Web Security: How to Secure a Website – Comprehensive Guide (2025)

By Rosan Baral
Updated On - January 3, 2025
34 Comments
Reading Time: 28 Minutes

The topic for today is Website Security, and it’s interesting as well as challenging to discuss as it changes every minute or even seconds.

The popular queries around the internet;

How to secure a website?
How to implement web application security?
Is this website safe?

This comprehensive guide provides a clear framework for site owners to secure their websites from hackers and security vulnerabilities.

Before diving into in-depth strategies, let’s know about website security’s general aspects.

What is Website Security?

Website security is a managed process or action taken to protect a website from different attacks or exploitation. It is an ongoing strategy and a crucial part of website management.

Why is Website Security Important?

Let’s put this discussion with an example first.

The Question: What would happen if you leave your home unattended or unlocked when you are away?

The Answer: There is a 50/50 chance that either your home gets robbed and smashed, or nothing happens because it’s your lucky day.

We hope you and your family and friends don’t have to deal with this situation in the real world and wish you are lucky every day.

But the same thing can’t be assumed for the security of your website.

There are numerous ways people or bots can attack your site or web application.

So, you must take web security as a serious threat. Why?

To protect it from hack attempts and malware.
To prevent a data breach for your clients or business.
To improve your search engine rankings.
To stop attackers from abusing web server resources.
To block phishing campaign emails from your website and lots of other reasons.

You have put a considerable amount of time and effort into your website. What would happen to your online presence if an attacker gains access to your website?

So, you need to implement active security measures to defend against these attacks and improve website security.

Companies spend millions on security, and it’s money wasted. None of these measures addresses the weakest link in the security chain - Kevin Mitnick ( The World’s Most Famous Hacker)

Why and How do Websites Get Hacked?

According to Internet Live Stats and Google, “There are over 1.73 Billion websites on the internet, and over 113,000 websites get hacked daily.

Depending on who you are, the results can vary. Some of the main reasons;

Commercial Gain – Your competitors or enemies can benefit from your downfall. What would happen if Google Chrome gets hacked today? Bing gets the audience. Just saying!
System Resources – The business of renting system resources is a big trade and a huge motivator for many cyber groups.
For Fun – There is a good chance that sometimes these attackers are computer-savvy people with nothing else to do except hack websites.
Online Protest – Hacktivists will damage websites to gain attention and spread their word instead of yelling and burning wheels on the streets.
Money – Does this need an explanation? I don’t think so.

You can be sure that website security threats are here to stay, and hacking will get advanced every minute or second, day by day.

But to operate and be successful with the hacking attempts, one needs to break the barrier between the web servers and applications.

But how exactly do websites get hacked?

There are millions of ways that a website can get hacked. It’s a vast issue in reality.

Cyber-threat is mainly a reflection of our weaknesses. An accurate vision of digital and behavioral gaps is crucial for a consistent cyber-resilience - Stephane Nappo

The most common and popular ways a website can get hacked are listed below;

Data Leakage – The biggest issue is Data Leakage in today’s online world. A famous example would be the Data Breach of Linkedin, where 117 Million accounts were compromised and sold on the black market.
Weak Passwords – This is the easiest way to lose access to your login credentials. A weak password can easily be decrypted with today’s technological advancement.
No Regular Updates – In addition to fixing bugs or glitches, the regular updates typically come with security enhancements. People make the mistake of implementing inconsistent updates.
Not Limiting User Permissions – Neglecting to limit the user permissions can be a recipe for disaster. Not every employee or client of your business should have access to your server configuration.
Using Insecure Protocols – Protocols might include not using encryption technology, visiting untrusted websites, weak web server security, and cracked software.

Even though there are several methods by which websites can get infected, the number one reason would be negligence from people.

And second would be poor code implementation in general.

There are two typical ways people use precautions for website security;

Precautions used after the incident.
Precautions used before the incident.

Let’s compare these topics to human health for easy understanding.

Would you prefer to take care of your teeth and avoid a dentist visit, or would you choose not to give a damn about your teeth and wait for a dentist’s visit?

As you can notice, it ultimately comes to your personal preferences. Still, even though it’s about your preferences, it’s a wise decision to take care of your teeth and avoid visiting a dentist.

