you strengthen your website as well. If creating and regularly updating strong, unique passwords is a difficult task for you, use a password manager to store, encrypt and manage passwords for your site.
8 – Provide access to the site via HTTPS
Do not allow direct access to the site from public access points, allowing access to restricted areas only when using a secure channel such as a VPN or proxy. Make sure that all administrators are accessing from secure devices. Ideally, all sites should be accessed via HTTPS – this ensures that all data is securely encrypted when transferring from point A to point B.
9 – Give as much information as possible to potential hackers
Instead of “Your password is invalid”, change the messages about failed password attempts to something like “Login credentials are invalid”. Why? In the first example, you directly tell the attacker that the username is correct, but the password is not. But in the second example, the attacker cannot know for sure whether they made a mistake with the username, password, or with everything at once.
In addition, make sure that important information about the site is not recorded in the logs of the site or server, and that the logs are not available to everyone who wants to view them.
10 – Check your website regularly and keep track of logs
Logs are incredibly valuable for monitoring the status of a website. They will help you fix technical problems, in addition, they are needed to comply with GDPR, CIPA and other regulations. Therefore, be sure to check the logs for anomalies in order to find incorrect configurations, malfunctions in time, learn about attack attempts and collect other important information.
11 – Use input data sanitization methods
Sanitization is the transformation of input string data into a form that is safe for their use as output. One of the excellent examples of input data sanitization can be website forms that disinfect the input data to prevent SQL injection attacks.
When using input sanitization methods, you need to determine exactly what kind of data you expect from the user:
Is it possible to use special characters in the login/password?
What is the maximum login/password length?
Can the password consist only of numbers or letters too?
Any visitor to your site can be an attacker. Therefore, it is important to be careful and never trust the information entered in the fields of the site.
Don’t forget to filter what is sent to your website or app. This will help improve security, prevent SQL injection, and strengthen your site.
12 – Purchase a firewall for web applications
The firewall will help you improve the security of your site and server, as well as protect against DDoS attacks. However, this is not a panacea for all cyber attacks, so do not forget about the tips we gave above.