Getting started

How to secure a website

Online, trust is essential. Users new to your website, as well as long-term, repeat visitors, want to know that they can trust you. If you’re selling products and services, they want to know that they can trust you with their credit card number and their address. Even if you’re just providing information, they need to know that visiting your site isn’t going to infect their machine with malware.

An essential part of building that trust, then, is having a secure website. If you’re running a website that may not be the most secure, or if you’re starting a new website, you may not know everything that goes into keeping your website secure. But we’re here to help.

SSL

It used to be that you were just as likely to stumble on an HTTP website as an HTTPS one, but these days, not having HTTPS on your website is scarcely even an option.

An SSL certificate (the protocol is now called TLS, but the name “SSL certificate” has stuck) is what lets you turn on HTTPS for your website, and it’s not just about looking secure. HTTPS encrypts the traffic between a visitor’s browser and your server and lets the browser check that it really is talking to your site, so anything your visitors send you can’t be read or altered by someone sitting on the network in between. The same goes for you: when you log in to your website’s back end, say to post content on your CMS, your username and password travel over that encrypted connection instead of in plain text. Two caveats: redirect plain HTTP requests to HTTPS so visitors never land on the unencrypted version, and renew the certificate before it expires, or browsers will start warning people away. HTTPS only protects data in transit; once information is stored on your server, the rest of this page is what protects it.

Purchase an SSL certificate

Passwords and permissions

Having a strong password policy and setting good permissions for your website’s backend is also essential for keeping your website secure.

A strong password policy doesn’t mean forcing a change every 90 days; forced rotation mostly produces predictable variations of the old password. It means length and uniqueness: at least eight characters, and preferably much longer (a long passphrase, or a random password kept in a password manager), and a password that isn’t reused on any other site, because attackers try passwords leaked from other breaches before they try guessing.

This also means that when you set up your site, you should change the default passwords for access to your site as well as to your database, and avoid predictable administrator usernames such as “admin”, which are the first thing an attacker tries.

If you can limit the allowed number of login attempts (for example by locking an account or address out for a while after a handful of failures), you can also blunt brute force attacks, where an attacker tries password after password in rapid succession. Two-factor authentication on the admin login helps here as well, since a guessed password alone is no longer enough to get in.

For an added layer of security, you can password protect any admin and login pages at the server level, for example with HTTP Basic authentication configured in your web server. That way, an attacker can’t even reach the login page to try to brute force attack your site.
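As an added example (not code from the original article), here is one way to do that on Apache from a shell session: it creates an .htpasswd file outside the web root and appends a rule to the site’s .htaccess so the server asks for a second username and password before it will even serve wp-login.php. It assumes Apache 2.4 or later with .htaccess overrides allowed, WordPress’s default login page name, and a path such as /var/www/private/.htpasswd of your own choosing; the function names are this example’s.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: protect the WordPress
# login page with HTTP Basic authentication at the Apache level.
# Assumes Apache 2.4+ (the "Require" syntax) and a host that honours
# .htaccess files (AllowOverride AuthConfig). Paths and names are examples.
set -eu

# Add USER to the .htpasswd FILE, reading the password from stdin so it never
# appears in the process list or in shell history.
# usage: printf '%s\n' "$password" | add_htpasswd_user /var/www/private/.htpasswd alice
add_htpasswd_user() {
  local file="$1" user="$2" password hash
  IFS= read -r password || [ -n "$password" ]
  mkdir -p "$(dirname "$file")"
  [ -f "$file" ] || : > "$file"
  if command -v htpasswd >/dev/null 2>&1; then
    # Apache's own tool: bcrypt hashes (-B), password taken from stdin (-i)
    printf '%s\n' "$password" | htpasswd -iB "$file" "$user"
  else
    # Fallback when apache2-utils is not installed: Apache's apr1 (MD5) format
    hash=$(printf '%s\n' "$password" | openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$user" "$hash" >> "$file"
  fi
  # The web server process must be able to read this file, but nobody else
  # should; it must also live outside the document root.
  chmod 640 "$file"
}

# Append to SITE_ROOT/.htaccess a rule that makes Apache demand a valid
# .htpasswd user before serving wp-login.php at all, so brute-force tools
# never reach the WordPress login form.
protect_login() {
  local site_root="$1" htpasswd_file="$2"
  mkdir -p "$site_root"
  cat >> "$site_root/.htaccess" <<EOF

# Second password in front of the login page (HTTP Basic auth)
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile $htpasswd_file
    Require valid-user
</Files>
EOF
}

# Example run: ./protect-login.sh /var/www/example /var/www/private/.htpasswd alice
# (the password is then read from stdin)
if [ "$#" -eq 3 ]; then
  add_htpasswd_user "$2" "$3"
  protect_login "$1" "$2"
fi
```

Only wp-login.php is covered here. Protecting the whole /wp-admin/ directory the same way breaks front-end features that call wp-admin/admin-ajax.php, so that file needs an exception if you extend the rule.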

If you have multiple people editing your site, make sure the permissions you give them match the work they’ll be doing and nothing more: someone who only writes posts needs an author or editor role, not an administrator account. When someone leaves the project, remove their access promptly so that they can’t log in after they’ve left.

Keep software updated

No software is perfect, and attackers are constantly figuring out new ways to crack into the software used to run websites. Especially if you use a popular CMS like WordPress, it’s critical that you keep your software up to date. And if we’re talking about WordPress, that means keeping your plugins up to date as well.

That doesn’t just mean applying updates to plugins and themes as they become available (and turning on automatic updates where your CMS offers them), but also proactively ensuring that you use only plugins and themes that are actively maintained by their developers. Delete plugins and themes you no longer use rather than merely deactivating them: a deactivated plugin’s files are still on the server and still reachable.

Manually accept comments

Comments on your posts are a great way to build engagement with your audience, but they can also attract spam and bots.

Some of these might trick your site’s visitors into following a link that leads to a fraudulent or malicious site. Comments can also be a way to inject code into your website: if the CMS or a plugin fails to properly escape what a commenter submitted, the comment can carry script that runs in every other visitor’s browser (stored cross-site scripting).

A good way to avoid these potential pitfalls is to require that all comments must be manually accepted on your website.

At the very least, use a CAPTCHA or a similar anti-bot check on any form that accepts submissions, to keep spam bots from posting. Bear in mind that a CAPTCHA stops automated posting, not a human pasting a phishing link, which is why moderation is still worth the effort.

Install security-related plugins

If you’re using a CMS like WordPress that uses plugins and add-ons, you can often find good security-related plugins that can help you keep your site even safer.

For example, plugins might allow you to enable two-factor authentication on logins, scan your website for vulnerabilities, or automatically log out users from inactive sessions. Remember that every plugin is more code running on your server, so pick well-maintained ones, keep them updated like everything else, and prefer one reputable plugin over several that overlap.

Lock down directories

Directory browsing (also called directory listing) lets anyone who requests a directory that has no index page see a list of every file in it. That can reveal backup copies, configuration files or other files you never meant to expose, and it hands an attacker a map of your website’s directory structure.

Luckily, on Apache you can disable this in the .htaccess file of your site’s root directory (the setting is inherited by subdirectories). Edit the file over SFTP and add the following line at the end:

Options -Indexes

That turns off directory listings. Note that .htaccess only takes effect when your host’s Apache configuration allows overrides, and that other web servers don’t read it at all (nginx, for instance, has listings off by default and controls them with its autoindex directive).

Similarly, some directories can be locked down further by preventing code from being executed in them. You’ll need to know which directories genuinely never need to run code. For example, if you’re using WordPress, /wp-content/uploads/ only ever holds media, so a PHP file that lands there (a classic way of planting a web shell after abusing an upload feature) should never be allowed to run; /wp-includes/ is another candidate, though check the exceptions WordPress’s own hardening guide lists for it.

You can do this by adding the following to the .htaccess file in each of those directories (this is the Apache 2.4 “Require” syntax; if your host still runs Apache 2.2 the directive is different, so test that the block really is refused afterwards):

<Files *.php>
Require all denied
</Files>

Finally, you can tighten file and folder permissions. How these are displayed depends on the tool you’re using to look at your files, but permissions boil down to three things, each granted separately to the file’s owner, its group and everyone else: read, write, execute.

The simplest approach is to find where you can enter permissions as a numeric value and use 644 for files and 755 for directories. 644 means the owner can read and write the file while the group and everyone else can only read it; 755 means the owner can read, write and enter (execute) the directory while everyone else can only read and enter it. Never use 777 to “fix” a permission error: it lets any account on the server overwrite your files. Files that hold secrets, such as the configuration file containing your database password, deserve something stricter than 644, and the only directories the web server should be able to write to are the ones it genuinely needs, such as the uploads directory.
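As an added example (not code from the original article), the following shell script applies that 644/755 baseline to a whole site tree from the command line and then reports anything still world-writable. It assumes a Linux host with GNU find and stat, and it treats wp-config.php as the file that holds secrets, which is WordPress’s name for it; the function names and the 640 choice for that file are this example’s assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: apply the 644/755
# baseline to a site tree and report anything still world-writable.
# Assumes a Linux host with GNU find/stat; wp-config.php is WordPress's
# secrets file (adapt the name for another CMS).
set -eu

# Files 644 (owner rw, everyone else read-only), directories 755 (owner rwx,
# everyone else read and traverse). Symlinks are left alone.
harden_permissions() {
  local root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds the database password, so keep "others" out.
  # 640 assumes the web server runs in the file owner's group; if the server
  # user is the owner itself, 600 is tighter (assumption about your host).
  if [ -f "$root/wp-config.php" ]; then
    chmod 640 "$root/wp-config.php"
  fi
}

# Print the number of entries under ROOT that any account on the system can
# write to (the usual "chmod 777 to make it work" leftovers). 0 is the goal.
# Symlinks are skipped because their own mode is always 777.
count_world_writable() {
  local root="$1"
  find "$root" ! -type l -perm -002 | wc -l
}

# Audit helper: the octal mode of one path, e.g. 644
mode_of() {
  stat -c '%a' "$1"
}

# Example run: ./harden-perms.sh /var/www/example
if [ "$#" -eq 1 ]; then
  harden_permissions "$1"
  printf 'world-writable entries remaining: %s\n' "$(count_world_writable "$1")"
fi
```

Run it once, then fix whatever the count still flags by hand rather than loosening the baseline: the usual culprit is a cache or uploads directory that was opened up to work around an ownership mismatch, which is better solved by giving the web server user ownership of just that directory.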

Usually, a CMS will also have specific instructions for how you can “harden” your install, such as the one provided by WordPress. For advice that’s specific to the CMS you’re using, these are good resources to follow.

Keep backups

If something does happen to your website, whether it was malicious or accidental, having a recent backup is critical to getting back up and running.

Remember the 3-2-1 rule: three copies of your data, on two different kinds of storage, with one copy off-site. That means the live site plus two backups; the backups are stored in two different ways (say, a copy on the host and a copy in separate cloud storage); and one of them lives somewhere other than the server that runs the site, so that a failed or compromised server doesn’t take the backups down with it. A backup also has to be restorable: try restoring it somewhere harmless now and then, because a backup that has never been tested is just a guess. And treat backups as sensitive, since they contain your database and your configuration secrets.
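As an added example (not code from the original article), here is a small backup script of the kind a site owner might run from cron: it archives the site files with a timestamp, includes a database dump when a database name is given and mysqldump is installed, records a SHA-256 checksum, and provides a verify step and a restore-to-scratch-directory step so you find out that a backup is bad before you need it. The paths, the database name and the function names are placeholders and assumptions, not anything from the article; copying the resulting archive off-site is left to whatever sync tool you use.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: make a site backup you
# can actually restore from. Paths and the database name are placeholders.
set -eu

# backup_site SITE_ROOT BACKUP_DIR [DB_NAME]  -> prints the archive path
backup_site() {
  local site_root="$1" backup_dir="$2" db_name="${3:-}"
  local stamp staging archive
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$backup_dir/site-$stamp.tar.gz"
  staging=$(mktemp -d)
  mkdir -p "$backup_dir"
  # A manifest records what this archive is, so it is self-describing later.
  printf 'created=%s\nsource=%s\n' "$stamp" "$site_root" > "$staging/manifest.txt"
  if [ -n "$db_name" ] && command -v mysqldump >/dev/null 2>&1; then
    # Credentials come from ~/.my.cnf, never from the command line.
    mysqldump --single-transaction "$db_name" > "$staging/database.sql"
  fi
  # Site tree plus the staging files (manifest, database dump) in one archive.
  tar -czf "$archive" -C "$(dirname "$site_root")" "$(basename "$site_root")" \
      -C "$staging" .
  # The archive contains wp-config.php (database password) and possibly the
  # whole database, so nobody else on the host gets to read it.
  chmod 600 "$archive"
  (cd "$backup_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
  rm -rf "$staging"
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> succeeds only if the checksum matches and the
# archive can be read end to end
verify_backup() {
  local archive="$1"
  (cd "$(dirname "$archive")" && sha256sum --status -c "$(basename "$archive").sha256") \
    && tar -tzf "$archive" >/dev/null
}

# restore_backup ARCHIVE DEST_DIR -> unpacks into DEST_DIR. Point it at a
# scratch directory to rehearse; use the real location only on the day.
restore_backup() {
  local archive="$1" dest="$2"
  mkdir -p "$dest"
  tar -xzf "$archive" -C "$dest"
}

# Example run: ./backup-site.sh /var/www/example /var/backups/example wordpress
if [ "$#" -ge 2 ]; then
  archive=$(backup_site "$@")
  verify_backup "$archive" && printf 'verified %s\n' "$archive"
fi
```

The restore step is the point of the exercise: schedule backup_site from cron, but also run restore_backup into a scratch directory every so often and check that the files and the database dump are all there, and keep the off-site copy’s checksum file with it so the copy can be verified the same way.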

How to backup your website

Use a secure hosting provider

Ultimately, you can take all of these precautions, but without a secure hosting provider, it will be all for naught.

In particular, your hosting provider should continuously monitor its network and keep its server software up to date. When shopping around for hosting companies, those are the basics, but the security of your account with the provider is critical as well, since whoever controls that account controls your server.

For example, you should choose a hosting provider that offers multi-factor authentication for your account with them, and then actually turn it on.

A secure website is critical to building trust with your website’s visitors, and implementing the above advice can help you not only protect your website and your website’s visitors, but build trust with those who matter most to your website—the people who are viewing it.