If you want to make your website security more robust, you need to think about hardening. To harden your website means to add different layers of protection that reduce its attack surface. Hardening often involves manual measures, such as adding code or changing configuration. Virtual hardening instead relies on a Web Application Firewall (WAF) or security plugin to apply those protections to your website automatically.
The concept of hardening is part of a defense-in-depth strategy that protects your web server and database from vulnerability exploitation. Similar to other Information Security areas, it is necessary to understand website security in a comprehensive way.
When you add layers of protection to your website, you implement controls that account for:
- The depth of the defense: adding multiple controls to protect your website.
- The breadth of the attack surface: covering all potential attack vectors and security domains.
Adding virtual hardening to a website means protecting it on many levels, such as:
- The application
- The operating system
- The web server
- The database
Website CMS
It is important to emphasize that when it comes to hardening, each environment is unique. For example, if your website is using the WordPress platform, we can give you some tips to harden it, such as:
- Restrict wp-admin access to a whitelist of specific IP addresses
- Disable PHP execution inside the uploads directory
- Disable direct PHP execution inside the whole wp-content directory whenever possible
However, not all WordPress website owners are able to apply these tips, for reasons such as not being able to maintain an IP whitelist because their own IP address is dynamic. That does not mean you cannot use other methods.
In our firewall dashboard, for example, you can add an extra layer of protection by enabling an authentication method of your choice. Read our Knowledge Base article to learn how it works.
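The three WordPress tips above, as an added example that is not code from this article: Apache 2.4 .htaccess fragments, one per tip, assuming mod_authz_core is loaded and AllowOverride permits these directives; the addresses 203.0.113.10 and 203.0.113.0/24 are constructed placeholders.

```apache
# Added example, not from the article. Each "file:" comment marks a separate
# .htaccess file. Addresses are constructed placeholders; replace with your own.

# --- file: wp-admin/.htaccess ---------------------------------------------
# Tip 1: only whitelisted addresses may reach the dashboard. Multiple
# "Require ip" lines are OR-ed, so several office or VPN ranges can be listed.
Require ip 203.0.113.10
Require ip 203.0.113.0/24

# admin-ajax.php is called by public themes and plugins from the front end,
# so it must stay reachable for everyone or front-end features break.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- file: .htaccess (site root), appended after the WordPress rewrite block
# wp-login.php lives in the document root, so it needs its own rule.
<Files "wp-login.php">
    Require ip 203.0.113.10
    Require ip 203.0.113.0/24
</Files>

# --- file: wp-content/uploads/.htaccess -----------------------------------
# Tip 2: the uploads directory should only ever serve static media. Deny every
# PHP-style extension so a disguised upload can never be executed there.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>

# --- file: wp-content/.htaccess -------------------------------------------
# Tip 3: WordPress core includes plugin and theme PHP files itself, so direct
# HTTP requests for them are rarely legitimate. Apply only after confirming no
# installed plugin expects direct access to its own scripts.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
```

After deploying, request a harmless test file such as wp-content/uploads/test.php from a non-whitelisted address and confirm the server answers 403 rather than executing it.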
Providing hardening tips to all website owners regardless of their CMS can be very difficult. However, our research team has put together a guide to help you secure your WordPress site.
Web Servers
As we mentioned before, virtual hardening goes beyond the platform environment into your web server, including:
- Windows IIS
- Apache
- NGINX
- Node.js
- Lighttpd
Adding security defenses to your server can be very challenging. You will need to know which server software you are running and research hardening guidance specific to it. There are also hybrid environments, with elements from several of these stacks, that you might need to be aware of.
Some Examples of Hardening
If you are wondering what you can do to harden your website, here are a few tips:
- Keep your CMS and extensions updated.
- Always install security patches to your CMS and extensions.
- Monitor your website and keep up with its log activity.
- Install a firewall on the device you use to access your website.
- Have long, unique, and complex passwords.
- Remove unnecessary plugins and extensions from your website.
- Use 2FA whenever possible.
- Install a Website Application Firewall.
Hardening a Website can be Difficult
The main issue with hardening is that not everyone is technical enough to follow or understand the guidance that this process entails.
One of the challenges is to keep up with the newest vulnerabilities. Another challenge is time sensitivity.
How do you apply the hardening in time to avoid becoming vulnerable and exploited?
Make Virtual Hardening Easier for You
Sucuri offers a Website Application Firewall that hardens your website by default. Every site under the Sucuri Firewall is already hardened without any work. With virtual hardening, the Sucuri team is able to apply vulnerability-agnostic patches to any website.
Once you activate the firewall, you won’t need to worry as much about maintaining security plugins and configurations. It will save you time, money, and give you peace of mind to focus on your business.