Hacker-Proof Your WebsiteEssential Security for Your Website [updated 3-5-22]
Website Security – Hacker-Proof Your Website
How to Hacker-Proof your website and protect your online business.
Website security can never be guaranteed, even when employing best practices, but you can guarantee that your website and your online business won’t be an easy target. Given enough time and resources, a sophisticated hacker is likely to penetrate any security barriers available to the average business.
This does not mean, however, that we should not attempt to raise our security level substantially above average. The good news is that it’s not that hard or expensive. And just like the locked vs unlocked door, if we raise the cost, in terms of time, effort and resources for the attacker, the odds are they will look for an easier target, given there are so many of them available.
Rather than take a haphazard piecemeal approach of reactionary security after the fact, we can implement a top-down approach (actually an outside-in approach) and build a security chain around your website. One weak link in the chain and all your other efforts could be compromised. Note that this is an overview of a possible security chain not necessarily in the order that you would acquire the assets.
For example, you will need to purchase your domain name before you can configure your reverse proxy service. The key is understanding that strong security requires a layered approach. Typically the more layers, the stronger the security. Let’s get started …
The best strategy for securing your WordPress website is to implement a layered security approach starting with your domain name.
Domain Name System Security Extensions (DNSSEC)
Domain Security (TLS/SSL) HTTP Strict Transport Security (HSTS)
Use a reverse proxy to filter all traffic to your server
Use a Web application firewall (WAF)
Implement secure access to lockdown login
ModSecurity web application firewall (WAF) for Apache web server
Secure hosting – avoid shared hosting if possible
Avoid hosting your email and web on the same server
Use SSL/TLS for email and unique passwords for each account
Limit access and permissions
Install each domain AND sub-domain in it’s own cPanel (so if one is compromised, others aren’t affected)
Use unique complex passwords for each account
Keep WHM/cPanel updated to latest stable release
Avoid ftp and use either cPanel File Manager or Secure FTP (SFTP) plus secure your email
Keep WordPress updated to the latest release version
Limit plugins and themes, less is more in terms of security
Keep all plugins and themes updated to the latest release version
Whenever possible, opt for premium plugins and themes that are regularly updated and supported
If a plugin is no longer used, don’t just deactivate, delete it
Install a reputable WordPress security plugin
BACKUP – schedule regular automated backups. Keep at least one copy on server and one copy off server
Layer your security to better protect your website.
Protect Your Domain Name
DNS (domain name system) is the traffic directory for the internet. Every device connected to the open internet requires an IP address. The human versions of these addresses are domain names but the computer version is an IP address consisting of a number of digits. DNS translates those names to the associated IP address.
The process involving the browser request to “look up” the address of the intended domain can be susceptible to spoofing where the communication is intercepted and possibly redirected or the credentials of the domain name holder are captured. To help protect against this, a set of security extensions (Domain Name System Security Extensions, aka DNSSEC) were adopted to verify the validity of these two-way communications. You can read more about the details here and here.
Not all Domain registrars have implemented DNSSEC but the list is growing. Just know that to implement DNSSEC requires the creation of a special DS domain record. Some registrars allow you to create this record yourself while others require that you submit a support request and they take care of the record creation for you. ICANN maintains a list of registrars that allow users to create their own DS records. If your domain registrar is not listed, contact them to see if they can create the record for you (recommended if you’re not familiar with managing your own DNS records).
I use and recommend CloudFlare (free and paid versions) which provides support for DNSSEC and once you log in and enable DNSSEC, you’ll provide your DS record to your domain name registrar.
Check with your WAF provider for DNSSEC availability. Once done, you can verify DNSSEC is active by visiting http://dnsviz.net/. Just enter your domain name and click Go. Here’s another verification service – http://dnssec-analyzer.verisignlabs.com/. Input your domain name and press Enter.
Takeaway: DNSSEC provides a valuable additional layer of domain verification and identity protection, an essential part of your website security.
Protect server communications
Domain Security (TLS/SSL)
Per Wikipedia “Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as ‘SSL’, are cryptographic protocols designed to provide communications security over a computer network.” You can and should implement TLS/SSL for your website.
