Website Security Guide

By | December 16, 2020

Your website is at risk.

I’m not saying this to try and scare you, but that’s the reality of the world we live in. More than 30,000 websites get hacked each day.

You can’t have an “it won’t happen to me” mentality. I encounter businesses all the time who feel this way. They think hackers have bigger fish to fry and don’t have any reason to target their website. That’s simply not the case. In fact, 43% of cyber crimes are against small businesses.

Roughly half of companies worldwide say they have experienced a cyber attack in 2019. Just 40% of businesses say they’re prepared to handle cyber attacks.

I don’t have a magic crystal ball or some way to see into the future, but my gut tells me that cyber criminals aren’t going to just wake up one day and decide to stop hacking websites. Bottom line: Hackers won’t stop trying to gain an edge. That means you need to regularly improve your website security.

That’s what inspired me to write this guide. I’ll show you what needs to be done to secure your website today, in 2020.

Common Website Security Threats

Websites get attacked in a lot of different ways. So before we proceed, I want to give you a brief overview of some of the most common threats to your website security. These are the things that you’ll want to be prepared for when taking security measures.


We’ve all been contacted by a Nigerian prince or had a distant, wealthy relative die and needed to claim our money. Usually, it’s annoying—but relatively harmless if you ignore it.

However, sometimes spam is more malicious. Spam in the form of comments is extremely common on websites. Bots can hammer the comments section of your website with links to another site as an attempt to build backlinks.

These comments harm your website because:

  1. They don’t look good on your site and might turn readers off who might otherwise engage with your content by commenting.
  2. Phishing links might contain malware, which can harm your website visitors if they click on them.

Furthermore, Google’s crawlers can often detect malicious URLs and penalize your website for hosting spam. This will crush your SEO ranking.

Viruses and malware

For those of you who don’t know, malware stands for “malicious software.” So malware and viruses are essentially the same thing. Malware is arguably the biggest threat to your website. As much as 350,000 malware samples are created each day.

According to Statista, these are the most common types of malware used in cyber attacks across the world:

Most Commonly Encountered Types of Malware Used in Cyber Attacks Worldwide in 2019

As you can see, malware comes in all different shapes and sizes. That’s why it’s such a big threat to your website.

These types of viruses are often used to access private data or use server resources. Criminals also use malware to make money with ads or affiliate links by hacking your website permissions. Hackers are able to introduce malware into your computer infrastructure in a variety of different ways including emails to employees, redirects, and direc ft hacking.

Our biggest piece of advice: Don’t click on weird links. That might seem like a, “Well, duh” moment, but it’s easier to fall for the trap than you think. Be sure to educate your employees and any other users who might be using your company’s computers on the importance of keeping vigilant online.

With malware, both you and your website visitors are at risk. Someone visiting your site could click a link that downloads a malicious file onto their computer. It’s your job to keep your website secure and prevent that from happening.

WHOIS domain registration

Buying a domain name is like buying a house. The company that sells the house must know who they’re selling to and be able to contact them. Plus, anyone can go to the county auditor and find information about any address.

The same goes for buying a website. Depending on the country you’re in, you’ll be required to release some information about yourself that is recorded on WHOIS data. Outside of your personal information, this also contains information about your URL nameservers (these are the servers that connect your domain name to your actual web server).

Hackers can use this information to narrow down the location of the server that you’re using. They can use this as a gateway to access your web server.

DDoS attacks

DDoS attacks deny access to users trying to visit a specific website. Basically, the hacker uses spoof IP addresses to overload servers with traffic. This essentially takes the website offline. Think of it as spamming website traffic to your site. Instead of you benefiting from more traffic though, your website crashes.

Now the host needs to scramble to get the server back up and running as fast as possible, which leaves the server vulnerable for malware—not to mention the loss of revenue and credibility for you.

These attacks are on the rise too. In Q3 of 2020, websites saw a 50% increase of DDoS attacks when compared to 2019.

Search engine blacklists

When you don’t keep your website safe, it’ll have a ripple effect in other key areas of your business. For example, if your website is attacked, Google might take notice and diminish your SEO rankings.

According to a recent study, 74% of hacked websites were attacked for SEO reasons such as adding backlinks to your website. They can also create new web pages on your website or display an entirely different site in order to bring your ranking down and boost the ranking of whatever site they want.

I briefly mentioned this earlier when we were discussing spam comments. If search engines detect malicious content on your website, your SEO ranking will suffer.

If lots of users are reporting your site as spam or unsafe, you could be added to a search engine blacklist. Once you’re on that list, it’s extremely difficult to get off.

