Running your own website can be both rewarding and fun, but it can also be quite stressful if you don’t keep security in mind at all times. Here are 10 things you should do to make sure your website remains secure and unharmed by hackers. Security-conscious webmasters should be familiar with these things to keep their websites protected from a variety of different attacks and vulnerabilities.

10 things you should do to improve your website's security

1. Stay up-to-date

Knowledge of current events is important for any position in which decisions or strategies require a certain amount of situational awareness. Even if it’s not a requirement of your job, staying up-to-date on news that matters is good for business.

Information related to local, national and international news helps keep you informed about what’s happening outside of work—and inside your company—so that you’re prepared for changes in industry standards and trends. Plus, as technology advances at breakneck speeds, staying up-to-date will help make sure that you can effectively navigate its complex waters.

2. Use strong passwords

It's a good idea to use strong passwords, even if it isn't required by your hosting provider. Password strength is based on length and complexity, but also on factors like whether the password contains any personal information (like pet names or hobbies). Creating strong passwords can be difficult, especially if you need several unique logins, so it helps to follow some best practices.

First, avoid using real words, in any language, that would make sense if reversed; second, make sure passwords are long: at least 8 characters is recommended. Last but not least, don't reuse passwords across sites: it's much easier for hackers to crack one password when a breach has already given them access to everything else.

3. Passwords are never enough

We all know it’s smart to use strong passwords. But that’s only part of the story: your system is only as secure as its weakest link, so be sure you don’t use common passwords across several accounts. And never let anyone else get access to your password manager (whether a dedicated password management app or an online service such as LastPass). If someone gains access and commits identity theft or credit card fraud, not only will you lose money, but you will also face legal trouble for negligence.

4. Update the software on your server

You may think updating WordPress or Joomla is a waste of time, but it’s absolutely crucial. Every site has an exploitable component and some have more than others. If it hasn’t been updated in a while, update it today and follow up with a full backup. While we’re talking about backups, don’t forget to back up everything regularly.

If a hacker gets into your system and gets everything, at least you have good backups so that you can get right back up again. Better safe than sorry!

5. Change passwords after a breach or hack

It may sound painfully obvious, but if hackers have gained access to your website, it's time for a change. Make sure passwords are strong and unique across all sites: Hackers know that many people use one password for many sites. That means once they've breached one site, accessing others could be just a matter of time.

If there is only one password for everything and it has been compromised, changing it will protect against attackers using these logins elsewhere on the web.

6. Protect public facing files with .htaccess directives

Protecting files with .htaccess directives protects sites from certain attacks. For example, using an Options directive in a file called .htaccess will set three very important security options on all HTML files accessed by a browser on a particular web server. This could be as simple as password protecting access to restricted directories and files.

Also, limiting POST data (HTTP_POST_FILES) is another important step in ensuring a secure site. Another extremely useful tool is ErrorDocument 401 which automatically replaces any 403 or 404 error pages with its own custom page, so that it can be customized for whatever message needs to go out.
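The measures named in this section (Options, password-protected directories, a cap on POST data, custom error pages), written out as an added example that is not from the original article. It assumes Apache 2.4 with AllowOverride enabled for these directive types; every path, the realm name and the size limit are placeholders.

```apache
# Constructed example .htaccess for a site's document root (Apache 2.4 syntax).
# Assumes the server config sets, for this directory:
#   AllowOverride Options AuthConfig Limit FileInfo
# Without that, these directives are rejected (HTTP 500) or ignored.

# Options: switch off features the site does not use.
#   -Indexes   no auto-generated directory listings
#   -ExecCGI   no CGI script execution from this tree
#   -Includes  no server-side includes
Options -Indexes -ExecCGI -Includes

# Refuse direct requests for files that should never be served.
<FilesMatch "^\.ht|\.(bak|sql|log|ini)$">
    Require all denied
</FilesMatch>

# Cap the size of any request body (POST data, uploads) in bytes.
# 10485760 = 10 MiB, a placeholder; set it just above the largest
# upload the site legitimately accepts.
LimitRequestBody 10485760

# ErrorDocument maps exactly one status code to one page, so each
# code gets its own line. The 401 page must be a local path.
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html

# ---------------------------------------------------------------
# Separate file: .htaccess inside the restricted directory
# (for example admin/.htaccess). Password-protects that directory.
# ---------------------------------------------------------------
AuthType Basic
AuthName "Restricted area"
# Placeholder path: keep the password file outside the document root
# so it can never be downloaded. Create it with the htpasswd utility.
AuthUserFile /path/outside/docroot/.htpasswd
Require valid-user
# Basic auth sends the password with every request, only
# base64-encoded, so serve this directory over HTTPS only.
```

After uploading, request a directory without an index file and a blocked file such as a .sql dump; both should return 403 with the custom page.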

7. Don't log in as admin

If there are other users on your site, make sure you log in as one of them. (Don't forget about Google Analytics or Alexa, either.) If nobody else has an account on your site, try creating a new test user (no special privileges) and logging in as that user when you need to access admin pages. If someone wants to hack into your site, they have no way of knowing that it isn't actually you doing it.

If a hacker is able to trick another employee into giving up their credentials—or if they can guess yours—they'll be able to do anything with that account as well. No wonder 60% of attacks start with compromised credentials.

8. Secure Remote Login (SSH, telnet etc.)

To be able to log in and make changes to a web server from another machine, you will need secure remote login (SSH) and a secure shell client program. Secure Shell or SSH is a cryptographic network protocol for operating network services securely over an unsecured network. For example, if you're using FTP over an open internet connection, anyone can snoop on your traffic and potentially obtain sensitive information like usernames and passwords.

By connecting with SSH instead, they would only be able to see that data going out onto port 22, as if it were any other encrypted traffic. If they wanted access, they'd have to break the encryption first -- which would take more time than it would be worth for most hackers.

9. Take care of the employees and contractors too!

Security is a multilayered thing and what’s good for one layer may be different from what’s good for another. For example, many companies start by locking down their network at layer two (by adding more robust firewalls, closing potential holes in operating systems and installing endpoint antivirus software).

That’s great, but it doesn’t mean much if an attacker can compromise a single employee’s computer. Protecting individuals on a physical level is critical, too—and one of those layers is often overlooked by organizations.

10. Be paranoid! Check for errors often.

The easiest way for a hacker to break into a web server is by exploiting coding errors, called bugs, in server-side software. So it's vital that you check your sites often for these bugs and fix them as soon as possible.

You'll have an easier time finding these problems if you have an automated system in place that regularly checks for them -- automated systems are especially important if many people are working on code that runs on your servers. For example, open source software like Joomla! has periodic scanning tools built into its development cycle.


It is said that prevention is better than cure, so rather than waiting for your website to get hacked and recovering it afterwards, I would suggest that you prevent your site from being hacked. What can you do to prevent web hacking? It depends on what kind of site you are running, but in general: always keep WordPress updated and use a good password. WordPress plugins like WordFence can help with securing your site, but only if they are kept up-to-date.

Keep an eye on the PHP versions in use. Use strong passwords and don't use easy-to-guess passwords. Run occasional backups of databases, themes and plugins too, in case something goes wrong later.