How to protect your website from hackers

As a website owner, is there anything more terrifying than the thought of seeing all of your work altered or entirely wiped out by a nefarious hacker?

We see data breaches and hacks in the news all the time. And you may think, why would someone come after my small business website? But hacks don’t just happen to the big guys. One report found that small businesses were the victims of 43% of all data breaches. 

You might like…

You’ve worked hard on your website (and your brand) – so it’s important to take the time to protect it with these basic hacker protection tips.

5 Easy Steps to Secure Your Website from Hackers

You may have worried when starting this post that it would be full of technical jargon that your average website owner would find baffling. Some of our tips further down do get technical, and you may want to bring in your developer for those.

But there are a few things you can do on your own first that don’t involve that much technical know-how. 

Step #1: Install security plugins.

If you built your website with a content management system (CMS), you can enhance your website with security plugins that actively prevent website hacking attempts. Each of the main CMS options have security plugins available, many of them for free.

Security plugins for WordPress:

  • iThemes Security 
  • Bulletproof Security 
  • Sucuri
  • Wordfence
  • fail2Ban

Security options for Magento:

  • Amasty
  • Watchlog Pro

Security extensions for Joomla:

  • JHacker Watch
  • jomDefender
  • RSFirewall
  • Antivirus Website Protection

These options address the security vulnerabilities that are inherent in each platform, foiling additional types of hacking attempts that could threaten your website.

In addition, all websites – whether you’re running a CMS-managed site or HTML pages – can benefit from considering SiteLock.  SiteLock goes above and beyond simply closing site security loopholes by providing daily monitoring for everything from malware detection to vulnerability identification to active virus scanning and more. If your business relies on its website, SiteLock is definitely an investment worth considering.

Note: Our Managed WordPress hosting plan has SiteLock built in, along with other features to help secure your site.

Step #2: Use HTTPS.

As a consumer, you may already know to always look for the green lock image and https in your browser bar any time you provide sensitive information to a website. Those five little letters are an important shorthand for hacker security: they signal that it’s safe to provide financial information on that particular webpage.

example of green lock for ssl certificate

An SSL certificate is important because it secures the transfer of information – such as credit cards, personal data, and contact information – between your website and the server.

While an SSL certificate has always been essential for eCommerce websites, having one has recently become important for all websites. Google released a Chrome update in 2018. The security update happened in July and alerts website visitors if your website doesn’t have an SSL certificate installed. That makes visitors more likely to bounce, even if your website doesn’t collect sensitive information. 

Search engines are taking website security more seriously than ever because they want users to have a positive and safe experience browsing the web. Taking the commitment to security further, a search engine may rank your website lower in search results if you don’t have an SSL certificate.

What does that mean for you? If you want people to trust your brand, you need to invest in an SSL certificate. The cost of an SSL certificate is minimal, but the extra level of encryption it offers to your customers goes a long way to making your website more secure and trustworthy.

At HostGator, we also take website security seriously, but most importantly, we want to make it easy for you to be secure. All HostGator web hosting packages come with a free SSL certificate. The SSL certificate will be automatically applied to your account, but you do need to take a few steps to install the free SSL certificate on your website. 

Step #3: Keep your website platform and software up-to-date.

Using a CMS with various useful plugins and extensions offers a lot of benefits, but it also brings risk. The leading cause of website infections is vulnerabilities in a content management system’s extensible components. 

Because many of these tools are created as open-source software programs, their code is easily accessible – to both good-intentioned developers as well as malicious hackers. Hackers can pore over this code, looking for security vulnerabilities that allow them to take control of your website by exploiting any platform or script weaknesses.

To protect your website from being hacked, always make sure your content management system, plugins, apps, and any scripts you’ve installed are up-to-date. 

If you’re running a website built on WordPress, you can check whether you’re up to date quickly when logging into your WordPress dashboard. Look for the update icon in the top left corner next to your site name. Click the number to access your WordPress Updates.

check wordpress updates

Step #4: Make sure your passwords are secure.

This one seems simple, but it’s so important.

It’s tempting to go with a password you know will always be easy for you to remember. That’s why the #1 most common password is still 123456. You have to do better than that – a lot better than that to prevent login attempts from hackers and other outsiders.

Make the effort to figure out a truly secure password (or use HostGator’s password generator).  Make it long. Use a mix of special characters, numbers, and letters. And steer clear of potentially easy-to-guess keywords like your birthday or kid’s name. If a hacker somehow gains access to other information about you, they’ll know to guess those first.

Holding yourself to a high standard for password security is step one. You also need to make sure everyone who has access to your website has similarly strong passwords. One weak password within your team can make your website susceptible to a data leak, so set expectations with everyone who has access.

