Hi guys, in this post I want to share with you how I secured my website and what I think are the keys to a defense that is very hard to break!^^

1. Multiple layers of defense

Cybersecurity is like an onion: it makes you cry and it has layers. The more layers you have, the stronger your defence is. It really is that simple: if one layer or wall falls, you still have two or three more protecting your critical data.

When you have a freshly set-up website, the first thing to do is install a WAF (Web Application Firewall). There are plenty of good ones on the market, but if you are on a low budget I recommend WordFence (for WordPress sites).

They help you block brute-force attacks and can mitigate many XSS and SQL injection attacks. Keep in mind that a WAF only filters known attack patterns in front of your application; it does not fix the underlying vulnerability, so a patient attacker may still find a payload that slips past its rules. Many WAFs also come with a fail2ban-style function: after x failed authentication attempts from the same IP, that IP is blocked for a period of time.
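To make the fail2ban idea concrete, here is an added example of the lockout logic itself (my own illustration, not WordFence's code or any product's): after max_retry failures from one IP inside a find_time window, that IP is banned for ban_time seconds. The thresholds, the addresses and the timestamps are constructed for the example; a real deployment feeds it the clock and the client IP as the web server sees it.

```python
"""Added example: fail2ban-style login lockout (not WordFence's code).

Assumptions (hypothetical): max_retry failures from one IP within
find_time seconds earn a ban_time-second ban. Timestamps are passed in
explicitly so the behaviour is deterministic and can be tested offline.
"""
from collections import defaultdict, deque


class LoginLimiter:
    """Track failed logins per client IP and ban IPs that fail too often."""

    def __init__(self, max_retry=5, find_time=600, ban_time=3600):
        self.max_retry = max_retry
        self.find_time = find_time           # seconds: observation window
        self.ban_time = ban_time             # seconds: how long a ban lasts
        self._failures = defaultdict(deque)  # ip -> timestamps of failures
        self._banned_until = {}              # ip -> timestamp the ban ends

    def is_banned(self, ip, now):
        """True while a ban is active; an expired ban is forgotten."""
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login. Returns True if the IP is now banned."""
        if self.is_banned(ip, now):
            return True
        window = self._failures[ip]
        window.append(now)
        # Forget failures older than find_time: spread-out failures do not add up.
        while window and now - window[0] > self.find_time:
            window.popleft()
        if len(window) >= self.max_retry:
            self._banned_until[ip] = now + self.ban_time
            window.clear()
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the counter (an active ban still has to expire)."""
        self._failures.pop(ip, None)

    def allow_attempt(self, ip, now):
        """Ask this before checking the password at all."""
        return not self.is_banned(ip, now)


if __name__ == "__main__":
    limiter = LoginLimiter(max_retry=3, find_time=60, ban_time=300)
    attacker = "203.0.113.7"  # constructed example address
    for t in (0, 10, 20):
        print(t, "banned now" if limiter.record_failure(attacker, t) else "counted")
    print("allowed at t=100:", limiter.allow_attempt(attacker, 100))
    print("allowed at t=320:", limiter.allow_attempt(attacker, 320))
```

Two things to watch when you put something like this behind a real site: if your site sits behind a CDN or reverse proxy, take the client IP from the proxy's header only when the request really came from that proxy, otherwise an attacker sets X-Forwarded-For himself and every request looks like a fresh IP; and a per-IP ban does nothing against an attacker spreading attempts over many addresses, which is where MFA (next point) comes in.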

Multi-factor authentication! Very important, the most important layer I think. It gives you access control like no other single measure. Your password can be leaked, you can be part of a data breach, but if you have MFA it buys you time to notice that someone is using your credentials and to change them. It's not a 100% solution: MFA can be bypassed, and attackers use push fatigue and social engineering to get your code out of you. But that's why we are talking about LAYERS of defense: if one falls, you will have another. Where you can, prefer a phishing-resistant method such as a FIDO2/WebAuthn security key or a passkey over SMS or app codes, because then there is no code for you to be tricked into handing over.

If you know something about coding, then I recommend reviewing the code of your website. If it's in PHP, look for the following functions and check whether the data reaching them is properly validated. For the shell functions that means the arguments go through escapeshellarg() or, better, that user input never reaches a shell at all; for eval() there is practically never a good reason to feed it user input; and for include() a user-controlled path lets an attacker include files of their choosing:

  • exec()
  • passthru()
  • system()
  • shell_exec()
  • eval()
  • include()

These are the ones I have most often seen abused during my assessments, but if you want to dig deeper, here is a great GitHub gist listing dangerous PHP functions:

https://gist.github.com/mccabe615/b0907514d34b2de088c4996933ea1720
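Here is an added helper that does the first pass of that review for you (my own illustration, not code from the gist above or from any real SAST tool): a regex scan over PHP source for calls to the functions listed above, flagging the call sites where a superglobal ($_GET, $_POST, ...) appears directly in the argument. The PHP snippet it scans is constructed for the example. Treat it as a triage aid, not proof of safety: it cannot see data that was copied into a variable first, and it cannot tell a properly escaped call from a bare one, so every hit still needs a human eye.

```python
"""Added example: a crude static check for the PHP sinks listed above.

Not a real SAST tool and not the project's code: it works line by line
with a regex, so it misses multi-line calls and indirect data flows, and
it cannot judge whether escaping is adequate. Use it to build the list
of call sites to review by hand.
"""
import re

# The functions from the post. include_once/require/require_once behave like
# include and are worth adding in a real scan.
DANGEROUS_FUNCS = ("exec", "passthru", "system", "shell_exec", "eval", "include")
SUPERGLOBALS = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER", "$_FILES")

# A call such as `exec(` or `include $x` / `include 'f.php'` (include is a
# language construct and may be written without parentheses). The lookbehind
# rejects `$exec`, `myexec(`, `$pdo->exec(` and `Foo::exec(`.
CALL_RE = re.compile(
    r"(?<![\w$>:])(" + "|".join(DANGEROUS_FUNCS) + r")\s*(?:\(|(?=['\"$]))"
)

# Constructed sample, not code from any real site.
SAMPLE_PHP = """<?php
// constructed sample for the scanner
$cmd = $_GET['cmd'];
system($_GET['cmd']);                                        // tainted, direct
$out = shell_exec('ls -l ' . escapeshellarg($_POST['dir']));  // escaped, but still review
include $_REQUEST['page'] . '.php';                          // tainted, direct
$pdo->exec('DELETE FROM sessions');                          // method call, not a shell
exec($cmd);                                                  // indirect taint: not detected
eval('return 1;');
"""


def scan_php(source):
    """Return (line_no, function, tainted, line) for each sink call found.

    `tainted` is True when a superglobal appears directly on the same line
    after the call; False means "review by hand", not "safe".
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.split("//", 1)[0]  # crude: drop trailing // comments
        for match in CALL_RE.finditer(code):
            rest = code[match.end():]
            tainted = any(sg in rest for sg in SUPERGLOBALS)
            findings.append((line_no, match.group(1), tainted, line.strip()))
    return findings


def report(source):
    """Human-readable summary, tainted hits first."""
    lines = []
    for line_no, func, tainted, text in sorted(scan_php(source), key=lambda f: not f[2]):
        flag = "TAINTED" if tainted else "review "
        lines.append(f"{flag} line {line_no:>3} {func:<10} {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_PHP))
```

Note what the sample shows: the shell_exec() line is flagged even though it uses escapeshellarg(), because the scanner cannot judge escaping, and the exec($cmd) line is not marked tainted even though $cmd came straight from $_GET two lines earlier. Both are exactly the cases a manual review has to cover.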

NEVER, I repeat NEVER run a pentest or a vulnerability scanner against your own website's public IP. On shared hosting that IP serves other customers' domains too; if your scan touches anything outside your own domain, you are attacking systems you have no authorization for, and that can hurt you financially and legally. If you want to feel like a hacker, go to THM or HTB and pwn some machines.

The most you can do without worrying about the legal side is to test your own input fields manually for XSS and SQL injection.

2. Narrow down the attack surface

In cybersecurity, less is more. That goes for assets and vulnerabilities; if we are talking about the budget management gave us, then... never mind. So you have your website and some defensive countermeasures in place, awesome. Now we have to analyze which functions we actually need.

NEVER TRUST USER INPUT.

Every input field is a potential attack vector; by eliminating the ones you don't need, you remove the risk of them being exploited. For the ones you have to keep, validate the input strictly on the server side (an allowlist of what you accept, not a blocklist of bad characters) and encode it when you display it.

Look for:

  • Search bars
  • Comment field
  • Contact Forms

For example: instead of a contact form, you can simply link to your social profiles.
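For the fields you decide to keep, here is what "never trust user input" looks like in code, as an added example (my own illustration, not code from any framework or plugin) of strict server-side validation for a contact form: only the expected fields are accepted, each has a length cap, single-line fields reject control characters such as CR/LF, and the email has to match a simple pattern. The form submissions it checks are constructed for the example. Note the last function: validation keeps dangerous-looking text such as <script> if it is otherwise valid; protecting against XSS is the job of output encoding at the moment you render it.

```python
"""Added example: strict server-side validation for a contact form.

Not from any framework or plugin. Allowlist style: every accepted field is
named with its limit; anything else in the request is ignored. Validation
decides what is stored; escape_for_html() decides how it is shown.
"""
import html
import re

# Field -> maximum length. Anything not listed is dropped.
FIELD_LIMITS = {"name": 80, "email": 254, "message": 2000}

# Deliberately simple email pattern: "looks like an address". It is a sanity
# check, not a proof that the mailbox exists.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def validate_contact_form(form):
    """Return (cleaned, errors). cleaned holds only the fields that passed."""
    cleaned, errors = {}, []
    for field, max_len in FIELD_LIMITS.items():
        value = form.get(field)
        if not isinstance(value, str):
            errors.append(f"{field}: missing or not a string")
            continue
        value = value.strip()
        if not value:
            errors.append(f"{field}: empty")
            continue
        if len(value) > max_len:
            errors.append(f"{field}: longer than {max_len} characters")
            continue
        if field == "message":
            value = value.replace("\r\n", "\n")  # browsers send CRLF from textareas
            allowed_control = "\n\t"
        else:
            allowed_control = ""                 # single-line fields: no CR/LF at all
        # A newline in a single-line field is the classic way to append extra
        # lines (for example mail headers) to whatever consumes the value.
        if any(ord(ch) < 32 and ch not in allowed_control for ch in value):
            errors.append(f"{field}: control characters not allowed")
            continue
        if field == "email" and not EMAIL_RE.match(value):
            errors.append("email: invalid format")
            continue
        cleaned[field] = value
    return cleaned, errors


def escape_for_html(text):
    """Output encoding: call this at render time, not at validation time."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed submissions, not real form data.
    good = {"name": " Ana ", "email": "ana@example.com",
            "message": "Hello\r\nthere", "extra": "ignored"}
    bad = {"name": "Bob\r\nBcc: someone@example.com", "email": "not-an-email",
           "message": "<script>alert(1)</script>"}
    for form in (good, bad):
        cleaned, errors = validate_contact_form(form)
        print(cleaned, errors)
        if "message" in cleaned:
            print(escape_for_html(cleaned["message"]))
```

The second sample is the interesting one: the name is rejected because of the embedded line break, the email is rejected by the pattern, but the message with the script tag is valid text and is kept. That is correct behaviour; the tag only becomes harmful if the page echoes it back without escape_for_html().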

Check the version numbers of your plugins, your PHP package, and your CMS, and update them if needed. If version numbers are visible on your website, try to hide them. Show the world the least amount of information you can. Just remember that hiding versions only slows down an attacker who is fingerprinting you; it is not a substitute for updating, because attackers will throw known plugin exploits at a site whether the version is shown or not.
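A quick way to see what your own pages give away, as an added example (my own illustration, not a real fingerprinting tool): scan a page's HTML for the generator meta tag and for ?ver= query strings on enqueued assets (WordPress adds those by default), and scan the response headers for Server / X-Powered-By values that carry a version. The HTML and headers below are constructed for the example, and the version strings in them are placeholders; in practice you would feed it the response of a request to your own site.

```python
"""Added example: spot version numbers your site discloses.

Not a real fingerprinting tool. Input is the HTML of a page and its
response headers; output is a list of (where, value) disclosures to go
and remove.
"""
import re

GENERATOR_RE = re.compile(
    r"<meta\s+name=[\"']generator[\"']\s+content=[\"']([^\"']+)[\"']", re.I)
# WordPress appends ?ver=<version> to enqueued scripts and styles by default.
ASSET_VER_RE = re.compile(r"(?:src|href)=[\"']([^\"']*?\?ver=([^\"'&]+))[\"']", re.I)
VERSION_RE = re.compile(r"\d+\.\d+")
LEAKY_HEADERS = {"server", "x-powered-by", "x-generator"}

# Constructed sample page and headers; the version strings are placeholders,
# not a statement about any real release.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2">
<link rel="stylesheet" href="/wp-content/plugins/some-plugin/style.css?ver=3.1.0">
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="/assets/app.js"></script>
</head><body></body></html>"""
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.57 (Debian)",
    "X-Powered-By": "PHP/8.1.2",
    "Content-Type": "text/html; charset=UTF-8",
}


def find_version_leaks(page_html, headers):
    """Return [(where, value)] for every version disclosure found."""
    leaks = []
    for m in GENERATOR_RE.finditer(page_html):
        leaks.append(("meta generator", m.group(1)))
    for m in ASSET_VER_RE.finditer(page_html):
        path = m.group(1).split("?")[0]
        leaks.append((f"asset {path}", m.group(2)))
    for name, value in headers.items():
        if name.lower() in LEAKY_HEADERS and VERSION_RE.search(value):
            leaks.append((f"header {name}", value))
    return leaks


if __name__ == "__main__":
    for where, value in find_version_leaks(SAMPLE_HTML, SAMPLE_HEADERS):
        print(f"{where}: {value}")
```

The asset without ?ver= is correctly left alone, and a plain "Server: nginx" header with no number in it is not reported. One thing this check does not cover: WordPress ships a readme.html in the web root that states the installed version, so after removing the tags and headers, also make sure that file is not reachable.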

3. Maintenance

You have multiple layers of defence in place and you have narrowed down the attack surface, but every day new vulnerabilities are found. Keep yourself up to date on new web-related vulnerabilities; the OWASP project and its forums are a great place for that, and so are the changelogs of your CMS and the plugins you run.

Test your defenses every once in a while. You narrowed down your attack surface and implemented various countermeasures, but you can make mistakes; we all can. Also, if you have a solution that can easily be bypassed, look for a better one and implement it. Do this cycle at least every 3 months so you don't get surprised.

Cybersecurity is an ever-changing world, where we as defenders are the mouse trying to survive another day, and hackers are the cat that is always right behind us.

Thanks for reading! If you enjoyed this post, follow my page on LinkedIn:

https://www.linkedin.com/company/83026465

Support my work by buying me a coffee:

https://www.buymeacoffee.com/anoobis