Website Security – 9 Tips on How to Make Your Website Secure

Our independent research projects and impartial reviews are funded in part by affiliate commissions, at no extra cost to our readers. Learn more

Task time:

Did you know that 30,000 websites are attacked globally every single day? *

Don’t leave the front door of your site wide open! You need to secure your website, which means putting protection in place to keep out hackers, bugs, and other online nasties. Otherwise, your data could be at risk, your site could crash, or you could even lose money.

Here’s how to make a website secure:

  1. Install SSL – buying a simple Secure Sockets Layer certificate is a crucial first step.
  2. Use anti-malware software – to scan for and prevent malicious attacks.
  3. Make your passwords uncrackable – 123456 won’t cut it!
  4. Keep your website up to date – using out-of-date software is like leaving your back door unlocked.
  5. Don’t help the hackers – look out for phishing emails and other scams.
  6. Manually accept on-site comments – keep control over potentially dodgy comments.
  7. Run regular backups – to prepare for the worst case scenario.
  8. Protect against cross-site scripting and injection attacks – understand what they are and how to protect yourself.
  9. Implement web application firewalls – form a shield between your website and the internet.

Security is important for everyone…

…and our research confirms that. We spoke to 425 users, some choosing their first web host and others switching providers, about which features they value the most. 25% of all respondents named security as their number one priority.

But I’m not even making money through my website. It’s just a small blog. Why would anyone hack me? Why does it even matter if a hacker gets in anyway? 

Apart from losing money, hacking can result in huge losses in traffic, your site being suspended or crashing, and even identity theft. Your personal data, and that of your visitors, could be at risk.

But how am I supposed to fight off hackers? I’m not that technically skilled! 

This is another common worry, but luckily, you don’t need fearsome tech skills in order to secure your website. All of these steps are simple to implement, and we’ll walk you through each part of the process.

How Do Websites Get Hacked?

Before we get into the details of how to prevent your website getting hacked, we should probably talk about what a hacked website looks like.

While there’s no set way that a website will look after being hacked, there are patterns. And we should tell you now, if your site has been hacked, you’ll be in no doubt about it because something will be very wrong. If you’re worried, you can use free tools to check your website’s security, but it’s still good to know what signs to look out for, so here are some common ways hacking presents itself:

  • Ransomware. The hacker will threaten to publish your data and/or withhold access to your site unless a ransom sum is paid.
  • Gibberish hack. You’ll spot loads of auto-created pages filled with keywords and gibberish, with the aim of getting them to rank on Google for key terms. When clicked on, they’ll redirect to a dodgy site.
  • Cloaked keywords hack. As above, but slightly more sophisticated – at first glance, these will look like your site’s pages, as only the written content is altered.
  • Japanese keywords hack. Creates random pages in Japanese full of affiliate links to stores selling fake merchandise.
  • Malicious code/viruses. If malicious code or a virus is inserted into your site, your site may well go down, or you could be unable to access it. You may find that all your hardware is also affected.
  • Denial of Service (DoS). Hackers use bots to overload a website with requests and crash the server it’s on.
  • Phishing. Scammers contact your clients pretending to be part of your business and using your branding in the hope of finding personal information.


krs lambiase headshotWe asked Krys Lambiase, Senior Product Marketing Manager at Endurance International Group (EIG), the parent company of web hosting giants Bluehost and HostGator, to share his insights on website security with us and our readers. You’ll find quotes and tips from Krys throughout this guide – first off, though, Krys reveals the biggest security risks to new websites:

“Outdated software. Website owners need to stay on top of updates to WordPress and other CMS’, plugins, and anything else that requires an update. In addition to fixing bugs or glitches, software updates typically include security improvements or patches. Hackers will always be searching for ways to capitalize on software vulnerabilities. These days, many cyber attacks are automated. Criminals use bots to scan websites that are vulnerable. So, if you’re not staying up to date on the latest software versions, it will be easy for hackers to identify your website before you can do anything about it.”