Here are a few ways people can report your website for security issues on Google:

  • Web page spam. These are websites that attempt to get better placement on Google results through black hat methods such as hidden text, redirects, and cloaking.
  • Paid links spam. This is the purchase and sale of links that pass PageRank.
  • Rich snippets spam. If you give leaders false or misleading information such as fake reviews.
  • Malware. This is when sites are infected with malware and present a harmful user experience as a result.
  • Phishing. These are websites and pages designed to steal your personal information by posing as another page (e.g. setting up a fake PayPal landing page to get bank information).

The best way to avoid being reported is to play by the rules and do right by your website visitors. That starts with keeping your website safe.

How to keep your website safe

Now that you’re familiar with some of the most common security threats, you need to get serious about preventing them from ever happening on your website.

You can’t just assume that your website is secure. If you haven’t done anything to beef up the security, it’s probably vulnerable for attacks. Even if you have done something, you need to keep updating your site and making sure that it’s still secure. The Internet moves fast. There’s no room for “probably” here.

These are the steps you need to take to improve your website security in 2020.

Use HTTPS protocol

If your website isn’t currently using HTTPS protocol, that needs to jump to the top of your priority list. This essentially tells your website visitors that they’re interacting with the proper server and nothing else can alter or intercept the content they’re viewing.

Without HTTPS a hacker can change information on the page to gather personal information from your site visitors. For example, they could steal login information and passwords from users.

HTTPS protocol will also improve your search ranking. Google rewards websites that use this security measure.

This is comforting to people who visit your website as well. When they visit your site, they’ll see this next to the URL:

It’s secure and trustworthy. Now, compare it to a site that’s not using HTTPS protocol. The URL in the web browser will look like this:

Do you feel safe when you’re browsing on a website and see this? I don’t.

Furthermore, you can improve this security measure even more by combining your HTTPS with an SSL (secure sockets layer) certificate. This is required for ecommerce websites since users are submitting sensitive information like credit card numbers, names, and addresses.

SSL certificates encrypt the communication between the server and the user’s web browser. This is a very nice added layer of encryption to keep your website safe (though it doesn’t prevent attacks or malware distribution). Even if you’re not selling anything on your website, I strongly recommend using HTTPS protocol and adding an SSL certificate to add security.

Update your software

If you own a computer, you know how often you have to update the software to keep it running smoothly. They might be annoying, but they’re necessary. The same goes for your website. Make sure you have the most recent version of WordPress software, plugins, CMS, and anything else that needs an update.

In addition to fixing bugs or glitches, software updates typically come with security improvements. No software is perfect. Hackers will always be looking for ways to take advantage of their vulnerabilities.

Lots of cyber attacks are automated. Criminals use bots to just scan for websites that are vulnerable. So, if you’re not staying up to date on the latest software versions, it will be easy for hackers to identify and target your site before you can do anything about it.

Choose a safe web hosting plan

In theory, if your web hosting provider has security on its servers, you’ll benefit from those same levels of protection. However, that’s not always the case.

Going with a shared hosting plan might be appealing because of the price, but it’s not the most secure choice you can make. As the name implies, you’re sharing servers with other websites if you choose this type of hosting plan.

If one of those other sites gets attacked, a hacker can gain access to the server that you’re using as well. That means hackers might hurt your website even though you’re not directly targeted.

It’s like if you shared an apartment with roommates—but one of your roommates accidentally leaves the door unlocked one day. Then a burglar came in and stole the apartment television. Even though it wasn’t your fault and you weren’t necessarily the target, you still suffer from it.

I’m not trying to steer you away from a shared hosting plan, but if you want to boost your website security, you’ll be better off with another option such as Cloud or VPS.

Check out my list of the best web hosting services, which can help guide you in the right direction.

Change your password

Change your password—and do so regularly (every 6 months to a year). I can’t stress this enough.

All too often I speak to people who have the same password for everything they own, and it’s something they’ve been using since they were in college ten years ago.

Here’s the problem with that: if hackers get access to your password, they’re going to try on other things such as bank accounts, social media accounts, and more. If you’ve kept the same password over multiple different accounts, you’re essentially handing them the master key to your Internet life.

Shockingly, 25% of passwords can be hacked in just three seconds.

The information from this graph was obtained using an open source software called John the Ripper. Anyone can use this tool to crack passwords.

If software like this can figure out more than half of passwords in just two hours, I can promise you that the best hackers are cracking passwords even faster.

That’s why you need to constantly update your password. You can use a password manager like 1Password to help you generate long passwords with special characters that are nearly impossible to solve. These password managers also leverage powerful encryption that keeps your passwords safe from hackers. You can rest easy knowing that your passwords are safe.

