In this interview roundup, we will show you how to secure and protect a website, according to 38 experts.
Website hacking is a menacing cyber threat that occurs daily in cyberspace.
So, we consulted several cybersecurity experts, top executives, and even website owners who have previously experienced website hacks.
Then, we asked them the golden question: How do you secure and protect a website?
And we got valuable responses from them.
READ ALSO: Web Security Guide: Keeping Your Website Safe
Table of Contents
38 Ways To Secure And Protect A Website
1. Stuart Cooke from Evalian Cybersecurity Consultancy Firm
To secure and protect a website, you must limit the number of people you give access to. The more individuals have access to your website, the more likely their IP addresses are to be targeted by hackers.
Of course, for large organizations, it’s often necessary for a lot of people to log in to the back end of a website, and if that’s the case, then I would recommend being careful with the roles you grant.
Keep full admin access for the very few people who will require it regularly; for the rest, author, editor, or read-only access should suffice.
2. Dusan Stanar From VSS Monitoring
My most significant advice is to limit client access to the website. This means you determine how often a user can request a page over time. For example, maybe they can only access ten pages every 30 seconds.
This helps prevent automated hacking and scripts meant to hack your website, which requires them to be able to access your site thousands of times a minute. Doing so will drastically increase your security and reduce the risk of being hacked.
3. Jeff Neal, Owner of The Critter Depot
I am a big proponent of 2-factor authentication. Using two separate methods is a great way to force anyone to verify their identity. However, sim swapping has recently caused a lot of problems for people. This proves that 2FA is unsuitable if people rely on text messages or phone calls to verify their identity. Sim swapping is where a hacker successfully switches the target’s mobile number onto their device.
Then, when the hacker logs into their target account, the hacker will receive a text message or phone call with the secret code, allowing the hacker access to the target’s account. The best way to prevent this is to use a code generator app that changes the numbers every 30 seconds.
4. Saqib Ahmed Khan, Digital Marketer at PureVPN
The first and foremost necessity is to install an SSL certificate to secure and protect a website. Any website without HTTPS doesn’t encrypt data. Keep the plugins or any software for your website up to date because vulnerabilities are discovered from time to time.
Use two-factor authentication to provide specific data because the website administrator requires more security than a regular user. Store passwords in a hashed form, not plain text; if a data breach occurs, the passwords will still be secured.
Always validate inputs on your website because cross-site scripting and SQL injection attacks occur daily. Maintain timely backup mechanisms for your website because anything can happen in the real world.
5. Ashley Simmons, Webmaster at Avoid the Hack!
I recommend that all websites should force their HTTPS version at the server level:
HTTPS encrypts data sent to and from your web server(s)
Forcing HTTPS on the server level (for example, Apache) ensures that all versions served are secure
HTTPS helps protect against eavesdroppers
Without HTTPS, many browsers will encourage visitors not to interact with your site
Using HTTPS improves SEO (search engine optimization)
Forcing HTTPS at the server level means all visitors get directed to the secure version.
6. Per-Erik Eriksson, Author of VPNetic.com
Besides securing your website with proper hosting, firewalls, and anti-malware software, the best thing you can do for your website security are the following:
- Enable Multi-Factor Authentication.
- Use a strong password AND username.
- Never click links in emails.
People often overlook these things because they will never slip up. Social engineering is the most common hacking method today, yet it rarely gets the attention it deserves.
7. Jessica Rose, CEO of Copper H2O
Since many of us work remotely and there is a greater chance of getting hacked due to less secure home office computers, ensuring your online systems are protected is more critical than ever.
Our #1 for businesses is to activate two-factor authentication on their website and related accounts. When started, no one can log into your website or accounts unless they know your password and the security code sent to your smartphone at the time of login. This method costs nothing and dramatically increases your website’s and business’s security.
8. Tom Winter Tech Recruitment Advisor & Co-Founder at DevSkiller
The strength of passwords is often neglected as an essential security factor. Sometimes, even experienced IT professionals will set weak passwords for admin accounts, exposing your entire website to outside attacks.
To prevent this from happening, insist on strong passwords for your admin panel and external users. If you have any logging option on your website, require all users to use different characters when creating a password. That way, you can secure and protect a website.
9. Hary Toledo, Strategic Partner at CenturyLink
Distributed denial-of-service (DDoS) attacks, the weapon for cybercriminals targeting Internet-based business sites, can cause prolonged outages for services like eCommerce, online bill pay, or VoIP telephony. These attacks can be devastating if you rely on web-based transactions to generate even a tiny portion of your revenue.