On the contrary, it would be profitable for your health.

Ultimately, you can save an ample amount of time and money.

So, you can see for yourself why you need to be one step ahead of your attackers.

The same philosophy integrates with website security. It’s nearly impossible for any website to be 100% secure in today’s context, but you can make this challenging for attackers.

You should know that recovering a hacked website is more expensive than managing a web security plan beforehand.

Consider your website as a "Glass" in an online world. You need to polish it every day and try to make it shiny compared to your competition so that your audiences can see through your website.

TWEET

You need to be aware that there are many ways to join a broken glass, but it will leave a mark on its structure once broken.

So, it’s wise to protect your website beforehand, then wait for the disaster to arrive your way.

Now that you have a rough idea of how web security works, let’s dive into strategies to mitigate risk and implement security protocols for your site security.

Website Vulnerabilities and Mitigation Plans

A website can get hacked or attacked due to many factors. Still, some of the leading and widely used cyberattacks are discussed below.

1) SQL Injections

These types of injection attacks are very effective. The attacker attempts to access or alter the user input or SQL query of a web system by manipulating the user-supplied data to a website database.

This attack is a high-risk threat because, if successful, the attacker can alter the user-submitted data to his desired outcome instead of the information expected from the website database.

What are the impacts?

Sensitive data from the website database, including personal information and hash files, can be read.
Database queries can be altered. They can be edited, deleted, or even updated.
An attacker can obtain persistent backdoor access into an organization’s systems in some circumstances.

What are the mitigation plan to prevent SQL Injection?

Use prepared or parameterized queries.
Validate user input data.
Limit user privileges.
Use stored procedures.
Hide info about the error message.
Encrypt database credentials and store them in a separate path.
Disable shell access and other related functionalities if not in use.

To avoid a SQL Injection Attack, you always need to be cautious and be prepared for the worst. Don’t forget to validate and sanitize all the user interactions.

2) Cross-Site Scripting

Cross-Site Scripting is also known as XSS Attack in a technical term.

These security vulnerabilities usually inject a malicious script that is executed on the client-side, such as a browser or application’s output.

These flaws can occur when the application or script takes untrusted data and sends it through a web browser or application without any proper validation.

These flaws could potentially lead to a site takeover.

What are the impacts?

XSS Attack can result in the user’s session cookie being disclosed. It allows attackers to take over the user’s account and manipulate their sessions.
Disclosure of end user’s files.
Install malware and spyware.
Leakage of sensitive data.
Creating falsified information and targeting client-side users.

What are the mitigation plan to prevent Cross-Site Scripting?

While cross-site scripting attacks can be hard to predict and detect, the best practice would be to validate and sanitize the vulnerabilities.

It will help to utilize web application firewalls to reduce and prevent XSS attacks.

8) Use a Website Security Service

I understand that people sometimes don’t have enough time to take care of every aspect of the website due to their tight schedules.

It’s good to be occupied rather than playing PUBG on your mobile phones. Just saying!

If these situations occur, asking for help from the web security service providers is the right decision.

These companies or organizations are well equipped with website security tools and experts to help you know the security risks.

Before you choose the provider, you might first want to get the answer to this question;

Are the malware cleanups manual or automatic?

Many organizations or companies use automated bots to clean up infections, which are not bad. Still, you need to know that human beings create every technological advancement.

There is a good chance that bots won’t clean every infection. So, you need to pick a provider with professional security analysts working on-site, 24/7.

Additional Questions;

Is the service charged per site or page?
What kind of protection can they provide?
How easy is the setup?
Is there ongoing protection after the cleanup?
How do they respond after an incident occurs?
Do they monitor search engine blacklists?
Do they stop SEO spam?
What about virtual patching?
Is there a limit on cleanup service, or is it unlimited?
Do they run regular automatic backups?
Is the website firewall included in the service?

Using a web security service is like paying a premium to your insurance company.

You don’t pay because you expect something wrong to happen, but instead, you pay; if something happens, you have a backup to cover the costs.

Security Practices for Widely Used CMS (WordPress Security)

CMS, usually known as Content Management Systems, is widely used nowadays.

CMS provides a well-structured and functional framework platform for website owners or organizations to create different types of website developments.

