- Website Security Primer
- Website Threats
- DDoS Attacks
- Viruses and Malware
- WHOIS Domain Registration
In this guide to website security, we’re going to give you the knowledge you need to keep your website safe. We’ll go over common threats, what you can do to protect your website from them and the most secure web hosts.
Website security isn’t talked about much, but it’s an extremely important topic. Even small websites are becoming the targets of malware, spam and distributed denial of service attacks, which are used to steal private user data or distribute nasty malware.
Let’s start with an explanation of how data flows from a user to the web server and how that data transfer exposes your website to attacks.
Website Security Primer
Before getting into how your website is exposed and what you can do to protect it, you need to understand, at least on a surface level, how data travels through the internet.
Web hosting means that your website’s files are stored on a server built for fast transfer times. You could host your own website, but without the sophisticated networking and top-notch server hardware that the best web hosting providers use, it’s not practical for speed or security.
When someone accesses your website, they connect to that server and begin downloading the files temporarily so the information can be displayed in their browser. The data transfer to and from your server happens in packets, small bundles of data that contain the information for the transfer.
That opens up vulnerabilities. An interception could give away who’s connecting, as well as what server they’re connecting to, and a spoof packet could load malware onto the computer or the server.
Those two scenarios are unlikely, especially with an encrypted connection, but the process shows why website security is so important. Web-based threats not only pose an issue to your website, but to your personal files and visitors’ information, as well.
There needs to be protection at all steps in the process. Some comes from your web host, some comes from the user and some comes from you. First, we’re going to take a look at the threats posed to your website and then ways you can ward them off.
Website Threats
Below are some of the most common threats you’ll face after setting up a site.
Spam is annoying and, for the most part, that’s the worst thing about it. Some spam bots have more malicious intentions, though, and can overload your server or earn a spot on Google’s blacklist. We’ll talk about the latter later in this section.
In most cases, comment spam is used by bots to place backlinks to other websites on your domain. It’s used to increase search rankings since backlinks are good in Google’s eyes. Google has factored in this sort of comment spam and buried URLs that take part in it. The problem persists, though.
Spam has two consequences. The first is speed. If users must register to comment, the database of users your website carries can easily be gummed up. WordPress, in particular, suffers from a load of comment spam, so there are plugins you can use to mitigate the problem.
The links posted by spam bots could be malicious, which is a more serious problem. Other users might click on those links and install malware on their machines. Plus, Google’s crawl bots can recognize malicious URLs and rate your website as unsafe.
To keep your website running as fast as possible, and to protect your users and organic search traffic, it’s important to avoid spam like the plague.
DDoS Attacks
DDoS attacks have received much more press in recent years, mainly because of Operation Payback, which targeted major credit card outlets such as Visa and Mastercard in protest of the U.S. government’s attempt to censor Wikileaks.
DDoS attacks are meant to deny other users access to a particular website. Attackers overload a web server with traffic to take it offline and often keep the pressure on so the host has a difficult time getting the server back up.
Attacks are usually done with spoofed IP addresses or botnets, which are large networks of compromised computers that the attacker has remote access to. As hysteria around DDoS attacks has increased, so have protective measures.
Though DDoS attacks typically target one particular website, meaning most will not be affected, they can be one step in a more nefarious plan in which the attacker follows up with malware.
Viruses and Malware
Malware is the biggest threat to websites. Malware is short for malicious software, and many people refer to it as a “virus.” No matter what moniker you use, it poses a serious threat to you and your visitors.
Websites, even more so than your personal computer, are prime targets for malware for many reasons. They can be used to gain access to private user data, eat up web server resources or display a message for the hacker, especially if you have a high-traffic website.
In other cases, malware is used for financial gain. A hacker may gain deep user permissions and use that to place advertisements or affiliate links. In the worst case, a hacker uses a website as a distribution platform for malware by embedding links throughout it that download a malicious package on the visitor’s machine when clicked.
The best protection is to use a malware monitoring service, which we’ll talk about in a later section. Careful monitoring of your website’s load times, files and traffic can also help you see if there’s malware in your files.
WHOIS Domain Registration
Every website needs a domain and, when you register yours, your personal information is tied to it. It doesn’t take a clever hacker to figure out how to find that information, either, which paints a virtual target on your back for spam and solicitation.
WHOIS information is required to register a domain. Think about it like buying property. The company that issues the property needs to know who owns it and how to reach them and so does the public. The country you live in may play a part in how much information you need to hand over to register.
Outside of your email, name, address and phone number, WHOIS data contains information such as the domain’s nameservers, which, on its own, isn’t concerning. Nameservers answer DNS queries for the domain and point visitors to the servers that host it. In many cases, web hosts maintain multiple nameservers for their various types of hosting.
While a hacker shouldn’t be able to pin down exactly what server you’re using, it can give them a clue as to what area you’re located in. It’s been proven time and again that any data a hacker has will be used exhaustively, so even that small sliver could provide a gateway to your web server.
Search engine blacklists are an under-addressed threat to your website. In most cases, blacklists have a positive impact, weeding out websites that participate in keyword spamming or have been compromised. Even with good intentions, though, your website could make it onto a blacklist and, once you’re there, it’s hard to get off.
Search engines need to protect users who are clicking through search results. Because of that, if Google’s crawl bots notice anything suspicious in your code, you’ll get blacklisted.
Though not a direct security threat, being blacklisted still has consequences for your organic search traffic. It’s a byproduct of lousy security measures that can ruin your website’s reputation and traffic flow in the eyes of a search engine.
Now that you know the common threats posed to your website, let’s take a look at the steps you can take to protect it.
How to Keep Your Website Safe
Here are a few simple tips that will protect your site. All of them are easy enough to implement, though not all are free.
Use a Firewall
The internet is, in a word, untrustworthy. The server your website is hosted on is trusted or, at least, we hope so. It’s used to connect the rest of the untrusted internet to your online files, though. Going at it unprotected, especially with web hosting, lets potential viruses come too close for comfort. That’s where a firewall comes in.
Imagine there’s a fire and you have a brick wall to protect yourself from it. That’s essentially what a firewall does. There are two forms that web hosts use to protect your website.
Hardware firewalls sit between your server and the rest of the internet. They tag packets as they come into the server to determine where the data is coming from. As this process goes on, the firewall can figure out what transfers should be happening and block those that shouldn’t be.
Most people are familiar with software firewalls, especially if they use Windows. Software firewalls monitor things such as incoming IP addresses, download rates and transfer times. Traffic that doesn’t fit in the lines that the software draws is blocked to prevent damage.
If you’ve installed software on Windows that connects to the internet, you’ve seen a software firewall in action.
Hardware and software firewalls provide the best security when used in conjunction. There shouldn’t be a major security difference between the two, so using both provides two steps of monitoring to make sure that traffic flowing to and from your website is safe.
Enable DDoS Protection
Firewalls help with DDoS attacks by spotting spoofed source IP addresses before the flood builds. In the case of a botnet, though, every IP address is unique and real. A firewall can’t keep up, as the traffic flowing to and from your website looks legitimate, just at an increased rate.
That’s why DDoS protection exists or, more accurately, DDoS mitigation. DDoS attacks try to crash a web server by flooding it with traffic. With a content delivery network such as Cloudflare, that traffic can be broken up to travel through a distributed network of servers and absorb the hit.
By routing traffic intelligently, the CDN can protect your website from downtime without blocking legitimate users. That is advantageous as software-based DDoS protection may block a sudden spike in traffic even if it’s warranted, such as after launching a new product or being featured on a major media outlet.
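The paragraphs above make a point that is easy to miss: a per-source rate limit stops a single flooding address, but a botnet spreads the same load over many addresses, and a launch-day spike from real visitors produces the same aggregate numbers as that botnet. The following sliding-window analysis is an added example written for this guide, not code from the article or from any host or CDN it mentions. The three traffic scenarios are constructed with documentation IP ranges (203.0.113.0/24, 198.51.100.0/24) and the thresholds are assumed values, not recommendations.

```python
from collections import defaultdict, deque


def analyze_traffic(events, window_s=5.0, per_ip_limit=100, global_limit=1000):
    """Sliding-window request counting over (timestamp_seconds, client_ip) pairs.

    events must be sorted by time. Returns:
      blocked_ips  - sources that exceeded per_ip_limit inside any window
      peak_rate    - the highest number of requests seen in any window
      global_alarm - True if peak_rate exceeded global_limit
    """
    per_ip = defaultdict(deque)   # recent timestamps per source address
    recent = deque()              # recent timestamps across all sources
    blocked = set()
    peak = 0
    for ts, ip in events:
        q = per_ip[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:      # drop timestamps older than the window
            q.popleft()
        if len(q) > per_ip_limit:
            blocked.add(ip)
        recent.append(ts)
        while recent and ts - recent[0] > window_s:
            recent.popleft()
        peak = max(peak, len(recent))
    return {"blocked_ips": blocked, "peak_rate": peak, "global_alarm": peak > global_limit}


def build_scenarios():
    """Constructed traffic, 1,200 requests in five seconds for each scenario."""
    # One address hammering the server: 1,200 requests spread evenly over 5 s.
    single = [(i * (5.0 / 1200), "203.0.113.7") for i in range(1200)]

    def spread(prefix, clients=240, rounds=5):
        # Each of `clients` addresses sends one request per round, one round per second.
        out = []
        for k in range(rounds):
            for i in range(clients):
                out.append((k + i / clients, f"{prefix}.{i + 1}"))
        return out

    return {
        "single_source_flood": single,
        "botnet_flood": spread("203.0.113"),        # many bots, each well under the per-IP limit
        "launch_day_spike": spread("198.51.100"),   # many real visitors, identical rate profile
    }


if __name__ == "__main__":
    for name, events in build_scenarios().items():
        result = analyze_traffic(events)
        print(f"{name:20s} peak={result['peak_rate']:5d} "
              f"alarm={result['global_alarm']} blocked={sorted(result['blocked_ips'])}")
```

Run as a script, the single-source flood is the only scenario that produces a blocked address, while the botnet and the legitimate spike trip the global alarm with identical numbers. That is why the article recommends absorbing volume through a CDN rather than relying on a threshold that would also cut off real visitors.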
There are many web hosts that partner with Cloudflare to protect your website from DDoS attacks and speed up delivery of static content in the process. Bluehost and A2 are two that come to mind (read our A2 Hosting review).
Install an Antivirus and Clean Your Website
You can’t install AVG on your website and get to work (be sure to read our AVG review to clean your local machine, though), but there are dedicated monitoring and cleaning tools for websites. Using one can be the difference between a compromised website and a healthy one.
Usually, they’re going to cost you and the fee will be hefty if your website has already been compromised. There are some hosts, such as HostGator and iPage, that include protection with your hosting package courtesy of SiteLock, though. Read our HostGator review and iPage review to learn more about those providers.
If your host doesn’t include protection, there are many other options. SiteLock is a good choice, but you could use Sucuri or Cobweb Security, as well. Both offer free scans of your website, too.
Purchasing a program like those can be expensive, but they offer a lot of upside. You get constant malware monitoring and removal, full hack recovery, blacklist monitoring, virtual patching, DDoS mitigation, CDN performance and more. If it’s in your budget, getting a protection package should be all you need to keep your website safe.
Register Your Domain Privately
When you register a domain with WHOIS, your name, address, phone number and more are tied to it and displayed publicly. Sometimes you can get by with less information, but that depends on what country you register from.
Private domain registration is, unfortunately, a paid service that’s essential to protecting yourself and your website. The domain registrar will replace your information with theirs, so no one will be able to look up who you are on the online database.
For example, if you register a domain with GoDaddy (read our GoDaddy review) and choose to do so privately, GoDaddy’s name, mailing address, phone number and email will show instead of yours.
Install an SSL or TLS Certificate
Using an SSL certificate on your domain is one of the most practical ways to protect your website and its users. Unencrypted data transfer is a gift for snoopers as it allows them to steal, intercept or compromise your data.
That is especially important when transferring personal information. If, for example, you run an online store, an SSL certificate is essential. If you don’t have one, your buyers’ credit card info, addresses, names and more are sent thousands of miles without protection. Plus, selling products online without an SSL certificate is a surefire way to make Google’s blacklist.
When you have a certificate installed, your web server will connect to your visitor to complete a TLS handshake. If everything is as it should be, a secure connection will be opened between the user and the web server to encrypt data traveling between them.
That adds load time to your website, which is why some SSL certificates are more expensive than others. Some provide more security with slower loading times and vice versa. The SSL certificate you need depends on your website’s purpose.
Many web hosts, such as Dreamhost, bundle SSL certificates in their packages for free. We’ll talk more about Dreamhost in the best secure web hosting section below.
You may see these referred to as TLS or SSL/TLS certificates, as well. SSL, as a protocol, has been superseded by TLS, currently in version 1.2. SSL certificates still work with the TLS protocol, though. It’s confusing, so make sure to read our SSL vs TLS piece to learn more.
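The handshake described above only protects visitors if the client actually verifies the certificate, the hostname and the protocol version. The snippet below is an added example for this guide, not code from the article or from any host it names, using Python’s standard `ssl` module. It builds a client context that enforces TLS 1.2 (the version the text mentions) and certificate verification, audits a context for those settings, and checks a certificate’s expiry and hostname coverage. The certificate dictionary is constructed in the shape `SSLSocket.getpeercert()` returns; `example.com` and the dates are placeholders.

```python
import ssl
from datetime import datetime, timezone


def hardened_client_context():
    """Client context that verifies the server certificate and hostname
    and refuses any protocol version older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """The configuration to avoid: verification switched off, so any
    interceptor with a self-signed certificate is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be disabled before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx):
    """Audit a context: hostname check on, certificate required, TLS >= 1.2."""
    return (ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def hostname_matches(cert, hostname):
    """Check the certificate's DNS subjectAltName entries against hostname,
    allowing a single leading wildcard label (*.example.com)."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            # wildcard covers exactly one label: same label count, same suffix
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Days remaining before notAfter; negative means already expired."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = now or datetime.now(timezone.utc)
    return (not_after - now.timestamp()) / 86400


# Constructed certificate data (placeholder domain and dates), not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Mar  1 00:00:00 2030 GMT",
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}


def audit_certificate(cert, hostname, now=None, warn_days=14):
    """Return a list of findings a monitoring job would report."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append(f"certificate does not cover {hostname}")
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("certificate has expired")
    elif days < warn_days:
        findings.append(f"certificate expires in {days:.0f} days")
    return findings


if __name__ == "__main__":
    print("hardened ok:", context_is_hardened(hardened_client_context()))
    print("weak ok:", context_is_hardened(weak_client_context()))
    print(audit_certificate(SAMPLE_CERT, "shop.example.com"))
```

The same `audit_certificate` check, fed with `getpeercert()` output from a real connection, is a cheap way to catch an expiring or mis-issued certificate before visitors see a browser warning.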
Other Website Security Tips
With those mainstays out of the way, let’s look at some miscellaneous tricks to help keep you secure.
Update Your Software
Updates aren’t always for improving performance and adding new features. Sometimes, they’re for fixing vulnerabilities that were unknown. Because of that, it’s important to update your software regularly to make sure you have the most recent threats covered.
That is especially true for WordPress, as the platform and every plugin you use are potential security threats. Installing WordPress plugins that are no longer supported by their developers isn’t a great idea for that reason. They aren’t configured to guard against the latest exploits.
Unfortunately, updating immediately isn’t the best option, either, as new versions of plugins can be incompatible with others. It’s important to back up your website regularly using online backup services so you can revert to a previous version in the event of an incompatibility.
If you’re using WordPress and want to know more, read through our three-piece series on using the content management system.
- Beginner’s Guide to Using WordPress
- Intermediate Guide to Using WordPress
- Advanced Guide to Using WordPress
Monitor Your Security
It may seem obvious, but constant monitoring of your website’s security status is imperative for warding off potential attacks. Make sure to note spam rolling through, unwarranted spikes in traffic and suspicious behavior.
There are many WordPress plugins that help with monitoring. Jetpack and Akismet Anti-Spam are the de facto options, but you can go deeper with plugins like Sucuri. If you’re not using WordPress, common sense and frequent security checkups should do the trick.
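One form of the monitoring recommended here, and of the file checks mentioned earlier under malware, is a file integrity baseline: hash every file on the site once, then compare on a schedule so injected or altered files stand out. The script below is an added example written for this guide, not code from the article or from any plugin or host it names. It uses only the Python standard library; the demo builds a small constructed site in a temporary directory, simulates a changed `index.php` and an unexpected PHP file in the uploads folder, and reports the difference.

```python
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map each regular file under root (relative, forward-slash path) to its SHA-256."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def diff_snapshots(baseline, current):
    """Classify paths as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def run_demo():
    """Constructed scenario: baseline a tiny site, simulate tampering, report the diff."""
    with tempfile.TemporaryDirectory() as site:
        _write(site, "index.php", b"<?php echo 'hello'; ?>\n")
        _write(site, "wp-config.php", b"<?php define('DB_NAME', 'placeholder'); ?>\n")
        _write(site, "wp-content/uploads/logo.png", b"\x89PNG\r\n\x1a\n")
        baseline_path = os.path.join(site, "..", "baseline-demo.json")
        save_baseline(snapshot(site), baseline_path)

        # Simulated tampering: index.php changes, a PHP file appears under uploads.
        _write(site, "index.php", b"<?php echo 'hello'; ?>\n<!-- unexpected change -->\n")
        _write(site, "wp-content/uploads/x.php", b"<?php /* simulated unexpected file */ ?>\n")

        report = diff_snapshots(load_baseline(baseline_path), snapshot(site))
        os.remove(baseline_path)
        return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In practice the baseline file lives outside the web root (an attacker who can write to the site could otherwise rewrite it too), and the job re-baselines only after a deliberate update or deploy.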
Choose Your Server Carefully
As long as your web hosting provider implements the same security measures on all its servers you should, in theory, have the same level of protection. That’s not the case, though, and spending extra money on a more robust server may come with unintended security benefits.
The concern is shared hosting. It is inherently less secure as you’re sharing the same server with multiple other websites. If one of those websites is targeted for an attack, information on your website can be gathered.
Either through reverse IP lookup or purchasing a website on your shared server, a hacker can gain access to the files of all other websites on that server. In years past, that was accomplished with a symlink bypass on the server. Most web hosts have patched or upgraded their shared servers to protect against those attacks since.
Still, hackers are clever little devils and there’s no shortage of new schemes being thought up. Shared hosting is a cost-effective option for creating a website, but it puts you at a disadvantage in terms of speed and security.
Scan Your Local Computer
Your local machine may be a serious security threat to your website. Some malware is written to steal FTP logins and inject malicious files into websites. Using the best antivirus software can help bypass the whole debacle.
It’s important to run deep scans of your machine on a regular basis, especially if you commonly download files online. Even executables that seem trustworthy can come with unintended partners, so a strong antivirus can keep your mind at ease.
We’ve found through our antivirus reviews that Bitdefender is the most secure option. It received excellent marks in our hands-on testing and from the three independent labs we consulted. It also has an excellent user experience and a low price tag, which you can read about in our Bitdefender review.
Change Your Passwords
No matter what platform you build your website on, you’re going to have to prove you are who you say you are with a username and password. If you’re using a CMS such as WordPress, there’s twice the risk, especially if you’re using the same password for it as you are for your web host.
As with any account, someone can snag your password through brute force or by installing a malicious application, and then load a slew of nasty files into your database. For the best protection against that sort of attack, you need to use a password manager.
Password managers are among the few security tools that increase protection while making the user experience easier. The key to protecting your web hosting accounts, whether it’s your cPanel or WordPress login, is using a random, unique password for each link in the chain.
We rated Dashlane as the best password manager during our comparison of the 10 market leaders. It automatically fills in login fields and can generate long, unique passwords that are next to impossible for a machine to guess. Dashlane’s security is the best in the industry, so no one can nab your passwords from the remote server. Learn more in our Dashlane review.
Additionally, make sure your web host offers two-factor authentication. It’s the most practical way to add an extra layer of security without extra cost. If you want to learn how to enable it on your own, make sure to read our guide to the best 2FA apps.
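The two recommendations above, long random unique passwords and two-factor authentication, both rest on small pieces of well-specified math. The code below is an added example for this guide, not code from the article, from Dashlane or from any host it names. It generates a password with the `secrets` module and reports its entropy, and it implements the HOTP/TOTP one-time-password algorithms (RFC 4226 and RFC 6238) that authenticator apps use, checked against the published test vector secret `12345678901234567890`. The `window` tolerance is an assumed value.

```python
import base64
import hashlib
import hmac
import math
import secrets
import string
import struct
import time

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from a CSPRNG; one per account, never reused."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy for a uniformly random string of this length and alphabet."""
    return length * math.log2(len(alphabet))


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HMAC-based one-time password."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 time-based one-time password for the given Unix time."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret, code, at_time=None, step=30, window=1):
    """Server-side check accepting the current step plus `window` steps of clock skew.
    Uses a constant-time comparison so timing does not leak partial matches."""
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def provisioning_secret(secret):
    """Base32 form of the shared secret, the format authenticator apps import."""
    return base64.b32encode(secret).decode()


# RFC 4226 / RFC 6238 test-vector secret (public, never use in production).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    pw = generate_password()
    print(f"password: {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
    print("app secret:", provisioning_secret(RFC_SECRET))
    print("current code:", totp(RFC_SECRET, time.time()))
```

Enrolling a user means generating a fresh random secret (`secrets.token_bytes(20)`), showing `provisioning_secret()` once, and storing the secret server-side as carefully as a password hash; every later login calls `verify_totp()`.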
The Best Secure Web Hosting
All this DIY stuff is pretty cool, of course, but there are a few web hosting services that have top-notch security built in. Let’s take a look at a few of our main contenders.
Dreamhost is one of the most secure web hosts, at least, among those with a reasonable price. All the protocols it uses adhere to the latest standards and there’s a bundle of security goodies for extra protection.
All hosting comes with domain privacy and an SSL certificate for free. You may be able to find one or the other for free, but Dreamhost was the only one we found that offered both.
Dreamhost also has a built-in malware removal tool. It’ll run you a few bucks more per month, but the cost is easily outweighed by the benefits. Dreamhost scans your website weekly for malware and vulnerabilities and notifies you of any over email. In the event it finds malware, the tool will automatically clean it from your website.
You can notify Dreamhost of a false positive and it will update its database and restore whatever code was removed.
Security is one of many reasons Dreamhost made it onto our best web hosting for WordPress list. You can read more about security measures, features and speeds in our Dreamhost review.
Bluehost is revered as a secure web host across all of its plans. You get a variety of spam tools to keep your inbox clean, protection against malware and DDoS attacks, a CDN and an SSL certificate.
Shared plans, which are the cheapest available, come with Cloudflare integration, SpamExperts, domain privacy, a Let’s Encrypt SSL certificate and automatic backup through CodeGuard Basic.
Bluehost protects against the risks of shared hosting, too, with resource management. If Bluehost notices a website taking excessive resources, it’ll move it to an isolated hosting environment for evaluation. That keeps your performance running smoothly and defends against a malicious website or DDoS attack on your server.
WordPress services use a heftier set of security tools. Plans include SiteLock Professional, which features automatic malware removal, daily scans, FTP monitoring and reputation management. You’ll also get access to SiteLock’s web application firewall to protect against malicious traffic.
Bluehost is an excellent choice for security, but also for speeds and price. You can read more about those in our full Bluehost review.
Kinsta is a more expensive managed WordPress host, but the cost is offset by its features. You get a security guarantee, meaning, if your website is hacked while Kinsta is hosting it, it’ll be cleaned and repaired free of charge.
Kinsta uses proactive protection to guard against hacks. Your website is checked every five minutes for uptime — that’s 288 times per day — to ensure that the server hasn’t crashed from a DDoS attack or anything else.
Kinsta only supports SFTP and SSH connections, too, which means data uploads are encrypted.
In the event an attack makes it through those security layers, Kinsta will do a few things. It’ll sweep your files to identify malware, rebuild the WordPress core, change SFTP, SSH and database passwords and remove any infected themes or plugins. If something is removed that shouldn’t be, you can restore your website with one of Kinsta’s automatic backups.
Kinsta has attracted clients such as Ubisoft, General Electric and Intuit due to its excellent security and speeds. Read more about it in our Kinsta review.
Hackers often go after the largest pod of users they can access. Because of that, website security is an uphill battle and your risk gets higher as your traffic increases. Even so, web hosts have begun adding protection for malware, DDoS attacks and more to mitigate those issues.
Implementing the latest in protection doesn’t have to be costly. Our best cheap web hosting guide, for example, has options with practical protection for a few dollars per month. That, along with knowledge of threats online, should be enough to keep your website secure.
What protective measures are you implementing on your website? Let us know in the comments below and, as always, thanks for reading.