In this interview roundups, we will show you how to secure and protect a website, according to 38 experts.
Website hacking is one of the menacing cyber threats that occur daily on the cyberspace.
So, we consulted several cybersecurity experts, top executives, and even website owners who have experienced website hack in the past.
Then, we asked them the golden question: how to secure and protect a website?
And we got valuable responses from them.
Table of Contents
38 Ways To Secure And Protect A Website
1. Stuart Cooke from Evalian Cybersecurity Consultancy Firm
To secure and protect a website, it's important to limit the number of people who you give access to your website. The more individuals with access to your website, the more chance there are of their individual IP addresses being targeted by hackers.
Of course, for large organizations, it's often necessary for a lot of people to need to log in to the back end of a website and if that's the case then I would recommend being careful with the roles you grant.
Keep full admin access for the very few people who will actually require it on a regular basis and for the rest author, editor or read-only access should suffice.
2. Dusan Stanar From VSS Monitoring
My biggest piece of advice is to limit client access to the website. This means that you limit how many times a user can request a page over a duration. For example, maybe they can only access 10 pages every 30 seconds.
This helps prevent automated hacking and scripts that are meant to hack your website, which requires them to be able to access your site thousands of times a minute. Doing so will drastically increase your security and reduce the risk of being hacked.
3. Jeff Neal, Owner of The Critter Depot
I am a big proponent of 2-factor authentication. This is a great way to force anyone to verify their identity using 2 separate methods. However, sim swapping has recently caused a lot of problems for people. This proves that 2 FA is not a good method if people are relying on text messages or phone calls to verify their identity. Sim swapping is where a hacker will successfully switch the target's mobile number onto their own device.
Then, when the hacker logs into their target account, the hacker will receive the text message or phone call with the secret code, allowing the hacker access to the target's account. The best way to prevent this is by using a code generator app that changes the numbers every 30 seconds.
4. Saqib Ahmed Khan, Digital Marketer at PureVPN
In order to secure and protect a website, the first and foremost necessity is to install an SSL certificate. Any website without HTTPS doesn’t encrypt data. Keep the plugins or any software for your website up to date because vulnerabilities are discovered from time to time.
Use two-factor authentication for providing access to critical data because the website administrator requires more security than a normal user. Store passwords in a hashed form not as plain text, then if a data breach occurs the passwords will still be secured.
Always validate inputs on your website because cross-site scripting and SQL injections attacks are very common. Maintain some timely backup mechanisms for your website because anything can happen in the real world.
5. Ashley Simmons, Webmaster at Avoid the Hack!
I recommend that all websites should force its HTTPS version at the server level:
HTTPS encrypts data sent to and from your web server(s)
Forcing HTTPS on the server level (for example, Apache) ensures that all versions served are secure
HTTPS helps protects against eavesdroppers
Without HTTPS, many browsers will encourage visitors not to interact with your site
Using HTTPS improves SEO (search engine optimization)
Forcing HTTPS at the server level means all visitors get directed to the secure version
6. Per-Erik Eriksson, Author of VPNetic.com
Besides securing your website with proper hosting, firewalls, and anti-malware software, the best thing you can do for your website security are the following:
- Enable Multi-Factor Authentication.
- Use a strong password AND username.
- Never click links in e-mails.
People often overlook these things because they figure that they will never slip up. Social engineering is by far the most common hacking-method being used today, yet it rarely gets the attention it deserves.
7. Jessica Rose, CEO of Copper H2O
Now that many of us are working remotely and there is a greater chance of getting hacked due to less secure home office computers, it is more important than ever to make sure your online systems are secure.
Our #1 for businesses is to activate two-factor authentication on their website and related accounts. When activated, no one can log into your website or accounts unless they know your password as well as the security code sent to your smartphone at the time of log in. This method costs nothing and dramatically increases the security of your website and business.
8. Tom Winter Tech Recruitment Advisor & Co-Founder at DevSkiller
The strength of passwords is often neglected as an important security factor. Sometimes even experienced IT professionals will set weak passwords for admin accounts and thereby expose your entire website to outside attacks.
