Many companies assume that their website is secure—until they run an independent test themselves. That’s when the first problems often come to light: missing DNS protection, weak email settings, open ports, missing security headers…
How strong is the security of your domain, hosting, and CMS?
Learn how to quickly test your website for vulnerabilities and what a modern multilayer security architecture looks like.
1. Domain & DNS Security (the basics)
We start with the layer that almost everyone forgets: DNS and domain security. Your website may be perfectly protected, but still remain vulnerable due to poor DNS configuration.
We check and configure:
- DNSSEC (protection against DNS manipulation)
- No orphaned DNS records (old records that could be exploited)
- SPF records (which servers are allowed to send email?)
- DKIM (cryptographic email signing)
- DMARC (preferably with the policy set to reject)
With proper DNS configuration, you protect your domain against spoofing, phishing, and identity abuse.
Tip: Test your domain’s security via internet.nl.
2. Secure Hosting (high availability)
Even if you use a secure CMS, your website remains vulnerable if the hosting environment is weak.
For a secure website, it’s recommended to choose Belgian managed servers, fully GDPR-compliant and monitored 24/7 by a specialized team that ensures stability, security, and uptime.
A solid hosting environment ideally provides:
- automatic OWASP filters
- advanced security signatures
- redundant infrastructure with no single points of failure
- DDoS protection
- continuous 24/7 monitoring by experienced engineers
- daily backups (for incident recovery)
This way, hosting becomes a reinforcing component in your security architecture, rather than a liability.
3. The CMS: Drupal (security by default)
Drupal is one of the most secure CMS platforms in the world. It’s no coincidence that it’s used by governments, banks, and universities.
Key best practices include:
- Antibot and Captcha on forms and logins
- Security Kit for Content Security Policies (CSP)
- Regular core & module updates by the Drupal security team
- Limited attack surface thanks to standardized Drupal distributions
Drupal thus forms an exceptionally strong foundation upon which further security layers can be built.
Tip: Check your website’s security and see how it scores:
4. Additional Security Layers (multilayered protection)
When your domain, hosting, and CMS are secure, it’s essential to add additional layers that actively block threats and detect anomalies.
WAF Rules Directly via .htaccess
Use a Web Application Firewall layer that you manage yourself. By defining WAF rules in .htaccess, you can:
- protect specific endpoints
- limit brute-force actions
- block malicious payloads before they reach Drupal
- remain independent of external providers
CrowdSec (community IP blocking)
Avoid an endless “whack-a-mole” strategy. CrowdSec provides a dynamic blocklist based on global threat intelligence.
- automatic blocking of suspicious IPs
- benefit from worldwide community signals
- integration with Drupal login flows and forms
SOC Dashboard (Security Operations visibility)
A central dashboard helps you detect suspicious patterns at an early stage:
- suspicious login activity and brute-force attempts
- sudden traffic spikes
- calls to vulnerable endpoints
- suspicious payloads
Uptime Monitoring & real-time notifications
Use uptime monitoring so you are immediately alerted to:
- downtime
- delays
- unusual response times
5. Checklist: For Every Professional Website
Basic Layer (minimum)
- secure DNS and email configuration (DNSSEC, SPF, DKIM, DMARC)
- high availability hosting with OWASP filters and 24/7 monitoring
- Drupal hardening & up-to-date configuration
- proper caching, permissions, and best practices
- basic security headers (X-Frame-Options, HSTS, etc.)
- WAF rules for common attacks
Recommended Additions
- extended CSP configurations via Drupal Security Kit
- dynamic IP blocking via CrowdSec
- SOC monitoring for payloads, brute-force, and anomalies
- more frequent and more detailed uptime monitoring
This checklist indicates which security layers are essential and which can be added optionally.
Conclusion
Your website security doesn’t consist of a single solution, but of multiple layers and systems that complement and reinforce one another. Those who properly build this foundation create an infrastructure that can withstand errors, attacks, and the ongoing evolution of the internet.
Security is not a product. It is an architecture.