Site owners use Content Management Systems for ease of use and low cost compared to custom website development.

Most CMS exploits rely on browsers, so you need to take CMS Security as a serious commitment and perform regular security scans to protect your site.

Top 10 CMS currently in the market;

WordPress
Wix
Squarespace
Joomla
Shopify
Drupal
Blogger
Prestashop
Magneto
Weebly

Even though there are lots of CMS available in the market, we will discuss the Top Open-Source CMS (WordPress) at the moment.

Don’t worry! The above strategies will help you mitigate risk and protect your website from hackers and security vulnerabilities, whether CMS or custom development.

You should be aware that “Something is always better than Nothing” in the business environment.

WordPress Security

Well! Where to start?

WordPress is an open-source platform that is a big hitter in the website market with the highest CMS share. As of December 2022, WordPress has a 67.15% share in the CMS market.

To clear the confusion, we are talking about wordpress.org, the robust and self-hosted platform.

WordPress isn’t going anywhere, so you can be sure WordPress will be growing over the coming years. With popularity comes the risk of high numbers.

So currently, WordPress websites are among the highly trafficked sites.

I assume you have gone through the above security vulnerabilities and mitigation plan to understand web security. If you haven’t, you can skim through, before, or after this discussion.

Now let’s discuss the security practices you can use to secure your WordPress and stop the attacks.

1) Change the Database Prefix

Before setting up a new WordPress installation, make sure to change the database prefix, which is usually wp_ as a default setting.

You can find these settings in the wp-config.php file. To alter the prefix, change the default setting to your desired name;

				
					$table_prefix = 'wp_';

				
					$table_prefix = 'yourchoice_wp_againyourchoice'

If you already have installed WordPress with the default database prefix, then go through this well-written tutorial on how to change the WordPress database prefix by Zuziko.

Even though you can change the database prefix using Plugins, we don’t recommend it.

2) Rename your Login URL

It’s no surprise that lots of attacks happen on the default login page. Some bots are programmed to recognize and exploit the default WordPress login page.

You can change the Login URL manually, which needs some coding skills. Even though it’s possible to manually change the login page, this is not a good idea for a couple of reasons;

The login page re-creates a new hash file every time you update WordPress. That means you need to change the URL again.
Sometimes, it can cause issues with other important site functionality. If it’s a staging site, not a problem, but if it’s a live site, you know the outcome.

Before you test the codes, make sure you have taken a backup because a wrong configuration in wp-login.php can make your website inaccessible.

Manually make changes in the wp-login.php file;

				
					function wp_login_url( $redirect = '', $force_reauth = false ) {
$login_url = site_url( 'wp-login.php', 'login' );
if ( ! empty( $redirect ) ) {
$login_url = add_query_arg( 'redirect_to', urlencode( $redirect ), $login_url );}

if ( $force_reauth ) {
$login_url = add_query_arg( 'reauth', '1', $login_url );}

/**
* Filters the login URL.
* @since 2.8.0
* @since 4.2.0 The `$force_reauth` parameter was added.
* @param string $login_url The login URL. Not HTML-encoded.
* @param string $redirect The path to redirect to on login, if supplied.
* @param bool $force_reauth Whether to force reauthorization, even if a cookie is present.
*/

return apply_filters( 'login_url', $login_url, $redirect, $force_reauth );}

You can use the WPS Hide Login plugin if you don’t want to take the coding hassle, which doesn’t involve manual coding.

This is the plugin we recommend to change the login URL for your website. This plugin is regularly maintained, and the authors quickly address and release the security patches.

3) Remove Default Username Account

Just because there is a default setting doesn’t mean it’s safe to use the default setting for system configurations.

WordPress now usually requires you to select a custom username at the time of setup for a new installation.

However, some organizations offering the famous 1-Click Installation scheme still set the default username to admin, Ufff!

Since you can’t create usernames by default, you can use these steps down below;

Select Users > Add New from your WordPress Dashboard and then start the process.
Now, create a new admin username. Don’t forget to delete the old one, and while you delete it, make sure to attribute your content from your old account to the new one if necessary.
Set the Role to Administrator so that you can delete the old account.
Use WordPress Plugins (Not Recommended).
Update username from phpMyAdmin.