When users access websites, their requests are routed to the corresponding servers as appropriate during legitimate web use. However, the infrastructure (servers, routers, firewalls, switches, and circuits) can only process a finite amount of traffic. When that limit is reached, additional requests cannot be processed.
In a DDoS attack, hackers overwhelm targeted servers with many requests from a host of separate computers, blocking legitimate server access. A DDoS attack can be so enormous that it completely overwhelms routers, network links or servers — rendering the location unavailable for all Internet use.
10. Artur Yolchyan, Expert Software Engineer & Owner of Coding Skills
To develop a secure website, you should measure 10 OWASP protection for your website. To successfully do it, you should use a mature web development library such as Spring Security to reduce the risk of your website being attacked.
I recommend using already existing and well-tested security frameworks to protect your website and hiring experts to configure these frameworks.
11. Greg Scott, Author and Cybersecurity Professional at Infrasupport Corporation
My Ukrainian friend, Ihor, offered to penetrate my website a few years ago, and I agreed. What could he possibly find? After all, I am a professional… Every time I get cocky, I learn a lesson in humility. It took him only a few minutes to find a directory I had neglected to lock down from directory listings. I was embarrassed and angry and considered not fixing it. And so I can identify with people faced with the same stress on a larger scale. But after feeling sorry for myself, I did my homework and fixed it. I’m grateful to Ihor for his work. Embarrassment is better than penetration.
12. Stacy Clements, Owner of Milepost 42
Keeping the software updated is one of the most essential actions to secure and protect a website. This is especially important if you’re running a CMS like WordPress, Joomla, or Drupal, as these systems depend on multiple software packages for functionality. However, any website runs on a web server, and it’s just as important (and often overlooked) to ensure the software on that server is updated.
Another crucial component of securing a website is protecting access to the site. Use the principle of least privilege to ensure access is restricted to the lowest possible level and enforce strong passwords and two-factor authentication.
13. James LePage, Founder & CEO of Isotropic Design
The most effective thing a WordPress website owner can do to secure their site is install a plugin called Wordfence. Wordfence is a free web application firewall and malware scanner. This tool blocks all IP addresses the company has maliciously by logging in to your WordPress website’s admin dashboard, preventing brute force attacks.
You can set up two-factor authentication and incorporate Google’s reCAPTCHA bot protection system. The tool will also periodically scan the files that make up your website for any malicious code. If it identifies any files that shouldn’t be there, it will automatically delete them.
As an agency, we use this WordPress plugin on all our websites. It’s a free tool, is automatically installed and configured, and is the most comprehensive security solution for WordPress websites.
14. Rahul Gulati, Founder of GyanDevign Tech Services
This is a no-brainer, but people pay little attention to this. It is still a pity to find people having passwords like “987654321†or “admin12345â€. A WordPress user with a weak password is an open door for hackers. The lowest point on a website is your password; the stats are apparent. A Linux-based computer produces 350 billion guesses/second. So, there are a lot of chances for your password to be one of them.
Wordfence has to say that there have been six million attacks on WordPress websites in 16 hours. A strong password will keep you out of reach of such malicious threats. You can also see why WordPress emphasizes a stronger password as well.
Password strength meters are a simple add-on you can opt for. Just add the following line to your functions.php file.
wp_enqueue_script( ‘password-strength-meter’ )
Usually, the combination of 2FA is a username with a password or username with a HOTP. This OTP usually lasts for a minute, keeping the window very short.
The real advantage of 2FA is the integrated device to secure the WordPress website. Hackers cannot get through without the OTP, even when they get hold of your credentials,
15. Pushpraj Kumar, Business Analyst at iFour Technolab
You can add a security socket layer (SSL) to your website with HTTPS, a protocol that allows you to send secure communication over your computer network. You can shield your website against SQL injection.
Regularly watch your email transmission ports; you can also check your communication ports under email settings. Don’t allow highly suspicious file uploads. Invest more in website vulnerability scanners that will identify technical weaknesses on your website. Confidentiality refers to access control of information to ensure user authentications and access control components.
16. Samuel David, Founder of Smart Home Vault
For WordPress users (who represent about 20% of self-hosted websites globally), I’d recommend installing the Wordfence plugin. Wordfence plugin is a security plugin and has free and paid plans. Besides being an automated tool, Wordfence is straightforward hence ideal for users who aren’t tech-savvy.
