We often pay attention to website design, SEO and content, and underestimate security. As a website owner, web security should be your highest priority.
Here are three key areas to consider when securing your domain and website:
- Secure your Domain Name
- Secure your Email
- Secure your Website
1. Secure your Domain Name
Domain Registrar Protection
Ensure your domain is protected from unsolicited deletion, update and transfer requests with the registrar.
Enable Domain Lock from your domain registrar.
How to Enable Domain Lock: GoDaddy, Net Registry, Google Domains
Enable DNSSEC
DNSSEC records prevent third parties from forging the records that guarantee a domain’s identity. DNSSEC should be configured for your domain if possible.
At the time of writing, DNSSEC is not widely supported by DNS hosting providers; if your DNS host does not offer DNSSEC yet, it is OK to wait.
Test if DNSSEC Is enabled on your domain
DNS Hosts that Support DNSSEC: GoDaddy, Google Domains, Cloudflare, NameCheap
Not Supported: Azure DNS, DNSMadeEasy
2. Secure your Email
Create an SPF Record
Sender Policy Framework (SPF) records prevent spammers from sending messages with forged addresses. This is crucial, even for domains that do not send email.
Create an SPF record that allows only the senders you specify to send email for the domain. Ensure the record ends with the strict (hard) fail qualifier "-all".
Tools: SPF Record Generator
Enable DKIM Signing
DKIM lets you add a digital signature to outbound email messages in the message header. When you configure DKIM, you authorize your domain to associate, or sign, its name to an email message using cryptographic authentication. Email systems that get email from your domain can use this digital signature to help verify whether incoming email is legitimate.
Enable DMARC policy
DMARC protects against fraudulent emails being sent from a domain. This makes it more difficult for attackers to send email from your domain. A DMARC policy should be deployed for your domain, even if it is not used to send email.
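The SPF and DMARC settings above can be checked mechanically. The following is an added example (not part of the original article) that audits TXT records for the weak settings described: a missing or soft "all" qualifier in SPF, a monitoring-only "p=none" DMARC policy, and a few related pitfalls. The sample records are constructed; in practice you would feed it the TXT records you retrieve for your domain and for _dmarc.<your domain>.

```python
"""Audit SPF and DMARC TXT records for weak settings (added example)."""
import re

# DNS-querying mechanisms counted against the RFC 7208 limit of 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record: str) -> list[str]:
    """Return a list of findings for an SPF record; an empty list means it passes."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1 version tag)"]
    # The 'all' mechanism decides the fate of senders not matched above it.
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neutral by default")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' lets any host send as this domain")
        elif qualifier == "~":
            findings.append("'~all' (softfail) only flags forged mail; use '-all'")
        elif qualifier == "?":
            findings.append("'?all' (neutral) gives receivers no decision")
    mechs = [re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] for t in terms[1:]]
    lookups = sum(1 for m in mechs if m in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def audit_dmarc(record: str) -> list[str]:
    """Return a list of findings for a DMARC record; an empty list means it passes."""
    tags = dict(
        (k.strip().lower(), v.strip())
        for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)
    )
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1 version tag)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p=' policy tag")
    elif policy == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports look clean")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua=' aggregate report address: abuse will go unnoticed")
    return findings
```

Run `audit_spf("v=spf1 include:_spf.example.net ~all")` and `audit_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com")` (constructed records) to see the softfail and monitoring-only findings; the strict variants `-all` and `p=reject` return no findings.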
3. Secure your Website
See the UpGuard Website Security Checklist
Enable SSL
Every page should be available only over SSL. Information transmitted outside an SSL connection passes in plain text and can be intercepted by anyone willing to put in the work. A single form that collects sensitive information or a password on the unencrypted side could compromise the entire site.
Use a strong certificate from a trusted certificate authority. SHA-1 signatures are no longer considered secure; use at least SHA-256.
SSL Check: SSLChecker | DigiCert SSL Checker | Qualys SSL Labs
HTTP to HTTPS Redirect
Now that you have enabled SSL on your website, redirect all HTTP traffic to HTTPS so that sensitive data is encrypted from the user's browser to the web server or network edge. Having SSL also gives visitors some assurance that your website is secure.
How to redirect websites from HTTP to HTTPS
Tools: HTTPStatus.io
Use TLS 1.2
Enable TLS 1.2 or better and disable TLS 1.0 and TLS 1.1.
What Is TLS and How to Enable It on Windows Server? (partitionwizard.com)
Tools: Check TLS
Remove Unnecessary Headers
By default, a number of hosting platforms and applications add unnecessary HTTP headers that disclose the server or application version you are running, which helps an attacker identify known vulnerabilities in it.
Secure your ASP.NET Application
Enable HSTS
HTTP Strict Transport Security (HSTS) is a web security policy and web server directive launched by Google in July 2016. Through a response header sent at the very beginning of the connection, the website instructs user agents and browsers to connect to it only over HTTPS. Enabling HSTS mitigates attacks on the SSL/TLS connection (such as downgrading it to plain HTTP) and cookie hijacking.
How to Enable HTTP Strict Transport Security (HSTS) Policy | Cloudways Help Center
Update WordPress
Update your WordPress installation to the latest stable version as soon as possible. WordPress has a number of known vulnerabilities that are continuously being addressed in new releases.
Latest Version: 5.7.1 (As of April 2021)
By default, your WordPress version is visible to the public. Displaying the WordPress version number publicly makes you an easy target for version-targeted attacks, so it is best to hide it.
Tools: WordPress Vulnerability Report
How to update WordPress
WordPress security best practices
Other WordPress hardening items:
Remove the Server header.
Update PHP
Ensure your PHP version is up to date.
12 Online Free Tools to Scan Website Security Vulnerabilities & Malware (geekflare.com)