Use unique usernames with strong passwords and remove the default admin account in your WordPress installation.

All an attacker needs to do is figure out the password. Then your entire site gets into the evil hands.

4) Use Two-Factor Authentication

You must utilize Two-Factor Authentication for your login credentials to prevent hackers from gaining access to your site.

It acts as an additional security layer. It can be the regular passwords followed by a secret code, secret questions, phone number verifications, or the OTP (One-Time Password) codes.

The popular plugins that do the job well are listed below;

Why does this strategy work? Because it’s almost impossible for attackers to have both your password and your two-factor authentication credentials.

5) Utilize the Security Plugins

Sometimes, it’s better to leave the hard work to the professionals or automated tools so that you can relax your mind and loosen up your schedule.

That’s where WordPress, as CMS, stands out as it has lots of resources to fulfill every demand of the consumers.

There are lots of plugins and vendors working together to create a secure environment for WordPress.

Security plugins can handle a lot of back-end and front-end security protocols for your website.

Some of the features;

Strict-Transport-Security
X-Frame-Options
Active security monitoring
File scanning
Malware scanning
Blacklist monitoring
Public-Key-Pins
Content-Security Policy
X-Content-Type
WordPress Security hardening
Post-hack actions
X-XSS-Protection
Firewalls
Compatible settings for Content Delivery Networks (CDNs)
Brute force attack protection
Much more…

The popular and rigid WordPress Security Plugins are listed below for your ease;

Ultimately, it’s all about selecting the most reliable way to keep the attackers away from your website.

Some security plugins have price tags. You should consider paying if it's necessary. You should know that there is nothing like a free lunch or a product while doing business.

TWEET

A security breach on your site can cause some unrecoverable severe damage to your business. So, you need to be one step ahead of the attackers.

6) Choose your Hosting Provider Carefully

As I have already touched on this topic in the above discussion, I want to remind you again that you need to be vigilant while choosing your hosting provider.

As we are talking about WordPress Security, I recommend you choose a hosting provider with separate infrastructures and resources for WordPress websites only.

In general, look for Managed WordPress Hosting providers. These providers custom builts web servers framework with WordPress in mind.

Again, just a few keywords on Google, and you can find lots of providers on the market.

Generally, the company should monitor your sites every minute with tight software-based restrictions in place with 24/7 professional security analysts on-site.

They should protect your site from different malicious attacks and continuously add new security patches every now and then.

7) Regularly Audit WordPress Themes and Plugins

As you know, a coin has two sides. Head and Tail.

Likewise, WordPress has also its Pros and Cons. And those cons usually arise from vulnerable themes and plugins.

You might guess why you should consider auditing themes and plugins.

But believe me, you should never trust anyone 100% in terms of online security.

You should always keep some administrative access only to yourself, which even excludes your team members. Themes and plugins are way out of the league for full trust.

Let me demonstrate this discussion in the example below.

Think WordPress like a White House and Staffs as Themes and Plugins.

You must be aware that the staff has access to the White House with high-grade weapons.

Even though the staff are well trained and paid for their duties, what would happen if the team with full access did something wrong? The outcome would be disastrous.

You can think of the exact scenario with the WordPress environment.

The themes and plugins are working within the WordPress environment, and they have access to the back-end and front-end of your platform.

So, you need to be very careful to grant access. You should always consider using reputable, well-built, durable themes and plugins for your WordPress websites.

The best option would be to do market research and check out the reviews and codes before installing any themes and plugins.

8) Use SSL Technology to Encrypt Data

You need to install SSL technology to encrypt information. From a search engine optimization view, it’s a ranking factor.

You can purchase an SSL Certificate from third parties and install it on your site or purchase it from your hosting provider.

Many web hosting companies provide free or paid SSL Certificates for their clients.

Are there any flaws with free SSLs?

It’s great that organizations are offering free SSL for the good of the Internet. Free encryption technologies are almost the same as paid certificates.

Still, the difference comes down to support, trust, compliance, and many other factors.

You don’t have any warranty or insurance for a free SSL Certificate against fraudulent transactions and other potential issues.

After all, they are providing a free price tag. So, we don’t know when they can exist in the market.

You also need to know that the renewal process is 100% automated, which means your site can be at risk of temporarily being unprotected.