Depending on settings, Wordfence will block an IP address for 4 hours after five failed attempts. For every failed attempt – and other issues detected (like plugins with security risks) – Wordfence will notify by email. Still talking about email alerts, I like that Wordfence is big on updates/news about the vulnerability and risks of Wordpress and Wordpress plugins. That way, users can act just in time.
17. Abdul Rehman, Cybersecurity Editor at VPNRanks
The one website security tip I’d like to give you is setting up a web application firewall like Sucuri on your website. A WAF is essential for your website security as it filters and blocks malicious and harmful traffic.
You can also block and allow specific types of traffic as you desire. It’s essential since it prevents harmful injections and hack attacks that can harm your site and the data it holds.
18. Bruce Sigrist, Web Developer + WordPress Specialist at Phase Three Goods
To secure and protect a website, be thorough and uncompromising.
On thoroughness… it’s easy to disregard crucial parts of website security because the jargon is new or the setup looks cumbersome. From 2-factor authentification to firewalls and IP-limited logins, these steps might seem overwhelming to non-specialists. Hackers and spambots are determined; every obstacle you throw at them will reduce the likelihood of a breach.
On being uncompromising… while searching for security improvements, you might find limitations in your site’s build or hosting environment. Don’t be afraid to switch hosts or frameworks if circumstances limit your site security.
19. Noman Nalkhande, Founder of WP Adventure
I take the utmost care to ensure no gaping loopholes for a security breach to occur. Since WordPress is hugely popular, some fantastic plugins are built primarily to serve this purpose.
Sucuri and WordFence are extremely popular and do a great job. Besides using a security plugin, I’d also advise keeping your WP themes and plugins up to date with the latest versions. Changing the default login URL from /wp-admin to something more unique using a plugin like ManageWP or adding a few lines of code directly in the .htaccess file is also wise.
20. Juan Pineda, Partner at Sofyma
Most attacks on business websites are happening because three aspects are disregarded: hosting security, website software maintenance, and password strength.
If possible, you should opt for a robust hosting platform that isolates the live environment from any server access. This guards against unauthorized updates that can result in compromise.
Independently of the hosting provider, it would be best to use strong passwords to access your server, control panel, or website management system.
Another essential aspect to consider is keeping your platform software updated. If you are not using a managed hosting provider, you should stay current with security releases for the operating system, SSL software, programming language, and database you use.
If you use a content management system or framework for your website, you should also keep it updated with the security releases published by the community.
21. Chris Love, Owner of Love2Dev
Using HTTPS for all communications is a no-brainer today. It was once complicated and expensive. Today, it takes about 30 seconds and is free.
A common mistake I see is improper use of identity for authentication. Many websites incorrectly use identity to block access to sensitive account data. Often, applications are brought to me. API APIs are not secured, and direct access to the database can be had with direct calls to the exposed API endpoints.
Another recommendation I am making more and more is using biometrics and passwordless authentication. Here, only verified tokens are made available to the application. The user’s device verifies the identity with facial recognition or fingerprint analysis. It is hard to crack, and storing a password hash is unnecessary.
22. Jessica Rhoades, Owner and Designer at Create IT Web Designs
Most people think that web security is just installing a WordPress plugin.
It is more than that. It is forming a plan around your website. First, do you take regular backups of your website and keep them off the webserver? Keeping a backup is critical to protecting your data.
Secondly, are you updating your plugins on a regular schedule? Vulnerabilities in plugins are constantly being discovered.
Lastly, do you have any subdomains, and are you updating and scanning those regularly?
An old test server on a subdomain that a customer forgot about was how one of my customers was hacked. The subdomain plugins were not updated for over two years and were hacked. Since they could get into the subdomain, it affected the main website. We quickly resolved the security with the subdomain, but the main website was down for about 6-8 hours.
23. Nir Kshetri, Professor at the University of North Carolina-Greensboro
Many strategies must be used to secure and protect a website, but I would emphasize two things. First, companies should practice extreme precautions and safeguards if they allow others to upload files through their websites to ensure that no malicious files are uploaded.
Moreover, if users upload too big files, they can bring the website down. An option to keep the website secure would be not to allow file upload.
However, this is not a practical strategy for many companies. Companies should allow uploads to support only one or a few file types. They can set up an email address and list on their Contact Us page to submit other file types. They should also limit the file size to avoid DDoS attacks and scan received files for viruses and malware.
