Essential Website Security: Guide on How to Secure Your Website
Your website needs the most comprehensive security to protect it from the constant attacks it faces every day.
Many websites get hacked for preventable reasons: vulnerabilities, updates not applied in time, insecure passwords, and so on.
We have helped repair 100,000+ hacked sites.
From our experience, we put together this essential website security guide for people who want to take concrete steps to secure their sites. There is so much misinformation online that it is not surprising people get confused.
Install the right security plugin and you have taken the first, most powerful step towards website security.
In this article, we will explain how to think about website security in a holistic way. This way, you are equipped to make the right decisions for your website.
TL;DR: The right security plugin is the quickest, easiest, and best way to secure your website. It automatically handles a lot of the steps we’ve listed in the article, without needing to dig into code or configure multiple plugins. Simple and effective: the recipe for winning website security every time.
What is website security?
Website security is essentially taking steps to secure your website from hackers. It is vital to realise that website security is a continuous process. Hackers are a creative lot, therefore threats constantly evolve.
Hackers want to get into sites for many reasons. They might use a site to send junk mail or send users to bad sites from SERP. No matter what they want, hackers are a danger to your site, your data, and your visitors.
A strong security plan for your site keeps it and your data safe. By taking a few simple steps, you can build a strong defence around your website.
💡 Good security plugins offer protection, like a firewall and bot protection, and they scan for harmful software.
1. Install a website firewall
Using a firewall is vital in your site security strategy.
A firewall stops attacks before they hit your site, reducing the probability of malware, protecting your data and visitors, and saving a lot of server resources in the bargain.
Firewalls work by filtering the traffic that comes to your site. They check each request against rules and let only safe ones through. Anything not safe gets blocked. Good firewalls also get smarter over time. If an IP was used in an attack before, it’s marked and blocked.
Make sure to pick the right firewall for your site. A good firewall does not need many updates and can protect your site even if it has weak points. MalCare’s Atomic Security is made just for sites like yours. It shields your site from attacks as soon as it is installed.
2. Regular malware scans
Even with strong security, you can still end up with malware on your website. Leaked passwords or bad plugins can be the cause. We’ll talk more about those later.
For these issues, you need to keep an eye on your site. That eye is a website malware scanner.
Scan your site regularly to find hidden hacks. A malware scanner checks everywhere: files, the database, and scheduled tasks on the site. Quick detection is supremely important.
A scanner does more than just spot weak spots, warn about blacklists, or monitor file changes. It does all of that and much more. Its job is to find malware on a site with pinpoint accuracy.
3. Keep your site updated
Always apply the latest security updates for your site.
This may sound very obvious, but it is very easy to ignore update notifications in favour of doing something more urgent.
Occasionally, vulnerabilities are discovered in software. Responsible plugin and theme developers make an effort to plug these security holes in their products by releasing updates. Even if you choose to put off installing updates (but please don’t), at least do so after going through the release notes.
4. Scan for vulnerabilities
On websites, plugins and themes can have vulnerabilities that hackers might exploit. These include issues like SQL injection or cross-site scripting, which make sites open to attacks.
A website vulnerability scanner helps find these known problems in the core, plugins, and themes. It uses a database of plugins, themes, and their versions with security issues.
However, a scanner can’t find new vulnerabilities. That’s the job of penetration testing, which is a different process. So, a vulnerability scanner is just one part of your security plan and won’t completely protect your site on its own.
This is different from problems like weak passwords or not changing the login page URL. Those are separate issues or not vulnerabilities at all.
5. Limit login attempts
A good way to thwart a brute force attack is to block attackers after multiple failed login attempts. This is an effective mechanism, since this type of attack consists of hackers’ bots repeatedly trying different passwords.
MalCare firewall comes integrated with this feature. Limiting login attempts is a highly effective way to secure your website without many downsides.
If an authorised user has inadvertently reached this point, they can click through the link to find a captcha confirming they are indeed human. CAPTCHAs are designed to prevent hacker bots from accessing an account.
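The mechanism above, as an added example of a minimal must-use plugin (this is illustration code, not MalCare’s implementation): failed logins are counted per client IP in a transient, and once the count reaches the threshold every login from that client is refused until the window expires. The threshold, lockout length and file name are assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Added example, not MalCare's code. Save as wp-content/mu-plugins/limit-login.php.
 * The threshold and lockout length below are assumptions; tune them for your site.
 */

const EXAMPLE_MAX_ATTEMPTS    = 5;    // failed logins allowed per window
const EXAMPLE_LOCKOUT_SECONDS = 900;  // lockout length: 15 minutes

// The counter is keyed on the client IP. Behind a proxy or CDN, REMOTE_ADDR is
// the proxy's address; only substitute a forwarded header if the proxy sets it
// and the client cannot forge it.
function example_login_key() {
    return 'example_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

function example_login_locked() {
    return (int) get_transient( example_login_key() ) >= EXAMPLE_MAX_ATTEMPTS;
}

// Every failed login (bad username or bad password) bumps the counter and
// restarts the lockout timer, so a bot that keeps hammering stays locked out.
add_action( 'wp_login_failed', function () {
    $key = example_login_key();
    set_transient( $key, (int) get_transient( $key ) + 1, EXAMPLE_LOCKOUT_SECONDS );
} );

// Refuse the login while locked out. Priority 100 runs after WordPress's own
// credential checks (priorities 20 and 30), so even a correct password is
// rejected; at a lower priority a valid login would overwrite this error.
add_filter( 'authenticate', function ( $user ) {
    if ( example_login_locked() ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', EXAMPLE_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}, 100 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( example_login_key() );
} );
```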
6. Implement two-factor authentication
There are several 2FA plugins, although they vary depending on the services they provide. 2FA comes integrated in MalCare’s security suite as well.
Several services use 2FA during the login process, which essentially means you need to have two (ideally) separate tokens to access your account. Most commonly, these involve a combination of passwords and a limited-time token like a pin code or QR code sent to your email or a device.
7. Use strong passwords
Strong passwords use a combination of letters, numbers, and symbols in random configurations, because those are hard to crack. It may take hacker bots years to find the correct one.
You could try creating a strong password on your own, or use a password generator. Then you can use plugins to enforce strong passwords.
We understand that setting difficult-to-guess passwords is tricky, especially because they are often synonymous with difficult-to-remember. We can also imagine the dismay at being asked to change this most excellent password regularly.
Regularly can also mean different things to different people. Some financial institutions, like banks, mandate that passwords be changed every 90 days. Using a password manager is the way forward.
The reason is that passwords are the weakest links in security; especially if you use the same passwords for multiple accounts. Even if one site experiences a breach, you can safely assume that all your accounts are potentially compromised. There are news stories about breaches every few weeks–and those are just the reported ones. Something to keep in mind.
8. Review website users
Hackers often leave behind admin users—or they escalate privileges on their accounts—so that they can regain access to a site. Hence, reviewing admin users on a regular basis can improve website security.
Secondly, website collaborators can change. If a user no longer needs access, it is best to remove their access. The reason is two-fold: you don’t want the user to make any more changes to your website; their inactive accounts can be compromised by hackers.
Over time, as we build our site with newer content and design, we keep adding new users to our site. We should review these users periodically. You may be following good security practices yourself, but another user getting compromised will cause your site to be affected.
When adding users, give only the access level the person needs. For instance, if someone is only writing articles, don’t give them admin access.
9. Set up activity log on your site
Website logs are invaluable for monitoring changes and identifying potential security breaches. Hackers don’t use core APIs to modify a website, therefore many of the changes they make will not reflect in an activity log. However, they can leave footprints behind, such as creating admin accounts for themselves to access the site. These unexpected actions can help detect hacks.
Conversely, if changes are made by a collaborator, then activity logs can help avoid unnecessary panic, when you see changes made to your website.
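Sections 8 and 9 together, as an added example (illustration code, not MalCare’s activity log): a must-use plugin that records every account creation and role change, and, because accounts written straight into the database bypass those hooks, also sweeps the administrator list daily and logs any login it has not seen before. The log path, option name and event names are assumptions.

```php
<?php
/**
 * Plugin Name: Example Privilege Change Logger
 * Added example, not MalCare's code. Save as wp-content/mu-plugins/priv-log.php.
 * Logs new accounts and role changes, and sweeps the administrator list daily.
 */

function example_priv_log_path() {
    // Assumed location. In production keep the log outside the web root.
    return WP_CONTENT_DIR . '/example-privilege.log';
}

function example_priv_log( $event, array $fields ) {
    $record = array_merge( array(
        'time'  => gmdate( 'c' ),
        'event' => $event,
        'actor' => get_current_user_id(),          // 0: no logged-in session
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'uri'   => $_SERVER['REQUEST_URI'] ?? '',
    ), $fields );
    error_log( wp_json_encode( $record ) . "\n", 3, example_priv_log_path() );
}

// Fires for every account created through WordPress itself: admin screen,
// open registration, REST API, WP-CLI or a plugin.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    example_priv_log( 'user_created', array(
        'user_id' => $user_id,
        'login'   => $user ? $user->user_login : '',
        'roles'   => $user ? $user->roles : array(),
    ) );
} );

// Role changes, including an existing low-privilege account being promoted.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    example_priv_log( 'administrator' === $role ? 'ADMIN_GRANTED' : 'role_changed', array(
        'user_id'   => $user_id,
        'new_role'  => $role,
        'old_roles' => $old_roles,
    ) );
}, 10, 3 );

// Accounts inserted straight into the database never trigger the hooks above,
// so a daily sweep compares the administrator list with the last one seen.
// The first run logs every existing administrator as the baseline.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_admin_sweep' ) ) {
        wp_schedule_event( time(), 'daily', 'example_admin_sweep' );
    }
} );
add_action( 'example_admin_sweep', function () {
    $admins = get_users( array( 'role' => 'administrator', 'fields' => 'user_login' ) );
    $known  = get_option( 'example_known_admins', array() );
    foreach ( array_diff( $admins, $known ) as $login ) {
        example_priv_log( 'UNEXPECTED_ADMIN', array( 'login' => $login ) );
    }
    update_option( 'example_known_admins', $admins, false );
} );
```

Review the ADMIN_GRANTED and UNEXPECTED_ADMIN lines against the collaborators you actually added; a login you do not recognise is the footprint the section above describes.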
10. Install an SSL certificate
Install an SSL certificate on your website. It barely takes any time, and it is well worth the effort spent.
Secure Sockets Layer, more commonly known as SSL, is a security protocol that encrypts all communication to and from a website. Once installed, it appears as a padlock at the beginning of your website’s URL.
The benefits of using an SSL certificate are as follows:
- All data passing to and from your website is encrypted
- It is a badge of trust for your website. In fact, most browsers will flag sites without SSL as ‘Not secure’ in the address bar.
- Google loves websites with an SSL certificate and even rewards them with a higher ranking.
11. Block PHP in the Uploads folder
A whole class of vulnerabilities (Remote Code Execution, to be precise) lets hackers upload malicious PHP files to the Uploads folder. The hacker can then use it to execute any code they want on your website. In other words, they have complete control over your website.
The attack is neutralised effectively if you block the execution of PHP files in the Uploads folder. Don’t worry: blocking PHP files there is safe, because they shouldn’t be present in the first place. The Uploads folder is where you store your media, not scripts.
If you are using MalCare’s security plugin, you can block PHP execution in the Uploads folder with the click of a button. For Apache/LiteSpeed based sites, we can add rules to .htaccess to enforce this protection.
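The .htaccess approach, as an added example (illustration code, not MalCare’s button): a must-use plugin that writes a deny rule for PHP files into the uploads directory’s own .htaccess, once, and only if no such file exists yet. It applies to Apache and LiteSpeed, which read .htaccess; Nginx ignores the file, so there the same restriction has to go into the server configuration. The file name and marker comments are assumptions.

```php
<?php
/**
 * Plugin Name: Example Uploads PHP Blocker
 * Added example, not MalCare's code. Save as wp-content/mu-plugins/block-uploads-php.php.
 * Writes an .htaccess that stops Apache/LiteSpeed from serving PHP files
 * placed under wp-content/uploads. Nginx does not read .htaccess at all.
 */

function example_uploads_htaccess_rules() {
    // Apache 2.4 syntax (Require); the fallback block covers 2.2-style hosts.
    // Matching .phtml, .php5 etc. and .phar closes the usual renaming tricks.
    return <<<'HTACCESS'
# BEGIN example-block-php
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
# END example-block-php
HTACCESS;
}

// Run once for an administrator, and never overwrite rules that another
// plugin or the host has already placed in the uploads directory.
add_action( 'admin_init', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $uploads = wp_upload_dir();
    $path    = trailingslashit( $uploads['basedir'] ) . '.htaccess';
    if ( file_exists( $path ) ) {
        return;
    }
    file_put_contents( $path, example_uploads_htaccess_rules() . "\n", LOCK_EX );
} );
```

After installing, request a harmless test file such as a renamed text file with a .php extension under /wp-content/uploads/ and confirm the server answers 403 rather than executing it.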
12. Choose good quality extensions
While there is unlikely to be a completely foolproof piece of software ever, there are key factors to keep in mind while choosing the right extensions for your website:
13. Take backups
Backups are the most underrated part of a security strategy. We cannot stress enough the importance of taking regular backups. They are your safety net, the only thing you can rely on when things go south. Backups help you get back on your feet quickly.
However, not all backup plugins are built equally. Many fail when you need them most: at the time of restoration. There are several factors to choosing the right plugin. Keeping these criteria firmly in mind, we have reviewed the top backup plugins available.
We don’t recommend restoring a backup to recover from malware. However, it is still better to have a backup of a hacked site than no site at all.
14. Choose a good web hosting provider
There is a tendency to assume that the web host is responsible for site security. Therefore, for anything that goes wrong with a website, the hosts get the blame. However, while web hosts are generally responsible for many aspects of a website, they are rarely at fault when a website gets hacked.
Of course, there are some web hosts who play a role in the compromise of websites hosted on their server. It rarely happens, but when it does, it’s a major incident that compromises thousands of websites.
Website security myths
A quick Google search will give you lots of advice on how to protect your website. Several security plugins will also present multiple options to protect your site against password crackers. Securing your website is a great deal about what you should do; however, there are also some things you should avoid.
The reasons vary for each of the points we talk about below, but at its core, there should be a tangible security benefit to your measures—especially if you are asking your users to jump through additional security hoops. For example, if you apply both captcha and 2-factor authentication, getting into your site becomes trying, with little additional benefit.
You may get an additional sense of security from applying all available options, but in a cost-benefit analysis, they don’t cut the mustard.
1. Hide the login page
You’ll see this one on a lot of forums: change the site’s login page to a custom URL for your site. The logic is, if the hackers can’t find the login page, they can’t use brute force attacks to gain entry to your site.
There are a few flaws with this:
- You can also log in using XML-RPC
- It will make your site difficult to use. If you forget the special URL you have created for yourself in lieu of wp-login, then recovering from this can be difficult.
- If you use a common URL or the default one that comes with the security plugin, it will be easy for the hackers to guess anyway, therefore defeating the purpose entirely.
- Hiding this page involves applying complicated settings to your site which can have other unexpected side effects.
Therefore, in our opinion, it is just not worth the effort.
2. Geo-blocking
Another commonly recommended security measure is geo-blocking. You may not need or expect legitimate traffic from certain countries, and hence decide to restrict access. MalCare supports this feature, but we don’t recommend you do this because:
- IPs for regions are not perfect and can have errors.
- If you block yourself out by mistake, reverting this will be difficult.
- You might end up blocking good bots such as Google which can harm your site.
A good firewall can and will protect your website against malicious bots and undesirable traffic. We’ve covered the benefits of firewalls in a previous section.
3. Password protect key site directories
The wp-admin folder is one of the most crucial folders on your website. Naturally, it attracts a lot of attention from hackers. Therefore, protecting it with a password may seem like a brilliant move, but it’s counterproductive.
Password protecting your wp-admin directory breaks AJAX functionality on your website. AJAX is a coding technique that loads parts of your website from the server without changing the currently displayed page.
If this sounds like gobbledegook, it essentially means that it makes your website dynamic, without constantly reloading it for users every time something changes.
Think about scrolling on the newsfeed of a social networking site. New stories or tweets load while you are still reading the ones already on your screen, and you can refresh the newsfeed when you want to load the new content.
4. Hide CMS version
The logic behind hiding the CMS version of your website is related to security updates. If your website doesn’t have the latest version, a hacker may be able to exploit a vulnerability that exists in an older version.
However, hiding your version has no benefit whatsoever. There are several ways to determine a website’s CMS version: inspecting the site’s frontend code, checking the RSS feed, etc. All of which are legitimate, incidentally.
The way to combat vulnerabilities in older versions is to keep your version updated to the latest one. Many website administrators are afraid that updating a live site may cause something to break. Therefore, it is best to do so on a staging site first.
Recover from a website security breach
If the worst happens, and your website is hacked, you now need to think about how to fix the hack.
- Remove malware from your website: Use a good security plugin, like MalCare, to automatically remove malware without a trace.
- Update everything: As we said before, software updates are vital. Make sure you have the latest versions of core, themes and plugins. If you don’t, there is a good chance this is the reason your website got hacked in the first place.
- Review every admin user: Scrutinise every admin account carefully. We’ve said this already in this article, but hackers create admin accounts to regain access to a website that they have hacked, in case the malware has been discovered.
- Change all passwords: Assume your credentials have been compromised and change passwords. Hopefully you do not use the same password for different products and services, otherwise you should change those passwords as well.
- Change DB credentials (if possible): The wp-config.php file contains the credentials the site uses to connect to the database of the site. In many cases, access to the database is restricted even if the DB credentials are compromised. However, with some hosts, hackers can use this information to directly modify the database. This can cause the site to be reinfected.
- Change security keys: Security keys are used to manage sessions for logged-in users.
- Set up a website firewall: We’ve already covered this in detail in this article. A firewall is your best defence against malicious bots and bad traffic.
If your site has been hacked, it is even more important for you to be extremely diligent about the security of your site. If not done correctly, it can lead to the site getting hacked repeatedly and the whole situation becoming a total nightmare.
Hacks possible on an unsecured website
Website attacks take many forms. Here are the most common attacks that websites experience:
How websites get hacked
To have an actionable plan to secure your website, the first step is to understand how websites get hacked. As per our research, websites are primarily hacked through the following 3 methods:
- 90+% → Vulnerability in a plugin or theme
- 5+% → Compromised username and/or password
- <1% → Poor web host services
This distribution should form the basis of how you plan your website security, and where to allocate the most time and resources.
Conclusion
We started this article on how to secure a website with a clear signpost: the first step is to think about website security in the right way. It is an ongoing process. A good standard practice to have in any organization is to conduct periodic website security audits.
The threat landscape is constantly changing, and hackers will find more creative ways to defeat defences. Security experts remain constantly vigilant, and this is the main takeaway from all of what we have learned in our years of research: don’t get complacent.
FAQs
What is website security?
Website security is putting together a plan to protect your website and users from hackers and their malware. It involves understanding the components of your website, how they work together and what vulnerabilities they have.
Once this foundation is in place, then you need to formulate a comprehensive security plan to protect against vulnerabilities. This involves a series of configuration steps, implementation of policies, and keeping up to date with respect to threats.
A key factor in achieving website security is to understand that it is not a one-time activity. Security evolves, because threats evolve.
How to secure a website from hackers?
You can take several steps to secure your website from hackers:
1. Keep your core, plugins and themes up to date
2. Install a good firewall
3. Implement login protection
4. Install SSL
5. Use two-factor authentication for logins
6. Review user roles regularly
7. Set up an activity log
What are the types of web security?
Web security involves several key areas to protect sites from threats. These include:
1. Firewalls: They act as a shield, blocking harmful traffic.
2. SSL certificates: Secure data between users and the site.
3. Malware protection: Stops harmful software from affecting your site.
4. Regular backups: Ensure you can restore your site if needed.
5. Vulnerability scans: Identify weak spots in your site’s code.
What is a web security example?
One example of web security is using a firewall. A firewall filters incoming traffic to your website, blocking harmful requests and letting safe ones through. This helps prevent attacks before they reach your site.
Why is website security important?
Website security is critical because it protects sensitive data like user information and payment details. It keeps your site safe from hackers, which can prevent data breaches, maintain your site’s reputation, and ensure visitors trust your site.