To prevent this from happening, insist on strong passwords, both for your admin panel and for external users. If you have any type of logging option on your website, require all users to use different types of characters when creating a password. That way, you can secure and protect a website.
9. Hary Toledo Strategic Partner at CenturyLink
Distributed denial-of-service (DDoS) attacks the weapon of choice for cybercriminals who target Internet-based business sites can cause prolonged outages for services like eCommerce, online bill pay, or VoIP telephony. These attacks can be devastating if you rely on web-based transactions to generate even a small portion of your revenue.
During legitimate web use, when users access web sites, their requests are routed to the corresponding servers as appropriate. But the infrastructure (servers, routers, firewalls, switches, and circuits) can only process a finite amount of traffic. And when that limit is reached, additional requests are unable to be processed.
In a DDoS attack, hackers overwhelm targeted servers with a massive number of requests from a host of separate computers, blocking legitimate access to the servers. A DDoS attack can be so enormous that it completely overwhelms routers, network links or servers — rendering the location unavailable for all Internet use.
10. Artur Yolchyan, Expert Software Engineer & Owner of Coding Skills
To develop a secure website you should measure 10 OWASP protection of your website. To successfully do it, you should use a mature web development libraries such as spring security to reduce the risk of your website being attacked.
My recommendation is to use already existing and well-tested security frameworks to protect your website and hire experts to configure these frameworks.
11. Greg Scott, Author and Cybersecurity Professional at Infrasupport Corporation
My Ukrainian friend, Ihor, offered to penetrate my website a few years ago and I agreed. What could he possibly find? After all, I am a professional… Every time I get cocky, I learn a lesson in humility. It took him only a few minutes to find a directory I had neglected to lock down from directory listings. I was embarrassed and angry and considered not fixing it. And so I can identify with people faced with the same stress on a larger scale. But after feeling sorry for myself, I did my homework and fixed it. I'm grateful to Ihor for his work. Embarrassment is better than penetration.
12. Stacy Clements, Owner of Milepost 42
One of the most important actions you can take to secure and protect a website is keeping the software updated. This is especially important if you're running a CMS, such as WordPress, Joomla, or Drupal, as these systems depend on multiple software packages for functionality. However, any website runs on a web server, and it's just as important (and often overlooked) to make sure the software on that server is updated.
Another crucial component of securing a website is protecting access to the site. Use the principle of least privilege to ensure access is restricted to the lowest possible level, and enforce strong passwords and two-factor authentication.
13. James LePage, Founder & CEO of Isotropic Design
The single most effective thing a WordPress website owner can do to secure their site is to install a plugin called Wordfence. Wordfence is a free web application firewall and malware scanner. This tool blocks all IP addresses that have been identified as malicious by the company. It secures the login to your WordPress website’s admin dashboard, preventing brute force attacks.
You can set up two-factor authentication and incorporate Google’s reCAPTCHA bot protection system. The tool will also periodically scan all of the files that make up your website for any malicious code. If it identifies any files that shouldn't be there, it will automatically delete them.
As an agency, we use this WordPress plugin on all of our websites. It's a free tool, is automatically installed and configured, and is the most comprehensive security solution out there for WordPress websites.
14. Rahul Gulati, Founder of GyanDevign Tech Services
You know this is a no brainer but people pay little attention to this. It is still a pity to find people having passwords like â€œ987654321â€ or â€œadmin12345â€. A WordPress user having a weak password is an open door for hackers to walk through. The weakest point on a website is your password and the stats are very clear about it. A linux=based computer produces 350 billion guesses/second. So there are a lot of chances for your password to be one of them.
6 million attacks on WordPress websites in 16 hours is what Wordfence has to say. A strong password will keep you out of reach from such malicious threats. You can also see why WordPress emphasizes a stronger password as well.
Password strength meters are a simple add-on you can opt for. Just add the following line in your functions.php file.
wp_enqueue_script( ‘password-strength-meter' )
Usually, the combination of 2FA is a username with a password or username with a HOTP. This OTP usually lasts for a minute, keeping the window very short.
The real advantage of 2FA is the extra device that is integrated to secure the WordPress website. Hackers even when they get hold of your credentials cannot get through without the OTP.