Second, if the website stores passwords, it is critical to hash passwords and employ a more muscular hashing function (e.g., bcrypt) rather than a simple function (e.g., SHA1). In this way, even if hackers can penetrate a company’s network, it will make it difficult to steal passwords and use them for nefarious purposes.
24. Michael Miller, CEO of VPN Online
As a security evangelist, one tip I always preach is to update everything! Your first line of defence will always be your antivirus, operating system, hardware, and passwords. Make sure you religiously update them. As an added insurance, keep offsite backups. The easiest way to fix a problem is by restoring to a previous backup.
25. Nelson Sherwin, Manager of PEO Companies
Did you know your domain name is a target?: My one tip is to not forget about your domain name. It can be a massive attack target, so you must prioritize its security. A registrar with security as a primary focus is a great first move. It would be best to look into adding a domain lock and setting up multi-factor authentication for extra steps to ensure it is kept safe.
26. Chase Higbee, Lead IT Strategist at Atlantic.Net
The key to website security is to minimize the attack surface of the website infrastructure and place controls over how network traffic reaches the website.
Exposing only the front-end web server(s) to the public Internet using a DMZ is critical in logically positioning application and database servers behind additional firewalls.
Protect the front end by proxying TLS traffic through a secured web gateway and create strict security policies to manage end-to-end traffic inside the perimeter network.
27. Jon Rasiko, Managing Director at DeepCode
Starts with the basics. Ensure you take the time to carefully configure your web server using cryptographic solid parameters, a necessity for many frameworks such as PCI-DSS or HIPAA.
Learn and implement web security headers like the Content-Security-Policy header to mitigate some of the top 10 OWASP security issues. Secure your cookies with the proper flags, such as ‘HttpOnly’ and ‘Secure’.
One last piece of advice: protect your code repositories by removing passwords and tokens and cleaning up non-essential files on your production web servers.
28. Kyle Hrzenak, President & CISO at Green Shield Security
Some of the best ways to secure a website are as follows.
SSL – An SSL is essential because it ensures data safety if you protect SSLv3 Poodle.
Use website penetration software such as Acunetix Web Vulnerability Scanner. Tools similar will provide errors currently on your website or web server and provide documents to fix those issues.
29. Alex Artamonov, Cybersecurity Specialist at Infinitely Virtual
If a website is hosted in a shared environment, back-end server security is the hosting company’s responsibility. Security lies with the owner if the server is hosted within a private environment.
Special attention must be paid to front-end and back-end code in both cases. Many interactive websites have opted to use both pre-written and custom JavaScript libraries. It’s essential to ensure the code doesn’t include unwanted functionality when using public libraries.
With a website hosted on a private server, additional vigilance – e.g., an effective patch management policy – is essential. Likewise, close any unused ports, turn off filtering of any remote management ports, use secure passwords, and run regular vulnerability tests.
30. Nicholas McBride, Cybersecurity Consultant at Ecuron
When securing a website, four basic steps will prevent most attacks.
First, check that all permissions are correctly set. One of the most common avenues of attack is via improperly set file permissions, allowing attackers to view sensitive files or upload their own.
Second, ensure that HTTPS is adequately enabled and strictly required for all domains and subdomains.
Third, configure DNS properly to prevent the possibility of DNS hijacking.
And finally, patch your server and operating system software promptly. These four steps will do the most to keep your website secure.
31. Lumena Mukherjee, Cybersecurity Consultant at SectigoStore
Website security is often assumed to be the responsibility of hosting providers. However, that’s not the case. Securing the site is the site owner’s responsibility. The tips below can get you started in the right direction:
Run regular vulnerability scans and perform manual web application security assessments to identify and fix security weaknesses before a breach.
Use an SSL/TLS certificate to encrypt the communication between client browsers and your webserver to guarantee that no data is transmitted in plaintext.
Back up your website automatically using a third-party platform regularly to minimize the impact of any issues.
32. Vladlen Shulepov, CEO at Riseapps
It’s true that to provide website security, there should be a strategy in place. First, data encryption is one of the most important ways to protect a site, so such a well-known measure as an SSL certificate must be used.
Any framework, cloud service, firewall, etc., used in the development process should be trustworthy and safe, and the same applies to servers. Multi-factor authorization is the most secure choice if there is a login option. If an intrusion occurs, a data breach protocol can help minimize the damage.
