Top 10 Website Hardening Tips

This article was originally published on the Sucuri blog.

Website hardening means adding layers of protection so that no single weakness is enough to compromise the site, an approach known as “defense in depth.”

Here are our top 10 virtual hardening principles:

1 – Keep your website updated

Every single piece of software required to run your application needs to be kept up to date with the latest patches and security updates. Website vulnerabilities come in all shapes and sizes, so it is important to update your CMS along with any third party components like plugins, themes, and extensions.

Don’t neglect the server stack either: the operating system, the web server (Apache, for example) and PHP all need to be kept current, since an unpatched runtime undermines a fully patched CMS. Keeping everything updated shrinks the window in which a published vulnerability can be used against your site.

2 – Reduce the attack surface

Only allow public access to the public parts of your application and deny everything else by default. Find every access point (admin panels, upload directories, API endpoints, installer and backup files left on the server) and harden or remove it.

This can be accomplished with server configuration rules, file and directory permissions, and a web application firewall in front of the site.
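The permission part of this can be scripted. The following Python script is an added example, not code from the original article or from Sucuri: it walks a web root, compares each entry with the usual CMS baseline (directories 0755, ordinary files 0644, configuration files holding credentials 0600), reports anything world-writable, and optionally fixes the deviations. The file names treated as secrets and the modes are assumptions; adjust them to your CMS and to the user the web server runs as.

```python
"""Audit (and optionally fix) permissions under a web root.

Added example, not code from the original article: enforces the usual CMS
baseline of directories 0755, files 0644 and credential files 0600, and
reports anything world-writable. The secret-file names are assumptions.
"""
import os
import stat
import sys

DIR_MODE = 0o755
FILE_MODE = 0o644
SECRET_MODE = 0o600
# Files that hold database credentials or keys (assumed names; adjust for your CMS).
SECRET_FILES = {"wp-config.php", "configuration.php", "settings.php", ".env"}


def expected_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    if os.path.basename(path) in SECRET_FILES:
        return SECRET_MODE
    return FILE_MODE


def audit(web_root, fix=False):
    """Return [(path, current_mode, expected_mode), ...] for every entry whose
    permission bits deviate from the baseline. With fix=True each deviating
    entry is chmod'ed to the expected mode before being reported."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        # The root itself is checked once; everything below it via its parent.
        entries = [(dirpath, True)] if dirpath == web_root else []
        entries += [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue  # never chmod through a symlink
            current = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(path, is_dir)
            if current != want:
                if fix:
                    os.chmod(path, want)
                findings.append((path, current, want))
    return findings


def world_writable(findings):
    """The subset of findings where 'other' may write: anything with a local
    foothold (another vhost, a compromised plugin) can drop files there."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    apply_fix = "--fix" in sys.argv
    for path, cur, want in audit(root, fix=apply_fix):
        print(f"{path}: {oct(cur)} -> {oct(want)}{' (fixed)' if apply_fix else ''}")
```

Run it without arguments for a dry run and with `--fix` to apply the baseline. On shared hosting where PHP runs as a different user from the file owner, an upload directory may legitimately need group write, so treat the baseline as a starting point and review the findings before fixing.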

3 – Validate and sanitize input

Specify exactly what kind of data you expect from the user, field by field:

  • Is it supposed to accept special characters?
  • What is the maximum length or size?
  • Should it allow only numbers, or letters, too?

Never trust the client: validate on the server against that specification, as an allowlist of what is permitted rather than a blocklist of what is not, and treat any check that runs in the browser as a convenience for the user rather than a control. Accidental damage from malformed input can be just as harmful as intentional damage. Validation also does not replace output encoding; data that passed validation still has to be escaped when it is placed into HTML, SQL or a shell command.
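The three questions above become a per-field rule table. The following Python module is an added example, not code from the original article: each field gets a maximum length and a whole-string regular expression, unknown fields are rejected rather than ignored, and a separate function shows that a validated value is still HTML-escaped on output. The field names, limits and patterns are illustrative assumptions.

```python
"""Allowlist input validation: declare what each field may contain and
reject everything else. Added example, not code from the original
article; field names, limits and patterns are illustrative assumptions."""
import html
import re
import unicodedata

# Each rule: a regex the whole value must match, and a maximum length in
# characters (checked before the regex so oversized input is cheap to drop).
RULES = {
    "username": (re.compile(r"\A[A-Za-z0-9_]{3,32}\Z"), 32),
    "age":      (re.compile(r"\A(?:[1-9][0-9]?|1[01][0-9]|120)\Z"), 3),
    "zip":      (re.compile(r"\A[0-9]{5}\Z"), 5),
    # Free text: any printable character plus tab/newline, no other controls.
    "comment":  (re.compile(r"\A[^\x00-\x08\x0b\x0c\x0e-\x1f\x7f]{1,500}\Z"), 500),
}


def validate(form):
    """Return (clean, errors). Unknown fields are errors, not ignored, so a
    request cannot smuggle in parameters the handler never meant to accept."""
    clean, errors = {}, {}
    for name in form:
        if name not in RULES:
            errors[name] = "unexpected field"
    for name, (pattern, max_len) in RULES.items():
        raw = form.get(name)
        if raw is None:
            errors[name] = "missing"
            continue
        # Normalise before checking so equivalent Unicode forms do not bypass the rule.
        value = unicodedata.normalize("NFC", str(raw)).strip()
        if len(value) > max_len:
            errors[name] = f"longer than {max_len} characters"
        elif not pattern.match(value):
            errors[name] = "contains characters or a format that is not allowed"
        else:
            clean[name] = int(value) if name == "age" else value
    return clean, errors


def render_comment(text):
    """Validation is not output encoding: even a validated comment is escaped
    at the point it is placed in HTML, otherwise '<' and '"' become XSS."""
    return html.escape(text, quote=True)
```

`\A` and `\Z` anchor the whole value; a bare `$` would still match before a trailing newline, which is exactly the kind of slack an allowlist should not have.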

4 – Remove unnecessary extensions

The higher the number of dependencies, the greater the risk of an attack. Each additional piece of code in your application is a potential gateway for an attacker.

Be sure to keep only what is being used. Disabling a plugin or theme is not the same as removing it: the code stays on disk, often remains directly reachable by URL, and no longer receives updates, so delete it.

5 – Have granular permission control

Restrict what each member of your team can do and make sure they don’t have more privileges than necessary. Granting every user administrative access is a security hazard which can be mitigated with appropriate permissions.

If you have an author or editor contributing to your website, they should not need administrator privileges.

6 – Use multi-factor authentication

Restricted areas need stronger authentication. Requiring a second factor, typically a one-time code from an authenticator app or a hardware key presented after the password, means a stolen or guessed password is no longer enough on its own, which is exactly what 2FA tools provide. Prefer app-based or hardware tokens over SMS codes, which can be intercepted through SIM swapping.
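To show what the "token after the password" step actually checks, here is the time-based one-time password algorithm (RFC 6238) that authenticator apps implement, written in Python with only the standard library. This is an added example, not code from the original article; the verification window, replay guard and the use of the RFC test key as the demo secret are assumptions.

```python
"""RFC 6238 TOTP: what a second-factor app computes and how the server
verifies it. Added example, not code from the original article; standard
library only. The demo secret is the RFC 6238 test key, not a real one."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step
DIGITS = 6
WINDOW = 1     # accept one step of clock drift on either side


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based OTP (RFC 4226) with dynamic truncation."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None):
    """Time-based OTP: HOTP over the current 30-second step."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // STEP)


def verify_totp(secret, code, at=None, last_used_step=-1):
    """Check a submitted code against the current step and its WINDOW
    neighbours. Returns (ok, step); the caller stores `step` and passes it
    back as last_used_step so the same code cannot be replayed."""
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False, last_used_step
    now = int(time.time()) if at is None else at
    current = now // STEP
    for step in range(current - WINDOW, current + WINDOW + 1):
        if step <= last_used_step:
            continue  # a code at or before an already-used step is a replay
        if hmac.compare_digest(hotp(secret, step), code):  # constant-time
            return True, step
    return False, last_used_step


def provisioning_secret(secret):
    """Base32 form of the secret, which is what authenticator apps import."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test key
    print("share with the app:", provisioning_secret(demo_secret))
    print("current code:", totp(demo_secret))
```

The server side keeps three things per user: the secret (stored encrypted), the last accepted step, and a failure counter or rate limit, since a six-digit code with a three-step window falls to online guessing if unlimited attempts are allowed.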

7 – Use secure passwords

Enforce a minimum password length and reject passwords that appear in known breach lists. Forced periodic expiration is no longer recommended (NIST SP 800-63B advises against it, because it pushes users toward predictable variations of the old password); instead, change a password when there is evidence it was exposed.

Use a password manager so that every account gets a long, unique password without anyone having to memorise it.
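A server-side acceptance check that follows this advice, as an added Python example (not code from the original article): it enforces length bounds, rejects passwords containing the username or with almost no distinct characters, and checks against a breach list. The breach list here is a constructed three-entry stand-in for a real corpus, and the thresholds are assumptions.

```python
"""Password acceptance checks at registration or change time. Added
example, not from the original article. The breach list is a constructed
stand-in for a real corpus (such as a Have I Been Pwned range query);
the thresholds are assumptions."""
import hashlib
import unicodedata

MIN_LEN = 12
MAX_LEN = 128  # cap so a multi-megabyte password cannot tie up the password hash
# Constructed stand-in for a breach corpus, stored as SHA-1 hex the way HIBP does.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password123", "Welcome2024!", "qwertyuiop12")
}


def password_problems(password, username=""):
    """Return the reasons a password is rejected; an empty list means accept.
    Composition rules (one upper, one digit, ...) are deliberately absent:
    length and not-already-breached matter more than character classes."""
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if len(set(pw)) <= 3:
        problems.append("too repetitive")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known breach")
    return problems
```

Against a real breach corpus, send only the first five hex characters of the SHA-1 to the lookup service and compare the rest locally, so the password itself never leaves your server.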


8 – Allow secure access only

Restrict access to administrative areas to a trusted network path, such as a VPN or an authenticated proxy, rather than exposing them directly to the internet; this also keeps admin sessions off untrusted public hotspots. Make sure all administrators are connecting from managed, up-to-date devices.

All applications should be served over HTTPS so that traffic, including session cookies and passwords, is encrypted in transit. A valid certificate shows as an unbroken padlock in the browser, but the padlock only confirms the certificate, not that every request uses it: redirect HTTP to HTTPS, enable HSTS, and mark session cookies Secure.

9 – Reduce verbosity and exposure of information

Instead of “Your password is incorrect”, respond with “Login credentials invalid.” The specific message confirms that the username exists, which lets an attacker enumerate valid accounts before brute-forcing their passwords; the generic one does not. Apply the same rule to password reset and registration forms, and make sure the response time does not differ between unknown and known usernames, or the information leaks anyway.

Sensitive data must not be written to application logs, and the logs must not be publicly accessible. Returning an internal error code to the user, and logging the detail under that code, keeps the displayed information minimal while still allowing easy debugging.
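Both points together in one login handler, as an added Python example that is not code from the original article: every failure returns the same message and a random reference code, the real reason is logged under that code, an unknown username is hashed against a dummy record so its response time matches a known one, and the submitted password never reaches the log. The user store, the PBKDF2 work factor and the log format are assumptions.

```python
"""A login handler that answers every failure identically and records the
real reason under an internal reference code. Added example, not code
from the original article; the user store, hash parameters and log
format are assumptions."""
import hashlib
import hmac
import logging
import os
import secrets

log = logging.getLogger("auth")
GENERIC_FAILURE = "Login credentials invalid."
ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune to your hardware)


def make_record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, hash). Not a real account.
USERS = {"alice": make_record("correct horse battery staple")}
# A dummy record so an unknown username costs the same time as a known one;
# otherwise response timing reveals which usernames exist.
DUMMY = make_record(secrets.token_hex(16))


def login(username, password, client_ip="0.0.0.0"):
    """Return (ok, message, ref). `message` is all the user sees; the specific
    failure goes to the log keyed by `ref`, which support can look up."""
    ref = secrets.token_hex(4)
    salt, stored = USERS.get(username, DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if hmac.compare_digest(candidate, stored) and username in USERS:
        log.info("ref=%s ip=%s user=%s login ok", ref, client_ip, username)
        return True, "Welcome back.", ref
    reason = "unknown user" if username not in USERS else "wrong password"
    # Never log the submitted password; username, IP and reason are enough.
    log.warning("ref=%s ip=%s user=%r failed: %s", ref, client_ip, username, reason)
    return False, GENERIC_FAILURE, ref
```

The reference code is safe to show to the user ("quote ref 3f9a1c2b to support") because it carries no information on its own; the mapping to the cause lives only in the protected log.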

10 – Monitor your website and keep up with its log activity

Check your web server and application logs for anomalies: bursts of failed logins or of POSTs to the login page from one address, runs of 404s that indicate a scanner, requests for files that should not exist (backup copies, .env, old installers), unexpected 5xx errors, and new administrator accounts or modified files you did not create. Logs are where misconfiguration, malfunction and attack attempts show up first, but only if someone reads them.
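The following Python script turns those checks into detection logic over Apache combined-format access logs. It is an added example, not code from the original article or a Sucuri tool; the sample log lines are constructed, and the thresholds, login paths and sensitive-file patterns are assumptions to tune for your site.

```python
"""Scan web-server access logs for the anomalies the text names. Added
example, not from the original article. Log lines are constructed in
Apache combined format; thresholds, login paths and sensitive-file
patterns are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
LOGIN_PATHS = {"/wp-login.php", "/administrator/index.php", "/user/login"}
SENSITIVE = re.compile(r"\.env\b|\.git/|wp-config|\.bak\b|\.sql\b|\.old\b", re.I)
LOGIN_POST_LIMIT = 5   # POSTs to a login page from one IP ...
NOT_FOUND_LIMIT = 10   # 404s from one IP ...
WINDOW_SECONDS = 300   # ... within this window


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def in_burst(times, limit):
    """True if at least `limit` events fall inside any WINDOW_SECONDS span."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > WINDOW_SECONDS:
            lo += 1
        if hi - lo + 1 >= limit:
            return True
    return False


def find_anomalies(lines):
    """Return a sorted list of (ip, finding) tuples."""
    login_posts = defaultdict(list)
    not_found = defaultdict(list)
    findings = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            findings.add(("-", f"unparseable line: {line[:60]!r}"))
            continue
        # Count login POSTs regardless of status: many CMSs answer a failed
        # login with 200, so the status code alone would hide brute force.
        if rec["method"] == "POST" and rec["path"].split("?")[0] in LOGIN_PATHS:
            login_posts[rec["ip"]].append(rec["ts"])
        if rec["status"] == 404:
            not_found[rec["ip"]].append(rec["ts"])
        if SENSITIVE.search(rec["path"]):
            findings.add((rec["ip"], f"probe for sensitive file {rec['path']}"))
        if rec["status"] >= 500:
            findings.add((rec["ip"], f"server error {rec['status']} on {rec['path']}"))
    for ip, ts in login_posts.items():
        if in_burst(ts, LOGIN_POST_LIMIT):
            findings.add((ip, "login brute force: repeated POSTs to a login page"))
    for ip, ts in not_found.items():
        if in_burst(ts, NOT_FOUND_LIMIT):
            findings.add((ip, "scanning: burst of 404s"))
    return sorted(findings)


# Constructed sample log, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1532' % s
    for s in range(0, 30, 5)
] + [
    '198.51.100.4 - - [10/Oct/2023:14:01:00 +0000] "GET /.env HTTP/1.1" 404 196',
    '198.51.100.4 - - [10/Oct/2023:14:01:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196',
    '192.0.2.9 - - [10/Oct/2023:14:02:10 +0000] "GET /blog/ HTTP/1.1" 200 8812',
    '192.0.2.9 - - [10/Oct/2023:14:02:12 +0000] "GET /contact HTTP/1.1" 500 512',
]

if __name__ == "__main__":
    for ip, finding in find_anomalies(SAMPLE):
        print(ip, finding)
```

Run from cron against the rotated log and mail the output, or feed the findings to whatever alerting you already have; the point is that the checks run unattended rather than waiting for someone to open the file.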

The Ultimate Hardening Tip – Use a Web Application Firewall

Sucuri offers a Website Application Firewall that hardens your website by default. Every site under the Sucuri Firewall is already hardened. With virtual hardening, the Sucuri team is able to apply vulnerability-agnostic patches to any website.

Once you activate the firewall, you won’t need to worry as much about maintaining security plugins and configurations. You will still need to practice good security habits such as strong passwords and least-privilege accounts, since a firewall cannot stop an attacker who logs in with valid credentials. Having a website security team to count on will save you time and money and let you focus on your business.