Website Security Strategy
Alongside data protection and GDPR compliance, website security is paramount to protect your website, brand and organisation’s reputation.
High-profile incidents only reinforce the importance of security: in March 2020 Boots was forced to suspend loyalty card payments following an attempted cyber attack that used stolen passwords to try to compromise customers' accounts.
Before traffic reaches the web server hosting your site or application, it can pass through a Content Delivery Network such as Cloudflare or StackPath, which offers security and performance optimisation including features such as these:
- Centralised WAF intelligence cluster - analyses traffic data and applies that learning, together with other threat intelligence, to decide whether to block or allow new traffic.
- Device fingerprinting - distinguishes individual devices, not just individual IP addresses, giving a clearer view of suspicious traffic and reducing both false positives and missed detections in cases such as a malicious device rotating through IPs or a legitimate device sharing a "bad" IP.
- Automatically updated policies - address the Open Web Application Security Project (OWASP) Top 10, Cross-Site Request Forgery (CSRF) and automated bot traffic.
- Anti-automation suite / bot traffic protection - stops malicious activity by automated tools and bots, such as inventory lockups, scraping and price stealing, by identifying common traffic anomalies, automated clients, domain-specific traffic anomalies and headless browsers.
- DDoS attack mitigation - overlapping layers of threshold rules (domain, burst, sub-second) recognise application-layer DDoS attacks and activate protection for individual or clustered resources, while machine-learned models of normal traffic let legitimate traffic through even while an attack is being mitigated.
- Data and analytics - built-in monitoring and reports give real-time visibility of WAF activity, with full details of every security event.
Whether the host is Rackspace, Amazon Web Services, Cloudways, Nimbus or another partner, I suggest choosing a 'managed service': the partner runs the infrastructure, including hardware and updates, provides its own layer of network security including DDoS prevention, and offers an IT support service. A managed host typically provides:
- Network-level traffic analysis - examines every incoming packet, at rates of tens of millions of packets per second, for patterns of malicious activity.
- Multi-layered protection - anomaly detection, packet monitoring and filtering help ensure that only legitimate traffic reaches your network.
- DDoS prevention - mitigation of DDoS attacks of up to 40Gbps.
Our hosts also help ensure we run the latest versions of the LAMP stack hosting environment:
- Linux - https://en.wikipedia.org/wiki/Ubuntu#Releases
- Apache - https://en.wikipedia.org/wiki/Apache_HTTP_Server#Versions
- MySQL - https://en.wikipedia.org/wiki/MySQL#Release_history
- PHP - https://en.wikipedia.org/wiki/PHP#Release_history
When traffic arrives at the server it first passes through the Plesk ModSecurity firewall, which checks every request to the web server, and the server's responses, against its rule set. We use one of these rule sets:
- Atomic ModSecurity rules - include important security features and bug fixes, released monthly.
- Comodo rules - a rules-based traffic control system that blocks newly emerging hacking techniques using a frequently updated rules database.
In addition, we do the following to harden the server further:
- Keep Plesk up to date
- Enforce a strong password policy
- Filter all unused ports
- Only use SFTP
- Limit administrative access
- Plus other techniques here
Web Application Firewall
On all websites we use a security plugin (Wordfence) which typically provides these features and many more:
- Threat Defense Feed - arms the Wordfence plugin with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Wordfence protects over 4 million WordPress websites, giving it unmatched visibility into how hackers compromise sites, where attacks originate and the malicious code they leave behind.
- Leaked password protection - uses version 2 of Troy Hunt's Pwned Passwords API, a list of hundreds of millions of passwords exposed across hundreds of data breaches, to block logins by administrators who use a known compromised password. Any administrator whose password has previously appeared in a breach must reset it before they can log in, and the list is kept current as new breaches occur.
- 2FA (two-factor authentication) - the most effective way to stop brute-force attacks permanently. It adds a second layer of security to your users' accounts: as well as their password, they must enter a second piece of information that only they have access to. An account protected by 2FA is virtually impossible to compromise with the password alone; even if an attacker somehow discovers your username and password, they still cannot log in.
- Geographic protection - Wordfence country blocking is designed to stop an attack, prevent content theft or end malicious activity originating from a geographic region. Blocking countries that regularly generate failed logins or large numbers of "page not found" errors, or that are clearly engaged in malicious activity, is an effective way to protect your site during an attack.
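The leaked-password check above relies on the k-anonymity design of the Pwned Passwords v2 range API: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally, so the service never learns the full hash. The following is an added example written for this page, not Wordfence's code. It assumes the documented range endpoint (https://api.pwnedpasswords.com/range/<prefix>) and uses a constructed, embedded sample response so it runs offline; the hit counts in the sample are made up, only the hash of the string "password" is real.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed sample of what GET https://api.pwnedpasswords.com/range/5BAA6
# returns: one "<35-hex-char suffix>:<count>" line per password whose SHA-1
# starts with 5BAA6. The counts are made up for this example; the middle
# line's suffix is the real SHA-1 suffix of the string "password".
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
    ),
}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates CRLF and blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password has been seen in breach data (0 = not found).

    Only the hash prefix leaves this process; the suffix comparison is local,
    so the service never learns which password (or full hash) was checked.
    Padding entries (count 0, returned when Add-Padding is requested) map to 0.
    """
    prefix, suffix = split_hash(sha1_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def admin_login_allowed(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy from the page: an admin password seen in any breach is rejected."""
    return breach_count(password, fetch_range) == 0


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP call, backed by the constructed sample above."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


def live_fetch_range(prefix: str) -> str:
    """Real call to the v2 range endpoint (needs network); not used by the offline run."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "added-example-pwned-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "zq8!Lk-not-in-sample-set"):
        hits = breach_count(pw, sample_fetch_range)
        verdict = "allowed" if admin_login_allowed(pw, sample_fetch_range) else "blocked"
        print(f"{pw!r}: seen {hits} times -> {verdict}")
```

Swap `sample_fetch_range` for `live_fetch_range` to query the real service; the `Add-Padding` header asks the API to pad the response with zero-count entries so the response size does not leak which prefix was requested.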
Always follow best practice for hardening the CMS, for example:
- Disable directory browsing
- Remove the default 'admin' user account
- Change the default database table prefix
- Only use plugins, extensions and libraries that are well supported and widely used
- Turn off XML-RPC - https://xmlrpc.eritreo.it/
- Block direct access to scripts using .htaccess
- Prevent PHP execution in the uploads directory
- Explicitly deny access to config files
- Add the latest HTTP security headers
- Disable file editing in the CMS
- Update the security keys (salts) in the core CMS application
- Hide the CMS version
- Move database connection scripts outside the default directory
- Use robust folder permissions
- Enforce strong password policies and encourage the use of 2FA
- Keep the CMS and plugins up to date
- Limit the number of admin users
- Lock CMS admin access to a static IP where feasible
- Disable blog commenting (optional)
- Install an SSL/TLS certificate
- Use HTTP basic auth to lock down the admin area
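Several of the items above (directory browsing, XML-RPC, config files, PHP in uploads, include-only scripts, security headers, server version, basic auth and the static-IP lock) can be enforced in one Apache configuration. The fragment below is an added example written for this page, not the page's or any vendor's configuration. It assumes Apache 2.4 with mod_headers, mod_rewrite, mod_authz_core and mod_auth_basic enabled, a WordPress site under an assumed Plesk-style document root /var/www/vhosts/example.com/httpdocs, an htpasswd file at /var/www/vhosts/example.com/.htpasswd, and 203.0.113.10 as a placeholder for the office's static IP; TLS directives are left out on the assumption that the certificate is installed through Plesk.

```apache
# Added example; assumptions are listed in the text above this block.

# Hide the web server version in headers and on error pages. (Removing the
# CMS's own generator tag is a WordPress-side setting and is not shown here.)
ServerTokens Prod
ServerSignature Off

<VirtualHost *:443>
    ServerName example.com
    DocumentRoot /var/www/vhosts/example.com/httpdocs

    # HTTP security headers; tune the CSP to what the theme actually loads.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'"
    # PHP advertises itself in this header; drop it.
    Header unset X-Powered-By

    <Directory "/var/www/vhosts/example.com/httpdocs">
        # Disable directory browsing
        Options -Indexes +FollowSymLinks
        Require all granted

        # Turn off XML-RPC
        <Files "xmlrpc.php">
            Require all denied
        </Files>

        # Explicitly deny config files, dotfiles and common backup/dump files
        <FilesMatch "^(wp-config\.php|\..*|.*\.(bak|sql|log|env|orig|swp))$">
            Require all denied
        </FilesMatch>

        # Block direct requests to include-only scripts
        RewriteEngine On
        RewriteBase /
        RewriteRule ^wp-admin/includes/ - [F,L]
        RewriteRule !^wp-includes/ - [S=3]
        RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
        RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </Directory>

    # Prevent PHP execution in the uploads directory
    <Directory "/var/www/vhosts/example.com/httpdocs/wp-content/uploads">
        <FilesMatch "\.(php|phtml|php[0-9]+|phar)$">
            Require all denied
        </FilesMatch>
    </Directory>

    # Lock the login page and admin area behind basic auth AND the static IP
    # (placeholder 203.0.113.10). admin-ajax.php is excluded via a negative
    # lookahead because front-end features rely on it.
    <LocationMatch "^/(wp-login\.php|wp-admin/(?!admin-ajax\.php))">
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /var/www/vhosts/example.com/.htpasswd
        <RequireAll>
            Require valid-user
            Require ip 203.0.113.10
        </RequireAll>
    </LocationMatch>
</VirtualHost>
```

The same `<Files>`, `<FilesMatch>` and `RewriteRule` directives can live in a `.htaccess` file instead where `AllowOverride` permits it; placing them in the virtual host keeps them out of a web-writable directory. After changing the configuration, run `apachectl configtest` and confirm with a browser that the front end, `admin-ajax.php` and legitimate uploads still work while a request for a `.php` file under `wp-content/uploads` returns 403.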
Speed of response is essential to maintaining strong security, and these tools keep us informed in real time:
- ManageWP - identifies WordPress core and plugin updates
- Wordfence - sends our tech team Slack alerts
- Uptime Robot - 24/7 monitoring alerts us to issues so we can respond quickly.
ICO / GDPR / Data protection
- Data processor agreement
- All data stored in UK
- Automated scripts to remove customer data after X days