33. Joe Tuan, CEO of Topflightapps
Our WordPress site has been recently hacked multiple times. In response, we are applying Cloudflare rate limiting. It can help determine excessive requests for specific URLs or an entire domain.
On top of that, we took stock of all external plugins we installed on our site and removed those posing a threat: no longer updated and used.
34. Maxim Ivanov, CEO of Aimprosoft
Besides standard website security measures, such as reliable hosting, patching all applications on the webserver to the latest version, etc., use more enhanced precautions.
Firstly, choose a firewall to secure your servers and restrict access to all undesirable ports except those that should be available (e.g., 80 and 443).
Secondly, use WAF (web application firewall) to secure your app from outside attacks, such as SQL injections, XSS (Cross-Site Scripting) attacks, file inclusion, etc. Remember that there are special services, such as Cloudflare, that function like reverse proxy, provide WAF and DDoS mitigation, and take care of website security for you.
Finally, security audits of a web application code are conducted to minimize its vulnerability and configure fuzzing using a tool like Fail2ban.
35. Swapnil Bhalode, Co-founder and CTO of Tala Security
Client-side vulnerabilities are the web’s weakest link, resulting in data breaches at leading global brands – and the biggest GDPR OK to date (BA, $230m). Known as Magecart or credit card skimming, these attacks succeed because only 1% of website owners deploy security policies that protect the client side.
The best strategy to secure websites against these attacks is to deploy browser-native security controls such as CSP, SRI, and other advanced standards.
Developed by the world’s leading web experts, like Google and GitHub, they’re constantly refined with the latest web developments. They provide the most comprehensive, future-proof protection against client-side attacks.
36. Rob Shavell, CEO of Abine/DeleteMe
To secure and protect a website as much as possible, you must use strong passwords for your server and website admin area. In addition, if your site requires a sign-in, you should encourage your users to use best password practices to protect their data.
37. Laura Fuentes, Operator of Infinity Dish
Keep your software up to date. Outdated software may prevent a leak of information. Strong passwords. Enforce a firm password policy and have users change them regularly. Every 3-4 months at most. Do not use cookies to secure susceptible information. Hackers easily manipulate them. Hold web security training for your employees. It helps them understand the importance of security and the ability to spot vulnerabilities readily.
38. Heinrich Long, Privacy Expert at Restore Privacy
There are three leading protective technologies to consider when implementing a solid web security strategy to secure and protect a website.
First and foremost, you should invest in a tremendous cloud-based firewall; Norton is a great provider with a range of products to suit almost any website. The firewall protects your website by evaluating visitors and blocking potential hackers from gaining unauthorized access to your data.
Secondly, support this with an application-level firewall that explicitly protects your site from vulnerabilities created by apps or services linked to your site.
Finally, invest in technologies to support application hardening. Application hardening is a crucial aspect of your security strategy and is required to prevent hackers’ efforts to tamper with an app and compromise your site.
Bottom Line
There you have it! Thirty-eight ways to secure and protect a website!
According to Webarx Security, about 30000 new websites were hacked daily in 2019. The most popular CMS, WordPress, is reportedly the most hacked CMS in cyberspace.
Thankfully, the interviewees have provided helpful website security tips that you can apply to secure and protect your websites.
Note: This was initially published in July 2020, but has been updated for freshness and accuracy.
RELATED POSTS
- Most Effective Cybersecurity Strategy For A Small Business [We Asked 45+ Experts]
- How To Be A Badass Front-end Developer
- Top Cybersecurity Trends Every Web Developer Should Expect
- 15 Best Cybersecurity Practices for Website Owners
- The Ultimate WordPress Security Guide
- Top Reasons Why Your Company Needs Custom Software To Thrive
About the Author:
Daniel Segun is the Founder and CEO of SecureBlitz Cybersecurity Media, with a background in Computer Science and Digital Marketing. When not writing, he's probably busy designing graphics or developing websites.
Christian Schmitz is a professional journalist and editor at SecureBlitz.com. He has a keen eye for the ever-changing cybersecurity industry and is passionate about spreading awareness of the industry's latest trends. Before joining SecureBlitz, Christian worked as a journalist for a local community newspaper in Nuremberg. Through his years of experience, Christian has developed a sharp eye for detail, an acute understanding of the cybersecurity industry, and an unwavering commitment to delivering accurate and up-to-date information.
Thanks for sharing this wonderful post. On my wordpress blog i use Wordfence plugin to secure my site.