So now you know what a hacked website looks like, it’s time to look at the seven ways to prevent yours becoming one:

Install SSL

One of the easiest things you can do to protect your website, yourself, and your users, is to install an SSL (Secure Sockets Layer) certificate. You may not realize it, but you come across SSL all the time when you browse the web – it’s the reason for the “s” in “https”, and the padlock in the address bar.

securing a website https
Good to know…

SSL stands for Secure Sockets Layer. You install an SSL certificate on your website, and it encrypts data (such as login details) passing between your site and your visitors. There are different levels of SSL – ecommecre sites processing payment details, for example, should use a more advanced version.

Want more? Get more detailed insights into what an SSL certificate is with our dedicated guide.

SSL encrypts information passing between your website and your visitors. Google now warns visitors when they’re entering a site without SSL, and even “discriminates” against those sites in its search results.

It’s especially important to have SSL security if you’re accepting payments through your site, asking for login details, or transferring files. Without it, the data is unprotected, and vulnerable to hackers. 

Krys Lambiase emphasizes the importance of SSL for securing websites – especially online stores:

“An SSL certificate is a must-have if you run an eCommerce store or collect visitor information, like emails, on your site. In addition to boosting SEO, SSL certificates prove that any data your visitors send to your site is using an encrypted channel, so hackers can’t see it while it’s in transit.”

how to secure a website hostgator free ssl
The hosting provider HostGator includes free SSL security on all its plans. Here, it shows the importance of SSL.

It’s not important for you to know the technical ins and outs of SSL security, so don’t worry if you don’t really get how it works. The most important thing is to know that your site needs SSL, and how to go about getting it.

There are multiple ways to install SSL. The three main ways we suggest are:

  1. Choose a good quality website builder that includes SSL for free
  2. Choose a hosting provider (such as HostGator) that provides a free SSL with all plans (if you’re building your site with a content management system, such as
  3. Install a basic Let’s Encrypt SSL for free yourself

If you want a much higher level of security, you’ll need to pay for an advanced SSL certificate. These vary in price, and you can buy them from hosting providers, or domain registrars. Unless you’re running a large online store, or handling large amounts of sensitive data, the free version of SSL will probably be sufficient.

For more details about how to get an SSL certificate for your website, explore our dedicated guide.

It’s also important to renew your SSL certificate when it runs out (usually after one year), in order to keep your site secured consistently, so be sure to set a reminder for when your SSL expires!

Did you know? 

Hacking is the number one method of data breaches online, accounting for 61.9% of lost information. More than 8 billion records have been lost because of hacking.

Further Information

Use Anti-Malware Software

“Anti-malware software” might sound like a lot of jargon, but the good news is that anti-malware software actually does the hard work for you – so you don’t need to worry about any of the technical stuff.

There are plenty of different anti-malware options out there. Some have free plans – like Bitdefender Antivirus Free – while others you have to pay for, such as SiteLock.

SiteLock is used by over 12 million websites, and offers different packages that provide varying levels of protection. This means you can tailor your security to your site’s needs, as well as your budget. Some of the security services it provides include:

  • Web scanning
  • Malware detection and removal 
  • Web application firewall
  • Vulnerability patching
  • DDoS protection 
  • PCI compliance

If you don’t know what all this means, that’s okay – that’s what anti-malware software is there for!

how to secure a website sitelock anti-malware software
SiteLock is the global leader in website security, and is a popular anti-malware software that often comes included in hosting plans.

A good quality website builder or hosting provider should look after your site’s security for you. Hosting providers often include anti-malware software as part of their plans – some even throw in paid services like SiteLock for free!

Other providers include a built-in set of tools – InMotion, for example, includes a security suite on its cheapest plan. This is made up of:

  • Free SSL
  • Hack protection
  • Automatic backups
  • DDoS protection 

These are the security basics for your site, and the features you should look for whenever you’re looking at picking a hosting provider. Whether your provider comes with tools built-in, or offers extra freebies such as SiteLock, anti-malware software gives you a welcome extra layer of protection.

Good website security starts with a good web host, as Krys Lambiase points out:

“Web hosts are the backbone of your website.  They help you get online and often provide additional tools for your website giving you the power to build a website with the look and feel you need. Quality website hosting providers have protocols in place to protect WordPress, and other content management systems, they host such as automatic security patches and updates. It’s the hosting provider’s job to maintain their servers and to implement essential security monitoring.”