In order to implement SSL for your website, you have a couple of choices. If you are using Cloudflare, you can take advantage of CloudFlare’s free Universal SSL even if you don’t have a digital certificate (aka SSL certificate) for your server. Their free SSL service is called Flexible SSL and will allow communications to and from your web browser to be encrypted without a certificate installed.
IMPORTANT to note that the Cloudflare Flexible SSL will NOT encrypt communication between the Cloudflare servers and your server but only between a public side browser and the Cloudflare proxy server.
To encrypt the entire channel from the web browser to your server, you will need to install an SSL certificate on your server. I highly recommend that you do this as it’s not that difficult or expensive. Many web hosting services will install the certificate for you for free or at a minimal charge.
This will allow you to take advantage of full SSL from Cloudflare as well as another complimentary security option known as HTTP Strict Transport Security (HSTS). If you’re not tech-challenged, here’s how to install your SSL certificate yourself via WHM on your server, it’s not really that difficult.
Log into WHM then:
Step 1: Generate an SSL Certificate and Signing Request; fill out the required information and click Create
Step 2: Submit your Signing Request to your Certificate provider Sep 3: Install your SSL Certificate in WHM
Once your certificate is installed on your server, log into Cloudflare and click on the Crypto icon, then set your desired options:
Takeaway: SSL/TLS provides a solid foundation for your website security. It is a requirement for any serious online business. Not only will your business be safer but your business will be seen as more trustworthy by your clients and prospects. Also, Google has publicly stated that it will start favoring sites that are fully SSL secure (HTTPS) in its search engine results. The sooner you go all HTTPS the better.
HTTP Strict Transport Security (HSTS)
- User bookmarks or manually types http://example.com and is subject to a man-in-the-middle attacker
- HSTS automatically redirects HTTP requests to HTTPS for the target domain
- Web application that is intended to be purely HTTPS inadvertently contains HTTP links or serves content over HTTP
- HSTS automatically redirects HTTP requests to HTTPS for the target domain
- A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate
- HSTS does not allow a user to override the invalid certificate message
HSTS can be bypassed if the first HTTPS request is downgraded. To prevent this, you can “OPTIONALLY” add your domain to a hardcoded browser “preload” list. The preload list for Chrome is located here. This list is also included by Firefox, Safari, IE 11, and Edge.
IMPORTANT: To add your domain to the preload list, you must include all sub-domains in your HSTS header which means they will also need to be secured with SSL. If at any point, you allow an SSL certificate to expire, BE AWARE THAT USERS WILL BE LOCKED OUT OF THE DOMAIN, and getting a domain or sub-domain OFF the preload list is NOT guaranteed.
- If you turn on HSTS and do not have HTTPS for your website, browsers will not accept the HSTS setting.
- If you have HSTS enabled and leave CloudFlare, you must continue to support HTTPS through a new service provider otherwise your site will become inaccessible to visitors until you support HTTPS again.
- If you turn off CloudFlare’s HTTPS while HSTS is enabled, and you don’t have a valid SSL certificate on your origin server, your website will become inaccessible to visitors.
Takeaway: Enhance your website security by enabling HSTS to ensure that all access to your website is encrypted via SSL/TLS.
Protect Your Website
SaaS Reverse Proxy WAF(web application firewall)
A reverse proxy – WAF can mitigate threats before they ever reach your server. Two of the better-known SaaS (software as a service) security and performance solutions are CloudFlare and Incapsula. There are many others, e.g. Amazon AWS WAF, TrustWave, Sucuri, etc.
Cloudflare, due to the aggressive marketing of its free version, has one of the largest installed communities. However, independent reviews have shown Incapsula to be better on the security side of things while CloudFlare offers strong performance benefits.
Both offer Free versions (Incapsula free is for “personal” blogs only) to get started which will provide some security filtering. If security is your priority, you’ll need to move up to the paid versions, which include advanced protection including threats from the dreaded DDOS (distributed denial of service), where hundreds or even thousands of computers can be triggered to send thousands of requests to your server in an attempt to overwhelm it’s resources, effectively putting it out of commission.
For this article, I’ll focus on Cloudflare as that’s the one I currently use.
CDN bonus: These services not only filter out a good amount of the bad stuff but unless they are security-focused only, they can also offer dramatic performance improvements as well. They store copies of your web pages and distribute those copies around the globe, then serve them up to your visitors from their data center closest to the visitor. This greatly reduces the bandwidth and resources needed by your server.
