Web servers are unique in network environments because they are exposed to the internet and serve web traffic to potentially unknown users. Furthermore, web servers often run dynamic applications like WordPress websites or act as proxies for internal applications. Thus, it is not surprising that they are desirable targets for attackers.
Hardening a system involves enhancing its defences to make it harder for hackers to penetrate and gain access to a network. Hardening a web server varies based on its type (e.g., Apache HTTP Server, Nginx, Microsoft IIS). Still, core principles and best practices can be applied to improve security regardless of the web server.
This blog post will explore technology-agnostic best practices for web server hardening. For specific information on hardening WordPress, please check our guide on reducing the WordPress Attack Surface.
- Keep your web server updated: Keeping software up-to-date is crucial for security, as updates often contain fixes for security vulnerabilities. Although it may seem trivial, patching is not always straightforward and requires a system or routine for regular updates. Also, please remember to keep the underlying operating system up-to-date.
- Remove unnecessary software and modules: Web servers are complex software that comes with modules (like plugins in WordPress) that can be enabled or disabled. Malicious actors can exploit the features and vulnerabilities of these modules to gather information about the web server. To prevent this, remove or disable any unused software or modules.
- Tighten access control: Access control is essential for maintaining the security of your web server. Best practices include using sudo instead of the root user, using strong passwords, using SSH keys, restricting SSH/RDP access to specific IP addresses, enabling Two-factor Authentication, and having separate user accounts for each person accessing the web server.
- Set up File Integrity Monitoring (FIM): FIM helps system administrators identify file changes on the web server. This is useful for identifying unauthorized changes to important files, such as a WordPress installation. When selecting a FIM solution, choose one that is specific to the application, easy to set up, and does not produce too many notifications. Such tools include OSSEC or Wazzuh.
- Use a DDoS mitigation and WAF service: Instead of exposing your web server directly to the internet, use a service like Cloudflare, Fastly, or Akamai to protect against Distributed Denial of Service (DDoS) attacks and other web application attacks.
- Manual and automated penetration testing — Use an automatic service like WPSec, a standalone scanner like WPScan, or hire a penetration testing company to perform a manual penetration test of your web server and WordPress website.
It is important to remember that no single method of defending a system is foolproof, and security requires constant attention and effort. However, regular patching and following good security practices can make it much harder for attackers to succeed.