Did you know? 

A DDoS attack could cost a small business up to $120, 000 – and if you’re in finance or retail then you’re especially at risk. Nobody is safe, though – Cloudflare reported that in Q2 of 2022, network-layer DDoS attacks increased a whopping 109% compared to the previous year!

Make Your Passwords Uncrackable

Passwords. They’re so familiar that we can sometimes forget just how important they are. It’s easy to overlook the fact that often, your password is all that’s standing between a hacker and your personal information.

Not only are passwords a vitally important step, but they’re also one of the easiest things you can change to increase the security of your website. Spend just 20 minutes today making your passwords stronger, and you’ll be on your way to a more secure site. 

Did you know? 

40% of surveyed small business respondents said that their company suffered an attack due to employees’ passwords being compromised. The average cost of each attack was just over $380 thousand!

A survey carried out by the UK’s National Cyber Security Center analyzed the most common passwords used by accounts that had been breached across the world. They then put together a list of the top 10 most hacked passwordsif you’re using any of the following, it’s time to change it (like, right now)!

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345

Instead of using easy to guess phrases, here are some things you should do instead:

  • Combine three random, unrelated, but memorable phrases
  • Use a randomly generated sequence of characters
  • Don’t reuse passwords – use a password manager to keep track of them all
  • Make your password long
  • Never use personal information in your password – it’s the first thing hackers will try!

There’s a seemingly endless list of password tips out there, and you should combine a few of these tactics to create uncrackable passwords. Once you’ve got your shiny new bulletproof passwords, be careful with them – do not share them around, even with friends, and do change them regularly (about once every quarter).

Keep Your Website Up to Date

We’re not talking about posting the latest gossip, or keeping your visitors in the loop with your newest product. This is about the importance of keeping your website’s software up to date.

If you use a website builder, you don’t need to worry about this so much, because most builders will handle software updates and security issues for you. However, if you’re using a platform such as WordPress, you need to be totally on top of things and running updates when necessary.

You need to run updates for your WordPress core software, as well as any plugins you’ve installed. If you don’t, then it can all become outdated and vulnerable to bugs, glitches, and – worst of all – hackers wielding malicious code.

Did you know?

Cybercrime will cost the world $10.5 trillion annually by 2025!

The good news is, you should be able to set these updates to happen automatically in your dashboard – but it’s still worth keeping an eye on and making sure everything is running smoothly. Letting your site become outdated can be a fatal blow in terms of security, so it doesn’t hurt to be vigilant about staying on top of updates.

Good to Know… When you’re choosing plugins for your WordPress website, be careful about the quality. Plugins can be built by anyone, and poor quality ones can contain bugs or malicious code. Read reviews, look for trusted developers, and check out the plugin thoroughly before clicking Install.

Find out more

  • If you’re using WordPress, it’s essential to keep your site up to date and secure. Discover the Best WordPress Hosting Providers to give your site the best start in life.
  • Read our detailed Bluehost Review to find out why WordPress itself recommends it for your WordPress website – and why we do, too!
  • Explore our comprehensive guide to securing your WordPress website from threats and malicious attacks – among other things!

Don’t Help the Hackers

We know, this sounds like a total “duh” moment. Well, obviously I’m not going to hand over my details and let my site get hacked – that’s the whole reason I’m reading this article! The trouble is, people are still – through no fault of their own – falling prey to scammers and unknowingly giving away important information about themselves.

Did you know that 92.4% of malware is delivered via email? That makes it the number one method of attack, and means you should always be on the lookout for anything unusual in your inbox.

There’s always more tech you can put in place to protect your website, but you mustn’t forget that 95% of cybersecurity breaches are due to human error. Protect your website by being on your guard, and being suspicious of texts, emails, or phone calls asking for personal information.

