How do you protect your website?

Website security is more important than ever, especially with rising cyber threats. What measures do you take to ensure your website is secure? Do you use any special tools or practices?
I'll introduce some items, and I’d like to see how closely your list matches mine.

1- Using HTTPS
2- Regular Updates
3- Strong Password Policies
4- Two-Factor Authentication (2FA)
5- Firewalls and Intrusion Detection Systems
6- Regular Backups
7- Content Security Policy (CSP)
8- Vulnerability Scanning
9- Securing File Permissions
10- Monitoring Logs and Traffic
11- Limit User Access and Roles
 
Some additional ones that we do:
  • Password rotation (30 days)
  • Firewall Log Inspection
  • Admin Login Alerts (WordPress sites)
  • FTP lockdown to single IP
  • Database lockdown (no remote access)
  • Shell Access via SSH Key only (and IP lockdown)
If a website is small, and rarely updated, then it doesn't need to be database driven - export entire site to HTML and it'll load faster anyway.
 
If a website is small, and rarely updated, then it doesn't need to be database driven - export entire site to HTML and it'll load faster anyway.
Conor, I'm curious - do you have some favorite tools that you use to export a site into raw HTML? We have tons of hosting companies with various PHP driven sites and there are days that I'd love to just have them export it to HTML, often times their code becomes outdated, etc.
 
This is indeed a complex question. We provide all the services you've mentioned and offer 24/7 support with specialists who monitor and ensure everything operates smoothly, guarding against unauthorized access. Protection from DDoS attacks is crucial because your website becomes highly vulnerable during such attacks. Some use Cloudflare, while others configure their own defense systems. It's important to understand that every action has consequences, and preventing a fatal error in your server and website's operation is vital for maintaining security and performance.
 
This is indeed a complex question. We provide all the services you've mentioned and offer 24/7 support with specialists who monitor and ensure everything operates smoothly, guarding against unauthorized access. Protection from DDoS attacks is crucial because your website becomes highly vulnerable during such attacks. Some use Cloudflare, while others configure their own defense systems. It's important to understand that every action has consequences, and preventing a fatal error in your server and website's operation is vital for maintaining security and performance.
Yes, every provider needs to consider the minimum requirements for their services. What I mean is, whether you are a beginner or a professional, what tips do you use and recommend for your website?
 
Conor, I'm curious - do you have some favorite tools that you use to export a site into raw HTML? We have tons of hosting companies with various PHP driven sites and there are days that I'd love to just have them export it to HTML, often times their code becomes outdated, etc.
I use a few different programs, but we have some clients that use the HTML plugins for WordPress itself. Just search for "Wordpress to static HTML" and you'll see a number of plugins. We've enjoyed using SimplyStatic also - works pretty well.

Other tools we use are Screamingfrog and WinHTTrack - love the 2nd option as it can pull an entire copy of any site. The only issues you'd run into are contact forms which need to be replaced or search functions if you're needing search in your site. Since those are generally dynamic, you'll need to use replacements for them.

So, we build in WordPress, pull the entire site with WinHTTrack, then upload those stack files to the site. Any time there's new content, we update in WordPress and pull another export. Like I said, there are plugins also, but I'm a little old-school and like lots of control :)
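An added example, not part of the post above: a small audit to run over the exported folder before uploading it, listing the forms, search boxes and links that still expect a PHP backend and so need the replacements mentioned. The names `DynamicFinder`, `audit_export` and `DYNAMIC_HINTS` are hypothetical, the hint list is an assumption about a typical WordPress install, and the sample pages are constructed.

```python
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumed list of WordPress server-side endpoints; extend for other stacks.
DYNAMIC_HINTS = ("wp-login.php", "wp-admin", "xmlrpc.php", "admin-ajax.php", "wp-comments-post.php")

class DynamicFinder(HTMLParser):
    """Collects forms, search boxes and links that still expect a PHP backend."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        action = a.get("action", "")
        if tag == "form":
            if a.get("method", "get").lower() == "post" or urlparse(action).path.endswith(".php"):
                self.findings.append(("form", action or "(self)"))
        elif tag == "input" and a.get("name") == "s":  # WordPress search field
            self.findings.append(("search", "name=s"))
        for url in (a.get("href", ""), a.get("src", "")):
            if any(h in url for h in DYNAMIC_HINTS):
                self.findings.append(("endpoint", url))

def audit_export(root):
    """Map each .htm/.html file (relative path) to the dynamic leftovers found in it."""
    report = {}
    for page in sorted(p for p in Path(root).rglob("*.htm*") if p.is_file()):
        finder = DynamicFinder()
        finder.feed(page.read_text(encoding="utf-8", errors="replace"))
        if finder.findings:
            report[page.relative_to(root).as_posix()] = finder.findings
    return report

def demo():
    """Audit a constructed three-page export written to a temp directory."""
    pages = {
        "index.html": '<form action="/" method="get"><input name="s"></form><a href="/wp-login.php">Log in</a>',
        "contact/index.html": '<form action="/wp-comments-post.php" method="post"><input name="email"></form>',
        "about.html": "<p>Plain static page</p>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, html in pages.items():
            p = Path(root, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(html, encoding="utf-8")
        return audit_export(root)
```

Point `audit_export()` at the real export directory; an empty result means no page still references the listed endpoints, a POST form or a WordPress search field.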
 
To keep our website secure and protect user data, we take a proactive approach with multiple layers of protection. Here's how we ensure everything runs safely:

  • SSL Encryption: All data transferred between our users and the website is encrypted, which protects sensitive information like passwords and payment details.
  • Regular Updates: We make sure our website and software are always up to date with the latest security patches, reducing the risk of vulnerabilities.
  • Strong Authentication: We require strong passwords and use two-factor authentication (2FA) for extra protection, especially for accounts with sensitive information.
  • Web Application Firewall (WAF): A WAF helps protect against common attacks like SQL injections and cross-site scripting by filtering malicious traffic.
  • Backups & Recovery: We back up our data daily to avoid any data loss and have recovery plans in place just in case something goes wrong.
  • DDoS Protection: Our website is equipped with DDoS protection to safeguard against attacks that aim to overwhelm our servers with traffic.
  • Continuous Monitoring: We keep an eye on website traffic for any suspicious behavior, allowing us to react quickly if a potential threat is detected.
These combined efforts ensure that our website remains secure, providing a safe experience for our users.
 
To add, the basis is: do not trust the user, always assume the worst.

Have a 2nd party backup for your website, and do extensive penetration testing. Hire people to try to hack your website and report back any vulnerability.
 
There're plenty of methods, some of them are:
- first of all to host website on a secure web server,
- firewall and mod_security rules,
- make website with the latest PHP (or other language) code, which is properly sanitized,
- if WordPress, there're plenty of firewall and security plugins (e.g. WAF)
- in all cases, proper security rules in .htaccess will protect website against many attacks or different vulnerabilities,
- professional help and security support from the hosting provider.
 