How to Protect Your Website from Hackers

Every day, small businesses become victims of cyber attacks. Hackers break into websites, steal customer data, and damage reputations. Your website, which is vital for your business, is at risk from these online criminals. They don’t care if your business is big or small—they attack any site they can.

Scan your website if you suspect your site has been hacked. 

We’ve helped many business owners after their websites were hacked. It’s a scary and stressful situation. The good news is that you can protect your website, even if you’re not a tech expert. This article will show you how to make your website secure, step by step.

TL;DR: Hackers relentlessly attack websites of all sizes. Your strongest defence? A security plugin with a firewall. While there are many ways to boost security, this powerful shield is your best first step; easy to set up and incredibly effective against hackers.

While no security system is 100% foolproof, it is always better to have some modicum of security in place. You have a responsibility to your visitors, their data, and of course to yourself and your business. 

We’ve compiled the list of security types, vetting each measure for security, practicality, and usability. It is our strongly-held belief that security should not be at odds with usability. You don’t want your users to jump through hoops to get to your content, because they certainly won’t. 

1. Install a firewall with bot protection

Firewalls are the foremost defences against hackers. At its core, a firewall is code that identifies and blocks malicious requests. Every request for information made to your website first goes through the firewall. If the firewall detects that the request is malicious, or being made from an IP address that is known to be malicious, the request gets blocked instead of being processed.

As an added bonus, website firewalls should come with bot protection. Hackers create bots that sniff out vulnerable websites and automate most of the attack process. A firewall blocks bots like these, along with scrapers, while letting the good ones, such as search engine crawlers and uptime monitors, through to the site. 

Bad bots are especially detrimental to server resources, as we have seen numerous times with AI scraper bots.  

🔥 In fact, firewalls like MalCare are designed specifically to protect websites in all these ways and more. They shore up the critical parts of a site, to ensure that hackers cannot exploit vulnerabilities to attack them—even if they exist.

2. Scan for malware daily

There are two truisms with website security: 1) no security is 100% attack-proof; and 2) the longer malware remains on a site, the worse the damage is.

This leads us nicely to our next critical aspect of website security: malware scanning, which is best accomplished with a vulnerability scanner.

You would think that if hackers had gotten through your site defences, you would know instantly. The reality is far from it. Hackers are interested in keeping you in the dark about malware for as long as possible. Your site is a treasure trove of resources for them to exploit, and as soon as you find out about the hack, you’re naturally going to try and get rid of it. No bueno for the hackers. 

Scanning is the only definitive way to detect a hack on your site. Good malware scanners scrutinise every file and database entry to look for hacks. If there is something found, you can take action immediately. MalCare deep scans your site daily and automatically, keeping a vigilant eye on your site and data.

3. Get SSL on your website 

A Secure Sockets Layer (SSL) certificate enables encryption of all communication to and from a website. Installing one ensures that even if a hacker intercepts data travelling to or from your website, they will not be able to read it. It is what takes your site from HTTP to HTTPS. 

Look for a host that provides one with your hosting package. Alternatively, you can set about buying and installing an SSL certificate for yourself. 

⚡️ This is now old news, but an SSL certificate is no longer negotiable. Even search engines prioritise HTTPS results, so you’ll get SEO benefits too.

4. Update vulnerable software; and everything else

The vast majority of hacks occur because of vulnerabilities in a theme or plugin. Hackers exploit a single flaw to take over thousands of websites. 

So what is a vulnerability? Themes and plugins are software. Like any other software, they are pieces of code that will invariably have bugs. Some bugs are relatively harmless and may just cause a minor glitch while updating. Others can render the code vulnerable to exploitation. 

For example, a common vulnerability is an SQL injection flaw in a contact form plugin. It lets hackers insert malicious database queries through form fields, potentially allowing them to access or manipulate your site’s data. It’s a simple coding oversight with serious security implications.
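To make the coding oversight concrete, here is an added example (not code from the original article or from any plugin) that puts a vulnerable contact-form lookup beside its parameterised fix, using an in-memory SQLite table with constructed sample rows:

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real site).
SAMPLE_MESSAGES = [
    ("alice@example.com", "Question about pricing"),
    ("bob@example.com", "Bug report"),
    ("carol@example.com", "Partnership inquiry"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table standing in for a contact-form plugin's storage."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (email TEXT, subject TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?, ?)", SAMPLE_MESSAGES)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The oversight: the form field is pasted straight into the SQL text,
    so whatever the visitor typed becomes part of the query's grammar."""
    sql = f"SELECT email, subject FROM messages WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a parameterised query. The driver sends the value separately
    from the statement, so the input is only ever compared as data."""
    sql = "SELECT email, subject FROM messages WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal value and with the textbook tautology."""
    conn = make_db()
    normal = "alice@example.com"
    # The classic test string: it turns the WHERE clause into "always true".
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, normal)),
        "vulnerable_hostile": len(lookup_vulnerable(conn, hostile)),
        "hardened_normal": len(lookup_hardened(conn, normal)),
        "hardened_hostile": len(lookup_hardened(conn, hostile)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable lookup returns every row for the hostile input, while the parameterised version returns none, because the quote characters are treated as part of an email address rather than as SQL.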

When vulnerabilities are discovered, mostly by security researchers, they are disclosed to the plugin developer for patches. Responsible developers will release a fix, and websites with the plugin installed will see that an updated version of the plugin is available. 

Therefore, it is always best to keep everything—right from the CMS to plugins—updated at all times. We know that updates can sometimes break websites in unexpected ways, so to circumvent any inconvenience, use staging to update safely. But do please update everything. 

⚠️ Once the fix is released, the vulnerability is disclosed publicly. If you were one of the websites that updated the plugin or theme with the security fix, that’s excellent. If not, your website will become the target of amateur hackers (called script kiddies) looking to make a quick buck. 

5. Always use strong passwords

Everyone knows this, because password security is important everywhere. Yet, you’d be surprised to know how many websites are hacked simply because the password was weak. Easy-to-guess passwords are used by hundreds of thousands of websites.

On the other hand, hackers have lists of these passwords called rainbow tables. Rainbow tables, combined with a brute force bot, will hammer login pages with combinations to unlock accounts. 

Strong passwords are a combination of letters, numbers, and symbols. Uncommon combinations are hard to crack and can take hacker algorithms years to decode. Also, the longer a password, the more difficult it is to crack—and to remember. Therefore, we strongly recommend using a good password manager.

It will generate an appropriately fiendish-looking password for your account, and save you the trouble of remembering it. This way, you can also adhere to the second cardinal rule of passwords: never ever reuse them. 

💡 You can also use plugins to enforce strong passwords from all your users with the plugin Password Policies Manager. This plugin will help you create policies that force all your users to create strong passwords when creating their accounts.

6. Implement 2FA

Two-factor authentication (2FA) is a security measure that adds another device or token that you must have access to in order to login, in addition to your password. 

There are several paid and free 2FA plugins that can be used to harden your login page, and they support the most popular protocols. If you have many contributors to your website, it’s definitely a good idea to implement this security feature.

There are a few protocols that are used for 2FA, like TOTP (time-based one-time password) or HOTP (HMAC-based one-time password). They each have their pros and cons, but for the purposes of login security, we don’t need to delve into those details.  

7. Limit login attempts

Limiting login attempts is a highly effective way to secure your website without many downsides. It is an easy way to block brute force bots and attackers by denying entry to an IP address after 3 failed attempts. MalCare’s firewall comes integrated with this feature. Even if an actual user is accidentally locked out, all they need to do is solve a simple captcha to regain access. For additional protection, you can implement a WordPress CAPTCHA on login forms, which adds another layer of security to prevent automated attacks from accessing your site.
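The logic behind such a limiter is small enough to show in full. This is an added example, not MalCare’s implementation: it locks an IP after 3 failures, lets a correct captcha lift the lock, and assumes a 15-minute lockout window (the page does not state one). The clock is injectable so the behaviour can be tested without waiting.

```python
import time

MAX_FAILURES = 3            # lock after 3 failed attempts, as described above
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window; not specified on the page


class LoginLimiter:
    """Per-IP failed-login counter with a temporary lockout and a CAPTCHA release."""

    def __init__(self, now=time.time):
        self.now = now                # injectable clock, for testing
        self.failures = {}            # ip -> (count, timestamp of first failure)
        self.locked_until = {}        # ip -> timestamp when the lock expires

    def is_locked(self, ip: str) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.now() >= until:
            # Lockout expired: forget it and start counting afresh.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Count a failed password; returns True if this failure triggered a lockout."""
        count, first = self.failures.get(ip, (0, self.now()))
        if self.now() - first > LOCKOUT_SECONDS:
            count, first = 0, self.now()   # stale counter, restart the window
        count += 1
        self.failures[ip] = (count, first)
        if count >= MAX_FAILURES:
            self.locked_until[ip] = self.now() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A successful login clears the failure counter for that address."""
        self.failures.pop(ip, None)

    def solve_captcha(self, ip: str, answer_correct: bool) -> bool:
        """A locked-out real user proves they are human and regains access."""
        if answer_correct:
            self.locked_until.pop(ip, None)
            self.failures.pop(ip, None)
        return answer_correct

    def attempt(self, ip: str, password_ok: bool) -> str:
        """Single entry point for a login request: 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip):
            return "locked"
        if password_ok:
            self.record_success(ip)
            return "ok"
        self.record_failure(ip)
        return "failed"
```

Note that even a correct password is refused while the lock is in place; that is what stops a bot from simply continuing to guess.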

8. Set strong file permissions

A stock install of a CMS has fairly open file permissions, so we recommend strengthening those to be considerably less permissive. 

It is important to strike a balance between security and usability with file permissions though, because it is entirely possible to lock out all access and make the site inaccessible to everyone. The only advantage is that even hackers are stopped in their tracks, along with everyone else. 

We do recommend hardening the uploads folder, however, because it is a common target for hack scripts. We’ll come to that point later on in this list. 

9. Implement security headers 

Security headers are special directives used by browsers and applications to mitigate certain types of attacks. They can be quite effective in preventing attacks like XSS and clickjacking. They can also be used to enforce transmission of data over encrypted channels only.


Rather than dive into code, it is easier to implement security headers with plugins. It becomes a matter of flipping a switch on and off. This is especially useful, as security headers can sometimes be restrictive, and therefore it is good to have the flexibility to toggle them on and off. 
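Whether you set the headers with a plugin or by hand, it helps to be able to check what your site actually sends. The following added example (not from the original article) audits a raw HTTP response head for the headers discussed above; the two sample responses are constructed, and the six-month minimum HSTS age is an assumed threshold.

```python
import re

# Constructed sample response heads (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: ALLOWALL
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

MIN_HSTS_AGE = 180 * 24 * 3600   # six months; an assumed minimum for this check


def parse_headers(raw: str) -> dict:
    """Turn a raw response head into a lower-cased {name: value} map."""
    headers = {}
    for line in raw.splitlines()[1:]:   # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(raw: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw)
    findings = []

    # Transport: force HTTPS-only connections for a meaningful period.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("Strict-Transport-Security max-age is too short")

    # XSS: a Content-Security-Policy is the primary browser-side mitigation.
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")

    # Clickjacking: only DENY or SAMEORIGIN are meaningful values.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options must be DENY or SAMEORIGIN")

    # MIME sniffing: stops browsers from guessing a file type and running it.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or "all checks passed")
```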

10. Block PHP execution in the uploads folder

There’s an entire class of vulnerabilities called Remote Code Execution vulnerabilities that allow hackers to upload malicious PHP code to the uploads folder on your site. Typically, the folder is not meant to contain any executable code. It’s meant to contain your media files. But the nature of the folder is that it allows files and folders to be stored within it. 

Once the code is uploaded to your website, a hacker can run it and gain effective control over your website. However, if you block PHP execution altogether, then the attack can never take place.

If you’re using MalCare you can block PHP execution in the uploads folder with the click of a button as part of the hardening measures.
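Blocking execution is the prevention; a useful companion check is to find out whether any PHP has already landed in the uploads folder. The example below is added here and is not MalCare’s scanner: it walks an uploads tree, flags files with an executable PHP extension anywhere in the name, and looks for a PHP opening tag inside files that claim to be media. The sample directory it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# Extensions a web server would typically hand to the PHP interpreter;
# the uploads folder should only ever hold media, so these are suspect.
PHP_EXTENSIONS = {".php", ".php5", ".php7", ".phtml", ".phar"}
# Normal media/document types; PHP code inside one of these is a disguised payload.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf", ".svg"}
PHP_TAG = re.compile(rb"<\?php|<\?=")


def scan_uploads(root: str) -> list:
    """Walk an uploads tree; return sorted (relative_path, reason) for suspect files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            # Check every extension in the name, not only the last one, so that
            # a double extension such as logo.php.png is not missed.
            all_exts = {"." + p.lower() for p in name.split(".")[1:]}
            if ext in PHP_EXTENSIONS or all_exts & PHP_EXTENSIONS:
                findings.append((rel, "executable PHP extension in uploads"))
                continue
            if ext in MEDIA_EXTENSIONS:
                with open(path, "rb") as fh:
                    head = fh.read(64 * 1024)   # the tag is near the start if present
                if PHP_TAG.search(head):
                    findings.append((rel, "PHP opening tag inside a media file"))
    return sorted(findings)


def build_sample_uploads() -> str:
    """Create a constructed uploads directory so the scanner can be run offline."""
    root = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(root, "2024", "05"))
    files = {
        "2024/05/photo.jpg": b"\xff\xd8\xff\xe0JFIF clean image bytes",
        "2024/05/stray.php": b"<?php echo 'not supposed to be here'; ?>",
        "2024/05/logo.php.png": b"\x89PNG harmless bytes but a double extension",
        "2024/05/poster.gif": b"GIF89a<?php echo 'hidden'; ?>",
        "2024/05/report.pdf": b"%PDF-1.4 normal document",
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(build_sample_uploads()):
        print(f"{rel}: {reason}")
```

Point `scan_uploads` at a real `wp-content/uploads` copy and treat every hit as something to investigate, not to delete blindly; a legitimate plugin occasionally stores non-media there.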

11. Change security keys

Security keys are unique codes that add an extra layer of protection to your website logins. They work alongside passwords, making it much harder for hackers to gain access to your site, even if they otherwise get your password. Updating your WP salts regularly can provide an extra defense against potential attacks, ensuring that even if someone gains access to your login information, it becomes significantly more difficult to exploit.

🚨 If you have been hacked recently, you should change your security keys as a part of your recovery process. This is a string that is hashed along with your username and password to manage logged in sessions for users. You can set this string to anything at all, however like with passwords, it is best to use a randomly generated alphanumeric string.

12. Take regular backups 

Taking backups is quite possibly one of the most underrated website security tactics you can have. Always take daily backups so that you can quickly restore your website in the event of a catastrophic failure. In fact, backups are the only defence against ransomware attacks.

The key is to choose a good backup plugin that is reliable, because manual backups are difficult to execute correctly without considerable expertise. A good backup plugin is one with automatic backups, stored securely offsite, and usable even if your site is completely down. 

🔥 In fact, before you proceed with any of the steps in this article, take a full backup of your website and set up daily backups immediately. This is always good practice when making any changes to your website. 

13. Choose a good web host

Most people hold web hosts responsible for the security of their website—and we don’t blame them because you see security being relentlessly flogged on every single host’s pricing page. If you dove a little deeper, you’ll see they are mostly talking about SSL certificates and domain privacy. This is such a superficial level of website security, it is almost laughable. Almost. 

However, the truth is that it’s rarely the web host’s fault if your website gets hacked. In fact, in the rare cases that a web host is responsible for a security breach, the ramifications are enormous. Thousands of websites are affected. 

That being said, you should still choose a good web host, who invests in network and hardware security. Most will also regularly scan your site for malware. If they provide backups, that is a great bonus too. Finally, opt for good customer service. This is you choosing your site’s home; choose wisely.

14. Conduct regular site audits

A website security audit can mean a lot of things, and you will find many, many variations of a checklist online. Apart from the measures we’ve listed above, there are few things you can stand to keep an eye out for from time to time.

Users

  • Check users, especially admin accounts: Most people assume that hackers will only install malware on their website and leave. That’s not true. The really smart hackers will create a ghost account with administrator privileges so that they can waltz back in whenever they want—essentially a backdoor. Reviewing and removing users on a regular basis can resolve this issue.
  • Employ the principle of least privilege: Make full use of user roles to restrict access as far as possible. For instance, if someone is only writing and uploading articles, give them ‘Author’ access, and not ‘Admin’ access.
  • Use an activity log: Seeing something unexpected on your website can raise a timely alarm in several situations. Consider if an admin account was created without your knowledge; or a plugin deactivated. These are all examples of legitimate website admin actions, however they can also be symptomatic of unauthorised access.

    Activity logs will tell you what is happening on your website, and you can then evaluate whether these actions are legitimate or not. MalCare comes bundled with an activity log on the dashboard, and there is no configuration necessary to set it up.

Plugins and themes

  • Remove unused ones: Don’t need a plugin or theme? Get rid of it. Yes, every website needs extensions and add-ons for features and functionality, but they also increase the surface area for attacks. If a plugin is deactivated for months, you just don’t need it any more.
  • Check that the ones in use are regularly maintained: As we noted in an earlier section, developers who release regular updates and patches are the responsible ones who actively maintain their software. If there has been no update for a few months, or years, it is time to find a replacement. 
  • More active installs are generally a safer bet: A popular plugin with millions of installs will always have a target on its back. The flip side is that popular plugins also tend to be more secure because they usually have a bigger and better team working to improve the product. So choose wisely, after doing adequate research.
  • Install add-ons from a vetted marketplace: Avoid installing a plugin or a theme developed by freelancers that no one has heard of. Only use plugins and themes developed by reputed developers and brands.
  • Premium is safer: Typically, paid plugin vendors spend more time and money on finding and patching vulnerabilities. If you’re on a very tight budget, then a free plugin will make more sense. But if you’re worried about your website’s security, we highly recommend using premium themes and plugins instead.
  • Nulled is a no-no: You may be tempted to use nulled plugins and themes. Don’t do it. The risk is just not worth it. Nulled software spreads malware. That’s why you’re getting a premium product for free. But even if the zip file doesn’t contain any obviously malicious code, any nulled plugin or theme user knows that they can’t update the software. That makes the website vulnerable to a hack, as we said in the previous section.

15. Educate all stakeholders about website security

The sad truth is that the weakest link of any security system is the human element. This also stands true in your website’s case.

Make sure to train users to beware of phishing emails. They can look surprisingly legitimate in some cases. Learn not to click on links, and not to respond to manufactured urgency. Urgency is used as a psychological tactic to frighten a target into suspending critical thinking. 

You may follow great security practices for your passwords, but if one of your admins falls prey to a phishing scam, for instance, then your website will also be affected. 

16. Have a disaster recovery plan

Always be prepared. Things can and will go wrong, it is only a question of when. Have a well-thought contingency plan on how you propose to deal with a hack if it happens. 

In our considered opinion, regular backups can be the lion’s share of this plan. You can also identify developers to turn to in case of crisis. We also recommend planning PR and communication to deal with the situation as it arises. 

Your disaster recovery plan is wholly dependent on you. A good rule of thumb is to try minimising disruption and confusion to the greatest extent possible.

Myths about website security

We advocate being security conscious, but not paranoid. Also, we have seen that there is a great deal of bad advice for website owners out in the wild. The advice may come from a good place, however it can have unintended consequences, like creating a poor user experience, or locking you out of your own website.

Don’t hide your login page

Many people still believe that this trick works. If the hacker can’t find the login page, they can’t carry out brute force attacks, right? No, not really. Instead:

  • It makes your website very difficult to use. If you forget the new login URL, then recovering your account can be difficult.
  • If you use the default URLs that come with the security plugin, it’s easy for the hackers to guess your new URL.
  • Even if hackers can’t find the login page, they can still hack your website in other ways.

This option achieves nothing in the end and can cause quite a bit of trouble.

Don’t use geoblocking

Geoblocking is essentially blocking out traffic from countries where your product or service is not available or relevant. It’s quite possible that you think that traffic from Gabon isn’t helping your business. But blocking all traffic from Gabon solves nothing at all. With a good VPN, anyone can bypass even Netflix’s geoblocking.

Also, you run the risk of blocking Googlebot and yourself out as well.

How websites are hacked

Hackers use several methods to break into websites. Understanding these can help you protect your site better:

Exploits of vulnerabilities

Vulnerabilities are weaknesses in your website’s code or software that hackers exploit. These can allow unauthorised access, data theft, or malicious changes to your site, putting your business and customers at risk. Some examples of critical vulnerabilities include: 

  • SQL injections: Hackers use this to access your database. They can steal sensitive data or modify your site’s content.
  • XSS attacks: These allow hackers to insert malicious code into your site. Visitors might then have their data stolen or be redirected to harmful sites.
  • Privilege escalation attacks: Hackers gain more access than they should have. This lets them take control of your site or install malware.

Poor password practices

Many people use simple, easy-to-remember passwords across multiple sites, not realising the danger. This makes it easier for hackers to compromise more than one of your accounts. If one account has been hacked, others using the same password are at risk—even if it is on a different system. 

People often use meaningful passwords, which might include birthdays, pet names, or common words, which hackers can guess quickly or uncover through social media research.

On a related note, weak passwords in general leave your site vulnerable to brute force attacks. Hackers can use automated tools to try many passwords quickly.

Recurring hacks

If a hack isn’t cleaned up properly, hackers can leave backdoors. These hidden entries allow them to return and attack again at any time.

Backdoors are hard to detect and can cause repeated security breaches. Your site remains at risk even after you think it’s been fixed.

Symptoms of a hacked site

Recognizing a hacked website early can help you act quickly. While this is by no means an exhaustive list, we’ve pulled together some of the most common signs.

Google blacklist warnings

Google may display a warning to users trying to visit your site. This means Google has detected something suspicious and is protecting visitors from harm. Unfortunately the “harm” is on your site. 

Google Search Console warnings

You might receive alerts in GSC about security issues. These warnings indicate Google has found potential problems on your site, and is strongly suggesting you resolve the issues quickly. It is good practice to review Search Console errors regularly. It is also where you need to file a report to get off the blacklist. 

Strange behaviour on the site

Unexpected redirects, like sending visitors to a pharmaceutical site, are a clear sign of trouble. Your site is being used to promote spam or malicious content.

Unrelated search results

If your site appears in search results for unrelated terms (like Japanese keywords) but the pages don’t seem to exist, it’s likely hackers have created hidden content on your site. The pages are hidden, but do indeed exist. If you visit your site from an incognito browser or using a VPN, you’ll see the offending pages. 

These symptoms often mean your site has been compromised. Don’t ignore them; they’re crucial warnings that your site needs immediate attention and security measures.

Why protection is better than cure

Stopping hackers before they attack is better than fixing problems later. Let’s see why it’s important to protect your website now.

  • You’re responsible for safeguarding user data. This isn’t just ethical; it’s often a legal requirement, especially for sites handling financial transactions.
  • Your visitors trust you by using your site. Protecting their data and identities is part of maintaining that trust and showing you value their security.
  • Protection is cheaper and easier than recovery. Fixing a hacked site can be complex and costly. Early detection through a security plugin helps, but it’s not guaranteed. That’s why a firewall and regular scanning are so important.

Ultimately, protecting your website from hackers is essential. It safeguards your business, your users, and your reputation. With the right approach, you can achieve strong security without sacrificing the user experience.

Impact of hacks on a website

A hacked website can have serious consequences for your business. Apart from the actual hack itself, there are lots of other things that can go severely wrong. 

  • Loss of data: Hackers will steal sensitive information from your site. This could include customer details, financial data, or your own business information.
  • Brand and reputational damage: When visitors see warnings or experience issues on your site, they lose trust. Your brand’s image and credibility takes a massive hit from which it is hard to recover.
  • Financial losses: A hacked site can lead to lost sales and customers. You might also face costs for fixing the site and dealing with any legal issues.
  • Search engine penalties: Google will most certainly lower your site’s ranking or remove it altogether from search results. Say goodbye to your online visibility which you probably worked very hard to build.
  • Malware spread: Your hacked site might be used to spread malware to visitors, or even other websites. Being the website equivalent of a Typhoid Mary will further damage your reputation and can lead to legal problems.

Why hackers target websites

We’ve already mentioned this a few times, but it bears repeating: Your website is valuable. 

When we say it is valuable, we aren’t just talking about you and your visitors. Maybe you have a small online shop or a hobby blog that a small group of people visit regularly. The deal is that even if the direct monetary gain from hacking your website is not large, the benefits of having a clean website to hawk illegal or grey market wares still makes the hack worth it for the hacker. 

So a small website is not protection against nefarious intent. 

Secondly, there is just outright maliciousness. It can be anyone from a disgruntled employee or a contractor, to an unscrupulous competitor. Who knows? 

Conclusion

You can stop a hacker by being vigilant and taking a proactive approach to security. It is important to realise that protecting your website is an ongoing process. There are steps you can take once, but mostly you need to be aware of the changes in the threat landscape. Regularly implementing security updates, especially for your WordPress core, plugins, and themes, is crucial to stay protected against emerging threats. These updates patch known vulnerabilities and are essential for keeping your site secure.

Furthermore, there is no one-stop, definitive article that can help you stop all possible hacks against your website. Any article or website or expert that claims to do so is not being truthful. 

So, while we can’t really promise that this article will keep your website safe and secure forever, we have provided you with some best security measures and general tips that will make your website pretty difficult to hack. Using the tips in this article, you will be able to patch several flaws in your website security.

FAQs

How to protect my site from attacks?

There are several steps you can take to protect your website. Here are some top tips: 

  • Install a security plugin with a good firewall
  • Implement two-factor authentication
  • Limit login attempts
  • Keep your plugins and themes updated
  • Install SSL
  • Select a reputable web host

Good security shouldn’t compromise usability. Your users shouldn’t face obstacles to access your content. The goal is to protect your site without creating a frustrating experience for visitors.

Why do hackers target websites?

Hackers always have a lot of gain from attacking websites. Apart from the actual monetary gain, your visitors’ data is a gold mine. Websites do not have to be big to be lucrative. There are many nefarious and illegal activities that can be done on a small hacked website just as well. 

How many measures should I take to protect my website? 

It is a common misconception that doing everything makes your website as secure as possible. One of the reasons we have left out a great deal of commonly found information from this article is because doing everything does not actually make your website more secure. On the contrary, for little additional benefit, you will end up making your website harder to use. 

This article contains the measures you can safely take to amp up website protection, without sacrificing too much on the user experience front.
