We often get asked a very straightforward question.
How can I improve the security of my website?
On the face of it this is a common requirement. Why would you NOT want to ensure your website has the maximum level of security? You have a duty of care, morally and legally, to protect the site from compromise, whether that means theft of data or the site being used to spread malware. PCI and GDPR are both terms that affect website and user data security.
So let's get started. How can we improve our website security?
Let's make things easier. First, let's assume you are using something simple like WordPress with a shopping cart integration, and that you handle credit card payments. Let's assume the site is 'store.itogether.co.uk', for example.
1. Try to keep WordPress updated. Easier said than done sometimes, but make sure plug-ins are also updated. Keep plug-ins to a minimum: do you really need them all, and do you actually use them all?
2. Pre-harden the server before installation. If using a LAMP server, obtain it from a trusted source and remove anything not needed to provide the basic functionality of the website.
3. Use a WAF (Web Application Firewall) to protect the site. We recommend the Akamai products, but if on a budget, consider Incapsula. Once deployed, a WAF protects against XSS and SQL injection.
4. Host the DNS zone on Akamai FastDNS to provide DDoS protection and security for the DNS records themselves. This is a 'per zone' cost.
5. Firewall off the web server so that it accepts connections only from the WAF provider's addresses. It should not be open to the world; otherwise the WAF can simply be bypassed by connecting to the server directly.
6. Code review your website and any content installed. This can be a task you carry out whenever a major release is added. It is simply a review of the source code from the perspective of security and compromise; it doesn't need to affect the actual site functionality. It is a manual process, but essential.
7. Use regular automated scans and also manual pen-tests of the website. We use Outpost24 for regular daily scanning, but manual pen tests are carried out by an actual human being.
8. Install software on the server to look for malicious and suspicious changes to the web server; we use Tripwire to do this.
9. Monitor the server for availability and compromise. ITogether use a combination of services, including an in-house NOC, SolarWinds Orion, RapidSpike, Uptime, Pingdom, and log event information reporting into a SIEM.
10. Another basic requirement is to ensure you have snapshot backups of the website so that it is possible to roll back changes quickly. It might sound trivial, but quick recovery is vital.
11. SSL: use well-regarded digital certificates (SHA-256, i.e. SHA-2) from Symantec. This gives customers that extra level of confidence. Symantec also perform their own automated vulnerability checks at a low level on the site.
12. User credentials: use two-factor authentication for the web server; Duo is the best we know of. Then remove the local user accounts. Far more secure.
13. Limit login attempts. Restrict to two or three failed attempts to log in to the website from the same IP address.
14. Not really security, more BC (Business Continuity). Create a mirror of your server and site at a second provider. That way, should you ever have a disaster with your primary provider, it is easy to flip to the second. You can apply the same logic to using the secondary provider as a 'dev' environment. The WAF/DNS mentioned above can be used to fail over to the secondary provider should it sense your primary is down.
15. Encrypt the SQL element of the website, so that data at rest is encrypted should the worst happen.
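Items 5 and 13 interact: once the origin only accepts connections from the WAF, every visitor appears to arrive from the WAF's own addresses, so a naive per-IP login limiter would either never trigger or lock everyone out at once. The following is an added example (not ITogether's code, and not part of any product mentioned above) of a per-client failed-login limiter that resolves the real visitor address from the WAF's forwarding header, and trusts that header only when the connection really came from the WAF ranges; the WAF address ranges and the 15-minute window are constructed assumptions.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed placeholder ranges standing in for the WAF provider's published
# egress addresses (assumption; substitute the real list from your provider).
WAF_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("198.51.100.0/24")]
MAX_FAILURES = 3          # item 13: two or three failed attempts
WINDOW_SECONDS = 15 * 60  # assumed lockout window (not stated on the page)


def client_ip(peer_ip, forwarded_for=None):
    # Behind a WAF (item 5) the TCP peer is always the WAF, so the visitor's
    # address arrives in a header such as X-Forwarded-For. Trust that header
    # only when the peer is a WAF address; a request reaching the origin
    # directly could forge it to dodge the limit or lock other users out.
    peer = ipaddress.ip_address(peer_ip)
    if forwarded_for and any(peer in net for net in WAF_RANGES):
        # Header form is "client, proxy1, proxy2"; the first hop is the client.
        return forwarded_for.split(",")[0].strip()
    return peer_ip


class LoginLimiter:
    # Sliding-window count of failed logins per client address.
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # ip -> timestamps of failures

    def _prune(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip, now=None):
        now = time.time() if now is None else now
        self._prune(ip, now)
        return len(self._failures[ip]) >= self.max_failures

    def record_failure(self, ip, now=None):
        now = time.time() if now is None else now
        self._prune(ip, now)
        self._failures[ip].append(now)

    def record_success(self, ip):
        self._failures.pop(ip, None)  # a good login clears the counter
```

In a real deployment the counter would live in shared storage (the database or a cache) rather than process memory, so that all PHP workers and both providers from item 14 see the same failure history.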