15. Pushpraj Kumar, Business Analyst at iFour Technolab
You can add a security socket layer (SSL) to your website with HTTPS, which is a protocol that allows you to send secure communication over your computer network. You can shield your website against SQL injection.
Regularly watch your email transmission ports and also you can check your communication ports under email settings. Don’t allow file uploads that are highly suspicious. Invest more in website vulnerability scanners that will identify technical weakness on your website. Confidentiality refers to access control of information to ensure about users authentications and access control components.
16. Samuel David, Founder of Smart Home Vault
For WordPress users (who represent about 20% of self-hosted websites globally), I'd recommend installing the Wordfence plugin. Wordfence plugin is a security plugin and has free and paid plans. Besides being an automated tool, Wordfence is straightforward hence ideal for users who aren't tech-savvy.
Depending on settings, Wordfence will block an IP address for 4 hours after 5 failed attempts. For every failed attempt – and for other issues detected (like plugins with security risks) – Wordfence will notify by email. Still talking about email alerts, I like that Wordfence is big on updates/news about vulnerability and risks of Wordpress and Wordpress plugins. That way users can act just in time.
17. Abdul Rehman, Cybersecurity Editor at VPNRanks
The one website security tip that I'd like to give you is setting up a web application firewall like Sucuri on your website. A WAF is very necessary for your website security as it filters and blocks malicious and harmful traffic to your site.
You can also blacklist and whitelist specific types of traffic as per your desire. It's very necessary since it prevents harmful injections and hacks attacks that can prove to be detrimental to your site and the data it holds.
18. Bruce Sigrist, Web Developer + WordPress Specialist at Phase Three Goods
To secure and protect a website, be thorough and uncompromising.
On thoroughness… it's easy to disregard crucial parts of website security because the jargon is new or the setup looks cumbersome. From 2-factor authentification to firewalls and IP-limited logins, these steps might seem overwhelming to non-specialists. Hackers and spambots are a determined bunch; every obstacle you throw at them will reduce the likelihood of a breach.
On being uncompromising… while searching for security improvements, you might find limitations in your site's build or hosting environment. Don’t be afraid to switch hosts or frameworks if existing circumstances limit your site security.
19. Noman Nalkhande, Founder of WP Adventure
I take the utmost care to ensure there aren't any gaping loopholes for a security breach to occur. Since WordPress is hugely popular, there are some amazing plugins built especially to serve this purpose.
Sucuri and WordFence are extremely popular and do a great job. Besides using a security plugin, I'd also advise keeping your WP themes and plugins up to date with the latest versions. It is also wise to change the default login URL from /wp-admin to something more unique using a plugin like ManageWP or adding a few lines of code directly in .htaccess file.
20. Juan Pineda, Partner at Sofyma
Most attacks on business websites are happening because three aspects are disregarded: hosting security, website software maintenance, and passwords strength.
If possible, you should opt for a strong hosting platform that isolates the live environment from any server access. This guard against unauthorized updates that can result in compromise.
Independently of the hosting provider, you should always use strong passwords to access your server, control panel, or website management system.
Another important aspect to consider is keeping your platform software updated. If you are not using a managed hosting provider you should stay current with security releases for the operating system, SSL software, programming language, and database that you use.
If you are using a content management system or framework for your website you should also make sure that it is kept updated with the security releases that are published by the community.
21. Chris Love, Owner of Love2Dev
Using HTTPS for all communications is a no brainer today. It was once complicated and expensive. Today it takes about 30 seconds and is free.
A common mistake I see is improper use of identity for authentication. Many websites do not properly use identity to block access to sensitive account data. Often applications are brought to me and APIs are not secured and direct access to the database can be had with direct calls to the exposed API endpoints.
Another recommendation I am making more and more is the use of Biometric and passwordless authentication. Here only verified tokens are made available to the application. The user's device verifies the identity with facial recognition or fingerprint analysis. It is hard to crack and storing a password hash is not required.
22. Jessica Rhoades, Owner, and Designer at Create IT Web Designs
Most people think that web security is just installing a WordPress plugin.
