SSL – Check your cipher suites and SSL rating

For any website served over HTTPS with a valid certificate, you can check its public-facing rating with a handy tool from Qualys, the SSL Labs server test.

Check HTTPS Website rating

This domain is currently A rated, yay!!!

I have achieved this by making sure the server running the site offers only strong cipher suites (the weaker suites are disabled on the server side). I have also disabled every protocol other than TLS 1.2 (SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated and should not be offered; TLS 1.3 is also fine to enable if your Apache and OpenSSL builds support it).

Disabling SSL 3.0 removes POODLE. Zombie POODLE and GOLDENDOODLE are a different case: they are padding-oracle attacks against CBC cipher suites in particular TLS implementations, so they are addressed by dropping the CBC suites in favour of AEAD suites (AES-GCM or ChaCha20-Poly1305) and keeping the TLS library patched, not by the protocol version alone. TLS 1.3 removes CBC suites entirely.

This makes the TLS configuration both more secure and more likely to pass compliance checks. All website owners should check which cipher suites and protocols are enabled on their servers and tighten them for better security all round.
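The Apache mod_ssl configuration that produces this kind of result, as an added example rather than the original post's own config. It allows TLS 1.2 and 1.3 only and restricts TLS 1.2 to forward-secret (ECDHE) AEAD suites, so no CBC suite is left for the Zombie POODLE and GOLDENDOODLE class of attack to target. The hostname, DocumentRoot and certificate paths are placeholders, and the +TLSv1.3 token assumes Apache 2.4.36 or later built against OpenSSL 1.1.1 or later (drop it on older builds). These directives belong in the VirtualHost or server config, not in .htaccess.

```apache
# Added example (not from the original post): hardened mod_ssl VirtualHost.
# Placeholders: www.example.com, /var/www/wordpress and the two certificate paths.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/wordpress

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Disable every protocol, then re-enable only the current two.
    # SSLv3 (POODLE), TLS 1.0 and TLS 1.1 stay off.
    # Requires Apache 2.4.36+ with OpenSSL 1.1.1+ for the TLSv1.3 token.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # TLS 1.2 suites: ECDHE key exchange (forward secrecy) with AEAD bulk
    # ciphers only. No CBC suites, no RSA key exchange, no RC4, no 3DES.
    # TLS 1.3 suites are all AEAD and are not governed by this list.
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    # Let the server's order win during negotiation.
    SSLHonorCipherOrder on

    # TLS-level compression enables CRIME-style attacks.
    SSLCompression off
    # Without tickets, a leaked ticket key cannot decrypt recorded sessions
    # (resumption falls back to the server-side session cache).
    SSLSessionTickets off
</VirtualHost>
```

After `apachectl configtest` and a reload, confirm the old protocols really are refused from the outside: `openssl s_client -connect www.example.com:443 -tls1_1` should fail the handshake, while `-tls1_2` should succeed and report one of the suites listed above. Then re-run the SSL Labs test. An A+ rather than an A additionally needs a long-lived HSTS header, which is covered in the headers section below.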

[image: SSL Labs rating report for this domain, showing an A grade]


Adding Security Headers to a WordPress Blog

After reviewing the default headers that WordPress sends to the browser, they are not secure enough for my liking.

To modify a WordPress site that you host yourself behind an Apache web server, log on to your server and open the .htaccess file in your WordPress directory. If you can't see one (it is a hidden file), make sure "show hidden files" is enabled in WinSCP or whatever client you use to browse the server's file system. The directives below only take effect if the server's AllowOverride setting permits them and mod_headers and mod_rewrite are loaded. I also force my site from HTTP to HTTPS for good measure (but make sure that you can already reach your site over HTTPS before doing this, or you will lock yourself out). Be careful with the HSTS preload directive too: once your domain is on the browsers' preload list, every subdomain must serve HTTPS, and getting removed again is slow.

Add the following lines at the end of your .htaccess file:

———————————————————————————————–

#ADD SECURITY HEADERS TO ALL PAGES
# Needs mod_headers. "always" also applies the headers to error responses (404, 500).
# "set" rather than "append": WordPress already sends X-Frame-Options on admin
# pages, and "append" would produce "SAMEORIGIN, SAMEORIGIN" there.
Header always set X-Frame-Options "SAMEORIGIN"
# Legacy header: current browsers have removed the XSS auditor it controlled,
# so it only affects old browsers. Content-Security-Policy is the modern replacement.
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
# HSTS. The preload list requires max-age of at least one year (31536000 seconds),
# so the original 10886400 (126 days) would have been rejected with "preload" present.
# Only add "preload" once every subdomain is served over HTTPS.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# Force HTTP to HTTPS (needs mod_rewrite)
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301,NE]

———————————————————————————————–

Now you can check how secure your blog is by visiting the Security Headers Checker and entering your public-facing website URL.

As you can see from the image below, guypearce.co.uk is now A rated and much more secure. Have fun securing your own WordPress blog (or any other website running on Apache for that matter; all websites should send these headers as a matter of course!!!!)

[image: Security Headers report for guypearce.co.uk, showing an A grade]

If you look at the image above, you will see the checker also lists two other security headers: Content-Security-Policy and Feature-Policy.

Content Security Policy (CSP) is an effective measure against XSS. By allow-listing the sources the browser may load content from, you stop it loading injected scripts and other malicious assets. Be aware that WordPress core, themes and plugins rely heavily on inline scripts and styles, so a strict policy will break things; start with the report-only variant of the header, watch the browser console for violations, and tighten from there.

Feature Policy is a newer header that lets a site control which browser features and APIs (camera, microphone, geolocation and so on) its pages may use. It has since been renamed Permissions-Policy, with a different value syntax, and current browsers look for the new name.

You can add those policies to your .htaccess file in the same manner as the code I shared above. This gives your pages an even stronger set of security policies.
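Here is what those two extra policies look like in .htaccess, as an added example that is not the original post's code. It assumes mod_headers is loaded and that the site loads its assets from its own origin plus two hypothetical third-party hosts (cdn.example.net for scripts, Google Fonts for styles and fonts); replace those with whatever your theme and plugins actually use.

```apache
# Added example (not from the original post): CSP and Permissions-Policy for a
# self-hosted WordPress site. cdn.example.net is a placeholder third-party host.
<IfModule mod_headers.c>
    # Report-only first: the browser logs violations to its console but blocks
    # nothing, so you can discover what WordPress, the theme and plugins load.
    # Nothing reaches the server unless you add a report-uri/report-to directive.
    # 'unsafe-inline' is needed because WordPress emits inline scripts and styles;
    # it weakens the XSS protection, and removing it needs per-request nonces or
    # hashes, which plain .htaccess cannot generate.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'; upgrade-insecure-requests"

    # When the console stays quiet for a while, enforce it by changing the header
    # name to Content-Security-Policy with the same value. frame-ancestors 'self'
    # then does the job of X-Frame-Options SAMEORIGIN for browsers that support CSP.

    # Permissions-Policy replaced Feature-Policy. Send both so older browsers that
    # still read the old name get the same restrictions.
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=()"
    Header always set Feature-Policy "camera 'none'; microphone 'none'; geolocation 'none'; payment 'none'; usb 'none'"
</IfModule>
```

The report-only header is the important step for a WordPress site: switching straight to an enforcing CSP usually breaks the admin dashboard or the theme's editor, and the console violations tell you exactly which source to allow-list before you do.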

Have fun with security.