Furthermore, you should pick a web host that’s using two-factor authentication. This is a feature that requires you to confirm a login on a separate device (most commonly a smartphone). This will add an extra layer of security for password protection. If your web host doesn’t offer this, there are other ways for you to enable it on your own using apps or third parties.

Secure your personal computer

Don’t allow your own devices to threaten your website.

Hackers can inject malicious files into websites by stealing FTP logins via your personal computer. That’s why you need a good antivirus software on your computer (yes, even if those McAfee popups annoy you).

The last thing you want is to be careless while you’re browsing online on personal devices and have that mistake end up hurting your own website. This is especially important if you use a personal device for your work.

If you’re a business owner, be sure to educate your employees to protect their personal computers from bad actors. In either case, scan your machine on a regular basis.

Use tools to monitor your security

You can’t manually prevent attacks on your website. Instead, look for online tools and resources that will monitor your site’s security for you.

If you use WordPress, I highly recommend looking at my guide on the best WordPress security plugins. The plugins on this list add a firewall to your website while simultaneously fighting malware, spam, and other threats in real time.

If you don’t use WordPress, check to see if your website’s content manager offers good security add-ons. Otherwise, check out this list of good endpoint security software that’ll keep your IT infrastructure safe no matter what your CMS.

You can run security audits that will highlight your vulnerabilities so you can take preventative measures to stop an attack before it happens.

Limit user access

Don’t blame yourself, but 95% of cyber security attacks are the result of human error. That’s why it’s so important to educate yourself and your employees about the importance of cybersecurity.

The best way to prevent this is to limit the number of humans who can make an error. Not every employee of your business should have access to your website.

If you’re hiring an outside consultant, designer, or guest blogger, don’t automatically give those people access to change settings on your website. Implement the principle of least privilege.

Let’s say you assign a project to someone who requires a certain level of access to your website. By applying this principle, you only give them the absolute minimum level of access for they need to complete the task. Once complete, the person goes back to their regular access abilities.

Make sure each user has their own login credentials. If multiple people are sharing a username and password, it doesn’t give them any accountability and makes it harder to trace a security breach. Your team is much more likely to be careful with sensitive information if an error or change can be traced back to them.

Backup your website

When it comes to securing your website, you should always prepare for the worst. Obviously, you never want to be in a situation where your website is compromised. But in the event that something goes wrong, your life will be much easier if your content is completely backed up.

So try using a backup plugin, like BackupBuddy, to make sure you don’t lose anything on your website as the result of an attack.

BackupBuddy is one of the five best WordPress backup plugins that I reviewed for this year. Check out the full list to see which option is best for your situation.

Some of these backup plugins also come with built-in security measures as well, which can help you prevent an attack.

Adjust your default CMS settings

So many cyberattacks these days are automated. Hackers program bots to find sites with default settings. This way they can target a wider range of websites and gain access using the same type of malware or virus. Don’t make it so easy for them.

Once you install your CMS, make sure you change some of the default settings:

  • Comments settings
  • User controls
  • Visibility of information
  • File permissions

These are all examples of some of the settings that you can change quickly and right away.

Restrict file uploads

Letting website visitors upload files to your website can be risky. That’s because any file could potentially contain a script that exploits vulnerabilities on your website when it’s executed on the server.

In some instances, the nature of your website might require file uploads. For example, you may want users to add photos of your products when they’re writing a review. In this case, you should still treat all uploads as a potential threat.

You could also set it up so that any files that get uploaded are stored in a folder or database in another location. This typically looks one of three ways:

  • DIY. You can create a script that will fetch those files from a private and remote location to deliver them to a browser. This will require some coding and is a bit complex to set up, so I won’t go into too much detail on this right now.
  • Third party software. There are third-party software such as Filestack and Transloadit that offer a secure file upload system with high grade security and virus protection. This can get pretty expensive though.
  • Avoid it. The simple solution is to avoid file uploads altogether, or at least restrict the types of files that can be uploaded to your site.

Choose the best for you. The important thing is to choose one and protect your website.


Website security needs to be one of your top priorities.

If you haven’t taken any steps to secure your website, you’re currently at risk while you’re reading this. Even if you have taken the steps, you need to do so regularly and often in order to keep your website secure.

Being vigilant and implementing the right systems will help set you, your website, and your business up for success when it comes to avoiding bad actors. But you can make this difficult on them by taking the security measures that I’ve outlined above.

At the end of the day, if cyber criminals are having a tough time hacking a website, they’ll just move on to other sites that haven’t implemented the website security tactics that we talked about. You don’t want your website on that list.


Leave a Reply

Your email address will not be published. Required fields are marked *