It sounds simple enough, but scams are growing ever-more sophisticated. Here are five things you can do to make sure your website doesn’t open the door to unwelcome visitors: 

  1. Beware of public or open internet connections if you’re working in a shared space like a cafe – they won’t be secure!
  2. Never click on links in emails that seem suspect – delete the email straight away! This is still important if you’re using a professional email connected to your website, rather than a personal one.
  3. Be careful who you grant access to your website – check admins are people you can trust, and make sure they’re security-conscious.
  4. Change the default settings, passwords, and usernames of your site as soon as you’ve set up your account – this is especially important for WordPress sites.
  5. Only trust verified professionals to access your site. For example, scammers sometimes want to take control of your screen under the pretense of fixing a technical issue.

You get the idea. We know this seems like common sense, but phishing emails are becoming increasingly realistic – so stay on high alert!

Manually Accept On-Site Comments

Is there a better feeling than hitting publish on your site and then seeing comments start to roll in? It’s proof that people have actually visited your site – and enjoyed it.

Comments are the perfect way to measure engagement, provide social proof to other visitors, connect with other people in your niche, and even take on constructive feedback. We love receiving comments, and you should too!

However, there are always those comments that aren’t quite so fun. Bots, fake accounts, and trolls are ready and waiting with a silly comment or spammy link. At best, it’s annoying – at worst, it can pose a security risk to you and your users. 

If people can post comments directly to your website, there’s a chance that malicious links might sneak into the comments section. This is particularly dangerous for your website’s visitors, who might click on the link and risk exposing personal data or accidentally install malware.

Website Builder Expert comments
Comments sections are a key way to build an online community but they can also be an easy way for hackers to target your website too.

To combat this, you can change your site’s settings so that you need to manually approve comments before they appear on your site, giving you the chance to delete any spam. Other ways to reduce these malicious links include:

  • Use an anti-spam software or plugin (such as Akismet for WordPress users)
  • Ask visitors to register before they can start commenting
  • Turn off comments on posts after a month or two

These tactics should keep your comments section a safe, fun, and happy place for both you and your visitors, and keep hackers and their malicious links on the outside.

Run Regular Backups

Following each of the steps we’ve outlined so far will help you to stop hackers in their tracks. But don’t take your site’s security for granted – just like having a safety net beneath you is a good idea when walking a tightrope, running regular backups of your site just makes sense.

Creating backups of your website ensures that if the worst were to happen, you’d still have a recent version of your site stored safe and sound, and ready to be relaunched.

A backup is essentially a copy of your website data – such as files, content, media, and databases. If you have a large or complicated website, you’ll need a larger amount of backup storage to save all of your data.

Krys Lambiase explains why backups are a good idea:

“If your business website site is hacked, you need a way to get up and running again fast so you don’t miss out on customers. Get an automatic site backup service like CodeGuard, and you can quickly restore the most recent uncorrupted version of your site if something goes wrong. Make sure that whichever service you choose runs daily backups, so you don’t have to go back to an out-of-date site version in case of a crash.”

So, how can you go about backing up your site to keep things running smoothly? Well, there are multiple ways to backup your website, including:

  • Use a backup service such as CodeGuard or Sucuri, which does the work for you at a price.
  • Use a web host that includes backups in its plans, like A2 Hosting. Some hosts have backup software built-in, or available as add-ons. However, these can have limited storage, so we usually recommend not relying on them for all your backup needs.
  • Use a WordPress plugin such as UpdraftPlus or VaultPress. WordPress users can simply install their chosen plugin and manage their own backup preferences.
CodeGuard is a great tool to keep your website backed up.

Using a backup service is usually the safest and most reliable way to go. Still, whichever backup method you choose, there are some important things that you should always look for: 

  1. Off-site backups – this keeps your data far away from hackers in a secure, off-site location rather than in a normal server. This also protects your backups from hardware failure.
  2. Automated backups – remember when we said that 95% of security breaches were through human error? Don’t forget to create backups and pay the price – by automating this process you can simply sit back and relax.
  3. Redundant backups – this means your website’s data is stored in not just one, but multiple server locations. Think of it like having backups or your backups!
  4. Regular backups – it’s no good if you’re only running backups once per year. If a hack attack strikes, you’ll be left with an outdated version of your site. You should aim for weekly backups at the very least. 

