
How to Make Your Website Secure? – Best Tips and Practices

updated on Jul 15, 2015
Website security should be a concern for every webmaster. An unmaintained site is an open door to malware, spam and attackers' scripts. Google flags thousands of infected websites every single day, and nothing guarantees that yours will not be among them.

You may think there is little to protect because your site holds no valuable information, but attackers rarely need your data. In most cases a hacked site is used as infrastructure: to serve malware to your visitors, to host phishing pages, to send spam, or to hide links that boost someone else's search ranking.

If you do not want your website damaged and blocked by search engines, act now to protect it. Below are website security practices you can apply to your own site.

Keep the Scripts, Themes and Plugins Up-to-Date

One of the easiest and most important things to do is to keep everything updated: the CMS itself, the themes and the plugins.

Building sites on third-party software like WordPress and Joomla is now the norm. These applications are easy to use, but keeping them up to date is entirely your job. Updates are released regularly, and many of them fix publicly known vulnerabilities; once a fix is public, the old version is exactly what attackers scan for. Applying updates promptly closes those known holes.

Keep track of updates for the themes and plugins used on your site as well. If one has not received an update for a long time, a year for example, stop using it and find an alternative. Also delete unused themes and plugins rather than leaving them installed but deactivated: a deactivated plugin's files are still on the server, and a vulnerable script among them can often still be requested directly.


Use Unpredictable Login Credentials

Use an unpredictable username and a strong password for access to both the server and the website. Never use "admin" or your own name as the username, and never use "admin", "password" or "1234567" as the password. Such credentials are the first guesses in any brute force attack.

Beyond your own account, enforce strong passwords for all users. Length matters more than character variety: require at least twelve characters (the eight that older policies demand is too short), and reject common or previously leaked passwords where your software can check for them. Forced regular password changes are no longer recommended; require a change when an account or the site is suspected of being compromised. If your site is built with WordPress, a security plugin can enforce these rules.

Another task, a little more advanced, is to make sure that all passwords are stored safely in the database. Two rules apply if you write or configure the code that stores them.
  • Never store passwords in plain text or with reversible encryption. Store only a one-way hash, and use a hash designed for passwords (bcrypt, scrypt, Argon2 or PBKDF2), which is deliberately slow so that testing millions of guesses costs an attacker real time. A plain fast hash such as MD5 or SHA-1/SHA-256 is not enough on its own: an attacker who steals the database can test billions of guesses per second against it.
  • Salt the passwords. A salt is a random value generated separately for each user, stored alongside the hash and mixed into it. It defeats precomputed (rainbow) tables and forces the attacker to crack every account separately instead of attacking all hashes at once.

Secure the Admin Area of Your Website

The admin area is the brain of your site, so do your best to keep unauthorized users out of it. Brute force attacks, automated password guessing against the login page, are the most common way in. Besides using a strong username and password, you can:

Limit failed login attempts

Limit how many failed login attempts are allowed for an account or an IP address within a period of time. Once the limit is hit, the user is locked out for a while, which makes a brute force attack far slower. Count failures per account as well as per IP, because attackers spread their guesses over many addresses.

Use the proper error messages

Some login scripts report which part was wrong, for example "unknown username" versus "wrong password". That tells an attacker which usernames exist, so half of the brute force job is done for them. Return one generic message for every failure, such as "The username or password entered is incorrect", and make sure the response takes the same time whether or not the username exists. If you do not know how to do this, read a custom login page tutorial for your CMS.
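The password-storage rules and the login hardening above, in working code: an added example that is not from the original article. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the slow password hash (bcrypt, scrypt or Argon2 would serve equally); the iteration count, lockout threshold and window are illustrative assumptions, and the in-memory dictionaries stand in for the site's users table.

```python
import hashlib
import hmac
import os
import time

# Illustrative parameters (assumptions, not values the article prescribes).
ITERATIONS = 200_000        # PBKDF2 rounds: tune so one hash costs a noticeable fraction of a second
MAX_FAILURES = 5            # lock the account after this many failures ...
WINDOW_SECONDS = 15 * 60    # ... within this sliding window
GENERIC_ERROR = "The username or password entered is incorrect."
DUMMY_SALT = bytes(16)      # used to burn equal time for unknown usernames


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different digests, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself does not leak how many bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """In-memory stand-in for the users table: username -> (salt, digest)."""

    def __init__(self):
        self.users = {}
        self.failures = {}   # username -> timestamps of recent failed logins

    def add_user(self, username, password):
        self.users[username] = hash_password(password)

    def _recent_failures(self, username, now):
        cutoff = now - WINDOW_SECONDS
        recent = [t for t in self.failures.get(username, []) if t > cutoff]
        self.failures[username] = recent
        return recent

    def login(self, username, password, now=None):
        """Return (ok, message). The message is identical for an unknown user,
        a wrong password and a locked account, so it cannot be used to find
        out which usernames exist."""
        now = time.time() if now is None else now
        if len(self._recent_failures(username, now)) >= MAX_FAILURES:
            return False, GENERIC_ERROR          # locked out: do not even check
        record = self.users.get(username)
        if record is None:
            hash_password(password, DUMMY_SALT)  # same cost as a real check
            ok = False
        else:
            ok = verify_password(password, *record)
        if ok:
            self.failures.pop(username, None)
            return True, "Welcome"
        self.failures.setdefault(username, []).append(now)
        return False, GENERIC_ERROR


if __name__ == "__main__":
    store = UserStore()
    store.add_user("editor", "correct horse battery staple")
    print(store.login("editor", "correct horse battery staple"))   # (True, 'Welcome')
    print(store.login("editor", "admin123"))                       # (False, generic message)
    print(store.login("nobody", "admin123"))                       # same message, same cost
```

In a real deployment the users and failure records live in the database, and failures are also counted per source IP. Tune ITERATIONS so that one verification takes a noticeable fraction of a second on your server; that cost is what makes offline cracking of a stolen table expensive.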

Limit the IP

If your website has only a few contributors, you can allow only their IP addresses to reach the admin area and block all others, for instance with web server rules or a firewall. This is an effective measure, but it needs maintenance: home and mobile connections change address, and a contributor on a new network will be locked out. It is not a suitable option for sites with a large number of authors.

Secure the admin email

Do not use the address listed on the "contact us" page or elsewhere on the site as the admin email. A public address is the one attackers will aim password-reset attempts and phishing at, and it tells them which account to target.


Enhance the Database Security

Attackers target databases because they hold the most valuable information on your site: user accounts, password hashes and customer data. Below are best practices for database security.

Run databases on a separate server

If possible, run the database on its own server rather than on the web server, and allow connections to it only from the web server's address. A compromise of the web server then does not hand the attacker the database files themselves, although the web application's own database credentials will still be exposed, so give that account only the privileges it needs. On shared or managed hosting this is out of your hands, but you can ask the hosting provider about it before buying.

Change the database table prefix

One-click installers create the database with a default table prefix (WordPress's is "wp_") that every attacker knows. If you did not change it during installation, you can rename the tables with a less predictable prefix. Treat this as minor hardening only: a SQL injection flaw lets an attacker list the real table names anyway, so it does not replace fixing the injection.

Avoid using a shared server

If your site holds sensitive or valuable information, do not use shared hosting. Shared hosting is cheap, but your site lives on the same server as many others, and a weakness in a neighbour's account can be turned against yours. Consider VPS hosting at least for business sites.


Secure Files

There are several things you can do to secure files, but the two tasks below deserve particular attention.

Delete the install folder of scripts

After installing a script successfully, delete its install folder as soon as possible. The folder is of no further use to your site, but it leaves behind executable setup scripts and configuration details that an attacker can use to reconfigure or re-install your site.

Change file permissions

File permissions determine who can read, write or execute a file. Make sure that no file on your server has the dangerous "777" permission, which lets every user on the server read, write and execute it; on shared hosting that means every other customer. Generally speaking, the following rules suit most websites.
  • Set "755" permissions on directories: the owner can write, everyone else can only list and enter them.
  • Set "644" permissions on files: the owner can write, everyone else can only read.
Files should be owned by your own account rather than by the web server user wherever the hosting setup allows, so that a flaw in one script cannot be used to rewrite the others. You can change file permissions with the File Manager in cPanel, an FTP client like FileZilla, or the chmod command over SSH.
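An added example, not from the original article, that checks the rules above against a document root: it walks the tree, reports every directory that is not 755 and every file that is not 644 and, if asked, fixes them. It skips symbolic links and applies the article's plain rule only; the tiny sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755      # owner rwx, group/others r-x
FILE_MODE = 0o644     # owner rw, group/others r
GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def is_dangerous(mode):
    """True if group or others may write: 666, 777 and friends."""
    return bool(mode & GROUP_OR_WORLD_WRITABLE)


def scan_permissions(root, repair=False):
    """Return [(path, current_mode, expected_mode)] for every entry under root
    whose mode differs from the rule. With repair=True, chmod it as well.
    Symlinks are skipped so we never change the mode of a target outside root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)] if dirpath == root else []
        entries += [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in entries:
            if os.path.islink(path):
                continue
            current = stat.S_IMODE(os.lstat(path).st_mode)
            if current != expected:
                findings.append((path, current, expected))
                if repair:
                    os.chmod(path, expected)
    return findings


def build_demo_tree():
    """Constructed sample: a tiny document root with the classic mistakes."""
    root = tempfile.mkdtemp(prefix="docroot-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    index = os.path.join(root, "index.php")
    with open(index, "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    os.chmod(root, DIR_MODE)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    os.chmod(uploads, 0o777)    # the "just make it work" permission
    os.chmod(index, 0o666)      # group- and world-writable source file
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for path, current, expected in scan_permissions(root, repair=True):
        flag = "DANGEROUS" if is_dangerous(current) else "non-standard"
        print(f"{flag:12} {oct(current)} -> {oct(expected)} {path}")
```

Run it first without repair=True and read the list: some setups legitimately need an upload directory writable by the web server's group (775), and a blanket chmod will break them. Ownership matters as much as mode; keep the files owned by your own account rather than the web server user where the host allows it.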


Secure the File Uploads

Allowing file uploads can be a serious security issue, because an uploaded file may be a script disguised as an image. If the server can be made to execute it, the attacker has a back door into your site. So what should you do?

You can disallow file uploads entirely, but that is no solution for the many websites that need images. There are better measures to try.

Limit upload file type

The basic step is to prevent users from uploading executable files. If only images are needed, allow only the "jpg", "jpeg", "png" and "gif" extensions, so a file such as a .html or .php page is refused. Check this on the server, never only in the browser, and judge by the last extension only: a name like "shell.php.jpg" counts as a jpg, and the file should be renamed to a random name on disk so the attacker's chosen name never matters. Checking that the first bytes of the file match the claimed image format catches most disguised scripts, but not all, which is why the next two measures still matter.

Prevent script execution in the upload folder

Changing the upload folder's permissions to "666" is often recommended for this, but it does not work: on Unix the execute bit on a directory only controls whether the directory can be entered, and whether a PHP file runs is decided by the web server's handler configuration, not by the file's mode. Instead tell the web server never to execute scripts in that directory, for example with an .htaccess file in the uploads folder that turns the PHP engine off or denies requests for .php files, or an equivalent location rule in nginx. Then even if a disguised script slips through the upload check, a request for it returns an error or the raw bytes instead of running it. This measure is often ignored, but take it seriously.

Store uploaded files in a private folder

This is a more advanced solution that requires some coding. Store uploaded files in a folder outside the web root, where no URL maps to them, and serve them through a small script that looks a file up by name, refuses any name that would escape the folder, and sends it with the correct image content type. A file in the private folder can then only ever be delivered as data, never executed. The how-to is not covered here; search for a detailed tutorial for your platform if you are interested.


Use Website Security Tools & Technologies

Additional tools keep you informed of dangers to your site and help you deal with them.

Sign up for Google Webmaster Tools

Google Webmaster Tools (now called Google Search Console) is a useful helper for website security. It notifies you when Google detects malware or hacked content on your site, so you can respond immediately and clean it up. Register and verify your site there before anything happens, so that the notifications actually reach you.

Install an SSL/TLS Certificate

An SSL/TLS certificate matters for every website, not only for those doing business online. It encrypts the traffic between the visitor's browser and your web server, so logins, form data and session cookies cannot be read or altered in transit; that includes your own logins to the admin area. After installing the certificate and switching the site to HTTPS, you will see the lock symbol in the address bar. Also redirect all HTTP requests to HTTPS so that nobody keeps using the unencrypted version.

Consider SiteLock

Whether you run a CMS-based website or a plain HTML site, SiteLock is one paid service that scans daily for malware and known vulnerabilities. The scans run automatically, and the service also includes a web application firewall.

Use a Web Application Firewall

A web application firewall inspects all traffic to your website and filters it according to a configured policy. It can block many known attack patterns and traffic from blacklisted sources, and it reduces the risk from cross-site scripting (XSS) and SQL injection. It is a safety net rather than a fix: a WAF can be bypassed, so the underlying vulnerabilities still need patching.

Use a security plugin/extension

Open source applications like WordPress and Joomla have many easy-to-use, feature-rich security plugins covering login protection, file integrity checks and malware scanning. Read reviews and select the one that best matches your needs. But do not run more than one security plugin at the same time; they tend to conflict with each other.


Keep Informed of New Technologies and Never Stop Learning

The Internet is an ever-changing place where attackers keep improving their skills and techniques. You should keep learning too, and apply current technologies to secure your site.

If you find good blogs about website security, subscribe to their newsletters. You will then hear about the latest vulnerabilities and malware and stay ahead in the fight against hackers.