Due to their function, web servers are different from many other devices in a typical network environment—they are not only exposed to the internet by design, but they likely serve web traffic to complete strangers. Additionally, in many situations, web servers are likely serving dynamic applications such as WordPress websites or acting as proxies towards other internal applications. It is, therefore, no surprise that web servers pose as interesting targets for attackers.
Hardening a system refers to the process of improving a system’s defenses such that it makes it harder for a malicious hacker to compromise that system and gain a foothold within a network.
The process of hardening a web server will, of course, depend on the kind of web server you are using (e.g. Apache HTTP Server, Nginx, Microsoft IIS…), however, there are a number of core principles and best practices to improving your web server security that you should keep in mind, irrespective of which web server you are using.
This article is a web server hardening guide. In it, we’ll be looking at a number of technology-agnostic best practices by which you can improve your web server security. For WordPress hardening, refer to our WordPress security & hardening guide.
1. Keep your web server updated
Keeping software up-to-date may not sound like a big deal, but applying security patches on time is arguably one of the most important defenses you can implement. Aside from performance and stability improvements, web server and operating system updates often contain fixes for security vulnerabilities.
On the surface, it may sound trivial, however, any information security professional will tell you that patching is more complicated than it sounds—not because installing the latest version of most software is particularly hard, but because patching is always seen as something that can be postponed.
The best approach to making sure that your web server software is constantly updated is to find a system or routine that works for you or whoever is tasked with updating your web server and operating system software. Most of the time it boils down to a periodic reminder (for instance setting up a repeated calendar event) that you will make time for.
2. Remove unnecessary software and modules
While it may not always seem like it, web servers are complex pieces of software. Some web servers, such as Apache HTTP Server, ship with a series of “modules” (similar to what plugins are to WordPress) which you can enable or disable depending on your use case. Malicious attackers are known to leverage a web server module’s features and vulnerabilities to gather more information about your web server. While this may not be the sole reason for a successful attack, the whole point of web server hardening is to take a defense-in-depth approach and make it hard for malicious actors to gain even the tiniest of footholds.
A practical example of this is modules such as Apache HTTP Server’s mod_status. This module is designed to obtain an overview of the server’s activity and performance (current hosts, number of requests being processed, number of idle workers, and CPU utilization) via the /server-status URL. Such a feature may provide an attacker with a pretty good indication of how well your web server is performing—a pretty useful tool in the event of a Denial of Service (DoS) attack.
Similarly, other unused software running on your web server might be posing an unnecessary risk. For instance:
- Are you running an FTP server, such as vsftpd that you do not need?
- Is there a mail transfer agent such as Sendmail or Postfix you no longer need? If you use a third party service to improve WordPress email deliverability, you won’t need such a service.
These applications / services and many others on the server are all components that have their own security quirks, vulnerabilities, and patching requirements.
In summary—run less software where possible. If you are not using a module or a service, you should look into disabling or removing it. Naturally, don’t just disable modules or applications without thorough testing in a development or staging environment (sometimes it may not be fully clear that a web server module or application is being used).
3. Tighten access control
Controlling access to your web server is essential to get right. After all, you want to minimize the chance of access to your web server falling into the wrong hands. The following are a number of best practices to follow in relation to maintaining proper access control.
- Do not use the root user. If you need to perform administrative tasks, make use of sudo instead;
- Use strong system (and WordPress) passwords;
- Use SSH keys in favor of password when using SSH;
- Consider restricting SSH/RDP access from specific IP addresses;
- Enable Two-factor Authentication (2FA) on any cloud provider accounts;
- Ensure that each person accessing the web server has their own user—do not share user accounts between users;
- Limit shell/SSH/Remote Desktop access explicitly to the people who need it.
4. Set-up File Integrity Monitoring (FIM)
File Integrity Monitoring (FIM) helps system administrators identify when files change on a web server. While some files change pretty frequently as part of normal web server operations, files such as a WordPress installation should never change unless an administrator is making changes (for example updating the wp-config.php file) or updating WordPress itself.
While there is a multitude of options you can choose to use when it comes to File Integrity Monitoring, it is advised to stick with something that is specific to the application you are running, is simple to set up and operate, and does not require a lot of tuning. Otherwise, you’re going to be drowning in meaningless notifications and before you know it, alert fatigue will set in, erasing your effort to being with. In short, more alerts and features does not equal better when it comes to FIM, instead look for a solution which delivers the most value with the least amount of overhead.
5. Use a DDoS mitigation and WAF service
Instead of exposing your web server directly to the Internet, you should consider using a service such as Cloudflare, Fastly, Akamai or similar in order to protect yourself against a vast array of attacks including Distributed Denial of Service (DDoS) attacks. A Denial of Service (DoS) attack is a type of attack in which an attacker aims to overwhelm a website with requests, and as a result, prevent your web server from serving requests to legitimate users.
In addition to Denial of Service mitigation, such cloud services typically also offer Web Application Firewall (WAF) capabilities which are able to stop many run-of-the-mill web application attacks such as basic SQL injection (SQLi) and simple Cross-site Scripting (XSS). While WAFs are not a solution to web application vulnerabilities, they offer some protection against exploitation—especially with WAF rules which are optimized for WordPress websites.
What are the next steps?
While this article covers some common web server hardening techniques, nothing in security is a silver bullet. As such, no one method of defending a system is foolproof, especially in the face of a determined adversary. Hence, why you need to secure every component that makes up your WordPress website. You cannot secure your web server and ignore WordPress security, or your own computer.
However, constant patching, and following good security practices and hygiene can drastically raise the effort an attacker needs to put in to successfully pull off an attack—which, most of the time, means frustrating the attacker, forcing them onto a softer target.