Your site is unhackable

More than 70% of all WordPress sites are vulnerable to hacker attacks. Being popular makes you a popular target. Beyond that, WordPress and its plugins simply have a lot of vulnerabilities. By contrast, a site built with the Lean Web Kit is unhackable. That’s a bold statement. We can state it with confidence because the Lean Web Kit produces static sites: on each code change, and whenever you publish new content, your site is rendered into static files. Those files are served as-is, with no database and no server-side code running per request, so there is simply nothing to hack.

A+ security rating

Your website is always served over a secure connection, called HTTPS.

HTTPS brings a lot of advantages:

  • HTTP/2 - Boost your site’s performance; HTTP/2 requires HTTPS.
  • SEO - Google search results prioritize sites with HTTPS enabled.
  • Analytics - HTTPS-enabled sites will not send referral data to sites without HTTPS enabled.
  • Content Integrity - Without SSL, free Wi-Fi services can inject ads into your pages.
  • Security - If you have a login on a Single Page App or accept form submissions, HTTPS is essential for your users’ security and privacy.

Your site is hosted on Netlify which automatically provides you with an HTTPS certificate from Let’s Encrypt. This grants you an A+ rating for your HTTPS (SSL) connection:

The Kit has an A+ rating for HTTPS (SSL) on SSL Labs

Likewise your CMS and API are always served over a secure HTTPS connection.

In addition your website is configured to:

  • Force HTTPS - HTTP requests are redirected to HTTPS, and browsers are told to use HTTPS for all future visits (using Strict-Transport-Security).
  • Prevent clickjacking - by stopping other sites from loading your pages in iframes (using X-Frame-Options).
  • Prevent MIME sniffing - browsers must honour the declared Content-Type instead of guessing it, so an uploaded file cannot be reinterpreted as script or HTML (using X-Content-Type-Options).
  • Prevent cross-site scripting - which stops other sites from injecting script into your pages (using X-XSS-Protection). This is a legacy browser filter; a Content Security Policy is the mechanism modern browsers rely on.
  • Prevent referrer leaks - by restricting what information the sites you link to receive about the page a visitor came from (using Referrer-Policy).

These headers add a further layer of protection and earn an A rating on secure headers:

The Kit has an A rating for secure headers on securityheaders.com

By comparison, WordPress.com has a D rating for secure headers by default. A Content Security Policy (CSP) and Feature Policy are specific to your site and can be configured by your development team to achieve an A+ rating for secure headers.
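To check that a deployed site actually sends the headers listed above, here is an added audit script in Python. It is example code, not part of the Lean Web Kit or of Netlify, and it evaluates a set of response headers against the same checklist: HSTS with a max-age above an assumed six-month threshold, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and the presence of a Content-Security-Policy, while treating X-XSS-Protection as informational only. The two header sets embedded in it are constructed samples, not captured from any real site; the `fetch_headers` helper is provided for running the same checks against a live URL.

```python
"""Audit HTTP response headers against the hardening checklist above.

Added example; not Lean Web Kit code. The sample header sets are constructed
to illustrate a hardened and an unhardened response, not captured from any site.
"""
import re
from typing import Dict, List, Tuple

# A finding is (header name, status, note); status is "pass", "fail", "warn" or "info".
Finding = Tuple[str, str, str]

# Assumed threshold for this example: HSTS max-age of at least six months (in seconds).
MIN_HSTS_MAX_AGE = 180 * 24 * 60 * 60

# Referrer-Policy values that never send the full URL to a different origin.
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}

# Constructed sample: the header set the page describes for a Kit-built site.
KIT_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Constructed sample: a response that sets none of the hardening headers.
BARE_HEADERS = {"Content-Type": "text/html; charset=utf-8"}


def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Lower-case names and trim values so lookups are case-insensitive."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def check_hsts(value: str) -> Finding:
    """Require a max-age directive that meets the assumed minimum."""
    name = "strict-transport-security"
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match:
        return (name, "fail", "no max-age directive; browsers will not remember to use HTTPS")
    max_age = int(match.group(1))
    if max_age < MIN_HSTS_MAX_AGE:
        return (name, "fail", f"max-age={max_age} is below the assumed minimum of {MIN_HSTS_MAX_AGE}")
    return (name, "pass", f"max-age={max_age}")


def audit_headers(raw_headers: Dict[str, str]) -> List[Finding]:
    """Evaluate one response's headers; returns one finding per check, in a fixed order."""
    h = normalize(raw_headers)
    findings: List[Finding] = []

    hsts = h.get("strict-transport-security")
    findings.append(check_hsts(hsts) if hsts is not None
                    else ("strict-transport-security", "fail", "missing: the browser never upgrades HTTP on its own"))

    xfo = h.get("x-frame-options", "").upper()
    findings.append(("x-frame-options", "pass", xfo) if xfo in ("DENY", "SAMEORIGIN")
                    else ("x-frame-options", "fail", "missing or not DENY/SAMEORIGIN: pages can be framed"))

    xcto = h.get("x-content-type-options", "").lower()
    findings.append(("x-content-type-options", "pass", "nosniff") if xcto == "nosniff"
                    else ("x-content-type-options", "fail", "missing: browsers may sniff content types"))

    # X-XSS-Protection is a legacy filter that current browsers ignore, so it is informational only.
    xxss = h.get("x-xss-protection")
    findings.append(("x-xss-protection", "info",
                     "legacy header; modern browsers rely on Content-Security-Policy"
                     + ("" if xxss is None else f" (value: {xxss})")))

    # Browsers apply the last recognised policy when several are listed, so check the last token.
    policy = h.get("referrer-policy", "")
    last = policy.split(",")[-1].strip().lower()
    findings.append(("referrer-policy", "pass", last) if last in SAFE_REFERRER_POLICIES
                    else ("referrer-policy", "fail", "missing or leaks the full URL to linked sites"))

    # CSP is site-specific, so its absence is a warning rather than a failure here.
    findings.append(("content-security-policy", "pass", "present") if "content-security-policy" in h
                    else ("content-security-policy", "warn", "not set; needed for an A+ rating"))
    return findings


def failures(findings: List[Finding]) -> List[str]:
    """Names of headers whose check failed."""
    return [name for name, status, _ in findings if status == "fail"]


def warnings(findings: List[Finding]) -> List[str]:
    """Names of headers whose check produced a warning."""
    return [name for name, status, _ in findings if status == "warn"]


def report(label: str, findings: List[Finding]) -> str:
    """Render findings as a plain-text report."""
    lines = [f"== {label} =="]
    lines += [f"[{status:>4}] {name}: {note}" for name, status, note in findings]
    return "\n".join(lines)


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a live site's response headers (needs network; not used in the offline demo)."""
    from urllib.request import Request, urlopen
    with urlopen(Request(url, headers={"User-Agent": "header-audit/1.0"})) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    print(report("constructed Kit-style headers", audit_headers(KIT_HEADERS)))
    print(report("constructed bare headers", audit_headers(BARE_HEADERS)))
```

Run it as-is to see both constructed samples graded; to audit a real deployment, pass `fetch_headers("https://your-site.example")` (placeholder URL) to `audit_headers`. The six-month HSTS threshold and the "safe" Referrer-Policy set are choices made for this example, so adjust them to the policy your team has agreed on.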

Two-factor authentication (2FA)

If you want an extra layer of security you can enable two-factor authentication for both your code and your CMS: