How to Secure Your Website With Imperva Incapsula

This post is part of a series called Securing Your Website with Incapsula.
Sponsored Content

This sponsored post features a product relevant to our readers while meeting our editorial guidelines for being objective and educational.

Introduction to Imperva Incapsula

This is the first of a sponsored, three-part series covering Incapsula performance and security services, brought to you by Imperva. Incapsula provides relatively low-cost services that often only large companies can afford to build; it puts the rest of us back on secure ground with Fortune 100 web publishers.

In this tutorial, I'll introduce you to the Incapsula solution's basic security services and walk through how easy it is to integrate your website with their systems.

Upcoming tutorials will review Incapsula protections, from guarding against distributed denial of service attacks (DDoS) to their performance optimization with a content delivery network (CDN) and other features such as compression and image optimization.

[Image: Incapsula.com - The Website Home Page]

I've been quite impressed with the Incapsula network's simple integration steps and the sophistication of its resulting secure, high-performance hosting operations—so much so that I've added them to my Internet services directory. With Incapsula, you can have basic security protections and performance enhancements for free, or a robust set of protective services for $59 monthly.

If you have any requests for future episodes in this series or questions and comments on today's, please post them below. You can also reach me on Twitter @reifman or email me directly.

What Does Incapsula Provide?

When you sign up for Incapsula, your website traffic will be seamlessly routed through its globally distributed network of powerful servers. Your inbound traffic is intelligently profiled in real time, blocking the latest web threats (e.g., SQL injection attacks, scrapers, malicious bots, comment spammers), and with higher-level plans, thwarting DDoS attacks. Meanwhile your outbound traffic is sped up with the Incapsula CDN and Optimizer. A lot of these features are provided for free, and you can try all of it without cost during their 14-day trials.

Here's a fun image of how Incapsula protects your site, sending visitors to web pages quickly and bots and intruders to dev/null:

[Image: Incapsula.com - How the network protects your site]

In addition to the front-end firewall protections for your website, Incapsula also has developed special software to monitor outbound traffic and help you detect any pre‑existing backdoors in your website. It's called Backdoor Protect:

Incapsula also offers Two Factor Authentication for any set of pages on your site, via Login Protect:

As I'll cover in the next tutorials, Incapsula offers a wide variety of robust security and performance enhancements, from DDoS Protection to CDNs, Load Balancing, and even real-time health monitoring and notifications.

If you have specific questions already, check out the Incapsula FAQs.

Getting Started With Incapsula

Let's begin by choosing a plan for our free trial. If you're running a serious website and have a solid budget, try the most popular Business account. Otherwise, I suggest starting your trial with the Pro account to walk through our tutorial:

[Image: Incapsula.com - Plan Options and Pricing]

Click the green Free Trial button for the appropriate plan and fill out the sign-up form:

[Image: Incapsula.com - Sign up for your free trial]

After you create your account, you'll be greeted with a friendly confirmation with links to the Incapsula FAQ and Knowledge Base:

[Image: Incapsula.com - Welcome email message]

The Incapsula Demonstration Site

If you're not quite ready to sign up, Incapsula offers a complete demonstration site which you can browse. The site is a copy of an actual Incapsula account showing all of its services and functionality, but does not allow you to actually use the interface.

[Image: Incapsula.com - The Product Demonstration Tour]

Integrating Your Website With Incapsula

It's amazing how easy it is to integrate your website with Incapsula once you've signed up. To add your website, enter your domain name in the Incapsula Add Site form:

[Image: Incapsula.com - Add your website]

You can also preview these steps with the Incapsula Setting Up Your Website video:

For this tutorial, I chose my Lookahead Consulting website. It's a fairly simple WordPress website which I currently host at Digital Ocean and optimize with Varnish and W3 Total Cache; I've written about this in earlier tutorials. Incapsula can be a fantastic enhancement to run fast, secure, scalable hosting off any low-cost hosting provider's basic plan.

[Image: Incapsula.com - Add your website domain name]

Incapsula quickly scans your site and identifies the hosting infrastructure you're using: 

[Image: Incapsula.com - Scanning your records]

Then, it provides you instructions to Change your DNS records:

[Image: Incapsula.com - Instructions for changing your DNS records]

Using my domain registrar, I complied with their DNS setting requests. It was a bit odd having two root A records, and I actually hadn't seen that before—but it worked fine:

[Image: Example of My DNS Zone Record]

Since DNS can sometimes be slow, Incapsula has a pending DNS change page showing the status of your changes:

[Image: Incapsula.com - Waiting for my pending DNS changes]

Once your DNS changes are confirmed, you'll receive a notification email with further information on how to begin to use the site:

[Image: Incapsula.com - Email notification when setup is complete]

As you use the service over time, Incapsula will gather statistics about the typical (and nefarious) visitors to your site:

[Image: Incapsula.com - The Sites Listing Page]

Using the Incapsula Dashboard

The Incapsula Dashboard monitors traffic, shows you where it's coming from, tracks bandwidth and more:

[Image: Incapsula.com - Dashboard After One Day of Operations]

Here's a close-up example (apparently my consulting site gets a high ratio of bot traffic): 

[Image: Incapsula.com - Dashboard Visits by Humans and Bots]

Incapsula Security

When you visit the Security page, you'll see a further summary of nefarious traffic:

[Image: Incapsula.com - Security]

Incapsula will also email you whenever it observes attacks—but you don't have to get out of bed in the middle of the night to respond, because it has already handled them for you:

[Image: Incapsula.com - Email notification of threat alerts]

Imperva constantly studies the inbound and outbound traffic of all of their customers to become quicker at detecting backdoors and new kinds of attacks. Here's an incident summary that Incapsula provides:

[Image: Incapsula.com - Incident Reporting]

Here are the kinds of threats that the Incapsula Web Application Firewall (WAF) will track:

[Image: Incapsula.com - Web Application Firewall Threat Detection]

Using Two Factor Authentication (2FA)

While I've written at Tuts+ before about using Google's 2FA, Incapsula Login Protect is more flexible, enabling instant activation of two-factor authentication to websites and Web applications of all kinds. Furthermore, it doesn't require any coding, application changes, or third-party authentication service integration.

Why Use Incapsula Two Factor Authentication?

You can use Incapsula 2FA with great flexibility. For example, it's perfect for:

  • protecting administrative access to websites and applications (e.g. login to administrator areas)
  • protecting remote access to your corporate web applications such as web mail, employees’ portal, etc.
  • restricting access to any part of a web application or any webpage (e.g. your resume or a staging site for a client design)

Here's an example of how easy it is to set up Login Protect:

[Image: Incapsula.com - Login Protect]

This video will also guide you through how easy the setup is for Two Factor Authentication:

Read more about Login Protect here.

Given the steps outlined in this article, here's how you can ensure the security of your site. Why not see how Incapsula works out for you and/or your team?

What's Next?

I hope you've enjoyed this tutorial enough to give Incapsula a try. I've written a number of sponsored tutorials for Tuts+ but I was uniquely impressed with the ease of integration that the Incapsula solution provides while offering an affordable yet rich set of vital services. 

Next up, I'll walk you through the Incapsula network's AWS protections from DDoS attacks.

Please feel free to post your questions and comments below. You can also reach me on Twitter @reifman or email me directly. You can also browse my Tuts+ instructor page to read the other tutorials I've written.
