15 Great Ways to Secure Your Website

Since there is no point-and-click software, like an anti-virus solution, available to secure a website, people assume the job is done once the website is up. It definitely is not. Protecting a website or web server is possible only through continued effort. Unlike a poorly protected desktop in your place of business, a hacked website reflects poorly on you, your business or your brand.

With the sheer volume of zero-day threats emerging all the time, there may be no fit-it-and-forget solution for protecting a website. But there is always some time-tested fundamental groundwork that should be done to get the first line of defence up while you figure out a detailed security plan. Below is a list of 15 tips that can help you lay the foundation for web security.

Use Open Source Scripts

Unless you know what you are doing or have a well-versed development team on your payroll, it is a great idea to use open source scripts. Open source scripts like WordPress, Drupal, Joomla, Magento etc. are feature-rich, powerful and backed by thousands of coders for updates and support.

This avoids websites falling prey to hackers and spammers because of poorly written code. Instead of building from scratch, you can use the existing scripts and modify them to your liking. Commercial scripts from reputable companies can also be deployed if they issue updates and patches regularly.

Update Constantly

New features or not, upgrade to newer versions of scripts as soon as they are released. Point upgrades mostly fix bugs in the script and are as important as a full version upgrade. If you are not sure whether the new update will break your customization, ask in the support forums, and do not wait until your customization is fixed before applying an update.

Use Strong Passwords

Passwords like “loveydovey123” or “unicornlover” are definitely not cute, and it is absolutely reckless to even consider using them. Your password does not have to reflect your “inner persona”; it is supposed to keep things safe.

Use a combination of letters, numbers and special characters, and make sure passwords are at least 10 characters long. Apps like LastPass, KeePass etc. can help you generate strong passwords and store them as well.

Secure Admin Email Address

Keep the admin email address used to log in to your web server, CMS, database etc. away from the public eye. Use a totally different address on your contact page. This helps keep you from being scammed by a phishing email disguised as coming from your hosting company or domain registrar.

Add a Database Table Prefix

If you are using a CMS, blog or forum script, change the default database table prefix. For example, in the case of WordPress, the default database table prefix is “wp”. So if a brilliant hacker finds a way to extract data from a database, default table prefixes will leave you a sitting duck.

Password protect the Database

Many scripts do not require a database password, and leaving it empty will still get the script installed. An empty password is a criminal waste of an additional layer of security. A database password does not slow down the website when querying the database, so there is absolutely no reason not to have one.

Delete the Installation Folder

Once the installation is done there is no use for the installer folder in the day-to-day operations of a website. It is very much possible for a hacker to run the installer once again, empty the database and take control of the website and its content. Ideally, delete the folder once the installation is complete; if you know your way around the web server, you can also opt to rename the folder.

Change File & Folder Permissions

Some scripts require full read and write access during installation. This can be achieved by setting permissions to 777 on vital folders like config, admin etc. Once the installation is complete, revert the permissions to their original values, say 755 or 644. A file or folder that is writable by everyone gives easy access to inject malicious code into your website.
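The 777-then-revert advice above, as an added example that is not part of the original post: a small shell script (assuming GNU or BSD find, chmod and mktemp) that lists every world-writable entry under a web root and resets directories to 755 and files to 644. The sample tree it builds under mktemp is constructed for the demonstration; the paths are not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit a web root for entries left
# world-writable (777) after installation and reset them to 644 (files) and
# 755 (directories). Assumes sh with GNU or BSD find, chmod, mktemp and wc.

# List every world-writable file or directory under $1, one path per line.
# Symlinks are skipped: their own mode bits are meaningless on most systems.
list_world_writable() {
    find "$1" ! -type l -perm -002
}

# Print the number of world-writable entries under $1 (0 means clean).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Print 1 if the entry at $1 has exactly the octal mode in $2 (e.g. 644), else 0.
has_mode() {
    if [ -n "$(find "$1" -maxdepth 0 -perm "$2")" ]; then echo 1; else echo 0; fi
}

# Reset the whole tree: directories to 755, regular files to 644.
# Run it as the owner of the files (or via sudo), never from a web request.
harden_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample web root that mimics a fresh CMS install where
# the installer guide said "chmod 777 config admin". Prints the path.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/config" "$root/admin" "$root/images"
    printf '<?php // constructed placeholder\n' > "$root/config/settings.php"
    printf 'x' > "$root/images/logo.png"
    chmod 755 "$root/images" && chmod 644 "$root/images/logo.png"   # already fine
    chmod 777 "$root/config" "$root/admin" "$root/config/settings.php"  # the mistake
    printf '%s\n' "$root"
}

# Demonstration when run directly.
demo=$(make_demo_root)
echo "Before: $(count_world_writable "$demo") world-writable entries"
list_world_writable "$demo"
harden_perms "$demo"
echo "After:  $(count_world_writable "$demo") world-writable entries"
rm -rf "$demo"
```

On a real site, run `list_world_writable /path/to/webroot` first and review the output before applying `harden_perms`, since a few upload or cache directories may legitimately need to be writable by the web server user.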

Use Secured FTP Access

If your web server or ISP supports SFTP access, jump at the opportunity and upload files to your server in fully encrypted glory. Nobody can sniff what you are uploading to or downloading from the web server.

Restrict Root Access

Be it FTP or database, never give root access to everyone willy-nilly. In the case of FTP uploads by people other than the system administrator, restrict access to certain non-system folders.

Ensure the presence of .htaccess file

.htaccess files are often used to specify the security restrictions for a particular directory. Make sure the file is there in the first place and that you have not deleted it by accident.

Add robots.txt file

robots.txt gives special instructions to search engine spiders as to which folders are to be indexed and which are not. Folders with documents, images etc. can be kept from being indexed and displayed in public web searches.

Use security plugins

Mature platforms always have plugins to extend the core functionality of the script. Look for plugins that add an extra layer of security and install them. For example, the WP Security Scan plugin checks whether most of the steps I have mentioned above have been implemented properly in a WordPress installation.

Read leading Tech Blogs

Keep yourself updated on the latest vulnerabilities, bugs and attacks on the Internet. There will be a time delay before patches are issued, and this information will help you protect your website or temporarily take it offline if there is a very serious threat. Wired’s Threat Level and Krebs on Security are good places to begin.

Stay away from Nulled Scripts & Themes

Piracy of commercial scripts and paid themes is the easiest of all forms of piracy. Smaller file sizes and the absence of version-specific keygens, cumbersome daemons, DLL patches and cracks make it a cakewalk to pirate a script compared to desktop software or a PC game.

However, unlike pirated desktop software, where hidden malware is removed by anti-virus software, there is no way to escape a backdoor added to the codebase. Even for a seasoned programmer, it is impossible to go through thousands of lines of code to check whether the script is free of backdoors.

A nulled script or theme with a backdoor ensures that the hacker peddling it has got himself a free server to spam people with mails promising to enhance things that cannot be enhanced. If you are lucky, your website might not be used for anti-government propaganda or for distributing child pornography. Unless you so love orange jumpsuits or, better yet, would love to go on an all-expenses-paid trip to a certain facility in Cuba, stay away from nulled scripts. Nulled scripts hurt the pirate worse than the developer. Enough said.

When it comes to security online, there is always an infinite number of ways to protect a website. Share the tips and tricks you use to protect your website by leaving a comment.

  • Laurent Rathle

    Use FastCGI or SuPhp depending on what you prefer so that php scripts are executed with the permissions of their owner ( here the ftp user). This way you won’t have to change the permissions during install and after.

  • http://wheremy.feethavebeen.com Angelo R.

    I’ll admit I’m a little confused over the “database prefixes” idea as security. If a user can get far enough that they can start polling your database, it is easy to get a list of all tables circumventing this procedure.

    That being said, the rest of these are definitely something to think about when designing a website.

  • JEV

    Excellent tips, they will definitely be beneficial to myself and others; I wonder if you guys/girls implement these preventative measures in this site, -my guess is you do.

  • http://www.aediscreative.com Christopher

    I’ve used three different security plug-ins for wordpress. They had some unique elements, but for the most part they did the same thing. Anyone have an opinion as to which one is the top dog?

  • Ibrahim

    lol “unicornlover”
    thanks for the tips!

  • http://ordenadodigital.com Ordenado Digital

    Great post, I just have a question. What’s the best file permissions to have on a file so nobody can edit it besides the admin? 755?

    • http://www.besmallah.com Mohamed

      644 for files and 755 for directories

  • http://www.sitebase.be Sitebase

    Very good tips. Also a good tip is to rename the wp-admin directory.

  • http://techzilo.com Sumesh

    Good tips, esp. re: nulled scripts – I’ve never used one, and can’t really see a reason to – there seems to exist decent, if not excellent free alternatives to most paid scripts.

    Re: open-source scripts, you also need to be careful and update religiously, because the ‘openness’ that makes it secure in the first place also allows hackers easy access to code to find bugs, which then get fixed by the developers as they are discovered. eg. WP

  • Ryan Stubbs

    Thanks a lot for those! It’s unbelievable how many people forget to do a lot of the things on that list.

  • Mua sam vui

    Thanks so much, I love your blog.

  • https://www.shieldpass.com Matt

    You could also add to the list, “use second factor authentication” instead of standard passwords where one is just as easy for a hacker to copy as another no matter how complex.
    There is a new authentication method https://www.shieldpass.com where you buy cheap access cards which you then embed the widget html into your login page so it uses dynamic password numbers every time you login. It is unique in also being able to encode transaction digits for mutual authentication which completely stops any attacker even one with access into your laptop or mobile.

  • Thanks for this

    Thanks for this, older article but still useful!

  • iAmFabLaz

    Great list of tips.
    I’d suggest also putting a blank “index.html” file in each directory that needs to be accessed by the scripts you use, so if someone tries to list it he will obtain a blank page instead of the list of your directory. This is useful especially if you run non-updated software (like open source CMS / free plugins); often those plugins have vulnerabilities and knowing them may help brilliant hackers breach into your system!

    • DeathRow

      There is an Indexes option for this in your Apache config file. No need for so many index.html files. See below: the ‘Options -Indexes’ command will stop your file indexes being displayed and will show “file not found on server”.

      #
      # Possible values for the Options directive are "None", "All",
      # or any combination of:
      # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
      #
      # Note that "MultiViews" must be named *explicitly* --- "Options All"
      # doesn't give it to you.
      #
      # The Options directive is both complicated and important. Please see
      # http://httpd.apache.org/docs/2.4/mod/core.html#options
      # for more information.
      #
      Options -Indexes
      #FollowSymLinks

      #
      # AllowOverride controls what directives may be placed in .htaccess files.
      # It can be "All", "None", or any combination of the keywords:
      # Options FileInfo AuthConfig Limit
      #
      AllowOverride All

      #
      # Controls who can get stuff from this server.
      #
      # Online --> Require all granted

      # onlineoffline tag - don't remove

  • Máximo Halty

    Great article. Thank you!

    For the websites that have users a nice way to improve the security is using a two-factor authenticator. Here you have a great one http://www.whitefactor.com
