TickYouOff

Website Security Hardening

Hard · 18 items · 2 hours
testuser Published 4 weeks ago

A practical, action-focused checklist to harden a website against common attacks. Designed for site owners, developers, and admins who manage CMS-based sites and need a concise set of technical steps to improve security.

  1. Install and configure an SSL/TLS certificate — Use Let's Encrypt or a commercial cert; configure auto-renewal and correct chain.
  2. Redirect all HTTP traffic to HTTPS (301) — Update server or CMS redirects and test with curl and browsers.
  3. Enable HSTS with a conservative max-age and test before preloading — Start with a small max-age, verify all subdomains serve HTTPS before increasing.
  4. Disable weak TLS versions and ciphers; enable only TLS 1.2 and TLS 1.3 — Scan with SSL Labs and remove TLS 1.0/1.1 and weak cipher suites.
  5. Update CMS core to the latest stable release — Apply updates on staging first when possible; test critical functionality.
  6. Audit plugins and themes for vulnerabilities — Check changelogs, vendor reputation, and vulnerability databases.
  7. Remove inactive or unsupported plugins and themes — Delete unused code to reduce attack surface.
  8. Verify plugin/theme update cadence and vendor support — Prefer actively maintained extensions with quick security fixes.
  9. Configure and test a Web Application Firewall (WAF) — Enable OWASP/core rules and tune false positives before enforcing.
  10. Enable login rate limiting and account lockout — Throttle failed attempts and temporarily block abusive IPs.
  11. Enforce strong admin account policies — Use unique usernames, long passwords, and role-based access.
  12. Enable multi-factor authentication for administrator accounts — Use time-based OTP or hardware keys for higher assurance.
  13. Change database table prefix and rotate DB credentials — Rotate DB user password and restrict DB user privileges.
  14. Harden file and directory permissions to least privilege — Apply 644/640 for files and 755 for directories; adjust for your web server user and group.
  15. Restrict wp-config.php and other sensitive files via server rules — Set file to 400/440 and block web access with server or .htaccess rules.
  16. Disable directory listing and block access to .git and backup files — Prevent exposure of source and backups via web server configuration.
  17. Implement regular offsite backups and test restores — Schedule automated backups, keep versions offsite, and perform restore drills.
  18. Monitor logs and enable alerting for suspicious activity — Centralize logs, watch for repeated failures and unexpected file changes.
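Items 2 and 3 tell you to test the HTTP-to-HTTPS redirect and the HSTS header before raising max-age or preloading. The following added example (not part of the original checklist) shows what such a test checks, run offline against constructed responses rather than a live site: the HTTP response must be a 301 to the same host over https, and the HSTS policy is judged against a rollout stage (small max-age) or a preload stage (one-year max-age, includeSubDomains, preload). The host name, the sample responses and the one-week rollout threshold are assumptions made for this example; the one-year figure is the preload list's documented minimum.

```python
from urllib.parse import urlsplit

# Thresholds chosen for this example: a "conservative" first rollout keeps
# max-age at or below one week; the preload list requires at least one year.
ROLLOUT_MAX_AGE = 7 * 24 * 3600
PRELOAD_MIN_AGE = 31_536_000

# Constructed sample responses (status, headers); not captured from a real site.
GOOD_HTTP = (301, {"Location": "https://example.test/"})
BAD_HTTP = (302, {"Location": "http://example.test/"})
ROLLOUT_HTTPS = (200, {"Strict-Transport-Security": "max-age=300; includeSubDomains"})
PRELOAD_HTTPS = (200, {"strict-transport-security":
                       "max-age=31536000; includeSubDomains; preload"})


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives.
    Valueless directives (includeSubDomains, preload) map to True."""
    directives = {}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        if "=" in token:
            name, val = token.split("=", 1)
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[token.lower()] = True
    return directives


def check_http_redirect(status, headers, expected_host):
    """Item 2: plain HTTP must answer 301 with an https Location on the same host."""
    findings = []
    if status != 301:
        findings.append(f"HTTP returned {status}, expected 301")
    location = header(headers, "Location") or ""
    parts = urlsplit(location)
    if parts.scheme != "https" or parts.hostname != expected_host:
        findings.append(f"redirect target {location!r} is not https://{expected_host}/")
    return findings


def check_hsts(headers, stage):
    """Item 3: HSTS must be present; during 'rollout' max-age stays small,
    for 'preload' it must be a year or more with includeSubDomains and preload."""
    value = header(headers, "Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return [f"HSTS max-age missing or not an integer: {value!r}"]
    findings = []
    if stage == "rollout" and max_age > ROLLOUT_MAX_AGE:
        findings.append(f"max-age={max_age} is not conservative for a first rollout")
    if stage == "preload":
        if max_age < PRELOAD_MIN_AGE:
            findings.append(f"max-age={max_age} is below the preload minimum {PRELOAD_MIN_AGE}")
        if "includesubdomains" not in directives:
            findings.append("includeSubDomains is required before preloading")
        if "preload" not in directives:
            findings.append("preload directive is missing")
    return findings


def audit(host, http_response, https_response, stage="rollout"):
    """Run both checks and return the list of findings (empty means pass)."""
    status, http_headers = http_response
    _, https_headers = https_response
    return check_http_redirect(status, http_headers, host) + check_hsts(https_headers, stage)


if __name__ == "__main__":
    for label, http, https, stage in [("rollout", GOOD_HTTP, ROLLOUT_HTTPS, "rollout"),
                                      ("preload", GOOD_HTTP, PRELOAD_HTTPS, "preload"),
                                      ("broken", BAD_HTTP, ROLLOUT_HTTPS, "preload")]:
        print(label, audit("example.test", http, https, stage) or "OK")
```

To use this against a real site, feed it the status and headers from `curl -sI http://host/` and `curl -sI https://host/`; a clean rollout result is the gate for raising max-age, and a clean preload result is the gate for submitting to the preload list.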
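Items 10 and 18 describe the same mechanism from two sides: throttle repeated failed logins with a temporary block, and alert on the repeated failures in the logs. The added example below (not part of the original checklist) replays constructed login-event lines through a sliding-window throttle that locks an IP after a number of failures inside a window, clears the counter on a successful login, and records an alert for each lockout. The log line format, the thresholds (5 failures in 5 minutes, 15-minute lockout) and the IP addresses are assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events in a format assumed for this example; real CMS
# or web-server logs will need their own regular expression.
LOG_LINES = """\
2024-05-01T10:00:01Z login_failed user=admin ip=203.0.113.5
2024-05-01T10:00:09Z login_failed user=admin ip=203.0.113.5
2024-05-01T10:00:15Z login_failed user=administrator ip=203.0.113.5
2024-05-01T10:00:22Z login_failed user=admin ip=203.0.113.5
2024-05-01T10:00:30Z login_failed user=admin ip=203.0.113.5
2024-05-01T10:00:31Z login_failed user=admin ip=203.0.113.5
2024-05-01T10:01:00Z login_failed user=editor ip=198.51.100.7
2024-05-01T10:01:20Z login_ok user=editor ip=198.51.100.7
2024-05-01T10:20:00Z login_failed user=admin ip=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_failed|login_ok) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line):
    """Return (timestamp, event, user, ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["event"], m["user"], m["ip"]


class LoginThrottle:
    """Per-IP sliding window: lock the IP once max_failures land inside `window`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the block expires
        self.alerts = []                     # what item 18 would forward to alerting

    def record(self, ts, event, user, ip):
        """Return 'blocked', 'locked' or 'allowed' for this event."""
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return "blocked"                 # still inside an active lockout
        recent = self.failures[ip]
        if event == "login_ok":
            recent.clear()                   # a success resets the failure window
            return "allowed"
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            self.alerts.append(f"{ts.isoformat()} lockout ip={ip} "
                               f"failures={len(recent)} last_user={user}")
            recent.clear()
            return "locked"
        return "allowed"


def replay(lines, throttle=None):
    """Feed log lines through the throttle; return (decisions, alerts)."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            decisions.append(throttle.record(*parsed))
    return decisions, throttle.alerts


if __name__ == "__main__":
    decisions, alerts = replay(LOG_LINES)
    print(decisions)
    print("\n".join(alerts))
```

The last sample line shows the lockout expiring as intended: the 10:20 failure from 203.0.113.5 is allowed again because the 15-minute block ended at 10:15:30 and the counter was cleared at lockout time. In a real deployment the block decision would be enforced at the web server or WAF (item 9) and the alert lines shipped to the centralized log store.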