Every year, the Internet changes — new frameworks, methods of interaction, services and integrations appear. But along with this, the number of vectors for attacks also increases. If yesterday simple protection at the login and password level was sufficient, today it is not enough. A modern approach to security is a whole set of actions: from correct server configuration to the awareness of the site owner.
New technologies — new threats
Technologies do not stand still: AI, API integrations, WebSockets, SPA, microservices. All this opens the door to new types of attacks:
- Artificial intelligence has learned to find vulnerabilities faster than humans.
- APIs open data to third-party services — and therefore to potential attackers.
- PWAs, WebSocket connections and voice assistants are convenient, but not always secure.
Therefore, already at the design stage, you need to think not only about UX, but also about protection.
Security on the server
The server is the heart of any website: a vulnerability there means full access to the project.
Modern security methods:
- SSH access only by key, never by password. And preferably only from a whitelisted IP address.
- CSF + LFD: monitoring of suspicious activity with automatic blocking.
- Fail2Ban is a great brute-force protection tool.
- HTTPS + HSTS is a mandatory standard.
- Auditd or similar, to control who is running what on the server.
- Regular updates of the kernel, PHP and the database.
No less important: setting access rights, limiting resources, protecting cron, logging logins and suspicious requests.
Security on the frontend
The frontend is the first point of interaction with the user, and therefore with a potential attacker. What you need to consider:
- XSS and CSRF are the main enemies. Use CSRF tokens and validate input.
- Security headers: Content-Security-Policy, X-Frame-Options, Referrer-Policy.
- Prohibit embedding the site in frames on other sites (clickjacking).
- Validate all data both on the frontend and on the backend.
- Don't forget about secure file handling, drag-and-drop, rich text editors, etc.
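The headers, CSRF tokens and frame restriction from this list, written out in plain PHP (the stacks the article names are PHP-based). This is an added example, not code from the article; the function names are illustrative, and it assumes PHP sessions are available and that `sendSecurityHeaders()` runs before any output. The HSTS header also covers the "HTTPS + HSTS" point from the server section.

```php
<?php
declare(strict_types=1);

// Added example: security headers and CSRF tokens without a framework.
// Function names are illustrative; nothing here comes from the original article.

// Send the baseline security headers. Must run before any output is echoed.
function sendSecurityHeaders(): void
{
    // CSP: scripts and styles only from our own origin, no plugins, and
    // frame-ancestors 'none' forbids embedding the page in any frame (anti-clickjacking).
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
    header('X-Frame-Options: DENY');            // same intent, for browsers without CSP frame-ancestors
    header('X-Content-Type-Options: nosniff');  // no MIME sniffing of responses or uploads
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains'); // HSTS, send over HTTPS only
}

// Start the session once, with strict mode so unknown session ids are never adopted.
function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        ini_set('session.use_strict_mode', '1');
        session_start();
    }
}

// Return the per-session CSRF token, creating it on first use.
function csrfToken(): string
{
    ensureSession();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to drop into every state-changing HTML form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="' . e(csrfToken()) . '">';
}

// Verify a submitted token in constant time; reject when absent or mismatched.
function verifyCsrf(array $post): bool
{
    ensureSession();
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Output escaping for HTML context: the other half of XSS defence besides input validation.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Typical request flow.
sendSecurityHeaders();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!verifyCsrf($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... process the validated form data here ...
}
echo '<form method="post">' . csrfField()
    . '<input name="comment"><button>Send</button></form>';
```

The token is compared with `hash_equals()` rather than `===` so the comparison time does not leak how many leading bytes matched, and the same `e()` helper is used for every value that ends up in HTML, including the token itself.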
Security measures for the site owner
And even if everything is done technically correctly, the human factor remains. Therefore, the site owner should:
- Enable 2FA for login to the admin panel.
- Restrict access to the admin panel (VPN, IP whitelist).
- Automatic backups, stored in a separate location.
- Do not give access to third parties unnecessarily. And if necessary, create temporary accounts with limited rights.
- Regularly review user activity logs.
Security practices for developers
The developer is not only the author of the functionality, but also the first line of defense. What should be in the arsenal:
- Store passwords only as bcrypt or Argon2 hashes.
- Protect sessions and handle cookies correctly (HttpOnly, Secure).
- Use middleware and rate limiters.
- Regularly check against the OWASP Top 10.
- When working with APIs: check tokens, IP addresses, CORS and throttling.
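Password storage, hardened session cookies and a CORS allow-list from this list, in plain PHP. This is an added example and not code from the article; the function names are my own, and it assumes PHP 7.3 or newer (for the array form of `session_set_cookie_params()`), with the Argon2 algorithm available in the PHP build and bcrypt as the fallback.

```php
<?php
declare(strict_types=1);

// Added example: password hashing, session cookie flags and CORS in plain PHP.
// Function names are illustrative; nothing here comes from the original article.

// Prefer Argon2id; fall back to bcrypt on PHP builds compiled without libargon2.
function preferredHashAlgo(): string
{
    return defined('PASSWORD_ARGON2ID') ? PASSWORD_ARGON2ID : PASSWORD_BCRYPT;
}

// Store only the result of this, never the plaintext. Salt and cost are embedded in the string.
function hashPassword(string $password): string
{
    return password_hash($password, preferredHashAlgo());
}

// Verify a login attempt. If the stored hash uses an older algorithm or cost,
// $rehash receives a fresh hash to write back, so stored hashes upgrade over time.
function checkPassword(string $password, string $storedHash, ?string &$rehash = null): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, preferredHashAlgo())) {
        $rehash = hashPassword($password);
    }
    return true;
}

// Session cookie that JavaScript cannot read (HttpOnly), travels only over TLS (Secure)
// and is not sent with cross-site requests (SameSite). Strict mode makes PHP refuse
// any session id it did not issue itself, which defeats session fixation.
function startHardenedSession(): void
{
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, dies with the browser
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// CORS for an API: echo the Origin back only when it is on an explicit allow-list.
// Reflecting every Origin, or '*' combined with credentials, opens the API to any site.
function sendCorsHeaders(?string $origin, array $allowedOrigins): bool
{
    if ($origin === null || !in_array($origin, $allowedOrigins, true)) {
        return false; // no CORS headers at all: the browser blocks the cross-origin read
    }
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Vary: Origin'); // caches must not serve one origin's answer to another
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Allow-Methods: GET, POST');
    header('Access-Control-Allow-Headers: Authorization, Content-Type');
    return true;
}

// Demo run (CLI). The password and origins are constructed values, not real credentials.
$stored = hashPassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $stored, $rehash));
var_dump(checkPassword('wrong password', $stored));
var_dump(sendCorsHeaders('https://evil.example', ['https://app.example']));
var_dump(sendCorsHeaders('https://app.example', ['https://app.example']));
```

`password_needs_rehash()` is what lets you raise the cost or switch from bcrypt to Argon2id later without a forced password reset: the new hash is written the next time each user logs in successfully.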
Security features depending on the system
- WordPress: update plugins, hide wp-admin, change the table prefix in the DB.
- Laravel: don't leave .env publicly accessible, use CSRF protection, use queues for heavy tasks.
- OpenCart: change the admin path, enable SSL, control modules.
- Custom solutions: here everything depends on you. Regular audits, access logic and automatic tests are a must.
Conclusion
Security is not "set it once and forget it." It is an ongoing process. But the right approach allows you to reduce the risks several-fold. Owners should take care of access, developers of the code, and administrators of the server. Only teamwork gives a reliable result.
Do you want a security audit of your site or a consultation? Contact us: we will check all vectors, give clear recommendations and help implement them in practice.