For most smaller businesses on a tight budget, the free versions are a great place to start IF they are combined with additional layers of security. Achieving a balance between security and performance requires testing as every business environment is unique.
Although SSL will consume more CPU resources, a proxy caching CDN can help ensure that your site still loads fast, as seen below. You can test your SSL implementation here: https://www.ssllabs.com/ssltest/ and then test your site performance here:
Takeaway: Every business, regardless of size, can benefit from a SaaS Reverse Proxy WAF. A well-tuned SaaS WAF/CDN can not only increase your website security but improve your website performance as well. Given that you can start for free, there’s no excuse not to get started.
Protect your server
ModSecurity is an Apache server module that provides website protection from hackers and other malicious attacks. While a SaaS WAF provides perimeter-based security for your website, you can and should add another layer of security on your web server using the free Apache module ModSecurity (WAF).
VPS or dedicated server: If you have a VPS or dedicated server, you will have the ability to create an even more secure environment. Assuming you’re using a Linux web server, the vast majority of websites, you can take advantage of the ModSecurity module for the Apache webserver.
Unless you’re familiar with managing your own server and security, I strongly recommend that you let your web host implement and manage security for your server, especially your server firewall. Confirm with your host that the ModSecurity module is installed and actively protecting your website(s).
Shared Hosting: On standard shared hosting, you will have less direct control over your security. Because you share server space with others, you will not have direct access to ModSecurity and limited access to other security features. In this case, your web host will implement security for the server and lock down certain options. Nevertheless, there are some simple security precautions that you can and definitely should implement.
If you have more than one domain, make sure that each is configured with its own control panel. This ensures that each domain will have its own master username and password. So if one domain should become compromised it won’t affect the other.
Note that you should never use the same username and/or password for multiple accounts. Doing so puts them all at risk.
Even on shared accounts, you can take advantage of encryption by using an SSL certificate.
Takeaway: Make sure your server has a properly configured firewall. For a dedicated or VPS hosting account, enable the ModSecurity module for enhanced Apache website security.
WHM/cPanel access security
Solid website security includes limiting administration, especially remote administration to secure access When accessing WHM or cPanel always use SSL to encrypt your data stream.
Also, limit access by anyone else unless necessary. If you contract a third party to work on your website, only give them permission and access to the areas they need. Create a dedicated account for them to use with a complex password. When they are finished, delete their account and have your web host run a complete scan of your server.
When adding accounts in WHM, whether for yourself or your clients, always put each domain and/or sub-domain in its own cPanel. Make sure to use a unique password for each cPanel. Should one of these become compromised, the threat will be contained to that cPanel. Use complex passwords, longer is better (>13 characters). If you use a password manager, this simplifies creating and managing (no need to remember) all your passwords.
Activate the CPHulk brute force protection security service to prevent brute force login attempts to your server. This will monitor and protect the following:
- cPanel services (Port 2083)
- WHM services (Port 2087)
- Mail services (Dovecot® and Exim)
- The PureFTPd service
- Secure Shell (SSH) access
Protect remote file access and email
Remote file access management and email security
Remote file access: Avoid using standard FTP (username and password transmitted in plain text) and instead use Secure FTP (SFTP) to encrypt your communication. Implement two-factor communication whenever and wherever possible. Remote administration should be via SSL only.
Email security: For your domain emails, implement secure email. Assuming you’ve already installed and configured SSL for your website, it’s simply a matter of configuring your email client(s) to use SSL/TLS.
For outbound SMTP, this is usually port 465. For inbound pop, this is usually port 995. Check with your web host to ensure the correct ports are available.
For mail campaigns, your newsletter, or autoresponder series, use a mailing service, e.g. Aweber, GetResponse, or MailChimp. If you plan on taking advantage of email marketing automation, consider ActiveCampaign with its powerful visual editor. Using these services will keep your server IP for internal communication and ensure a better chance that your emails don’t end up in the receiver’s spam folder.
Lastly, make sure that any computers accessing your website backend, WHM, or cPanel have up-to-date anti-virus and anti-malware protection. When implementing your website security, there’s no point in securing the front door if you leave the back door wide open.
