
Website Security Best Practices

Technical Guides Apr 11, 2026
Protecting your website from security threats is essential. This guide covers practical steps you can take to keep your website and hosting account secure.

Use Strong, Unique Passwords

- Use passwords with at least 12 characters including uppercase, lowercase, numbers, and symbols.
- Never reuse passwords across different accounts.
- Use a password manager to generate and store complex passwords.
- Change passwords regularly, especially after granting temporary access.

Enable Two-Factor Authentication

Add an extra layer of security to your client area login by enabling 2FA. Even if someone obtains your password, they cannot access your account without the second factor. See our 2FA setup guide for instructions.

Keep Software Updated

Outdated software is the number one cause of website compromises:

- Update your CMS (WordPress, Joomla, etc.) as soon as new versions are released.
- Update all plugins and themes promptly.
- Remove plugins and themes you are not using.
- Use the latest PHP version your application supports.

Install and Configure SSL

- Enable SSL on all domains and subdomains.
- Force HTTPS using .htaccess or your CMS settings.
- Fix mixed content warnings (HTTP resources loaded on HTTPS pages).
- SSL encrypts data between your visitors and your server.
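Mixed content is usually caused by absolute http:// URLs hard-coded in templates and posts. The following shell script is an added example (not part of this guide) that walks a web root and lists every src= or href= pointing at a plain-http URL; the web root path is a placeholder and the HTML below is constructed for illustration.

```shell
#!/bin/sh
# Added example: locate hard-coded http:// resource references that will
# trigger mixed content warnings once HTTPS is forced. WEBROOT is a placeholder.

# find_mixed_content DIR -> file:line:text for each src=/href= that uses http://
# Navigational <a href="http://..."> links are harmless for mixed content but are
# listed too, so every hit still deserves a look.
find_mixed_content() {
    find "$1" -type f \( -name '*.html' -o -name '*.php' \) \
        -exec grep -nHE '(src|href)=.http://' {} + || true
}

# count_mixed_content DIR -> number of offending references, 0 when clean
count_mixed_content() {
    find_mixed_content "$1" | wc -l | tr -d ' '
}

# Usage on a real site (placeholder path):
#   find_mixed_content /home/user/public_html
```

Run it before and after switching the site to HTTPS; a count of zero means the templates no longer reference insecure resources, although content injected by plugins at run time still needs a browser console check.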

Use a Web Application Firewall (WAF)

A WAF protects against common web attacks:

- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Brute force login attempts

Consider using Cloudflare (free tier includes basic WAF) or a WordPress security plugin like Wordfence or Sucuri.

Set Correct File Permissions

- Files: 644 (owner can read/write, others can read)
- Directories: 755 (owner has full access, others can read/execute)
- Configuration files (wp-config.php, .env): 600 or 640
- Never use 777 permissions; they let every account on the server read, write, and execute the file.
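The permission values above can be applied in one pass. This shell script is an added example, not code from the guide; it assumes a Linux/Unix host with POSIX find and chmod, and the web root path is a placeholder.

```shell
#!/bin/sh
# Added example: audit and reset permissions under a web root to the values
# recommended above (755 directories, 644 files, 600 for credential files).

# find_world_writable DIR -> every entry that any user on the server may write to
find_world_writable() {
    find "$1" -perm -002 -print
}

# count_world_writable DIR -> number of world-writable entries, 0 when clean
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# harden_perms DIR -> apply the recommended modes
harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # Files holding database credentials should be readable by the owner only.
    find "$root" -type f \( -name 'wp-config.php' -o -name '.env' \) -exec chmod 600 {} +
}

# Usage (placeholder path):
#   count_world_writable /home/user/public_html   # audit first
#   harden_perms /home/user/public_html           # then fix
```

Run the audit function first so you know what changed; if the count is already zero and your configuration files report 600, there is nothing to do.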

Regular Backups

- Enable automatic backups in your control panel.
- Keep copies in multiple locations (server, local, cloud storage).
- Test restoring from backups periodically.
- Back up before making any changes to your site.
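A backup you have never restored is an assumption, not a backup. The script below is an added example (not from this guide) that archives a site directory and then proves the archive restores byte-for-byte into a scratch directory. Paths are placeholders, and the database dump is left out because mysqldump needs live credentials.

```shell
#!/bin/sh
# Added example: timestamped file backup plus a restore test.

# backup_site SRC DEST_DIR -> prints the path of the archive it created
backup_site() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    archive="$dest/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C stores relative paths so the archive can be restored anywhere
    tar -czf "$archive" -C "$src" .
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE ORIGINAL -> "ok" when a fresh restore matches ORIGINAL,
# "mismatch" otherwise (for example after the live site changed since the backup)
verify_backup() {
    archive="$1"; original="$2"
    scratch=$(mktemp -d)
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$original" "$scratch" >/dev/null; then
        result=ok
    else
        result=mismatch
    fi
    rm -rf "$scratch"
    printf '%s\n' "$result"
}

# Usage (placeholder paths):
#   archive=$(backup_site /home/user/public_html /home/user/backups)
#   verify_backup "$archive" /home/user/public_html
```

Copy the archive off the server afterwards (the guide's "multiple locations" point); the verify step is worth repeating on the off-site copy, since a corrupted upload is the failure you will only discover during a real restore.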

Monitor for Malware

- Scan your website regularly for malware and suspicious files.
- Monitor your site for unexpected changes or new files.
- Set up uptime monitoring to detect if your site goes down.
- Review server access logs for suspicious activity.

Limit Login Attempts

- Install a plugin or use .htaccess rules to limit failed login attempts.
- This prevents brute force attacks on your admin panel.
- Consider changing the default admin login URL (e.g., /wp-admin).
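The log review recommended under "Monitor for Malware" and the brute force concern above meet in the access log: repeated POSTs to the login form from one address are the signature to look for. This shell script is an added example, not part of this guide; the login path, the status-code rule and the threshold are assumptions about a WordPress site, and the Apache combined-format lines are constructed samples.

```shell
#!/bin/sh
# Added example: flag addresses that repeatedly fail the login form.

# write_sample_log FILE -> a few constructed Apache "combined" log lines
write_sample_log() {
cat > "$1" <<'EOF'
203.0.113.10 - - [11/Apr/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Apr/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Apr/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Apr/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Apr/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2026:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2026:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [11/Apr/2026:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
EOF
}

# failed_logins LOG -> "count ip" per address, most active first.
# Assumption about WordPress: a failed login POST re-renders the form with
# status 200, a successful one answers 302, so only 200s count as failures.
failed_logins() {
    awk '$6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == 200 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# flag_bruteforce LOG THRESHOLD -> addresses with at least THRESHOLD failures
flag_bruteforce() {
    failed_logins "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Usage on a real log (placeholder path and threshold):
#   flag_bruteforce /home/user/logs/access.log 20
```

Addresses that the script flags are the ones a login-limiting plugin or .htaccess rule would have blocked; seeing them in the log after you enable limiting is a quick way to confirm the rule is actually working.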

Secure Your Email

- Set up SPF, DKIM, and DMARC records.
- Use strong passwords for email accounts.
- Be cautious with email attachments and links.
- Enable spam filtering.
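Having SPF and DMARC records published is only half the job; a record with "+all" or "p=none" gives almost no protection. The script below is an added example (not from this guide) that reads the effective policy out of SPF and DMARC TXT records. The record strings are constructed samples; on a live domain you would obtain them with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`.

```shell
#!/bin/sh
# Added example: interpret SPF and DMARC records.

# spf_policy RECORD -> what the record does with senders it does not list
spf_policy() {
    case "$1" in
        'v=spf1'*) ;;
        *) echo invalid; return 0 ;;
    esac
    last=${1##* }
    case "$last" in
        -all) echo fail ;;        # unlisted senders rejected
        '~all') echo softfail ;;  # marked suspicious, usually still delivered
        '?all') echo neutral ;;
        +all|all) echo pass ;;    # anyone may send as this domain: effectively no SPF
        *) echo none ;;           # no "all" mechanism: unlisted senders treated as neutral
    esac
}

# dmarc_tag RECORD TAG -> the value of TAG (p, rua, pct, ...) or empty
dmarc_tag() {
    printf '%s\n' "$1" | tr ';' '\n' | sed 's/^[[:space:]]*//' |
        awk -v t="$2" 'index($0, t "=") == 1 { sub(/^[^=]*=/, ""); print; exit }'
}

# dmarc_strength RECORD -> "strong" (reject/quarantine), "monitor-only" (p=none),
# or "missing" when there is no usable policy tag
dmarc_strength() {
    case "$(dmarc_tag "$1" p)" in
        reject|quarantine) echo strong ;;
        none) echo monitor-only ;;
        *) echo missing ;;
    esac
}

# Usage with live records (placeholder domain):
#   spf_policy "$(dig +short TXT example.com | tr -d '"')"
#   dmarc_strength "$(dig +short TXT _dmarc.example.com | tr -d '"')"
```

A new domain commonly starts with p=none so the aggregate reports (the rua= address) can be reviewed; move to quarantine and then reject once legitimate senders all pass.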