5 Simple Website Security Best Practices

April 4, 2018 in SiteLock News

Welcome to the fourth article in our Making Security Make Sense to Clients series.

In my previous posts I discussed the importance of securing your own site, your client sites, and how educating your clients about website security can foster trust and growth in your freelance or agency business.

After you’ve communicated the Why, Who, How and When of website hacks, it’s time to either start building security into your project proposals and costs or to continue educating your clients. Or both really 🙂

In this post, I’m going to share five website security best practices. Whether you include these steps as part of your service, or your website security education plan, your clients will benefit. What’s even better, they’re easy to implement! So let’s get to it, shall we?

1. Website Backups

As a WordPress website owner you’re probably aware of the concept of backups, but if not, here’s what backups are and why they’re critical to a solid security plan.

A website backup is a snapshot of all your website’s important components. Backups should include all of the following:

  • Files
  • Databases
  • Plugins
  • Themes

The reason you want a backup of your website is that if you experience a hack or things go wrong during a software update, you’ll have easy access to a clean version of your website.

Although it may sound overly technical to do, it’s actually quite easy. Many hosts provide simple ways to create backups within their customer control panels and even if they don’t, there are several backup plugins made specifically for WordPress that are easy to use.

2. Software Updates

Backups are the first step, but just as important is keeping your software up-to-date. WordPress itself is updated often to include not just new features, but also security patches. In fact, there’s an entire team of people dedicated to the security of WordPress and when a flaw is discovered and patched, it’s critical that all of us utilizing WordPress perform those updates when they’re released.

Plugins and themes also receive regular updates and often include security patches for newly discovered vulnerabilities.

It’s not just WordPress, plugins and themes you need to update, but also ANY software running on your web server. This could include forum software, or any other scripts or applications you’re using.

If you’d like to learn about backups and updating your WordPress site, read our Keeping Your WordPress Site Updated series here.

3. Strong and Unique Passwords

I know. I know. They’re hard to come up with and even harder to remember! But if you choose one really hard password and just reuse it everywhere, you’ll be fine.

I’M KIDDING! Please don’t ever reuse your passwords.

Using unique passwords for every website, social account, or ANY online account is just as critical as creating a strong password. If you’re wondering why, go ahead and load the URL below, enter a password you reuse for any of your accounts, and see what the result is. I’ll wait.


Did you get a result? I did, and you can see that below. I entered a password I used on more than a few sites for several years. I’ve stopped using that password now 😉

The good news is that creating strong and unique passwords can be much simpler than you might think. That’s because of Password Managers. A password manager assists in generating and retrieving complex passwords, potentially storing such passwords in an encrypted database or generating them on demand.

I highly recommend using some type of password manager. Here are a few of them I recommend:

But guess what? You still need to come up with and memorize a strong password for your password manager login. At least it’s just one and not 4 dozen!

4. Firewalls

One of the most common ways to stop website hacks is to block malicious traffic through the use of a firewall. There are two types of firewalls: network firewalls and web application firewalls.

Network Firewalls – This type of firewall is used by web hosting providers or anyone managing their own servers. These are used to identify and block malicious scripts between individual web servers within their network.


Web Application Firewalls – These firewalls are used to secure your specific website. This solution blocks malicious scripts and traffic BEFORE it even reaches your web server and attempts to compromise your site. Not only does blocking this traffic make your website safer, it also saves load time and bandwidth on your web hosting account.


5. Continuous Monitoring

What makes malware so effective is its elusiveness and ability to hide from you as a website owner. However, there are still several visual signs you can look for. These include:

  • Your account login information was changed without your consent
  • Your website files were modified or deleted without your knowledge
  • Your website freezes or crashes
  • You’ve experienced a noticeable change in your search engine results, such as blacklisting or harmful content warnings
  • You’ve experienced a rapid drop or increase in traffic

While you can visually look for signs of an infection, the use of an automated scanner is a much more effective security measure. An automated website scanner can monitor your website for potential threats on a daily basis, working in the background while you tend to your business.

Some scanners can even automatically remove known malware, like our SMART and SMART PLUS products. As we mentioned earlier, search engines also search your website for malware. If they find it before you do, then you run the risk of being blacklisted and removed from search results until your site has been cleaned and then re-indexed.

All too often, this is how website owners discover that their site has malware, and by then their website has already been infected for days or even weeks.

Remember These 5 Simple Best Practices

As you can see, implementing website security best practices isn’t difficult and can reduce your website’s risk of attack considerably.

When an explanation of these steps is included in your client education plan, it becomes much easier to justify the inclusion of security in your project costs. More importantly, it ensures that the websites you’re providing are as secure as possible, and that’s great for everyone.

Stay tuned for next week’s article where I’ll share tips and examples of how to include security in your project scope, proposals, and maintenance plans.

Coming Up in the Making Security Make Sense to Clients Series:

  • April 18: Summary: Making Security Make Sense to Clients

Want to keep the conversation going? Follow us on Twitter or Like us on Facebook!
