Christian Scott's digital marketing blog

Website Security Strategy

Written by Christian | Aug 4, 2023 5:33:32 AM

In today's digital landscape, ensuring robust website security is not just a best practice—it's a necessity. As data protection and GDPR compliance take centre stage, safeguarding your website, brand, and organisation's reputation from cyber threats becomes paramount. The rising frequency of high-profile data breaches, such as the 2020 attack on Boots that compromised customer accounts, underscores the critical importance of comprehensive security measures.

This guide, created whilst working on behalf of a digital marketing agency, delves into the various layers of website security—from cloud firewalls and network security to server protection and CMS hardening. Whether you're preventing DDoS attacks, blocking bot traffic, or implementing two-factor authentication, each strategy plays a vital role in protecting your digital assets. Additionally, continuous monitoring and compliance with data protection regulations ensure that your website remains secure and resilient in an ever-evolving threat landscape.

Cloud Firewall

Before traffic arrives at the web server hosting your site or application, it can pass through a content delivery network such as Cloudflare or Stackpath, which adds security and performance optimisation. Typical features include the following, and much more:

  • Centralized WAF Intelligence Cluster analyses traffic data and applies that learning and other threat intelligence to determine whether to block or allow new traffic.
  • Fingerprinting technology distinguishes individual devices, not just individual IP addresses, to take a closer look at suspicious traffic and reduce false and missed positives in situations such as bad devices using different IPs or good devices using “bad” IPs.
  • Automatically updated policies address vulnerabilities related to the Open Web Application Security Project (OWASP) Top 10, Cross-Site Request Forgery (CSRF) attacks, and automation and bot abuse.
  • Anti-Automation Suite / Bot Traffic Protection stops malicious activities—like inventory lockups, scraping and price stealing—from automated tools and bots, identifying and covering tactics and threats including common traffic anomalies, automated clients, domain-specific traffic anomalies, and headless browsers.
  • DDoS Attack Mitigation - Overlapping layers of threshold rules (domain, burst, sub-second) recognize application layer DDoS attacks and activate the protection of individual or clustered resources, while machine-learned models of normal traffic allow good traffic through even while DDoS attacks are being mitigated.
  • Data & Analytics - Built-in monitoring and reports provide real-time visibility of WAF activity, with all the details of any security event available.

Network Security

Whether you use Rackspace, Amazon Web Services, Cloudways, Nimbus or another hosting partner, I suggest choosing a ‘managed service’. This means the infrastructure is managed by your partner, who maintains the hardware including updates, provides their own level of network security including DDoS prevention, and provides an IT support service.

  • Network-Level Traffic Analysis - capable of handling tens of millions of packets per second, this examines all incoming packets for patterns of malicious activity.
  • Multi-Layered Protection - Multi-layered anomaly detection, packet monitoring and filtering help to ensure that only legitimate traffic makes it through to your network.
  • DDoS prevention - mitigate against DDoS attacks up to 40Gbps.

Our hosts also help to ensure we use the latest versions of the LAMP-stack hosting environment.

Server Firewall

When traffic arrives at your server it should first pass through the ModSecurity firewall (or similar, if you use Plesk or another GUI). This checks all requests to your web server, and the related responses from the server, against its set of rules. We can use either of these rulesets:

  • Atomic ModSecurity rules contain important security features and bug fixes released on a monthly basis.
  • Comodo rules - a rules-based traffic control system that blocks newly emerging hacking techniques through a frequently updated rules database.

Plus the following should be actioned to enhance security further on the server:

  • Keep server software up to date
  • Enforce a strong password policy
  • Filter all unused ports
  • Only use SFTP
  • Limit administrative access
  • Plus other techniques here

Web Application Firewall

On all websites we use a security plugin which typically provides these features and many more:

  • Threat Defense Feed - Arms the Wordfence plugin with the newest firewall rules, malware signatures, and malicious IP addresses it needs to keep your website safe. Wordfence protects over 4 million WordPress websites, giving unmatched access to information about how hackers compromise sites, where attacks originate from and the malicious code they leave behind.
  • Leaked Password Protection - Uses version 2 of Troy Hunt’s Pwned Passwords API, a list of hundreds of millions of passwords compromised across hundreds of data breaches. The feature lets you block logins for administrators that use a known compromised password: any administrator using a password previously seen in a breach will need to reset their password to log in. The list is kept up to date with the latest breaches as they occur.
  • 2FA (Two-Factor Authentication) is the most effective way to stop brute force attacks permanently. It adds a second layer of security to your users’ accounts. It requires them to not only enter their password, but also a second piece of information only they have access to. An account protected by 2FA is virtually impossible to compromise. Even if an attacker discovers your username and password somehow, they still can’t log in.
  • Geographic protection - Wordfence country blocking is designed to stop an attack, prevent content theft or end malicious activity that originates from a geographic region. Blocking countries that regularly generate failed logins or large numbers of page-not-found errors, or that are clearly engaging in malicious activity, is an effective way to protect your site during an attack.
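An added example, not Wordfence’s code, showing how the Pwned Passwords v2 range lookup behind Leaked Password Protection works in plain PHP: only the first five characters of the password’s SHA-1 leave your server, and the suffix is matched locally. The canned range at the bottom is constructed so the check runs offline; the function names are my own.

```php
<?php
// k-anonymity lookup against the Pwned Passwords v2 range API (added example).
const PWNED_RANGE_URL = 'https://api.pwnedpasswords.com/range/';

/** Split the uppercase SHA-1 of $password into [5-char prefix, 35-char suffix]. */
function pwned_split_hash(string $password): array
{
    $sha1 = strtoupper(sha1($password));
    return [substr($sha1, 0, 5), substr($sha1, 5)];
}

/** Parse a range body ("SUFFIX:COUNT" per line); return the count for $suffix, 0 if absent. */
function pwned_count_in_range(string $suffix, string $rangeBody): int
{
    foreach (preg_split('/\R/', trim($rangeBody)) as $line) {
        [$candidate, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        if (hash_equals($suffix, strtoupper($candidate))) {
            return (int) $count; // padding entries carry a count of 0
        }
    }
    return 0;
}

/** Fetch one range from the live API; Add-Padding hides the true range size from observers. */
function pwned_fetch_range(string $prefix): string
{
    $ctx  = stream_context_create(['http' => ['header' => "Add-Padding: true\r\nUser-Agent: pwned-check-example\r\n"]]);
    $body = file_get_contents(PWNED_RANGE_URL . $prefix, false, $ctx);
    if ($body === false) {
        // The caller decides whether a lookup failure blocks or allows the login.
        throw new RuntimeException('Pwned Passwords range lookup failed');
    }
    return $body;
}

/** True when the password appears in any known breach. $fetch lets callers inject a canned range. */
function password_is_pwned(string $password, ?callable $fetch = null): bool
{
    [$prefix, $suffix] = pwned_split_hash($password);
    $body = ($fetch ?? 'pwned_fetch_range')($prefix);
    return pwned_count_in_range($suffix, $body) > 0;
}

// Constructed sample range for prefix 5BAA6 (the SHA-1 prefix of "password");
// the counts are made up and the second line mimics a zero-count padding entry.
$cannedRange = "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123\n0018A45C4D1DEF81644B54AB7F969B88D65:0\n";
$blocked = password_is_pwned('password', fn (string $prefix): string => $cannedRange);
```

In a login flow the result feeds a policy decision (force a reset for admin accounts), and the live fetcher should be given a short timeout so the API cannot stall logins.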

CMS security

Always follow best practices for hardening the CMS, including for example:

During build

  • Disable directory browsing
  • Remove the default ‘admin’ user account
  • Change the default database table prefix
  • Only use plugins, extensions and libraries that are well supported and widely used
  • Turn off XML-RPC - https://xmlrpc.eritreo.it/
  • Block access to scripts using .htaccess
  • Prevent PHP execution in the uploads directory
  • Explicitly deny access to config files
  • Add the latest HTTP security headers
  • Disable file editing in the CMS
  • Update the security keys (salts) in the core CMS configuration
  • Hide the CMS version
  • Move the database connection script outside of the default directory
  • Use restrictive folder permissions.
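A WordPress must-use plugin, added here as an example rather than the agency’s own code, that implements several of the build-time items above: disable file editing, turn off XML-RPC, hide the CMS version, and add HTTP security headers. Directory browsing, PHP execution in uploads, config-file access, the table prefix and the salts live in .htaccess and wp-config.php instead. Every hook and function used is WordPress core.

```php
<?php
/**
 * Plugin Name: Build hardening (added example)
 * Place in wp-content/mu-plugins/ so it loads before all other plugins.
 */
defined('ABSPATH') || exit;

// Disable the theme and plugin file editors in the dashboard.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Turn off XML-RPC: refuse authenticated calls, drop the pingback methods
// (which need no login), and stop advertising the endpoint via X-Pingback.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// Hide the CMS version from the HTML head, feeds and asset query strings.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
$strip_version = function (string $src): string {
    return remove_query_arg('ver', $src);
};
add_filter('style_loader_src', $strip_version);
add_filter('script_loader_src', $strip_version);

// Add HTTP security headers to front-end responses.
add_action('send_headers', function (): void {
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: SAMEORIGIN');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
    if (is_ssl()) {
        // Only send HSTS once the whole site is served over HTTPS.
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }
});
```

Verify the result by fetching the home page with curl -I and checking that the headers appear and X-Pingback does not, and by confirming that xmlrpc.php rejects login methods.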

Post build

  • Enforce strong password policies and encourage the use of 2FA
  • Keep the CMS and plugins up to date
  • Limit the number of admin users
  • Lock CMS admin access to a static IP where feasible
  • Disable blog commenting (optional)
  • Install an SSL certificate
  • Use HTTP basic auth to lock down the admin area.

Monitoring

To maintain the strongest security, speed is of the essence; these tools help keep us informed in real time:

  • ManageWP is used to identify WordPress core and plugin updates
  • Wordfence sends our tech team Slack alerts
  • Uptime Robot 24/7 monitoring alerts us to issues so we can respond quickly.

Compliance

  • ICO / GDPR / Data protection
    • Data processor agreement
    • All data stored in UK
    • Automated scripts to remove customer data after X days
  • Accessibility.