It is more than that. It is forming a plan around your website. First, do you take regular backups of your website and keep them off the webserver? Keeping a backup is key to protecting your data.
Secondly, are you updating your plugins on a regular schedule? Vulnerabilities in plugins are always being discovered.
Lastly, do you have any subdomains, and are you updating and scanning those on a regular basis?
An old test server on a subdomain that a customer forgot about was how one of my customers was hacked. The subdomain plugins were not updated for over 2 years and were hacked. Since they were able to get into the subdomain it affected the main website. We were able to quickly resolve the security with the subdomain, but the main website was down for about 6-8 hours.
23. Nir Kshetri, Professor at University of North Carolina-Greensboro
Many strategies need to be used to secure and protect a website but I would emphasize two things. First, companies should practice extreme precautions and safeguards if they allow others to upload files through their websites to ensure that no malicious files are uploaded.
Moreover, if users upload files too big in sizes, they can bring the website down. To keep the website secure, an option would be not to allow file upload.
However, this is not a practical strategy for many companies. Companies should allow uploads to support only one or a few file types. They can set up an email address and list in their Contact us page to submit other file types. They should also limit the file size to avoid DDoS attacks and scan received files for viruses and malware.
Second, if the website stores passwords, it is critical to hash passwords and employs stronger hashing function (e.g., bcrypt) rather than simple function (e.g., SHA1). In this way, even if hackers are able to penetrate a company’s network, it will make it difficult to steal the passwords and use them for nefarious purposes.
24. Michael Miller, CEO of VPN Online
As a security evangelist, one tip I always preach is to update everything! Your first line of defense is always going to be your antivirus, operating system, hardware, and passwords. Make sure you religiously update them. As an added insurance, keep offsite backups. The easiest way to fix a problem is by restoring to a previous backup.
25. Nelson Sherwin, Manager of PEO Companies
Did you know your domain name is a target?: My one tip is to not forget about your domain name. It can actually be a huge target for attacks, so you need to make its security a priority.
Picking a registrar that has security as a primary focus is a great first move. You should also look into adding a domain lock and setting up multi-factor authentication for extra steps to ensure that you’re keeping it safe.
26. Chase Higbee, Lead IT Strategist at Atlantic.Net
The key to website security is to minimize the attack surface of the website infrastructure and place controls over how network traffic reaches the website.
Exposing only the front end web server(s) to the public Internet using a DMZ is critical, as well as logically positioning application and database servers behind additional firewalls.
Protect the frontend by proxying TLS traffic through a secured web gateway, and create strict security policies to manage end-to-end traffic inside the perimeter network.
27. Jon Rasiko, Managing Director at DeepCode
Starts with the basics. Ensure you take the time to carefully configure your web server by using strong cryptographic parameters: a necessity for many frameworks such as PCI-DSS or HIPAA.
Learn and implement web security headers, such as the Content-Security-Policy header to mitigate some of the top 10 OWASP security issues. Secure your cookies with the proper flags such as ‘HttpOnly’ and ‘Secure’.
One last piece of advice: protect your code repositories by removing passwords and tokens and clean up non-essential files on your production web servers.
28. Kyle Hrzenak, President & CISO at Green Shield Security
Some of the best ways I've found to secure a website are as follows.
SSL – An SSL is very important because it ensures data safety, as long as you ensure protection from SSLv3 Poodle.
Use website penetration software such as Acunetix Web Vulnerability Scanner. Tools similar will provide errors that currently exist on your website or even web-server and provides documents on how to fix those issues.
29. Alex Artamonov, Cybersecurity Specialist at Infinitely Virtual
If a website is hosted in a shared environment, back-end server security is the hosting company’s responsibility. If the server is hosted within a private environment, security lies with the owner.
With a website hosted on a private server, additional vigilance – e.g., an effective patch management policy – is essential. Likewise, make certain to close any unused ports, disable filtering of any remote management ports, use secure passwords, and run regular vulnerability tests.
30. Nicholas McBride, Cybersecurity Consultant at Ecuron
When securing a website there are four basic steps that will prevent the majority of attacks.
