The correct process — security hardening checklist before every deployment:
A written checklist of every setting to verify before a server goes live. Applied by a second person, not the developer who built it. Automated where possible using Infrastructure as Code security scanners.
Specific hardening steps:
Change all default credentials immediately on deployment
Disable debug mode, verbose errors, and directory listing in production
Remove all sample applications, default pages, and test endpoints
Restrict admin interfaces to internal networks only
Use security headers: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options
Run automated config scanners: Lynis (Linux), ScoutSuite (cloud), Trivy (containers)
Notable incidents:
2017 — MongoDB default open access — 27,000 databases wiped and ransomed in 2 weeks
2019 — Elasticsearch default open — 1.2 billion records exposed publicly
2020 — Twitch source code leaked via misconfigured internal server
2017 — MongoDB Ransomware Wave: Attackers wrote a script that searched Shodan for MongoDB instances with no authentication (the default). They wiped the databases, left a ransom note, and moved on. 27,000 databases were affected in 2 weeks. No CVE. No sophisticated attack. Default settings, automated targeting, mass destruction.