Further harden your website

Keeping your web server and all its components up to date is probably the single most important security task, but a few other measures should be considered to further improve the security of your website.

Use a WAF

A WAF, or Web Application Firewall, is a layer 7 firewall that inspects and filters the HTTP requests arriving at your web server. Many common attacks, such as SQL injection and cross-site scripting, can be blocked with a properly configured WAF. Keep in mind that a WAF is a compensating control: it reduces the exposure of a vulnerability, but it does not remove the need to fix the vulnerable code. As with most security measures, the web server (and WAF) administrator has to strike a balance between functionality and security: a WAF configuration that is too strict can also block legitimate traffic to the web server. Deploy new rules in detection-only mode first, review what they would have blocked, and only then switch to blocking.
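As an added example (not part of the original page), the following Apache configuration shows that balance for ModSecurity 2 with the OWASP Core Rule Set (CRS): the engine starts in detection-only mode, the anomaly threshold sets how strict blocking will be, and a false positive is handled with a targeted exclusion rather than by switching rules off globally. The include paths and the WordPress /wp-admin/ example are assumptions; adjust them to your installation.

```apache
# Added example, not the original page's configuration.
# Include paths are assumptions; adjust to where your distribution installs the CRS.
<IfModule security2_module>
    # Step 1 (tuning phase): log what the rules WOULD block, but let traffic through.
    SecRuleEngine DetectionOnly
    # Step 2 (after reviewing the audit log for false positives): enforce.
    # SecRuleEngine On

    SecRequestBodyAccess On
    SecResponseBodyAccess Off

    # Audit log of every request that triggered a rule; this is what you review
    # before switching to blocking mode.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    Include /etc/modsecurity/crs/crs-setup.conf

    # CRS anomaly scoring: a request is blocked when the sum of the scores of the
    # rules it triggered reaches the threshold. 5 (the CRS default) blocks on a
    # single critical finding; raising it makes the WAF more lenient, lowering it
    # makes it stricter and more prone to false positives.
    SecAction \
        "id:900110,\
        phase:1,\
        pass,\
        t:none,\
        nolog,\
        setvar:tx.inbound_anomaly_score_threshold=5,\
        setvar:tx.outbound_anomaly_score_threshold=4"

    # Targeted exclusion instead of a global switch-off (assumed scenario): the
    # WordPress editor legitimately posts HTML- and SQL-looking text in the
    # 'content' field, so only that parameter is excluded from the CRS SQL
    # injection rule 942100, and only for requests under /wp-admin/.
    SecRule REQUEST_URI "@beginsWith /wp-admin/" \
        "id:1001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=942100;ARGS:content"

    Include /etc/modsecurity/crs/rules/*.conf
</IfModule>
```

Run with SecRuleEngine DetectionOnly for a few weeks of normal traffic, work through the audit log, add exclusions as narrow as the one above for genuine false positives, and only then change the directive to On.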

Protect your database

User data is a very valuable asset to your organization and should be protected well: give the website its own database account with only the privileges it needs, and never expose the database port directly to the internet. Under the GDPR, a breach of personal data must be reported to the Data Protection Authority (DPA/GBA/APD) within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people concerned. Besides this, a breach carries a risk of both financial loss and damage to your brand name. Furthermore, back up your databases regularly, so that you can recover from data loss much more easily. Store these backups securely (encrypted, and never in a publicly reachable location on the web server itself), and test their validity by regularly restoring your website to a test environment.

Disable directory browsing

Disabling directory browsing (directory listings) prevents attackers from simply browsing to a folder and seeing every file it contains. Also avoid storing files in default, publicly accessible locations with predictable names (example: /wp-content/uploads/backup/backup.zip): such paths are guessed and downloaded by automated scanners even when directory listings are switched off.

Any sensitive data should be stored outside the web root, or in areas that are only accessible to authenticated users. You can disable directory browsing on the web server itself (Options -Indexes in Apache, autoindex off in nginx) or at the cPanel level, depending on your hosting model; on shared hosting, an .htaccess file containing Options -Indexes usually does the job.
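As an added example (not part of the original page), here is the Apache 2.4 configuration for a site under /var/www/html (the path is an assumption), showing the weak setting beside the hardened one. Because switching off listings does not protect a file that sits at a guessable path, the hardened version also refuses to serve backup and dump files from the web root.

```apache
# Added example, not the original page's configuration; /var/www/html is assumed.

# Weak: directory listings are on, so requesting
# https://yoursite.com/wp-content/uploads/backup/ shows every file in the
# folder, including backup.zip, and .htaccess files may change Options freely.
#<Directory /var/www/html>
#    Options Indexes FollowSymLinks
#    AllowOverride All
#    Require all granted
#</Directory>

# Hardened: no listings anywhere under the web root. AllowOverride FileInfo
# still lets an application's .htaccess use mod_rewrite (WordPress permalinks),
# but not re-enable Indexes, because Options requires the Options override.
<Directory /var/www/html>
    Options -Indexes +FollowSymLinks
    AllowOverride FileInfo
    Require all granted
</Directory>

# Disabling the listing does not protect a file at a guessable path, so also
# refuse to serve archive and database-dump files from anywhere under the web
# root. Remove an extension from the list if the site legitimately offers such
# downloads, or better, store these files outside the web root entirely.
<FilesMatch "\.(zip|tar|gz|tgz|sql|bak|old)$">
    Require all denied
</FilesMatch>

# Equivalent for shared (cPanel) hosting where you cannot edit the main
# configuration: put this line in the .htaccess file of the web root.
#   Options -Indexes
```

After reloading Apache, verify with a browser or curl that a request for a folder such as /wp-content/uploads/ now returns 403 instead of an "Index of" page, and that /wp-content/uploads/backup/backup.zip is refused even when you know the exact path.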

Review your website through the eyes of a search engine

Many compromised websites are monetized by injecting ads or spam links (typically for pharmaceuticals, gambling or counterfeit goods) that are served to search engine crawlers and to visitors arriving from search results, while remaining hidden from the owner of the website and from logged-in administrators. This technique is known as cloaking, and it is the reason such an infection often goes unnoticed for a long time.

Use the search query “site:yoursite.com” to view which pages of your site the search engine has indexed, and look for pages, titles or snippets you do not recognise.

Use the search engine's “view cache” functionality, where it is still offered, to see your website the way its crawler sees it. Google removed the cache link from its results in 2024; the “View crawled page” option of the URL Inspection tool in Google Search Console gives the same view. If the cached or crawled version contains ads or links that the version in your browser doesn't, your website may be compromised.
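The same check can be automated without a search engine, because cloaked spam is usually selected by the visitor's User-Agent. The script below is an added example (not part of the original page): it fetches a URL once with a browser User-Agent and once with a crawler User-Agent, extracts the links from both copies, and reports links that only the crawler receives. It generalises the cached-page comparison above to any page of your site and can run from cron. It assumes curl and the POSIX tools grep, cut, sort, comm and mktemp; the two User-Agent strings are assumptions and should be kept current.

```shell
#!/bin/sh
# Added example, not from the original page: compare the links a normal browser
# receives with the links a search-engine crawler receives for the same URL.
# Cloaked spam shows up as links that only the crawler's copy contains.
# Assumes curl and POSIX grep, cut, sort, comm and mktemp are installed.
# The User-Agent strings are assumptions; keep them current.

BROWSER_UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
CRAWLER_UA="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# extract_links: read HTML on stdin, print every double-quoted href value,
# one per line, sorted and de-duplicated (the sort is required by comm below).
extract_links() {
    grep -o -i 'href="[^"]*"' | cut -d'"' -f2 | sort -u
}

# links_only_for_crawler BROWSER_HTML CRAWLER_HTML: print the links that appear
# in the crawler's copy of the page but not in the browser's copy.
links_only_for_crawler() {
    tmp=$(mktemp -d) || return 1
    printf '%s' "$1" | extract_links > "$tmp/browser.txt"
    printf '%s' "$2" | extract_links > "$tmp/crawler.txt"
    comm -13 "$tmp/browser.txt" "$tmp/crawler.txt"
    rm -rf "$tmp"
}

# fetch_as USER_AGENT URL: download the page body as that client would see it.
fetch_as() {
    curl -sSL --max-time 20 -A "$1" "$2"
}

# check_url URL: fetch the page both ways and report crawler-only links.
# Returns 1 when such links exist, so a cron job can turn it into an alert;
# returns 2 when the page could not be fetched.
check_url() {
    browser_html=$(fetch_as "$BROWSER_UA" "$1") || return 2
    crawler_html=$(fetch_as "$CRAWLER_UA" "$1") || return 2
    extra=$(links_only_for_crawler "$browser_html" "$crawler_html")
    if [ -n "$extra" ]; then
        printf 'Links served only to the crawler for %s:\n%s\n' "$1" "$extra"
        return 1
    fi
    printf 'No crawler-only links found for %s\n' "$1"
    return 0
}

# Usage: sh check_cloaking.sh https://yoursite.com/
if [ "$#" -gt 0 ]; then
    check_url "$1"
fi
```

A clean page reports no crawler-only links. Some malware keys on the referrer or the visitor's IP address instead of the User-Agent, so a clean result from this script is not proof of a clean site; combine it with the site: query and the crawled-page view in Search Console.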