The more frequently you update your website, the more frequent your backups should be. We recommend erring on the side of caution, though – if you come under attack, you’ll never be sorry that you backed up your site too much!

Protect Against Cross-Site Scripting (XSS) and Injection Attacks

Cross-Site Scripting (XSS) is a vulnerability that allows attackers to compromise interactions users have with a vulnerable application.

XSS vulnerabilities will usually allow the hacker to pose as the victim, carrying out all of the actions the user is able to perform and accessing their data.

This is a particularly worrying type of attack if the user has admin powers on your website, because the hacker may be able to mimic these too, gaining full control of the website’s function and data.

XSS attacks occur by manipulating a vulnerable website so that it returns malicious JavaScript to users. Once this is executed in the user’s browser, the hacker is able to totally infiltrate the user’s interactions with the website.

There are three main types of XSS attacks:

  • Reflected XSS – malicious script comes from the current HTTP request.
  • Stored XSS – malicious script comes from the website’s database.
  • DOM-based XSS – the vulnerability exists in the client-side code rather than the server-side code.

Injection attacks allow attackers to inject code into a program or query or inject malware into a computer in order to execute remote commands.

The impact of these attacks depends on the nature of the application and user that has been breached. For example for websites that host large amounts of data or users who have full admin controls, the impact can be catastrophic.

In order to protect against XSS and injection attacks, you need to:

  • Encode data on output
  • Validate input on arrival
  • Use prepared statements or parameterized queries

Implement Web Application Firewalls (WAFs)

A Web Application Firewall (WAF) helps protect websites by filtering and monitoring HTTP traffic between the website and the internet.

A WAF will usually be used as part of a suite of tools to offer robust cyber-security and while they don’t protect from all types of attacks they can stop cross-site forgery, XSS, file inclusions, and SQL injections.

A WAF is effectively a shield that is placed in front of the web application, protecting the server by having users pass through it before they reach the website.

WAF’s will usually operate on either a blocklist, allowlist, or a hybrid of both. A blocklist works by blocking known attacks while an allowlist operates by only admitting traffic that has been pre-approved.

There are things to consider when implementing a WAF however. Network-based WAFs, for example, are installed locally to minimize latency, however they are the most expensive option and require extensive storage.

A host-based WAF, meanwhile, is integrated into an application’s software making this a less expensive option and giving you more customization options. The downside to this option, however, are the extensive maintenance requirements.

Then there are cloud-based WAFs that are affordable and easy-to-implement. Users will pay an upfront cost and then a monthly fee to a third-party.

Whichever option you chose, you’ll need to weigh up the pros and cons to find the right solution for you.

Why Cybersecurity Is Important – 3 Case Studies

#1. Twitter Bitcoin Phishing Scam

In 2020 Twitter faced a major problem when its employees became the victims of a phishing scam.

Hackers managed to gain access to 130 corporate accounts, each with at least a million followers. They weren’t just any accounts either. Accounts belonging to Barack Obama, Elon Musk, Apple, and Uber were all breached.

The hackers used 45 of these accounts to promote a Bitcoin scam which resulted in Twitter users transferring the equivalent of  $180,000 in Bitcoin to scam accounts. Following the attack Twitter’s stock price fell by 4%.

This was an example of an insider threat and highlights the importance of rigorous staff training. The hackers took advantage of Twitter staff working from home and contacted them posing as the Twitter IT department.

The hackers were able to use compromised staff accounts to gain admin controls and reset major Twitter accounts and post the scam message.

#2. Microsoft Remote Code Execution Attack

Microsoft is the company behind the email systems of some of the world’s biggest organizations  and in 2021 a cyber-attack saw the email server attacked via four separate vulnerabilities.

The hackers had managed to identify four zero-day vulnerabilities that the server and its security services hadn’t spotted, allowing them to totally compromise the full server.

They were able to access sensitive data, inject ransomware, and deploy backdoors in a way that was almost untraceable.

The whole attack was a total headache for Microsoft and shows that even one of the biggest tech brands in the world can fall victim to an attack.

The hackers were able to compromise the accounts of more than 60,000 private businesses and nine government agencies. Yikes.