So, if you are ok with all these exceptions, you can go for free certificates. Our only recommended provider would be Let’s Encrypt.

But you should be aware that nothing is free in this world.

In short, you can’t be sure that free SSLs don’t have any flaws.

If you don’t believe us and want proof, you can check the recent blunder of Let’s Encrypt, which affected more than 3 million certificates in an instance.

There are also mentions from big brands why free certificates are a terrible idea.

9) Hardening WordPress Security

Let me inform you that these hardening settings are on an administrative access level, so you need to have full access and must be familiar with some coding.

Don’t worry if you are not familiar with technical terms. I recommend you to use security plugins that don’t need coding skills.

If you are not comfortable with our suggestions, we recommend using a website firewall service.

As the two leading web server platforms in the current markets are Apache and Nginx servers, we will dive into these two platforms.

Please don't blindly copy and paste these rules, as it may cause you harm if you don't understand how NGINX and APACHE interpret the rules!

You need to backup all your current settings and then implement these rules one by one in your staging site rather than the live site.

There is no certainty that the codes below will work for all the sites. It may work on one website and may not work on other websites.

Let’s dive in with the technical hardening process.

Apache Configurations

1) Hardening .htaccess

Some of the rules and configurations below depend on Apache versions you are running on the web server.

Rewrite Rule – This is to fix issues with permalinks if WordPress has to write access to your server.

				
					<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Restrict wp-config.php – These rules restrict your wp-config.php from public use.

# Restrict wp-config Apache (Version 2.2)

				
					<files wp-config.php>
order allow,deny
deny from all
</files>

# Restrict wp-config Apache (Version 2.4)

				
					<files wp-config.php>
Require all denied
Require ip Y.Y.Y.Y
</files>

# Disable File Editing

Use the following line of code in the configuration file, wp-config.php, not in .htaccess file.

				
					define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);

# Force New Sessions Under SSL Protocol

Use the following line of code in the configuration file wp-config.php, not in .htaccess file.

				
					define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

Block Access to Execution – These rules blocks or restricts access to necessary web directories files.

# Deny Directory Listing

				
					Options - Indexes

# Block Sensitive Files

				
					# protect .htpasswd

<Files ~ "^.*\.([Hh][Tt][Pp])">
	Order allow,deny
	Deny from all
	Satisfy all
</Files>

# Block Installation Files

				
					<files install.php>
Order allow,deny
Deny from all
</files>

				
					<files setup-config.php>
Order allow,deny
Deny from all
</files>

Restrict PHP Execution – These rules restrict attackers from placing backdoors to your important folders in your web directory.

# Backdoor Protection Apache (Version 2.2)

				
					<files *.php>
deny from all
</files>

# Backdoor Protection Apache (Version 2.4)

				
					<filesMatch ".+\.php$">
Require all denied
</filesMatch>

Prevent Image Hotlinking: This rule is essential to save your web server resources. It prevents other websites from using your images hosted on your website.

# Prevent Image Hotlinking

				
					RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} \
!^http://(www\.)example.com/.*$ [NC]
RewriteRule \.(svg|gif|jpg|jpeg|bmp|png)$ – [NC,F,L]

Block Include Functions: It restricts malicious or spam files or source codes into folders used for includes.

# Block Includes

				
					<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php \– [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]
</IfModule>

Prevent XML-RPC Attacks: If you don’t need any applications or software to connect with WordPress, you can deny access to the xmlrpc.php file.

# Deny Access to xmlrpc.php Completely

				
					<files xmlrpc.php>
Order Deny, Allow
Deny from all
</files>

# Deny Access to xmlrpc.php Partially

				
					<files xmlrpc.php>
order deny, allow
deny from all
allow from X.X.X.X
</files>

Block Information – Although some WordPress guides recommend removing these files altogether, we don’t recommend completely deleting the files.

# Block WordPress Info

				
					<files readme.html>
Order allow,deny
Deny from all
</files>

				
					<files license.txt>
Order allow,deny
Deny from all
</files>

Protect .htaccess – You don’t want attackers to see your hard work in a free environment after doing the hard work.

