Navigate Your Website to Success: Your To-Do List for Stronger Security

On your journey to a more successful online presence, there’s one essential step you should never neglect – website security. At SiteGround we’re constantly updating your security arsenal with out-of-the-box security technology and additional features. But there are a few extra steps you can take to protect your site so that when your online business gathers speed, you and your clients have ultimate peace of mind.

Your Ultimate Website Security Improvement To-do List:

Website threats take many forms and constantly evolve: phishing, malware, ransomware, DDoS attacks, identity theft, customer data leakage, and even human error. To protect your website on multiple levels,  we’ve compiled an extensive but easy-to-follow list with actionable tips. Complete each step to make sure your website is rock-solid against potential threats.

1. Choose a hosting provider that safeguards server infrastructure

💡WHY: Choosing a secure web hosting provider is the first step towards a secure website. A good hosting provider would protect your website on various levels, starting with their servers’ infrastructure security. Some essential and effective security measures on server-level include a network traffic firewall, Web Application Firewall, DDOS protection and more. All these help filter bad traffic and block brute-force attacks, denial of service, malware injections, and others.

❓HOW: When choosing or switching to a new hosting provider, research their hosting infrastructure and security measures provided. Check their website for security tech info or better yet, contact them directly with specific questions.

At SiteGround, we not only provide all essential security measures, but we go the extra mile. Instead of making them operate stand-alone, we have built a Central Security System that ensures all our servers are protected at all times by constantly gathering and analyzing data from all individual server security systems, and distributing smart security rules, applied to all machines. At SiteGround, your website is safe with:

• 24/7 server monitoring system that checks the server status every 0.5 seconds, far more often than standard monitoring systems in our industry. On top of detecting and fixing current issues, it also foresees and prevents a variety of problems automatically.
• Smart web application firewall system on server-level that monitors the traffic and prevents hackers from exploiting the most popular CMSs and their plugins. Our Security Team constantly creates new custom security rules and adds them to our smart WAF to protect sites hosted with us out-of-the-box. 
• Powerful AI anti-bot system that stops malicious traffic before it reaches our customers’ websites, blocking between 25 and 30 million brute-force attempts per hour across all our servers.
• Daily geographically distributed backups, stored in a data center location, different from the one hosting the live account, and Premium Backup service that provides up to 60 additional backup copies of our clients’ websites and allows downloading all backups to our clients’ local machines.
• The latest software versions, such as the default PHP 8.2 and the latest MySQL 8 that are used on all SiteGround servers. It’s important that your software is up-to-date at all times, because older software versions inevitably become vulnerable to hacker attacks with time.

2. Protect your data with an SSL certificate

💡WHY: Having an SSL certificate on your website is a must and an industry standard. Here are some of the main reasons why you should have one – an SSL certificate secures sensitive information, such as credit card numbers, IDs, passwords, messages, etc. by encryption; verifies your website’s identity; and ensures that your website meets the requirements of search engines which flag unsecured sites.

❓HOW: As a website owner, you can get a free SSL certificate from Let’s Encrypt, for example, or you can ask your hosting provider whether they offer SSL certificates. 
As a SiteGround client, you get free Standard and Wildcard SSL certificates with all our hosting plans, for all your websites. Мanage your active SSL certificates easily from your Site Tools control panel – just go to Site Tools > Security > SSL Manager. Once logged in, you can also switch from the free Standard SSL to the free Wildcard SSL (for medium-sized websites), or upgrade to the Premium Wildcard SSL (for large business websites).

3. Enforce strong and secure passwords

💡WHY: The password for logging in to your website admin panel is one of the first things that hackers will try to crack. If your password is weak, such as your name, or your date of birth, for example, hackers would need just a few attempts to guess it successfully and get access to all your website information. That’s why it’s crucial to use strong and secure passwords for your login.

❓HOW: To have a strong and secure password, make sure you use long passwords, with numbers, uppercase and lowercase letters, special characters, numbers, etc. Never write it down (neither physically, nor electronically), but keep it in a secure password vault management system. And remember to update them regularly, since if you use the same one over and over again, it will get vulnerable at some point.

4. Use 2-factor authentication

💡WHY: Even with the hardest to guess passwords, there’s still a possibility that it can be compromised. This could be due to a human error, or a brute-force attack, where hackers use different combinations to guess your password – on a huge scale, hundreds of thousands of attempts per hour, for example. 

❓HOW: To further strengthen your login, implement 2-factor authentication (2FA). It requires one additional step to be completed before anyone can access your data. That’s one more layer of authentication – a temporary dynamically generated code on your phone or email. The 2-factor authentication feature is a click away in the free SiteGround Security Optimizer plugin for WordPress websites.

