Crescentek

Security Hardening

Defense in depth. Not a single wall.

No single security measure is enough. Good hardening layers defenses — edge WAF absorbs volume attacks; server firewalls block obvious bots; application hardening stops abuse; file integrity catches malware; data encryption protects what's left. If one layer fails, the next catches it.

Layers
L1 · Edge CDN + WAF
L2 · Server firewall
L3 · Application hardening
L4 · File integrity
L5 · Encrypted data

Example vector: DDoS surge. 100k requests/s from botnet absorbed at CF edge.

Blocked attacks · sample log
DDoS surge @ L1
SQL injection @ L1
Brute-force login @ L3
XSS payload @ L1
Malware upload @ L4
Bot scraping @ L2

What we harden

The baseline every production site should pass.

Not exotic zero-days. Just the fundamentals — the things that catch 95% of actual attacks. This is the checklist we run on every client site.

Cloudflare in front
Free-tier handles DDoS, bot traffic, known exploit patterns. First layer before server even sees requests.
HTTPS everywhere, HSTS on
No plain HTTP. Let's Encrypt auto-renewing. HSTS preload prevents downgrade attacks. Baseline.
Remove default admin usernames
WordPress: delete 'admin' user, create new with non-obvious name. Half of brute-force attempts fail immediately.
2FA on all admin logins
WordPress 2FA plugin, hosting panel 2FA, email 2FA. Every admin account. Non-negotiable.
Limit login attempts
5 failures → 15 min lockout. Cuts brute-force attack effectiveness by 99%. Built into WP security plugins.
Disable XML-RPC (mostly)
Legacy WordPress API used by bots for brute-force. If you don't use Jetpack/mobile app, turn it off entirely.
File permissions locked
Directories 755, files 644, wp-config.php 600. No world-writable anywhere. Standard Unix hardening.
Daily malware scanning
Wordfence/Sucuri scan filesystem + DB for known malware signatures. Catches compromises early before damage spreads.
Offsite backups, tested
Daily backup to separate provider (not same host). Monthly restore test — unused backups have a 30% failure rate in restoration.
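
The "File permissions locked" item above can be checked mechanically. The script below is an added example, not Crescentek's own tooling: it audits a tree against the 755 / 644 / 600 baseline and flags anything world-writable. The function names and the demo tree are constructed for illustration; it assumes a POSIX find and an external printf.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the baseline in the checklist
# (directories 755, files 644, wp-config.php 600, nothing world-writable).

# Prints one "FINDING<TAB>path" line per deviation.
# Returns 0 when clean, 1 when anything deviates, 2 on bad input.
audit_wp_perms() {
    ap_root=$1
    [ -d "$ap_root" ] || { echo "not a directory: $ap_root" >&2; return 2; }
    # World-writable entries are reported first and separately: most urgent.
    ap_out=$(
        find "$ap_root" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'WORLD_WRITABLE\t%s\n' {} \;
        find "$ap_root" -type d ! -perm 755 \
            -exec printf 'DIR_NOT_755\t%s\n' {} \;
        find "$ap_root" -type f ! -name wp-config.php ! -perm 644 \
            -exec printf 'FILE_NOT_644\t%s\n' {} \;
        find "$ap_root" -type f -name wp-config.php ! -perm 600 \
            -exec printf 'CONFIG_NOT_600\t%s\n' {} \;
    )
    [ -z "$ap_out" ] && return 0
    printf '%s\n' "$ap_out"
    return 1
}

# Constructed sample tree (not a real site) with three deliberate deviations:
# a 777 uploads directory, a 666 file inside it, and a 644 wp-config.php.
make_demo_tree() {
    md=$(mktemp -d) || return 2
    mkdir -p "$md/wp-content/uploads"
    : > "$md/index.php"
    : > "$md/wp-config.php"
    : > "$md/wp-content/uploads/cache.php"
    chmod 755 "$md" "$md/wp-content"
    chmod 777 "$md/wp-content/uploads"
    chmod 644 "$md/index.php" "$md/wp-config.php"
    chmod 666 "$md/wp-content/uploads/cache.php"
    printf '%s\n' "$md"
}

# Usage: sh audit.sh /path/to/wordpress   (exit status 1 means deviations)
if [ "$#" -gt 0 ]; then audit_wp_perms "$1"; fi
```

Files that legitimately need the execute bit are reported as FILE_NOT_644; review those findings rather than bulk-fixing them.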
Tools per layer

Specific tools for each defense layer.

L1 · Edge
Tools we use: Cloudflare (WAF + DDoS + bot management), AWS Shield, Sucuri Firewall
Cost: €0-200/mo
Covers: Volumetric attacks, bot traffic, known CVE payloads, bad IP lists, rate limiting by geography/path

L2 · Server
Tools we use: fail2ban, ufw, OSSEC, CSF, ImunifyAV
Cost: Free / built-in
Covers: IP-level blocking, SSH brute-force protection, port lockdown, log monitoring + alerts

L3 · Application
Tools we use: Wordfence, Sucuri Security, Patchstack, MainWP
Cost: €60-300/yr
Covers: WP-specific: login lockdown, 2FA, file change monitoring, hardening of XML-RPC/admin pages, IP-level blocking from plugin

L4 · File integrity
Tools we use: Wordfence scanner, Sucuri SiteCheck, MalCare, ImunifyAV
Cost: Included in L3 usually
Covers: Malware signatures, file-change detection, shell detection, vulnerability database matching

L5 · Data + backups
Tools we use: UpdraftPlus, BackupBuddy, host-provided snapshots, BorgBackup (VPS)
Cost: €0-150/yr
Covers: Offsite backups, encrypted at rest, restore-tested monthly. DB encryption at rest for compliance.

Meta · Monitoring + alerting
Tools we use: UptimeRobot, Sucuri alerts, Cloudflare analytics, logs → SIEM
Cost: €0-50/mo
Covers: Know when something's happening. Without monitoring, a breach can go undetected for months.

When something does go wrong

The compromised-site playbook.

Even with good hardening, sites get compromised. The difference between "noticed in 2 hours + cleaned in a day" vs "undetected for 6 months + SEO destroyed" is having a response plan.

01 · Isolate
Put site in maintenance mode. Disable all external access except admin. Takes 5 minutes; prevents further damage. Your SEO won't die from 24h of maintenance.

02 · Snapshot
Full backup of compromised state before cleaning. Evidence for understanding what happened. Log files, DB dump, filesystem. Don't skip this step.

03 · Identify
Compare against known-clean backup. Check for: unknown admin users, modified core files, suspicious plugins, backdoor files, DB records with malicious content.

04 · Rotate credentials
Every password: WP admin, DB, SFTP, hosting panel, any API keys in config. Assume everything is compromised. Force-logout all users.

05 · Restore or clean
If you have a clean pre-infection backup — restore. Otherwise, clean each suspicious file individually + patch vulnerability. Restoration is usually faster.

06 · Patch the entry point
Whatever got exploited, update/replace/fix. Likely an outdated plugin. If you don't know — audit until you do.

07 · Monitor post-recovery
Extra-aggressive monitoring for 30 days. Log everything. Re-infection is common if attackers have scheduled tasks still running.

08 · Post-mortem
How did they get in? What would prevent it? Harden that layer. Most breaches happen to the same site twice if lessons aren't applied.
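
The filesystem half of the "Identify" step (compare against known-clean backup) comes down to a hash comparison. The script below is an added example, not Crescentek's own procedure: it lists files that were added, modified or removed relative to the clean copy. Function names and the demo trees are constructed; it assumes GNU sha256sum and awk, and file names without newlines or backslashes.

```shell
#!/bin/sh
# Added example: diff a live (or snapshotted) tree against a known-clean backup.

# Prints "sha256  ./relative/path" for every regular file under $1.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# Prints ADDED / MODIFIED / REMOVED lines, tab-separated from the path.
# Returns 0 when the trees match, 1 when they differ, 2 on error.
diff_against_clean() {
    dc_clean=$1; dc_live=$2
    dc_tmp=$(mktemp -d) || return 2
    manifest "$dc_clean" > "$dc_tmp/clean" && manifest "$dc_live" > "$dc_tmp/live" \
        || { rm -rf "$dc_tmp"; return 2; }
    # Hash is the first 64 characters; the path starts at column 67, so paths
    # containing spaces are kept whole.
    dc_out=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { clean[path] = hash; next }
        { seen[path] = 1
          if (!(path in clean))         print "ADDED\t" path
          else if (clean[path] != hash) print "MODIFIED\t" path }
        END { for (p in clean) if (!(p in seen)) print "REMOVED\t" p }
    ' "$dc_tmp/clean" "$dc_tmp/live" | LC_ALL=C sort)
    rm -rf "$dc_tmp"
    [ -z "$dc_out" ] && return 0
    printf '%s\n' "$dc_out"
    return 1
}

# Constructed sample trees (not real site data): one file altered, one file
# added under uploads, one file missing from the live copy.
make_demo_pair() {
    mp=$(mktemp -d) || return 2
    mkdir -p "$mp/clean/wp-content/uploads" "$mp/live/wp-content/uploads"
    echo '<?php // front controller' > "$mp/clean/index.php"
    echo '<?php // login'            > "$mp/clean/wp-login.php"
    echo 'readme'                    > "$mp/clean/readme.html"
    cp "$mp/clean/index.php" "$mp/live/index.php"
    echo '<?php // login, altered'   > "$mp/live/wp-login.php"
    echo '<?php // unexpected file'  > "$mp/live/wp-content/uploads/x.php"
    printf '%s\n' "$mp"
}

# Usage: sh identify.sh /backups/clean /var/www/site
if [ "$#" -eq 2 ]; then diff_against_clean "$1" "$2"; fi
```

Run it against the snapshot taken in step 02 rather than the production tree, so the evidence is not touched while you investigate.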
Reality check

What actually attacks Irish SMB sites.

Outdated WordPress plugins (60% of incidents)
Outdated plugins with public CVEs are scanned for constantly. Auto-update when possible; review before updating major versions.
Credential stuffing (password reuse)
LinkedIn breached → your admin used same password → pwned. Use unique passwords everywhere + 2FA as safety net.
Supply-chain compromise
Legitimate plugin gets hijacked + pushes malicious update. Rare but happens. Monitor plugin change logs + file integrity.
SEO spam injection
Attackers inject viagra/casino links into your footer/sidebar to boost their sites. Hurts your SEO. Detection: check rendered HTML for suspicious anchors.
Cryptojacking
Attacker installs crypto miner on your server. Your CPU maxed; hosting bill spikes. Monitor CPU baseline; alert on anomalies.
Ransomware on shared hosting
Less common on hosted WP but real. All files encrypted; demand payment. Mitigation: offline-held backups you can restore without paying.
Frequently asked

Security hardening questions.

Yes — typical audit: 1-2 weeks. We review current stack + configs, test common attack vectors, harden what's needed, document everything. Ongoing retainer from €400/mo for monthly review + patch management + monitoring.
Hardening + compliance overlap but aren't the same. We cover technical safeguards (encryption, access controls, breach response). For full GDPR-compliance programmes (DPIA, data processing agreements, DPO consulting), we partner with Irish GDPR specialists and coordinate.
Signs: unexplained slowdowns, unknown admin users, modified core files, SEO ranking drop, Google Search Console warnings, customers reporting weird pop-ups, odd inbox email patterns. If unsure — run Sucuri SiteCheck (free) as first pass. Suspicious? Get a proper audit.
Cloudflare in front (free) + 2FA on every admin + auto-updates on plugins. Three things, big impact. Takes an hour to set up properly. Kills 70% of automated attacks most SMB sites face.
Partly. Oversold shared hosts have worse baseline (outdated PHP, weaker WAF, less monitoring). Noisy neighbours + weak isolation. If budget constrains you to €5/mo cPanel, compensate with Cloudflare + aggressive plugin hygiene + external monitoring.

Let's harden your site before something bad happens.

45-minute security review. Share your stack; we audit against the baseline, identify gaps, propose a harden-and-protect plan. Most Irish SMB sites fail 4-7 of our baseline checks — better to find out from us than from Google's "this site may be hacked" warning.