# Protect .htaccess Apache (Version 2.2)

				
					<files ~ “^.*\.([Hh][Tt][Aa])”>
order allow, deny
deny from all
satisfy all
</files>

# Protect .htaccess Apache (Version 2.4)

				
					<FilesMatch "^.*\.([Hh][Tt][Aa])">
Require all denied
</FilesMatch>

2) Adjust Permissions for Web Directories

As I mentioned above, you need to adjust your configuration correctly to prevent attackers from taking control of your site.

You can adjust these settings directly from an admin panel provided by your hosting provider or through an FTP client.

# Fix Permissions

				
					Permissions for all the directories should be set to 755.
Permissions for all the files should be set to 644.

# Restrict Access to Your Essential Files

				
					wp-config.php file: Set permissions to 600
.htaccess file: Set permissions to 604

As defined in the Unix OS, these permissions or rules are referred to as View, Write, and Execute.

3) Use Security Headers

These lines of codes are inserted in your .htaccess files.

It helps prevent your web pages from being opened in external frames or iframes while preventing clickjacking attacks on your website.

These header settings should be carefully implemented and appropriately checked because it’s easy to block web resources without you noticing.

# X-XSS-Protection

				
					Syntax
X-XSS-Protection: 0
X-XSS-Protection: 1
X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; report=

				
					Code
header always set x-xss-protection "1; mode=block"

# X-Frame-Options

				
					Syntax
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM hxxps://yourchoice[.]com/

				
					Code
header always set x-frame-options "SAMEORIGIN"

# X-Content-Type-Options

				
					Code
header always set x-content-type-options "nosniff"

# HTTP Strict Transport Security (HSTS)

				
					Strict-Transport-Security: max-age=
Strict-Transport-Security: max-age=; includeSubDomains
Strict-Transport-Security: max-age=; preload

# Content Security Policy (CSP)

				
					Syntax
Content-Security-Policy: ;

				
					Code
Content-Security-Policy: script-src 'self' https://www.google-analytics.com

# Feature-Policy

				
					Syntax
feature-policy: autofocus 'none'; phone 'none'

				
					Code
header always set feature-policy "autoplay 'none'; camera 'none'" always;

When combined, the above codes will look like the settings below:

## CSP

				
					Header set Content-Security-Policy: default-src 'self';
img-src 'self' https://i.imgur.com;
object-src 'none';script-src 'self';
style-src 'self'; frame-ancestors 'self';
base-uri 'self'; form-action 'self';

## General Security Headers

				
					Header set X-XSS-Protection: 1; mode=block
Header set Access-Control-Allow-Origin: https://www.yourchoice.com
Header set X-Frame-Options: deny
Header set X-Content-Type-Options: nosniff
Header set Strict-Transport-Security: max-age=31536000; includeSubDomains

I recommend you perform these tests on different browsers and source frames to check for errors and outcomes before implementing these settings on your live website.

Nginx Configurations

1) Disable Unwanted HTTP Methods

Allowing TRACE or DELETE is risky as it can allow Cross-Site Tracking attack.

				
					if ($request_method !~ ^(GET|HEAD|POST)$)
{
return 405;
}

2) Deny Access to .PHP File Extension and Sub-Directories

You should deny direct access to any PHP files.

				
					location ~* /(?:uploads|files)/.*.php$ {deny all;access_log off;log_not_found off;}

# Works in Sub-Directory Installs and also in Multisite Network

				
					location ~ ^/(?!(blog)/?) {deny all;access_log off;log_not_found off}

3) Block Nginx-Help Log

You don’t want your logs to be open for public viewing.

				
					location ~* /wp-content/uploads/nginx-helper/ {deny all;}
location ~ ^/(wp-includes/js/tinymce/wp-tinymce.php)include /usr/local/nginx/conf/php.conf;

4) Disable Direct Access to Dotfiles

Likewise, a PHP file, a dotfile many contain sensitive information.

				
					location ~ /\.(svn|git)/* {deny all;access_log off;log_not_found off;}
location ~ /\.ht {deny all;access_log off;log_not_found off;}
location ~ /\.user.ini {deny all;access_log off;log_not_found off;}

5) Hide Nginx and PHP versions

This won’t prevent the attack itself. However, don’t let the attacker know your settings.