5. Stop brute-force attempts

💡WHY: Brute-force attacks by bots are a severe global issue for any website nowadays. They cover a huge scale of multiple websites on one or more servers, making it a very serious issue whether your site is big or small, business-critical or just an online portfolio. A brute-force attack is a hacking technique that uses trial and error to guess and crack your passwords, login credentials, and encryption keys, on a massive scale. A successful brute-force attack can cause huge financial losses; steal personal information, such as bank details, confidential medical information, etc.; and many other damages.

❓HOW: There are multiple measures that you can take in order to protect your site from brute-force attacks. These include having strong passwords, limiting the login attempts to your website admin panel, monitoring IP addresses for anomalous behavior, using CAPTCHAs, creating a unique login URL for your website admin panel, and others.

All of the above aside, your choice of web hosting provider plays a crucial role in securing your site against brute-force attempts. At SiteGround, we have developed a sophisticated AI anti-bot system that blocks millions of brute-force attempts per hour. After the system’s latest upgrade, it filters 95% more of the malicious queries by constantly learning from thousands of brute-force attempts per day and adding a traffic validation functionality that minimizes the number of brute-force attacks. SiteGround clients benefit from this advanced system by default, no action needed on their part.

6. Monitor your website traffic closely

💡WHY: As a website owner, you can sometimes notice specific patterns or suspicious traffic coming to your website. Imagine that you monitor abnormally high traffic from a country you’re not targeting, you receive too many spam comments on your blog from а  specific location, or any other unusual behavior from a certain geographical region.

In such cases, it would be useful to be able to stop the traffic from that location, as many times it might turn out to be malicious. Stopping the traffic from a specific country could also benefit your business, if, for example, legal requirements prevent you from providing your service in that country, or there are heavy taxation requirements, and others.

❓HOW: To monitor your website traffic, you can use different network security tools that alert you of potential malicious activity in your network, or you can also set up alerts yourself, whenever you encounter login attempts or suspicious activity from certain IP addresses. 

SiteGround clients can easily block specific IP addresses or whole countries and stop traffic from countries that are not relevant to your business or online presence. If you are a SiteGround client, control your website traffic in Site Tools > Security > Blocked Traffic.

7. Keep your inbox clean from spam messages

💡WHY: Dealing with multiple emails is part of our daily work routine nowadays. Yet, when there are a number of spam messages in your inbox by the hour, the task becomes even more tedious and annoying. You have to manually process each email and mark as spam those that sneaked into your inbox. But there’s more to spam than simply a cluttered inbox – it’s dangerous, because it can be the main source of phishing and other hacker attacks. It goes the other way round, too.

Spam messages can negatively affect not only the receiver, but the sender as well. If another user on your server has sent uncontrolled spam, then there’s a chance that your entire server address will get blacklisted. This will affect you when you try to send an otherwise legitimate email, which might not get to the recipient simply because it’s coming from an already compromised server address.

❓HOW:  First and foremost, make sure to not delete spam messages from your inbox, but rather mark them as spam, so that your spam filter will know not to let any more messages from this address into your inbox. Second, if you can tell that the message is spam, even before opening it, then delete it without clicking on it, or downloading anything. Such messages can contain malicious software! Other rules to follow in order to avoid spam, include keeping your email address as private as possible, unsubscribing from email lists, or simply using a third-party spam filtering service.

SiteGround clients enjoy an in-house built Spam Protection solution that keeps both incoming and outgoing spam away. Our solution not only efficiently minimizes the amount of spam messages delivered to your inbox, but it also constantly learns from your email reading behavior and actions to add even more custom rules for spam messages. As a result, our system blocks 12 Million spam emails from even reaching your mailboxes every day, while 600,000 get filtered directly in the spam folder. It also extremely efficiently detects and stops outgoing spam messages from our servers, giving you an extra layer of security.

SiteGround clients have our built-in Spam Protection features enabled by default, but can also easily control them via an easy interface to allow and block senders. They simply need to go to Site Tools > Email > Spam Protection and directly tell the system how to treat a certain sender by adding an email address or an entire domain to their block/allow lists.

8. Scan your website for potential threats regularly

💡WHY: Hackers invent new and smarter ways to “hijack” websites, by the hour. Your website can get infected with malware in numerous ways – compromised login credentials, corrupted or outdated software, infected or fake plugins and themes, and many others. If your site gets infected with malware, this can have serious consequences on your whole business,  not only on the website itself.

❓HOW: Your best bet against malware is constant monitoring. However, as a website owner, you have many other responsibilities in regard to your website. You simply cannot monitor it for suspicious behavior on your own 24/7. But your hosting provider can and should. 

With SiteGround, our clients can activate Site Scanner – a security add-on that crawls your websites daily, warns you of potential malware and other security threats, and provides tools for reaction if your sites are under attack. Here’s how Site Scanner protects your websites.

