Today, website security is not a luxury, but a necessity. Even if you just have a cozy recipe blog or a small business website, cyber threats can do a lot of damage. A hack can lead to data breaches, virus infections, or even a complete loss of trust with your audience.
That's why we, as experts in hosting and web security, have prepared 10 simple but crucial rules for you that will really help to make your website more secure.
1. Use complex passwords and two-factor authentication (2FA)
🔴 Problem: Simple and predictable passwords make your site vulnerable to brute-force attacks - it's like a door lock with the «1234» code.
✅ How to protect yourself:
- Make passwords at least 12 characters long, including letters, numbers and special characters.
- Use password managers so you don't have to keep all the combinations in your head (or write them down on post-it notes).
- Turn on two-factor authentication (2FA) so that even if your password is stolen, access isn't so easy.
- Disable direct SSH or FTP access for root user — use key authentication instead.
2. Update your CMS, plugins and themes regularly
🔴 Problem: Outdated software contains vulnerabilities that can be exploited by hackers.
✅ How to protect yourself:
- Install the latest updates for CMS (website management system), plugins and themes.
- Check if your plugin is supported by the developer. If it has not been updated for a long time, look for an alternative.
- Test updates on a separate server before rolling them out to a working site.
- Get rid of unnecessary extensions, remove plugins and themes that you haven't used for a long time — dead weight only hurts.
3. Install an SSL certificate
🔴 Problem: Without encryption, transmitted data can be intercepted as easily as eavesdropping on someone else's conversation on the bus.
✅ How to protect yourself:
- Attach an SSL certificate and move your site to HTTPS (instead of HTTP).
- Configure automatic certificate renewal to avoid unexpected «Insecure connection» message in users' browser.
- Check that encryption works correctly on all pages.
- Enable HSTS (Strict Transport Security) so that browsers automatically use HTTPS.
4. Make regular backups
🔴 Problem: Loss of data due to attacks, bugs or glitches can result in complete loss of site uptime.
✅ How to protect yourself:
- Set up automatic backups.
- Store copies in multiple locations: cloud, local, external media.
- Check backups periodically to make sure they are working properly.
- Use incremental backups (they save space by saving only changed files).
5. Limit the number of attempts to log in to the admin panel
🔴 Problem: Attackers use bruteforce attacks (they can brute force passwords until they guess them).
✅ How to protect yourself:
- Set a limit on the number of failed login attempts.
- Use CAPTCHA or reCAPTCHA.
- Change the default URL of the login page to make it harder for hackers.
- Configure access by IP address.
- Disable XML-RPC if not in use (relevant for WordPress).
6. Remove unnecessary plugins and themes
🔴 Problem: Old and unused plugins may contain vulnerabilities, an ideal entry point for cybercriminals.
✅ How to protect yourself:
- Regularly check and remove plugins that are no longer in use.
- Select only actively supported plugins.
- Check code for malicious scripts.
- Audit installed extensions.
7. Use a firewall and antivirus software
🔴 Problem: Malicious attacks and unauthorized access can disrupt the site or infect it with viruses.
✅ How to protect yourself:
- Install a web application firewall (WAF).
- Use antivirus scanners to monitor traffic and files.
- Customize an alert system for suspicious activity.
- Close unnecessary open ports on the server.
8. Set up the correct file permissions
🔴 Problem: Incorrect permissions can allow attackers to modify or delete files on the server.
✅ How to protect yourself:
- Set permissions to 644 for files and 755 for directories. These values mean that the owner can edit files, but other users can only read and execute them.
- For important configuration files, set permissions to 400 or 440 so that they can only be read.
- Disable the ability to execute PHP code in the downloads directory.
- In SSH or terminal, use chmod 644 filename to change file permissions and chmod 755 directoryname for folders.
9. Control file uploads
🔴 Problem: Open download — a loophole for viruses and malware.
✅ How to protect yourself:
- Limit the formats of allowed files.
- Use server-side antivirus scanners (e.g. ClamAV) to scan uploaded files.
- Limit the maximum size of uploaded files.
- Store uploaded files outside the public_html directory and check them before posting.
10. Keep an eye on the activity on the site
🔴 Problem: Without monitoring, hacking can only be noticed when it's too late.
✅ How to protect yourself:
- Include activity logs and check them regularly.
- Use monitoring tools: Google Search Console, hosting security systems.
- Set up alerts on hacking attempts and suspicious code changes.
- Connect security tools: Sucuri Security, Wordfence, OSSEC, Fail2Ban.
- Analyze user behavior with ModSecurity.
In conclusion
Site security — is not a one-time tweak, but an ongoing process. Follow these 10 simple rules and your site won't be an easy target for hackers
Remember: data protection is your responsibility. Let your site be a fortress, not a shack with a sign that says «Come one, come all you want!
