How to secure a website

When people ask me how to secure a website with 100% certainty, I tell them it’s simple: just keep it offline.

Once they stop yelling at me, they’ll usually shift the conversation towards website builders and content management systems (CMS) to find out which option has the best security.

What they don’t understand is, it doesn’t matter whether you use a website builder for your blog, or a CMS to power your business; there’s always going to be an element of risk.

The real problem is that the responsibility for managing that risk is yours. And if that wasn’t bad enough, things can go wrong fast if you try to do it all yourself.

That’s why, in this article, I’m sharing my top-drawer tips for keeping a website secure. Don’t worry; these aren’t the kind of tips you need a Ph.D. to implement.

They’re simple, valuable strategies you can implement in the course of an afternoon. Better yet, they work. No matter which approach you take, each option has already earned its stripes in real-world battles against hackers and bots.

Let’s get started!

How to secure a website: Top risk-minimization strategies

There aren’t many guarantees when it comes to securing a website. With no simple fix to keep you safe from hackers forever, your best shot is to implement these strategies to reduce vulnerabilities while increasing your chances of a quick recovery.

  1. Install an SSL certificate
  2. Implement multi-level login security
  3. Maintain a regular backup schedule
  4. Keep all software up-to-date
  5. Use a web application firewall (WAF)
  6. Be an effective site administrator
  7. Stay alert

1. Install an SSL certificate and use HTTPS everywhere

If you’re in the process of building your first website, you might think data encryption is 007 stuff that only big businesses or investigative journalists need.

But, if you plan to get traffic from Google, you’re also going to need an SSL certificate to get a decent ranking. Heck, you’ll even need one to collect emails for a newsletter.

If this all seems like a bit much, keep in mind there are good reasons for all the cloak-and-dagger. In the past, any sensitive information your users sent to your server travelled in plain text. Anyone who intercepted that traffic could read everything. That means passwords, bank details, email addresses, everything.

An SSL certificate lets your server serve the site over HTTPS, which encrypts that sensitive information in transit so an eavesdropper can’t read it. Using an SSL certificate is the starting point for having a secure website. Otherwise, your visitors see this warning:

[Image: browser warning shown to users entering a website that isn’t secured by an SSL certificate]

That’s why all the major website builders, like Wix and Squarespace, enable HTTPS by default for every website on their network.

For the rest of us, getting an SSL certificate is easy.

Most web hosts nowadays offer simple tools to let you install an SSL certificate with just a few clicks. If so, ask them how to set it up. I’m sure it’s simple. Bluehost, for example, offers Let’s Encrypt certificates available right in the control panel.

[Image: enabling an SSL certificate in the Bluehost control panel]

If your host doesn’t offer a simple tool for some reason, you can also generate a free domain validation certificate from Let’s Encrypt by following their guides. Once you’re done, head to cPanel or your host’s custom dashboard to install it.

[Image: installing an SSL certificate in cPanel]

If you’re on WordPress, you can use the Really Simple SSL plugin to properly configure your site to use the SSL certificate once you’ve installed it.

2. Secure your login page and process

When it comes to login security, there’s a lot of ground to cover. But you can travel a long way with just two simple implementations: strong passwords and multi-factor authentication.

That’s because strong login security is built on at least two layers. For us, that means something you know (a strong password) and something you have (a code sent to your email or phone, or generated by an authenticator app).

Strong passwords are fantastic: effectively impossible to brute force and nearly impossible to guess.

But first, do yourself a favor and grab a password manager. For the past three years, I’ve been using 1Password, and it’s been a game-changer. Why? Two reasons:

  • The password and passphrase generator makes it easy to create (and regularly change) passwords.
  • With a password database, I was able to stop with all the “remember this password” and automatic login business.

While all the above is great for taking care of your passwords, what about your users? I recommend using Password Policy Manager for WordPress to create enforceable strong password policies on WordPress sites.

Once you have a secure password, set up multi-factor authentication logins. All this means is that someone will need to enter a code, usually sent to a device, whenever they want to log in to your website.

Both Google Authenticator and Authy are easy to set up on most website builders. For example, with Squarespace, you can find the option in the Settings.

[Image: turning on 2FA to secure a Squarespace website]

For WordPress, I can recommend Wordfence, but you could also use miniOrange’s Google Authenticator plugin.

We also have a guide on two-factor authentication for WordPress.

If you built something from scratch, you can use Google’s Identity Platform to integrate Google Authenticator with your website.
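The two layers described in this section, something you know and something you have, can be seen end to end in the following added example. It is not code from the article or from any of the products mentioned; it is a self-contained Python sketch of what a login backend does behind a plugin such as Wordfence: it enforces a password policy at registration, stores a salted PBKDF2 hash rather than the password, and verifies a time-based one-time code (RFC 6238 TOTP, the same scheme Google Authenticator and Authy use) with a small tolerance for clock drift. The `COMMON_PASSWORDS` list and the PBKDF2 iteration count are constructed for the demo.

```python
import hashlib
import hmac
import re
import secrets
import struct
from dataclasses import dataclass
from typing import List

# Constructed stand-in for a breached/common-password list; a real deployment
# would check against a far larger corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

PBKDF2_ITERATIONS = 200_000  # assumption: demo value, tune upwards on a real server


def password_policy_violations(password: str, min_length: int = 14) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(1 for pattern in classes if re.search(pattern, password)) < 3:
        problems.append("uses fewer than 3 character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a run of 4 or more identical characters")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with SHA-1, as authenticator apps use."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class UserRecord:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes


def register(password: str) -> UserRecord:
    """Enforce the policy, then store a salted PBKDF2 hash and a fresh TOTP secret."""
    problems = password_policy_violations(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return UserRecord(salt=salt, password_hash=digest, totp_secret=secrets.token_bytes(20))


def authenticate(user: UserRecord, password: str, code: str,
                 unix_time: int, window: int = 1) -> bool:
    """Both factors must pass: the password (know) and a current TOTP code (have).

    Constant-time comparisons avoid leaking which factor failed through timing;
    the +/- window tolerates a little clock drift between server and phone.
    """
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user.salt, PBKDF2_ITERATIONS)
    password_ok = hmac.compare_digest(digest, user.password_hash)
    counter = unix_time // 30
    code_ok = any(
        hmac.compare_digest(hotp(user.totp_secret, counter + drift), code)
        for drift in range(-window, window + 1)
    )
    return password_ok and code_ok
```

In a real site the secret would be shown to the user once as a QR code, and a used code should be remembered for its 30-second window so it cannot be replayed; both are left out here to keep the two factors visible.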

3. Back up your site regularly

Learning how to secure a website can be as simple as creating a backup schedule.

You probably think that no hacker has ever been scared off by a backup. And, you’d be right; backups are a precautionary measure. However, they also give you a safe place to recover from in a crisis. Each of the popular website builders has a different approach:

  • Wix provides automatic weekly backups of your site.
  • Shopify’s popular Rewind app is one of a few backup apps.
  • Squarespace has limited backup options ranging from creating a duplicated site to exporting the XML file.
  • WordPress users can take advantage of any number of plugins designed to create safe backups.

For WordPress users, I recommend (and use) UpdraftPlus. With the free version, you can back up directly to the cloud, including Google Drive, Dropbox, Amazon S3, and more, without limitation. UpdraftPlus can even help you restore your site in a crisis.
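A backup only helps in a crisis if it can actually be restored, so the added example below (my own Python, not UpdraftPlus or any other plugin’s code) shows the three things a backup routine should do beyond copying files: write an integrity checksum next to each archive, verify an archive before trusting it, and keep a bounded retention window so old copies are pruned. The restore step also refuses archive entries that would escape the destination directory. Directory names and timestamps are constructed for the demo.

```python
import hashlib
import tarfile
import time
from pathlib import Path
from typing import List, Optional


def _sha256(path: Path) -> str:
    """Streaming SHA-256 of a file, so large archives don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _sidecar(archive: Path) -> Path:
    return archive.parent / (archive.name + ".sha256")


def create_backup(site_dir: Path, backup_dir: Path, when: Optional[float] = None) -> Path:
    """Archive site_dir as backup_dir/site-<UTC stamp>.tar.gz and record its checksum."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(time.time() if when is None else when))
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    _sidecar(archive).write_text(_sha256(archive) + "\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the checksum matches and every file inside reads back cleanly."""
    sidecar = _sidecar(archive)
    if not sidecar.exists() or sidecar.read_text().strip() != _sha256(archive):
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    tar.extractfile(member).read()   # forces the gzip/tar data to be decoded
    except (tarfile.TarError, OSError, EOFError):
        return False
    return True


def restore_backup(archive: Path, dest: Path) -> Path:
    """Verify, then extract into dest, rejecting entries that would escape it."""
    if not verify_backup(archive):
        raise ValueError(f"{archive.name} failed verification; refusing to restore")
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            parts = Path(member.name).parts
            if Path(member.name).is_absolute() or ".." in parts:
                raise ValueError(f"unsafe path in archive: {member.name}")
        try:
            tar.extractall(dest, filter="data")  # Python 3.12+: also blocks links out of dest
        except TypeError:                          # older Python without the filter argument
            tar.extractall(dest)
    return dest


def prune_backups(backup_dir: Path, keep: int) -> List[Path]:
    """Delete all but the newest `keep` archives (and their sidecars); return what was removed."""
    archives = sorted(backup_dir.glob("site-*.tar.gz"))  # timestamp in the name sorts by age
    removed = []
    for old in archives[:-keep] if keep > 0 else archives:
        old.unlink()
        _sidecar(old).unlink(missing_ok=True)
        removed.append(old)
    return removed
```

Running the restore into a scratch directory on a schedule, and diffing it against production, is the cheapest way to find out that a backup job has silently been producing empty or corrupt archives before you need one.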

4. Keep all software up-to-date

I’ll be honest; I love tools like WordPress because themes and plugins make everything easy. Do you want to showcase recipes on your website? There are probably a few hundred plugins built specifically for that purpose. It’s not just WordPress; in Wix and Shopify, apps help you achieve a lot without typing a single line of code. Sounds great, right? Kinda.

They also make it hard to secure your code. Just one poorly coded third-party product can increase the attack surface of your website. And, if you’re not updating regularly, you’re creating a lot of vulnerabilities.

But, you can reduce the vulnerabilities if you:

  • Remove programs you don’t use.
  • Continually update programs you do use.
  • Only use programs, plugins, and themes from developers who’ve proven they can maintain their products.
  • Research any networks you plan to integrate with.

If you’re using WordPress, you’ll get notifications in the dashboard when there’s an update for the software itself and any themes and plugins you use. You can also take advantage of the auto-update feature, which covers all of the above.

For the safest option, check out a managed hosting plan. Not only will you enjoy hardened security, but you’ll also have someone handling the updates for your entire WordPress site. You can learn more about managed WordPress hosting anytime you’re ready for the leap.

5. Use a web application firewall (WAF) for proactive protection

If you want to secure a website with the power of Arnold Schwarzenegger, get a web application firewall (WAF).

If you’ve used the internet in the last 25 years, then you’re familiar with firewalls. A web application firewall is similar to the firewall on your computer because it uses pre-defined rules to identify and block attacks. This makes them particularly good at rooting out common attacks like cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection, among others.

Even with the ever-changing threat landscape, a WAF is an essential tool, and most modern WAFs can update and deploy rules rapidly as new vulnerabilities are discovered.

As the first line of defense, WAFs come in three main forms:

  • Network-based, backed by a hardware firewall – Easily the strongest option, which you get from premium hosts like Kinsta and website builders like Squarespace.
  • Host-based – Covers any WAFs that are integrated into the application itself via a plugin or an app.
  • Cloud-based – the most popular and easy-to-integrate security option.

For WordPress users, Wordfence, again, is probably the best solution.
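To make the “pre-defined rules” idea concrete, here is an added example of a minimal rule-based request inspector, written for this article and not taken from Wordfence or any commercial WAF. It decodes each part of a request (path, query parameters, form fields, a few headers), decodes a second time so double-encoded payloads are not missed, runs a small constructed rule set over the values, and records which rule fired where so the event can be logged. The sample requests in the test are constructed; the rule set is deliberately tiny and is there to show the mechanism, not to be complete.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Tuple
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed rule set: (rule id, description, pattern applied to each decoded value).
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("xss-001", "script tag or inline event handler",
     re.compile(r"<\s*script|\bon(load|error|click|mouseover|focus)\s*=", re.I)),
    ("xss-002", "javascript: URL scheme", re.compile(r"javascript\s*:", re.I)),
    ("sqli-001", "tautology in quoted string",
     re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli-002", "UNION SELECT or stacked statement",
     re.compile(r"union\s+(all\s+)?select|;\s*(drop|alter|delete)\s", re.I)),
    ("lfi-001", "path traversal", re.compile(r"\.\./|\.\.\\")),
]


@dataclass
class Request:
    method: str
    url: str                       # path plus query string, as seen by the server
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    blocked: bool
    matches: List[Tuple[str, str, str]]   # (rule id, location, offending value excerpt)


def _decode(value: str) -> str:
    """One extra decode pass: parse_qsl already decoded once, so %253C (double-encoded '<') is caught too."""
    return unquote_plus(value)


def _inspectable_fields(req: Request) -> Iterator[Tuple[str, str]]:
    """Yield (location, decoded value) for every part of the request a rule should see."""
    parts = urlsplit(req.url)
    yield "path", _decode(unquote_plus(parts.path))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield f"query:{key}", _decode(value)
    if req.body:
        if req.headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
            for key, value in parse_qsl(req.body, keep_blank_values=True):
                yield f"body:{key}", _decode(value)
        else:
            yield "body", _decode(req.body)
    for name in ("User-Agent", "Referer", "Cookie"):
        if name in req.headers:
            yield f"header:{name}", _decode(req.headers[name])


def inspect_request(req: Request) -> Decision:
    """Run every rule over every field; any match blocks the request."""
    matches = []
    for location, value in _inspectable_fields(req):
        for rule_id, _description, pattern in RULES:
            if pattern.search(value):
                matches.append((rule_id, location, value[:60]))
    return Decision(blocked=bool(matches), matches=matches)


def log_line(req: Request, decision: Decision) -> str:
    """One line per request in the style of a WAF event log (format constructed for the demo)."""
    verdict = "BLOCK" if decision.blocked else "ALLOW"
    rules = ",".join(f"{rule}@{where}" for rule, where, _ in decision.matches) or "-"
    return f"{verdict} {req.method} {req.url} rules={rules}"
```

Two things the example makes visible that matter in practice: the rules look at decoded values rather than the raw URL, because encoding is the usual way signatures are dodged, and a normal comment containing the word “select” passes, since `sqli-002` needs `UNION SELECT`, not any SQL keyword. Real rule sets are far larger and get tuned per site precisely to manage that false-positive trade-off.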

6. Be an effective site administrator

As the administrator of a website, there are many fiddly things to track, but keeping on top of them will have a significant impact on how secure a website is.

Let’s have a quick look through them all:

  • User roles: Keep track of user roles so you know who has access to data, who can make changes, and what other privileges they have. Only provide users with roles they need to complete their tasks. Anything more than that is a vulnerability.
  • Monitor what users are doing and clean out inactive users: WP Activity Log can help you track the behavior of your users to guard against malicious activity.
  • Moderate all comments manually by removing automatic approvals.
  • Reject any comment that includes a link or code. While no longer common, malicious code in comment sections was once a thing.
  • Restrict the file types that can be uploaded whether in comments or forms.
  • Implement scanning and verification of any upload. Sucuri is the best option for this.

7. Stay alert

If you’ve implemented the above solutions, you’ve already significantly reduced the attack surface hackers can use to take over your site.

However, if you plan to keep it that way, you need to perform regular scans of your website and any external content you publish on it, like ads.

For example, protect against malvertising by working with trusted ad networks and scanning and testing all ad creatives before they go live on your site.

One of the market leaders, Sucuri SiteCheck, also happens to be free and will flag any viruses, malware, and malicious code that’s affecting your site’s frontend.

[Image: keeping a website secure with Sucuri SiteCheck]

For mission-critical sites, it would be best if you also created a regular security audit incorporating a two-layer approach:

Use penetration testing tools like the Pentest Tools website scanner to reveal the size of your attack surface. With over 25 different scanning tools, you’ll uncover problems with your network, sensitive pages indexed by Google, and even the strength of your SSL connection.

Perform vulnerability assessments cross-checked against a checklist that covers common security weaknesses:

  • Regularly check for inactive plugins, themes, or other third-party products.
  • Confirm that each tool has received a recent update.
  • Filter users by recent activity and consider removing inactive users.
  • Build a list of users with special access, like FTP and SSH access, and determine whether they still need it and for how long.

These tactics might be overkill for a simple hobby blog, but they can help you prevent issues on important sites.

Secure your website today!

If you’re running a website, you’re not just responsible for the security of your data but also for the data of your visitors, customers, and colleagues. But, no pressure.

In the past, it might have seemed overwhelming to provide a secure website. But today? You don’t need a huge budget or years of coding experience to secure a website and keep your users safe.

In fact, with our seven-step risk minimization approach, you already know how to secure a website effectively:

  • Install an SSL certificate
  • Implement multi-level login security
  • Maintain a regular backup schedule
  • Keep all software up-to-date
  • Use a web application firewall (WAF)
  • Be an effective site administrator
  • Stay alert

Do you still have any questions about how to secure a website? Let us know in the comments!
