How to Protect Your Website from Hackers
Your website needs the most comprehensive security to protect it from the constant attacks it faces every day.
Every day, small businesses become victims of cyber attacks. Hackers break into websites, steal customer data, and damage reputations. Your website, which is vital for your business, is at risk from these online criminals. They don’t care if your business is big or small—they attack any site they can.
Scan your website if you suspect your site has been hacked.
We’ve helped many business owners after their websites were hacked. It’s a scary and stressful situation. The good news is that you can protect your website, even if you’re not a tech expert. This article will show you how to make your website secure, step by step.
TL;DR: Hackers relentlessly attack websites of all sizes. Your strongest defence? A security plugin with a firewall. While there are many ways to boost security, this powerful shield is your best first step: easy to set up and incredibly effective against hackers.
While no security system is 100% foolproof, it is always better to have some modicum of security in place. You have a responsibility to your visitors, their data, and of course to yourself and your business.
We’ve compiled the list of security types, vetting each measure for security, practicality, and usability. It is our strongly-held belief that security should not be at odds with usability. You don’t want your users to jump through hoops to get to your content, because they certainly won’t.
1. Install a firewall with bot protection
Firewalls are the foremost defences against hackers. At its core, a firewall is code that identifies and blocks malicious requests. Every request for information made to your website first goes through the firewall. If the firewall detects that the request is malicious, or being made from an IP address that is known to be malicious, the request gets blocked instead of being processed.
As an added bonus, website firewalls should come with bot protection. Hackers create bots that sniff out vulnerable websites and automate most of the attack process. A firewall blocks bots like these, along with scrapers, while allowing the good ones, such as search engine crawlers and uptime monitors, through to the site.
Bad bots are especially detrimental to server resources, as we have seen numerous times with AI scraper bots.
🔥 In fact, firewalls like MalCare are designed specifically to protect websites in all these ways and more. They shore up the critical parts of a site, to ensure that hackers cannot exploit vulnerabilities to attack them—even if they exist.
2. Scan for malware daily
There are two truisms with website security: 1) no security is 100% attack-proof; and 2) the longer malware remains on a site, the worse the damages are.
This leads us nicely to our next critical aspect of website security: malware scanning, which is best accomplished with a vulnerability scanner.
You would think that if hackers had gotten through your site defences, you would know instantly. The reality is far from it. Hackers are interested in keeping you in the dark about malware for as long as possible. Your site is a treasure trove of resources for them to exploit, and as soon as you find out about the hack, you’re naturally going to try and get rid of it. No bueno for the hackers.
Scanning is the only definitive way to detect a hack on your site. Good malware scanners scrutinise every file and database entry to look for hacks. If there is something found, you can take action immediately. MalCare deep scans your site daily and automatically, keeping a vigilant eye on your site and data.
3. Get SSL on your website
A Secure Sockets Layer (SSL) certificate enables the protocol that encrypts all communication to and from a website. Installing one ensures that even if a hacker intercepts data travelling to or from your website, they cannot read it. It is what takes your site from HTTP to HTTPS.
Look for a host that provides one with your hosting package. Alternatively, you can set about buying and installing an SSL certificate for yourself.
⚡️ This is now old news, but an SSL certificate is no longer negotiable. Even search engines prioritise HTTPS results, so you’ll get SEO benefits too.
4. Update vulnerable software, and everything else
The vast majority of hacks occur because of vulnerabilities in a theme or plugin. Hackers exploit a single flaw to take over thousands of websites.
So what is a vulnerability? Themes and plugins are software. Like any other software, they are pieces of code that will invariably have bugs. Some bugs are relatively harmless and may just cause a minor glitch while updating. Others can render the code vulnerable to exploitation.
For example, a common vulnerability is an SQL injection flaw in a contact form plugin. It lets hackers insert malicious database queries through form fields, potentially allowing them to access or manipulate your site’s data. It’s a simple coding oversight with serious security implications.
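To make the "simple coding oversight" concrete, here is an added example (not code from the article, MalCare, or any real contact form plugin) of a WordPress lookup that splices a form field into SQL, beside the fixed version using `$wpdb->prepare()`. The table name `cf_submissions` and the `cf_ex_` function names are hypothetical.

```php
<?php
// Added example: a contact-form plugin looking up submissions by e-mail.
// Assumes a WordPress environment ($wpdb, sanitize_email, is_email, WP_Error).
// Table name {prefix}cf_submissions is hypothetical.

// VULNERABLE: the form value is concatenated straight into the query, so a
// stray quote in the input alters the structure of the SQL the database sees,
// letting the submitter read or change rows the form never intended to touch.
function cf_ex_lookup_vulnerable($email) {
    global $wpdb;
    $sql = "SELECT id, message FROM {$wpdb->prefix}cf_submissions WHERE email = '$email'";
    return $wpdb->get_results($sql);
}

// FIXED: $wpdb->prepare() binds the value through a %s placeholder. The
// database layer escapes and quotes it, so it is only ever treated as data.
function cf_ex_lookup_safe($email) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, message FROM {$wpdb->prefix}cf_submissions WHERE email = %s",
        $email
    );
    return $wpdb->get_results($sql);
}

// Defence in depth: reject input that is not even shaped like an e-mail
// address before it reaches the database at all.
function cf_ex_lookup_validated($email) {
    $email = sanitize_email($email);
    if (!is_email($email)) {
        return new WP_Error('invalid_email', 'Not a valid e-mail address.');
    }
    return cf_ex_lookup_safe($email);
}
```

Every value that originates from a request (form fields, query strings, cookies, headers) should travel through `prepare()` or an equivalent binding API; validation is an extra layer, not a substitute.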
When vulnerabilities are discovered, mostly by security researchers, they are disclosed to the plugin developer for patches. Responsible developers will release a fix, and websites with the plugin installed will see that an updated version of the plugin is available.
Therefore, it is always best to keep everything—right from the CMS to plugins—updated at all times. We know that updates can sometimes break websites in unexpected ways, so to circumvent any inconvenience, use staging to update safely. But do please update everything.
⚠️ Once the fix is released, the vulnerability is disclosed publicly. If you were one of the websites that updated the plugin or theme with the security fix, that’s excellent. If not, your website will become the target of amateur hackers (called script kiddies) looking to make a quick buck.
5. Always use strong passwords
Everyone knows this, because password security is important everywhere. Yet, you’d be surprised to know how many websites are hacked simply because the password was weak. Easy-to-guess passwords are used by hundreds of thousands of websites.
Hackers, meanwhile, have lists of these passwords called rainbow tables. Rainbow tables, combined with a brute force bot, will hammer login pages with combinations to unlock accounts.
Strong passwords are a combination of letters, numbers, and symbols. Uncommon combinations are hard to crack and can take a hacker’s tools years to break. Also, the longer a password, the more difficult it is to crack—and to remember. Therefore, we strongly recommend using a good password manager.
It will generate an appropriately fiendish-looking password for your account, and save you the trouble of remembering it. This way, you can also adhere to the second cardinal rule of passwords: never ever reuse them.
💡 You can also enforce strong passwords for all your users with a plugin such as Password Policies Manager. It lets you create policies that force every user to choose a strong password when creating their account.
6. Implement 2FA
Two-factor authentication (2FA) is a security measure that requires, in addition to your password, a second device or token that you must have access to in order to log in.
There are several paid and free 2FA plugins that can be used to harden your login page, and they support the most popular protocols. If you have many contributors to your website, it’s definitely a good idea to implement this security feature.
There are a few protocols that are used for 2FA, like TOTP (time-based one-time password) or HOTP (HMAC-based one-time password). They each have their pros and cons, but for the purposes of login security, we don’t need to delve into those details.
7. Limit login attempts
Limiting login attempts is a highly effective way to secure your website without many downsides. It is an easy way to block brute force bots and attackers: an IP address is denied further attempts after 3 failures. MalCare’s firewall comes with this feature built in. Even if a genuine user is accidentally locked out, all they need to do is solve a simple captcha to regain access. For additional protection, you can add a CAPTCHA to your WordPress login forms, which adds another layer of defence against automated attacks.
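The mechanism described above, as an added example that is not MalCare’s code or the article’s own: a per-IP failed-login counter built on WordPress’s `wp_login_failed` and `authenticate` hooks and transients. It uses a timed lockout in place of the captcha the text describes; the `mc_ex_` names and the 15-minute window are assumptions.

```php
<?php
// Added example: lock an IP address out after 3 failed logins.
// Assumes WordPress (add_action, transients, WP_Error, MINUTE_IN_SECONDS).
const MC_EX_MAX_ATTEMPTS    = 3;
const MC_EX_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS; // assumed lockout window

function mc_ex_client_ip() {
    // REMOTE_ADDR is set by the web server and cannot be forged by the client.
    // Behind a reverse proxy or CDN it holds the proxy's address; only then
    // should a forwarded-for header from that trusted proxy be used instead.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function mc_ex_transient_key() {
    // Hash the address so the option name is short and contains no separators.
    return 'mc_ex_failed_' . md5(mc_ex_client_ip());
}

// Count a failure. WordPress fires this after every unsuccessful attempt,
// including attempts refused by the filter below, so each retry during a
// lockout restarts the 15-minute window.
add_action('wp_login_failed', function ($username) {
    $key      = mc_ex_transient_key();
    $attempts = (int) get_transient($key);
    set_transient($key, $attempts + 1, MC_EX_LOCKOUT_SECONDS);
});

// Refuse authentication once the threshold is reached. Returning WP_Error
// from 'authenticate' blocks the login regardless of password correctness.
add_filter('authenticate', function ($user, $username, $password) {
    $attempts = (int) get_transient(mc_ex_transient_key());
    if ($attempts >= MC_EX_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(mc_ex_transient_key());
}, 10, 2);
```

Transients expire on their own, so the lockout lifts automatically; a distributed brute force from many addresses is not stopped by this alone, which is why the article pairs it with a firewall and CAPTCHA.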
8. Set strong file permissions
A stock install of a CMS has fairly open file permissions, so we recommend strengthening those to be considerably less permissive.
It is important to strike a balance between security and usability with file permissions though, because it is entirely possible to lock out all access and make the site inaccessible to everyone. The only advantage is that even hackers are stopped in their tracks, along with everyone else.
We do recommend hardening the uploads folder, however, because it is a common target for hack scripts. We’ll come to that point later on in this list.
9. Implement security headers
Security headers are HTTP response headers that instruct browsers to apply protections that mitigate certain types of attacks. They can be quite effective in preventing attacks like XSS and clickjacking. They can also be used to enforce transmission of data over encrypted channels only.
Rather than dive into code, it is easier to implement security headers with plugins. It becomes a matter of flipping a switch on or off. This is especially useful because security headers can sometimes be restrictive, so it is good to have the flexibility to toggle them.
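For readers who do want to see the code a header plugin runs on their behalf, here is an added example (not from the article or any plugin) that sends the headers covering the three attack classes named above from WordPress’s `send_headers` hook. The Content Security Policy is deliberately started in report-only mode, which is how the "restrictive" caveat is handled in practice.

```php
<?php
// Added example: emit security headers for every page WordPress renders.
// Assumes a WordPress environment (add_action, is_ssl).
add_action('send_headers', function () {
    // Clickjacking: forbid other origins from embedding the site in a frame.
    header('X-Frame-Options: SAMEORIGIN');

    // Stop browsers from guessing a file's type and running e.g. an upload
    // as script because it "looks like" JavaScript.
    header('X-Content-Type-Options: nosniff');

    // Encrypted channels only: once seen over HTTPS, browsers refuse plain
    // HTTP to this host (and subdomains) for one year. Only send it on HTTPS
    // responses so a misconfigured HTTP-only site cannot lock visitors out.
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }

    // Limit how much of the visited URL leaks to third-party sites.
    header('Referrer-Policy: strict-origin-when-cross-origin');

    // XSS: a Content Security Policy restricts where scripts may load from.
    // Report-Only means violations are logged by the browser but nothing is
    // blocked yet; switch to Content-Security-Policy once the reports show
    // the policy does not break legitimate plugins and themes.
    header(
        "Content-Security-Policy-Report-Only: default-src 'self'; "
        . "script-src 'self'; style-src 'self' 'unsafe-inline'; "
        . "img-src 'self' data: https:; frame-ancestors 'self'"
    );
});
```

Headers set in PHP only reach responses that WordPress generates; images, CSS and other static files served directly by the web server need the same directives in its own configuration.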
10. Block PHP execution in the uploads folder
There’s an entire class of vulnerabilities called Remote Code Execution vulnerabilities that allow hackers to upload malicious PHP code to the uploads folder on your site. Typically, the folder is not meant to contain any executable code. It’s meant to contain your media files. But the nature of the folder is that it allows files and folders to be stored within it.
Once the code is uploaded to your website, a hacker can run it and gain effective control over your website. However, if you block PHP execution altogether, then the attack can never take place.
If you’re using MalCare you can block PHP execution in the uploads folder with the click of a button as part of the hardening measures.
11. Change security keys
Security keys are unique codes that add an extra layer of protection to your website logins. They work alongside passwords, making it much harder for hackers to gain access to your site, even if they otherwise get your password. Updating your WP salts regularly provides an extra defence against potential attacks, ensuring that even if someone gets hold of your login information, it becomes significantly more difficult to exploit.
🚨 If you have been hacked recently, you should change your security keys as part of your recovery process. A security key is a string that is hashed along with your username and password to manage logged-in sessions for users. You can set this string to anything at all; however, as with passwords, it is best to use a randomly generated alphanumeric string.
12. Take regular backups
Taking backups is quite possibly one of the most underrated website security tactics you can have. Always take daily backups so that you can quickly restore your website in the event of a catastrophic failure. In fact, backups are the only defence against ransomware attacks.
The key is to choose a good backup plugin that is reliable, because manual backups are difficult to execute correctly without considerable expertise. A good backup plugin is one with automatic backups, stored securely offsite, and usable even if your site is completely down.
🔥 In fact, before you proceed with any of the steps in this article, take a full backup of your website and set up daily backups immediately. This is always good practice when making any changes to your website.
13. Choose a good web host
Most people hold web hosts responsible for the security of their website—and we don’t blame them, because you see security being relentlessly flogged on every single host’s pricing page. If you dig a little deeper, you’ll see they are mostly talking about SSL certificates and domain privacy. This is such a superficial level of website security, it is almost laughable. Almost.
However, the truth is that it’s rarely the web host’s fault if your website gets hacked. In fact, in the rare cases that a web host is responsible for a security breach, the ramifications are enormous. Thousands of websites are affected.
That being said, you should still choose a good web host, who invests in network and hardware security. Most will also regularly scan your site for malware. If they provide backups, that is a great bonus too. Finally, opt for good customer service. This is you choosing your site’s home; choose wisely.
14. Conduct regular site audits
A website security audit can mean a lot of things, and you will find many, many variations of a checklist online. Apart from the measures we’ve listed above, there are a few things you should keep an eye on from time to time:
Users
Plugins and themes
15. Educate all stakeholders about website security
The sad truth is that the weakest link of any security system is the human element. This also stands true in your website’s case.
Make sure to train users to beware of phishing emails. They can look surprisingly legitimate in some cases. Learn not to click on links, and not to respond to manufactured urgency. Urgency is used as a psychological tactic to frighten a target into suspending critical thinking.
You may follow great security practices for your passwords, but if one of your admins falls prey to a phishing scam, for instance, then your website will also be affected.
16. Have a disaster recovery plan
Always be prepared. Things can and will go wrong; it is only a question of when. Have a well-thought-out contingency plan for how you propose to deal with a hack if it happens.
In our considered opinion, regular backups can be the lion’s share of this plan. You can also identify developers to turn to in case of crisis. We also recommend planning PR and communication to deal with the situation as it arises.
Your disaster recovery plan is wholly dependent on you. A good rule of thumb is to try minimising disruption and confusion to the greatest extent possible.
Myths about website security
We advocate being security conscious, but not paranoid. Also, we have seen that there is a great deal of bad advice for website owners out in the wild. The advice may come from a good place, however it can have unintended consequences, like creating a poor user experience, or locking you out of your own website!
Don’t hide your login page
Many people still believe that this trick works. If the hacker can’t find the login page, they can’t carry out brute force attacks, right? No, not really. Instead:
This option achieves nothing in the end and can cause quite a bit of trouble.
Don’t use geoblocking
Geoblocking is essentially blocking out traffic from countries where your product or service is not available or relevant. It’s quite possible that you think that traffic from Gabon isn’t helping your business. But blocking all traffic from Gabon solves nothing at all. With a good VPN, anyone can bypass even Netflix’s geoblocking.
Also, you run the risk of blocking Googlebot and yourself out as well.
How websites are hacked
Hackers use several methods to break into websites. Understanding these can help you protect your site better:
Exploits of vulnerabilities
Vulnerabilities are weaknesses in your website’s code or software that hackers exploit. These can allow unauthorised access, data theft, or malicious changes to your site, putting your business and customers at risk. Some examples of critical vulnerabilities include:
Poor password practices
Many people use simple, easy-to-remember passwords across multiple sites, not realising the danger. This makes it easier for hackers to compromise more than one of your accounts. If one account has been hacked, others using the same password are at risk—even if it is on a different system.
People often use meaningful passwords, which might include birthdays, pet names, or common words, which hackers can guess quickly or uncover through social media research.
On a related note, weak passwords in general leave your site vulnerable to brute force attacks. Hackers can use automated tools to try many passwords quickly.
Recurring hacks
If a hack isn’t cleaned up properly, hackers can leave backdoors. These hidden entries allow them to return and attack again at any time.
Backdoors are hard to detect and can cause repeated security breaches. Your site remains at risk even after you think it’s been fixed.
Symptoms of a hacked site
Recognising a hacked website early can help you act quickly. While this is by no means an exhaustive list, we’ve pulled together some of the most common signs.
Google blacklist warnings
Google may display a warning to users trying to visit your site. This means Google has detected something suspicious and is protecting visitors from harm. Unfortunately the “harm” is on your site.
Google Search Console warnings
You might receive alerts in GSC about security issues. These warnings indicate Google has found potential problems on your site, and is strongly suggesting you resolve the issues quickly. It is good practice to review Search Console errors regularly. It is also where you need to file a report to get off the blacklist.
Strange behaviour on the site
Unexpected redirects, like sending visitors to a pharmaceutical site, are a clear sign of trouble. Your site is being used to promote spam or malicious content.
Unrelated search results
If your site appears in search results for unrelated terms (like Japanese keywords) but the pages don’t seem to exist, it’s likely hackers have created hidden content on your site. The pages are hidden, but do indeed exist. If you visit your site from an incognito browser or using a VPN, you’ll see the offending pages.
These symptoms often mean your site has been compromised. Don’t ignore them; they’re crucial warnings that your site needs immediate attention and security measures.
Why protection is better than cure
Stopping hackers before they attack is better than fixing problems later. Let’s see why it’s important to protect your website now.
Ultimately, protecting your website from hackers is essential. It safeguards your business, your users, and your reputation. With the right approach, you can achieve strong security without sacrificing the user experience.
Impact of hacks on a website
A hacked website can have serious consequences for your business. Apart from the actual hack itself, there are lots of other things that can go severely wrong.
Why hackers target websites
We’ve already mentioned this a few times, but it bears repeating: Your website is valuable.
When we say it is valuable, we aren’t just talking about you and your visitors. Maybe you have a small online shop or a hobby blog that a small group of people visit regularly. The deal is that even if the direct monetary gain from hacking your website is not large, the benefits of having a clean website to hawk illegal or grey market wares still makes the hack worth it for the hacker.
So a small website is not protection against nefarious intent.
Secondly, there is just outright maliciousness. It can be anyone from a disgruntled employee or a contractor, to an unscrupulous competitor. Who knows?
Conclusion
You can stop a hacker by being vigilant and taking a proactive approach to security. It is important to realise that protecting your website is an ongoing process. There are steps you can take once, but mostly you need to be aware of changes in the threat landscape. Regularly applying security updates, especially for your WordPress core, plugins, and themes, is crucial to stay protected against emerging threats. These updates patch known vulnerabilities and are essential for keeping your site secure.
Furthermore, there is no one-stop, definitive article that can help you stop all possible hacks against your website. Any article or website or expert that claims to do so is not being truthful.
So, while we can’t really promise that this article will keep your website safe and secure forever, we have provided you with some of the best security measures and general tips that will make your website pretty difficult to hack. Using the tips in this article, you will be able to patch several flaws in your website security.
FAQs
How to protect my site from attacks?
There are several steps you can take to protect your website. Here are some top tips:
Good security shouldn’t compromise usability. Your users shouldn’t face obstacles to access your content. The goal is to protect your site without creating a frustrating experience for visitors.
Why do hackers target websites?
Hackers always have a lot of gain from attacking websites. Apart from the actual monetary gain, your visitors’ data is a gold mine. Websites do not have to be big to be lucrative. There are many nefarious and illegal activities that can be done on a small hacked website just as well.
How many measures should I take to protect my website?
It is a common misconception that doing everything makes your website as secure as possible. One of the reasons we have left out a great deal of commonly found information from this article is because doing everything does not actually make your website more secure. On the contrary, for little additional benefit, you will end up making your website harder to use.
This article contains the measures you can safely take to amp up website protection, without sacrificing too much on the user experience front.