# Hide the Nginx Version

				
					server_tokens off

# Hide the PHP Version

				
					fastcgi_hide_header X-Powered-By;proxy_hide_header X-Powered-By;

6) Use Security Headers

It provides an extra layer of browser security.

				
					add_header X-Frame-Options "SAMEORIGIN";
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block"

7) Disable Directory Listing

You never want anyone to know what’s in the directory for most of the time.

# Disable Directory Listing

				
					autoindex off;

8) Limit Requests to Logins

This rule will limit the number of requests that the page can handle per second.

				
					limit_req_zone $binary_remote_addr zone=WPRATELIMIT:10m rate=5r/s;
location ~ \wp-login.php$ {limit_req zone=WPRATELIMIT;}

9) Deny Access to wp-content Folders

If you think there are some suspicious activities in your database, you can deny access to those files.

				
					location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ {deny all;}
location ~ ^/wp-content/uploads/vigorousitsolution {deny all;}location ~ ^/wp-content/backup {deny all;}

You can utilize the Security Headers website to analyze your HTTP response headers.

Setting headers is relatively quick. You will have a reasonably significant increase in your site security for different attacks on the internet.

## WordPress Security Conclusion ##

As you can see that WordPress Security is a big deal.

So, you can’t ignore the importance of WordPress Security. You need to carefully review the above security checklist and find new ways to improve your website security.

Website Security Mistakes to Avoid

It’s hard to look at every aspect of your website and your business at once.

So, there might be a time that you can make mistakes.

It’s a mistake when you do it unknowingly, but it’s a choice if you repeat the mistakes.

So, try to avoid these mistakes for your website security;

Do not make the mistake of “I have a small business, or I don’t sell online, so I don’t need to care about my website security” philosophy.
Do not send the data to an online platform without any encryption technology.
Do not save your passwords in your browsers. Utilize password management tools instead.
Do not be too optimistic. Website security is a never-ending process, so you always need to be active and be ready to search and fix the problems.
Do not install third-party software or tools blindly. You should thoroughly get an overview of the products you want to install beforehand.
Do not over-rely on website security service providers. It’s not only their responsibility to protect you. You also need to be alert at the same time. They can’t do anything if you do the things they tell you to avoid.

Suppose you have a tight schedule or lack team members to protect your site daily. In that case, it’s a wise decision to get help from experts or web security companies.

On the contrary, you can focus more on your business operations while leaving professionals with hard work.

Website Security FAQs

Why do I need web security? There’s nothing valuable on my site to steal.

Attackers don’t discriminate. It doesn’t only infect popular sites. Most cyberattacks are automated, so you’re as much of a target as anyone.

I don’t need website security now, nothing wrong has happened yet.

Implementing web security is just like locking your home doors. You don’t close the doors because you expect something bad to happen.

You close the doors because the consequences might be devastating if something did happen.

Why should I use the website security service?

Think of this as buying a house. When you buy a home, the house comes with doors and windows with built-in locks.

Still, the house doesn’t have additional security like an alarm system, surveillance camera, and other amenities.

After you move into the house, you’ll likely add different kinds of stuff. You may opt to protect your home by installing additional security protocols, and you’ll pay extra for that added security.

Similarly, as you build your website and add more stuff to it, you’ll want to protect your site by adding another layer of security.

CONCLUSION

As you can see, website security is a big deal. Your site is your source of income or your business for many of you.

So, it’s essential to invest some time and implement some of the security strategies mentioned above.

If you haven’t taken any steps or followed some of the above strategies to secure your website from attacks and vulnerabilities, your site might be at risk.

It doesn’t make sense to cry over spilled milk. So, it’s better to be careful beforehand.

What are your thoughts on website security?

Did I miss some points which you want me to add or update?

Let me know in the comments below.

7) Install SSL Certificate

SSL Certificate provides authentication and encryption, reassuring your audiences that their data and transactions are encrypted through a secure socket layer.

SSL Encryption Technology helps to ensure that your information or credentials are sent to the correct server without getting intercepted.

Importance of SSL Certificate;

Encrypts sensitive information.
Increases trust with customers.
Builds brand power.
Required for PCI compliance for those who accept credit card information on their website.
Better SEO rankings.

Having an SSL Certificate assures that you care about data security, which provides audiences with extra confidence.