First, check that all permissions are properly set. One of the most common avenues of attack is via improperly set file permissions allowing attackers to view sensitive files or upload their own.
Second, ensure that HTTPS is properly enabled and strictly required for all domains and subdomains.
Third, configure DNS properly to prevent the possibility of DNS hijacking.
And finally, patch your server and operating system software in a timely manner. Combined, these four steps will do the most to keep your website secure.
31. Lumena Mukherjee, Cybersecurity Consultant at SectigoStore
Website security is often assumed to be the responsibility of hosting providers. However, that’s not the case. Securing the site is the onus of the site owner. The tips below can get you started in the right direction:
Run regular vulnerability scans and perform manual web application security assessments to identify security weaknesses and fix them before a breach.
Make use of an SSL/TLS certificate to encrypt the communication between client browsers and your webserver to guarantee that no data is transmitted in plaintext.
Backup your website automatically using a third-party platform regularly to minimize the impact of any issues.
32. Vladlen Shulepov, CEO at Riseapps
It’s true that in order to provide website security, there should be a strategy in place. First of all, data encryption is one of the most important ways to protect a site, so such a well-known measure as an SSL certificate must be used.
Any framework, cloud service, firewall, etc., used in the development process should be trustworthy and safe, and the same applies to servers. If there is a login option, multi-factor authorization is the most secure choice. In case an intrusion takes place, a data breach protocol can help minimize the damage.
33. Joe Tuan, CEO of Topflightapps
Our Wordpress site has been recently hacked multiple times. In response, we are applying Cloudflare rate limiting. It can help limit excessive requests for specific URLs or for an entire domain.
On top of that, we took stock of all external plugins we installed on our site and removed those posing a threat: no longer updated and used.
34. Maxim Ivanov, CEO of Aimprosoft
Besides standard website security measures, such as reliable hosting, patching all applications on the webserver to the latest version, etc., use more enhanced precautions.
Firstly, choose a firewall to secure your servers and restrict access to all undesirable ports except for those that should be available (e.g., 80 and 443).
Secondly, use WAF (web application firewall) securing your app from the outside attacks, such as SQL injections, XSS (Cross-Site Scripting) attacks, file inclusion, and so on. Mind that there are special services, such as Cloudflare that function like reverse proxy, provide WAF, DDoS mitigation, and take care of website security for you.
Finally, conduct security audits of a web application code to minimize the level of its vulnerability and configure fuzzing by using such a tool as Fail2ban.
35. Swapnil Bhalode, Co-founder and CTO of Tala Security
Client-side vulnerabilities are the web's weakest link, resulting in data breaches at leading global brands – and the biggest GDPR fine to date (BA, $230m). Known as Magecart or credit card skimming, these attacks succeed because only 1% of website owners deploy security policies that protect the client-side.
The best strategy to secure websites against these attacks is to deploy browser-native security controls such as CSP, SRI, and other advanced standards.
Developed by the world's leading web experts, like Google and GitHub, they're constantly refined in-step with the latest web developments. Used together, they provide the most comprehensive, future-proof protection against client-side attacks.
36. Rob Shavell, CEO of Abine/DeleteMe
To secure and protect a website as possible, it's absolutely critical that you use strong passwords for your server and website admin area. In addition, if your site requires a sign in, you should encourage your users to use best password practices in order to protect their own data.
37. Laura Fuentes, Operator of Infinity Dish
38. Heinrich Long, Privacy Expert at Restore Privacy
To secure and protect a website, there are three main protective technologies to consider when implementing a strong web security strategy.
First and foremost, you should invest in a great cloud-based firewall, Norton is a great provider with a range of products to suit almost any website. The firewall protects your website by evaluating visitors to your site and blocking potential hackers from gaining unauthorized access to your data.
Secondly, support this with an application-level firewall that works to specifically protect your site from vulnerabilities created by apps or services linked to your site.
Finally, invest in technologies to support application hardening. Application hardening is a crucial aspect of your security strategy and is required to prevent hackers’ efforts to tamper with an app and compromise your site.
There you have it! 38 ways to secure and protect a website!
Thankfully, the interviewees have provided helpful website security tips that you can apply to secure and protect your websites.