Keep all your web server components up-to-date
As with all IT systems, one of the principal elements of website security is keeping everything up-to-date. Not only does this enable the latest technologies and functionality for your site, it also continuously fixes newly found vulnerabilities, as well as weaknesses that emerge naturally with technological advancements (for example, the cracking of older encryption algorithms with vastly improved computational power).
When setting up your update strategy, you have to account for all the different components in play.
The typical components, from the bottom up, include:
- BIOS/firmware of the hardware your server is running on
- Optional: virtualization layer
- Operating system of the server
- The actual web service used (example: Apache, nginx, IIS, …)
- The content management system (example: Drupal, Joomla, WordPress, …) used to develop and maintain the website, together with its plugins
Depending on the model of web hosting used, some of these may not be under your control. However, it is strongly recommended to have very clear agreements about the update cycle with your (cloud) service provider and/or web developer and maintainer.