Wednesday, 21 March 2018 11:41

What is Virtual Hardening?

Written by

(Source article was taken fromhttps://blog.sucuri.net/2018/03/what-is-virtual-hardening.html)

 

If you want to make your website security more robust, you need to think about hardening. To harden your website means to add different layers of protection to reduce the potential attack surface. Hardening often involves manual measures of adding code or making changes to the configuration. To virtually harden your site involves allowing a Web Application Firewall (WAF) or security plugin to automatically harden your website.

The concept of hardening is part of a defense-in-depth strategy that protects your web server and database from vulnerability exploitation. Similar to other Information Security areas, it is necessary to understand website security in a comprehensive way.

When you add layers of protection to your website, you implement controls that account for:

  • The depth of the defense: adding multiple controls to protect your website.
  • The breadth of the attack surface: covering all potential attack vectors and security domains.

Adding virtual hardening to a website means protecting it on many levels, such as:

  • The application
  • The operating system
  • The web server
  • The database

Website CMS

It is important to emphasize that when it comes to hardening, each environment is unique. For example, if your website is using the WordPress platform, we can give you some tips to harden it, such as:

  • Restrict wp-admin access for only certain whitelisted IP addresses
  • Disable PHP execution inside the uploads directory
  • Disable direct PHP execution inside the whole wp-content directory whenever possible

However, not all WordPress website owners are able to apply these tips for many reasons, such as, not being able to have a whitelist of IPs because your IP is dynamic and so on. It does not mean that you cannot use other methods. In our firewall dashboard, for example, you can add an extra layer of protection by adding an authentication method of your choice. Read our Knowledge Base article to know how it works. Providing hardening tips to all website owners regardless of their CMS can be very difficult.

Web Servers

As we mentioned before, virtual hardening goes beyond the platform environment into your web server, including:

  • Windows IIS
  • Apache
  • NGINX
  • Node.js
  • Lighttpd

Adding security defenses to your server can be very challenging. You will need to know which server you are running on and to research server hardening suggestions. There are also some hybrid environments with varying elements that you might need to be aware of.

Some Examples of Hardening

If you are wondering what you can do to harden your website, here are a few tips:

  • Keep your CMS and extensions updated.
  • Always install security patches to your CMS and extensions.
  • Monitor your website and keep up with its log activity.
  • Install a firewall on the device you use to access your website.
  • Have long, unique, and complex passwords.
  • Remove unnecessary plugins and extensions from your website.
  • Use 2FA whenever possible.
  • Install a Website Application Firewall.

Hardening a Website can be Difficult

The main issue with hardening is that not everyone is technical enough to follow or understand the guidance that this process entails. One of the challenges is to keep up with the newest vulnerabilities. Another challenge is time sensitivity.

 

Read 190 times Last modified on Wednesday, 28 March 2018 12:23