#3. Costa Rica Government Forced to Call a National Emergency

Highlighting just how big cyber attacks can be, in 2022 one of the most talked-about cyber attacks took place.

The Costa Rica Government was targeted by a huge attack that impacted the finance ministry, government institutions and private import-export firms. The attack was so large it was the first time a country declared a national emergency in relation to a cyber security incident.

The hackers set a ransom of $20 million and the attack is the perfect reminder that vulnerabilities can end up being very costly indeed.

Find Out More

Check out our full report on Cybersecurity Statistics for more information on cyber attack risks, costs, and trends by industry and attack type.

How to Secure a Website: Summary

Good website security starts with you – choosing a reliable website builder or hosting provider, making sensible choices about how you run your site, and putting in the extra effort to make passwords secure.

And we’re here to help you along the way!

Hopefully you’ve learned how to secure a website, and have found it’s not as hard as you first thought. You don’t need tech skills or a huge budget to make your website secure – as our list has shown!

We’ve outlined the nine steps you can take to start securing your website. This is by no means an exhaustive list, however – there are plenty more tips, tricks, and tools you can use to better protect your website. You can find easy, actionable steps to follow in our website security checklist next!

If you’re a WordPress user, you can find plenty of security tips in WordPress’ support pages. Sucuri is another great resource, with a huge wealth of guides, infographics, and courses to help you confidently secure your website.

For now though, start out by following our simple steps…

How to Secure a Website: 9 Simple Steps

  1. Install SSL. An SSL certificate is an essential for any site. It encrypts information passing between your website and your visitors.
  2. Use anti-malware software. Use a software like SiteLock to scan and protect your site from malicious code.
  3. Make your passwords uncrackable. Use a random combination of letters, numbers and symbols when possible.
  4. Keep your website up to date. Install any software or plugin updates as soon as they become available.
  5. Don’t help the hackers. Watch out for phishing emails.
  6. Manually accept comments. This allows you to trash any that are spam before they go live.
  7. Run regular backups. If your site does get hacked, this way you’ll have a recent version to reinstall.
  8. Protect against cross-site scripting and injection attacks – understand what they are and how to protect yourself.
  9. Implement web application firewalls – form a shield between your website and the internet.

If you already have a website, the first step now is to check if you have an SSL certificate installed. You’ll know if you don’t, because your web address will start “http” instead of “https”. You should also check your passwords, and make sure they’re strong enough to stand up against attacks!

Fortunately, SSL certificates are easy to obtain, and relatively cheap to purchase – although we’d recommend finding out exactly how much an SSL certificate costs before reaching for your wallet!

If you haven’t started building your website yet, then the most important step for you to take next is to choose a good quality website builder or hosting provider, depending on how you want to build your site.

If you need help choosing the right one, we can help – we have reviews of the Best Website Builders and the Best Web Hosting Providers to make sure you find your perfect match.


Frequently Asked Questions

Yes! Even if your site is small and doesn’t make any money, securing your site is essential. It’s a question of protecting your own data, and that of your visitors.
Website builders are typically far more low maintenance when it comes to security. That’s because you’ll automatically get any updates, and most throw in an SSL certificate for free. That said, they’re certainly not invincible, and it’s important to still create strong passwords and watch out for phishing emails.
We’ve outlined some specific types of attack above, but essentially a hacked website could lead to: denied entry to your site, data breaches, identity theft, fraud, your site going down, the content of your pages being altered, and the list goes on.
Written by:
Lucy Carney is a Content Manager at Website Builder Expert, specializing in website building, ecommerce, and digital marketing. Previously working as a Writer and then Senior Writer on the brand, Lucy has 6 years of hands-on experience testing web building platforms including Wix, Squarespace, and Shopify. Lucy is passionate about using her knowledge to help small business owners build their online presence and achieve their goals. She’s reported on industry trends over the years, attended events such as the eCommerce Expo, and advised readers directly with over 400 comment replies on the site to date. Her work has also featured on other online publications such as the Shopify Partners Blog, Usability Geek, Serpstat, and Open Source, and has over 100 articles published on the Website Builder Expert blog.


Your email address will not be published. Required fields are marked *