If you read our blog you know that we are really open to providing insight into malware infections, remediation and hardening tips. The goal is to help educate website owners where and when we can. Unfortunately, that education only goes so far. We have learned that when it comes to hardening no single environment is the same and what you tell one person doesn’t necessarily apply to another person.
Take into consideration three of the simple things we tell website owners that use the WordPress platform:
- Restrict wp-admin access for only certain white listed IP addresses
- Disable PHP execution inside the uploads directory
- Disable direct PHP execution inside the whole wp-content directory whenever possible
Although effective for many of them, most are unable to apply them. Reasons include things like static versus dynamic IP’s and lack of understanding of the use of secure tunnels and static IPs proxies. Then you have the challenges of web servers, is it a Windows IIS web server, or an Apache web server? Is it something else? And what if the environment is a hybrid with varying elements, each with specific considerations.
The same applies to guidance we provide other content management system (CMS) applications like Joomla, Magento, vBulletin, osCommerce and many others. The fact of the matter is that it’s hard to provide one solid solution that all website owners, regardless of platform, can use and employ to harden their websites.
Hardening is HARD
The main issue with hardening is that not everyone is technical enough to follow or understand the guidance. Especially when they see long posts like this one: WordPress Security – Cutting Through The BS or WordPress and Server Hardening – Taking Security to Another Level. The reality is that every one of the configuration changes is one potential new headache for the website owner. What works for one, doesn’t work for the other. Perhaps a host doesn’t allow a specific directive or disables specific functions. How do you account for that when talking to the masses?
Then you have to keep up with the growing threats. Is there a new attack vector? Is there a new hardening tip to address that vector? How do you know? How do you apply the hardening in time to avoid becoming vulnerable and exploited?
Enter Virtual Hardening
In our previous post, we talked about the concept of virtual patching: Virtual Patching for Websites with Sucuri CloudProxy, it is the idea that a non-patched web site can still be protected (patched) by a web application firewall (our CloudProxy).
Fortunately, the benefits of our CloudProxy does not stop there. By default, every site under our CloudProxy is already hardened without any work. In our WordPress plugin we have the 1-click hardening. That’s the no-click hardening. You no longer need to run any security plugin or modify your configuration, since all the hardening is done “virtually” by our WAF.
You can automatically restrict access to your administration panel per IP address. All direct access to non-allowed directories are blocked. And all the steps we provide in our blogs are implemented there to all our users.
Go back a few months and look at the Timthumb mass compromise, where thousands of sites were hacked. Any site that was hardened like we recommend would not get hacked through it, even if they had the insecure timthumb installed. And even without any type of virtual patching or custom WAF rule. Just the hardening alone.
That’s what the Virtual hardening offers without any work for web site owners.
If you have questions about virtual hardening, or the Sucuri CloudProxy service, email us at firstname.lastname@example.org and we can get you setup.