In the first post of this series, we discussed some of the main website security threats. Knowing the website security environment is a vital part of a good website security posture. However, it is also important to know what you can do to strengthen your website.
Today, we are going to give you some practical tips on how to improve your website posture.
If you are a website owner, we highly recommend applying the principle of least privilege. It is a computer science principle that can be applied at every level of a system, and its benefits strengthen your website security posture.
The main takeaways of the principle of least privilege are:
- Use the minimal set of privileges required for each user to perform an action.
- Grant those privileges only for the time the action is necessary.
When assigning roles, only let users have the role they will need to accomplish a task. Assign roles of administrator (more access) and contributor (less access) based on the responsibilities of the user.
If you are the website admin and also an author, you have two different roles. Use separate user accounts for the different tasks.
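As an added example (not code from the original post or from Sucuri), the following Python models the two takeaways above for a hypothetical CMS: each role carries only the permissions it needs, and an elevated role can be granted for a limited time and silently stops applying once that time has passed. The role names and permission strings are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Hypothetical role-to-permission map for a small CMS (constructed for this example).
# Each role lists only what that role needs; "administrator" is the only role that
# may manage users or install plugins.
ROLE_PERMISSIONS = {
    "contributor": {"post:create", "post:edit_own"},
    "editor": {"post:create", "post:edit_own", "post:edit_any", "post:publish"},
    "administrator": {
        "post:create", "post:edit_own", "post:edit_any", "post:publish",
        "user:manage", "plugin:install",
    },
}


@dataclass
class Grant:
    """A role assigned to a user, optionally only until `expires_at`."""
    role: str
    expires_at: Optional[datetime] = None  # None means a permanent grant


@dataclass
class User:
    name: str
    grants: List[Grant] = field(default_factory=list)


def active_permissions(user: User, now: datetime) -> set:
    """Union of permissions from grants that have not expired at time `now`."""
    perms = set()
    for grant in user.grants:
        if grant.expires_at is not None and now >= grant.expires_at:
            continue  # expired grant: contributes nothing
        perms |= ROLE_PERMISSIONS[grant.role]
    return perms


def is_allowed(user: User, permission: str, now: datetime) -> bool:
    """Deny by default: only an explicit, still-valid grant permits the action."""
    return permission in active_permissions(user, now)


def grant_temporarily(user: User, role: str, now: datetime, duration: timedelta) -> Grant:
    """Elevate a user for a bounded window instead of making them a permanent admin."""
    grant = Grant(role, expires_at=now + duration)
    user.grants.append(grant)
    return grant


def prune_expired(user: User, now: datetime) -> int:
    """Drop expired grants so the account does not accumulate stale elevations."""
    before = len(user.grants)
    user.grants = [g for g in user.grants if g.expires_at is None or now < g.expires_at]
    return before - len(user.grants)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0)
    alice = User("alice", [Grant("contributor")])
    print(is_allowed(alice, "plugin:install", t0))  # False: contributors cannot install
    grant_temporarily(alice, "administrator", t0, timedelta(hours=1))
    print(is_allowed(alice, "plugin:install", t0 + timedelta(minutes=30)))  # True
    print(is_allowed(alice, "plugin:install", t0 + timedelta(hours=1)))     # False
    print(prune_expired(alice, t0 + timedelta(hours=1)))                     # 1
```

The check is deny-by-default, and the expiry is enforced at decision time rather than relying on someone remembering to revoke the role, which is the usual way temporary elevation quietly becomes permanent.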
Preventing access control issues also means strengthening all of your passwords.
Here at Sucuri, we always advise our customers to create strong unique passwords for everything. Nevertheless, we often see weak passwords used to secure website login for FTP, database, cPanel, and the CMS dashboard.
Everyone has their own password policy. It’s very personal and usually based on a set of assumptions about online security. Unfortunately, many users choose policies of efficiency over security.
If you are a practical person who would rather memorize only one password for all your accounts, there are plenty of password generators online, and most offer options to increase the length and complexity of each unique password.
Generating a password is a great way to have unique, random passwords for every account. However, like any defensive measure, best practices in password management can only minimize the level of risk.
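The following Python is an added example, not code from the original post or a Sucuri tool. It generates passwords from a cryptographically secure source (`secrets`), guarantees that every character class is present, reports the entropy of the result, and flags the kind of weak password the post describes. The symbol set and the small blocklist are constructed assumptions for the example.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # assumed symbol set; adjust to what a site accepts
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 85 characters

# Constructed stand-in for a breached-password list; a real check would use a
# much larger list or an offline copy of a k-anonymity style lookup.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "admin", "letmein"}


def generate_password(length: int = 20) -> str:
    """Return a random password of `length` chars containing every character class."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        # secrets.choice is unbiased and backed by the OS CSPRNG, unlike random.choice
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        classes = (LOWER, UPPER, DIGITS, SYMBOLS)
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def weak_password_reasons(password: str, min_length: int = 12) -> list:
    """List the reasons a password is weak; an empty list means it passed the checks."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    present = sum(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))
    if present < 3:
        reasons.append("uses fewer than three character classes")
    return reasons


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(len(pw)):.1f} bits")
    print(weak_password_reasons("password123"))  # three reasons
    print(weak_password_reasons(pw))             # []
```

Length matters more than cleverness: at this alphabet size each extra character adds about 6.4 bits, so a 20-character generated password sits near 128 bits, far beyond anything a human-chosen password reaches.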
We advise you to be careful about which sources you trust, because every piece of software that powers your website is potentially vulnerable, including:
- Web Servers
- Website Infrastructure
- Content Management System (CMS)
Protection and Monitoring
You can’t fix vulnerabilities in systems you don’t have any control over. The best thing to do is virtually patch flaws in real time and block attackers before they can reach your website.
The following technologies can prevent and alert you to Indicators of Compromise (IOC) before they have the opportunity to infect your website:
Web Application Firewalls (WAF)
A Web Application Firewall is a layer of protection that sits between a website and the traffic it receives. A WAF is designed to stop website hacks and attacks.
Intrusion Detection and Prevention (IDP)
An intrusion detection and prevention system monitors a network or systems for malicious activity or policy violations.
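To make the detection and prevention roles concrete, here is an added Python example (not code from the post or from Sucuri's products) that does a tiny piece of what the two layers above do: it reads constructed web-server access log lines, counts failed login attempts per client address inside a sliding window, raises an alert when a threshold is crossed, and from then on blocks further requests from that address. The log format, paths, threshold and sample addresses (RFC 5737 documentation ranges) are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: client, ident, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (?:\d+|-)$'
)

# Constructed sample: one client fails to log in repeatedly, another behaves normally.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "GET /login HTTP/1.1" 200 1043
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.2 - - [10/Oct/2023:13:55:02 +0000] "GET / HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.2 - - [10/Oct/2023:13:55:06 +0000] "POST /login HTTP/1.1" 200 310
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /login HTTP/1.1" 401 512
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {
        "ip": ip,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
    }


def monitor(lines, login_path="/login", threshold=5, window=timedelta(seconds=60)):
    """Detect repeated login failures per client and block the client afterwards.

    Returns (alerts, blocked): human-readable alert strings and the raw log lines
    that a prevention layer would have refused because the client was already blocked.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    blocked_ips = set()
    alerts, blocked = [], []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue  # unparseable line: skip rather than crash the monitor
        ip = req["ip"]
        if ip in blocked_ips:
            blocked.append(line)  # prevention: refuse everything from a blocked client
            continue
        # Detection: a 401 on a POST to the login path is one failed attempt
        if req["method"] == "POST" and req["path"] == login_path and req["status"] == 401:
            recent = failures[ip]
            recent.append(req["time"])
            while recent and req["time"] - recent[0] > window:
                recent.popleft()  # forget failures outside the sliding window
            if len(recent) >= threshold:
                alerts.append(f"{ip}: {len(recent)} failed logins within {window.seconds}s")
                blocked_ips.add(ip)
    return alerts, blocked


if __name__ == "__main__":
    alerts, blocked = monitor(SAMPLE_LOG.splitlines())
    print(alerts)   # ['203.0.113.7: 5 failed logins within 60s']
    print(blocked)  # the sixth attempt from 203.0.113.7, refused outright
```

The fifth failure trips the alert (detection), and the sixth request from the same address never reaches the login handler (prevention); the other client, with one successful login, is untouched. A real deployment keys on more than the client address and tunes the window to the site's traffic, but the shape of the logic is the same.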
To improve your security posture, follow these good-practice tips:
- Use the principle of least privilege. Always grant people access to a website with the minimal set of privileges.
- Use strong, unique passwords for everything on your website that requires one. A password generator can be of great help.
- Only install pieces of software from trusted sources on your website.
- Protect and monitor the website so that you know everything that is going on.
We have put together an easy-to-follow infographic to demonstrate what you can do to have a good security posture.
If you are looking for peace of mind, our website security platform offers both a WAF and an IDP that work as a robust security layer to enhance the protection of any website.