9. Boost your WordPress security

💡WHY: WordPress is the most popular CMS platform in the world, and as such, it’s also a preferred target for hackers. Even though all of the above tips apply to WordPress as well, there are a few extra things you can do to make sure that your WordPress website is fully secured against malicious threats.

❓HOW: We have identified some important, yet easy-to-follow tips to help you take special security care of your WordPress website:

• Keep your WordPress version and plugins up-to-date

It’s important to keep your WordPress version and plugins up-to-date with their latest possible versions, because hackers use any vulnerability or backdoor to get access to your website’s files, sensitive information, etc. Simply log in to your WordPress admin and go to Settings or plugins to check if there’s a newer version.

At SiteGround, we automatically update all WordPress sites hosted with us to the latest stable WordPress version, as well as the free plugins, depending on clients’ settings in their Site Tools > WordPress > Autoupdate.

• Review your user roles and permissions

Make sure to review and clean up inactive users or limit access for certain users only to the information and resources they require for that specific role. For example, let the administrator level accounts only for the people responsible for the technical aspects of your site, but give edit access to your blog only to users that manage content or users on your site.

• Avoid common usernames

Remember that your WordPress login consists of your username and password. However, all WordPress installations by default come with the user “Admin” which means that hackers already know one of the two pieces of your login information. That’s why it’s important to change your username to a custom one.

• Limit login attempts

Another way a hacker would try to crack your username and/or password is to try and guess them on the login form with numerous consecutive attempts. What you can do is limit the number of consecutive unsuccessful login attempts by blocking their IP for a certain period of time after they reach a set amount of attempts. With the free Security Optimizer plugin by SiteGround, you can activate this feature with a click of a button.

• Clean up unused or outdated plugins and themes

Unused or outdated plugins and themes, including deactivated ones, also open the backdoor for hackers to get to your website. To avoid that possibility, simply delete any unused plugins and themes on your website.

• Add an extra layer of security with a trusted plugin

With the free Security Optimizer plugin available for all WordPress websites, you get all the security features you need to protect your WordPress website. Its user-friendly interface allows you to enable a variety of safety features with a few clicks – from hiding your WordPress version, locking and protecting system folders, to hardening different aspects of your login security, as well as monitoring visits, bots, etc. in a detailed activity log.

10. Back up your website regularly

💡WHY: Even if you’ve taken multiple security measures, unexpected events still happen – an update might go wrong, you can accidentally break something on your site, or any other unforeseen circumstances can require you to revert to an older version of your website. Just like an UNDO button in real life. That’s why it’s a must to keep several backup copies of your website in order to revert any mishaps in due time.

❓HOW: There are two main ways to back up your website – manually and with a third-party backup service. If you want to back up your site yourself, you need to log in to your web hosting account, locate the directory with your website’s files, use an FTP client to download this directory on your local computer and store it in a safe place. This is useful but can be impractical because you never know when mistakes will happen – so having an automated backup is crucial.

At SiteGround, we know how often backups can save an emergency situation with your website. That’s why we have a sophisticated system for creating and keeping backups of your website automatically. We generate a backup of your website every day and store each for up to 30 days. What’s more, we keep these backups in a data center location different from the one hosting the live account, which is an extra layer of security for your data, in case something affects your whole data center. SiteGround clients can easily manage backups from Site Tools > Security > Backups. 

For the ultimate peace of mind of our clients, we have recently launched our new Premium Backup service that provides clients with automatic backups made every hour, on-demand backups for a full backup of their sites (whenever they need it), 7 additional automated daily backups on top of the ones included in their plan, and allows for ​​downloading all backups to their local machine.

11. Keep an eye on your website security status regularly

💡WHY: Even if your site is secured and backed up, you still need to check its security status regularly. It’s important to know how secure your site is and whether the security level has changed – keep an eye on how many attacks have been mitigated, or find new ways to further protect your site from incidents.

❓HOW: To check your website security status, you can use a free open-source web security testing tool. There are many such tools available online. If you’re using WordPress, you can also run a security scan with various free plugins to scan your website and detect vulnerabilities. After you check the status of your website security, it’s important to analyze the results and take measures where necessary.

SiteGround clients receive free monthly security reports, delivered straight into their inboxes. In these reports, they get a summary result of their site’s security check, along with actionable advice on how to reduce the risk of malicious attacks, if there are any weak areas identified. All this information is compiled in a user-friendly format, and the feature is enabled by default for all our clients. To manage their preferences for the reports for any of their websites, they simply need to go to their Client Area > Click on User Avatar > Notification Preferences and click the pencil icon next to Monthly Security Reports.

Wrap-up

A website is the most important and valuable digital asset you have, so you would want to make sure that it’s as secure as possible, time after time. By constantly reviewing and implementing new security measures, you ensure your site’s at maximum security level. This way your business, your visitors’ information, and your reputation will be safe during any business season.

Quick Cheat Sheet