The number one thing you can do to increase your WordPress security is to keep WordPress up to date. Most WordPress updates include security updates to fix potential security vulnerabilities. Test major WordPress updates for compatibility before deploying to your production website.
There are s security plugins available for WordPress. I used to use BulletProof Security, as it forms its core security via the .htaccess file which controls access permissions for files and folders as well as other security configuration settings. Even if BPS is deactivated, your .htaccess file will continue to function. However, a large .htaccess file will affect your website performance due to it being executed for every page load. So, I’ve since switched to WordFence. Other popular security plugins are iThemes Security and Sucuri Security, All In One WP Security & Firewall, and many others. Pick one with good ratings/reviews that you’re comfortable with but realize that any of these security plugins are potentially the weakest link in the chain. Some of them will be rendered ineffective or severely degraded should the plugin become deactivated for any reason. Their security is also close proximity, on server protection and these plugins will NOT prevent DDoS (distributed denial of service attacks). What you want to strive for is security that begins off your server, at the perimeter. If the threat can’t even get to your server, then you won’t have to rely only on close proximity security. It’s also important to note that with each additional plugin that you add to your WordPress installation, you open up another possible avenue for exploits. Many free plugins are coded with features and functions taking priority and security is often an afterthought.
Just like plugins, not all themes are created with security in mind. Many free themes in particular also lack adequate support and are not kept up to date. Stick with premium themes that are well coded, regularly updated, and well supported. Anything less is just not worth the risk for your business.
Unless you have a well-trained team available to handle your online technology, including your website security, it’s best to stick with a fully managed hosting account solution. I would not entertain any hosting service that does not provide phone support 24/7/365. However, the length of the wait time, as well as the knowledge of the support personnel are just as important. Response times should ideally be less than 15 minutes. Chat is a nice addition for minor issues but in my experience, chat support does not provide focused support for YOUR problem. How many chat sessions is the support person handling? This doesn’t mean that every issue can be solved during the phone conversation but in a one-to-one phone conversation, your chances of miscommunication are minimized. A dedicated server, VPS (virtual server), or cloud server will always provide a better “opportunity” to configure a secure environment. Although a VPS or cloud hosting may still technically be a shared environment (more than one account sharing the same server resources) they offer a more isolated environment and fewer chances to be impacted by bad neighbors. And since you’ll have more control over your server, you can tune your server resources and security to your demands. If you absolutely can’t afford a VPS and must use standard shared hosting, it’s critical that you use a SaSS firewall and reverse proxy caching service. You can get started with CloudFlare for free so there’s no reason to suffer worse performance and security from your shared hosting. A SaSS proxy caching firewall will reduce the need to access your server directly, provide added security by filtering out malicious exploits, reduce the amount of bandwidth your shared account uses and dramatically improve your website performance.
Scheduling regular backups should be a mandatory part of any good website security plan. And while there are many popular WordPress plugins (Backup Buddy, UpDraft Plus, etc.) available, WHM has a good built-in backup option that will not only allow you to schedule your backups but you can also store them offsite via Amazon S3. Here’s what that looks like: and note the following storage options: Whether using WHM or a plugin, make sure you have regularly scheduled backups as part of your website security plan, just in case. Takeaway: For WordPress, it’s essential to keep the core WordPress installation up to date. The best practice is to use a good security plugin but only as an additional layer of website security not as your sole security solution. Limit the number of plugins and themes and if possible, choose premium plugins and themes that provide ongoing support and are updated regularly. Get the best hosting you can afford, preferably a VPS, dedicated, or cloud server. Go with a fully managed hosting account from a well-respected web host and you’ll sleep better knowing that it’s being properly managed and secured.
Web Application Firewall (WAF)
Employ a Web Application Firewall to prevent specific attacks aimed at WordPress by blocking them before they reach your server. I recommend Cloudflare’s Pro plan ($20/month). This includes a Web Application Firewall (WAF) that will allow you to easily activate security rulesets, including one for WordPress. There are other benefits to the Pro plan, including Automatic Platform Optimization (not listed on the Cloudflare web page at the time of this post update).
If you implement your website security using a layered approach to form a solid security chain around your website and your online business, you’ll go a long way to making your website hacker-proof. Realize that in the final analysis, it’s your business and it’s up to you to ensure your website security. Hopefully, this article will help you to better understand the technologies involved so you can make the best decisions for your business.