Institute requirements for all website users in terms of length and types of characters. If your employees want to use easy passwords for their less secure accounts, that’s their business. But when it comes to your website, it’s your business (literally) and you can hold them to a higher standard. 

Step #5: Invest in automatic backups.

Even if you do everything else on this list, you still face some risk. The worst-case scenario of a website hack is to lose everything because you forgot to back your website up. The best way to protect yourself is to make sure you always have a recent backup.

While a data breach will be stressful no matter what, when you have a current backup, recovering is much easier. You can make a habit out of manually backing your website up daily or weekly. But if there’s even the slightest chance you’ll forget, invest in automatic backups. It’s a cheap way to buy peace of mind. 

5 Advanced Steps to Secure Your Website from Hackers

All of the above steps are relatively painless, even for website owners with minimal technical experience. This second half of the list gets a little more complicated, and you may want to call a developer or IT consultant to help you out. 

Step #6: Take precautions when accepting file uploads through your site.

When anyone has the option to upload something to your website, they could abuse the privilege by loading a malicious file, overwriting one of the existing files important to your website, or uploading a file so large it brings your whole website down. 

If possible, simply don’t accept any file uploads through your website. Many small business websites can get by without offering the option of file uploads at all. If that describes you, you can skip everything else in this step.  

But eliminating file uploads isn’t an option for all websites. Some types of businesses, like accountants or healthcare providers, need to give customers a way to securely provide documents. 

If you need to allow file uploads, take a few steps to make sure you protect yourself:

  • Create a whitelist of allowed file extensions. By specifying which types of files you’ll accept, you keep suspicious file types out.
  • Use file type verification. Hackers try to sneakily get around whitelist filters by renaming documents with a different extension than the document type actually is, or adding dots or spaces to the filename. 
  • Set a maximum file size. Avoid distributed denial of service (DDoS) attacks by rejecting any files over a certain size. 
  • Scan files for malware. Use antivirus software to check all files before opening.
  • Automatically rename files upon upload. Hackers won’t be able to re-access their file if it has a different name when they go looking for it. 
  • Keep the upload folder outside of the webroot. This keeps hackers from being able to access your website through the file they upload.

These steps can remove most of the vulnerabilities inherent in allowing file uploads to your website. 

Step #7: Use parameterized queries.

SQL injections are one of the most common website hacks many sites fall victim to.

SQL injections can come into play if you have a web form or URL parameter that allows outside users to supply information. If you leave the parameters of the field too open, someone could insert code into them that allows access to your database. It’s important to protect your site from this because of the amount of sensitive customer information that can be held in your database.

There are a number of steps you can take to protect your website from SQL injection hacks; one of the most important and easiest to implement is the use of parameterized queries. Using parameterized queries ensures your code has specific enough parameters so that there’s no room for a hacker to mess with them.

Step #8: Use CSP.

Cross-site scripting (XSS) attacks are another common threat site owners have to be on the lookout for. Hackers find a way to slip malicious JavaScript code onto your pages, which can then infect the device of any website visitors exposed to the code.

Part of the fight to protect your site from XSS attacks is similar to the parameterized queries for SQL injections. Make sure any code you use on your website for functions or fields that allow input are as explicit as possible in what’s allowed, so you’re not leaving room for anything to slip in.

Content Security Policy (CSP) is another handy tool that can help protect your site from XSS. CSP allows you to specify which domains a browser should consider valid sources of executable scripts when on your page. The browser will then know not to pay attention to any malicious script or malware that might infect your site visitor’s computer.

Using CSP involves adding the proper HTTP header to your webpage that provides a string of directives that tells the browser which domains are ok and any exceptions to the rule.  You can find details on crafting CSP headers for your website here.

Step #9: Lock down your directory and file permissions.

All websites can be boiled down to a series of files and folders that are stored on your web hosting account.  Besides containing all of the scripts and data needed to make your website work, each of these files and folders is assigned a set of permissions that controls who can read, write, and execute any given file or folder, relative to the user they are or the group to which they belong.

On the Linux operating system, permissions are viewable as a three-digit code where each digit is an integer between 0-7. The first digit represents permissions for the owner of the file, the second for anyone assigned to the group that owns the file, and the third for everyone else.  The assignations work as follows:

  • 4 equals Read
  • 2 equals Write
  • 1 equals Execute
  • 0 equals no permissions for that user

As an example, take the permission code “644.”  In this case, a “6” (or “4+2”) in the first position gives the file’s owner the ability to read and write the file.  The “4” in the second and third positions means that both group users and internet users at large can read the file only – protecting the file from unexpected manipulations.

So, a file with “777” (or 4+2+1 / 4+2+1 / 4+2+1) permissions is readable, write-able, and executable by the user, the group, and everyone else in the world.

As you might expect, a file that is assigned a permission code that gives anyone on the web the ability to write and execute it is much less secure than one which has been locked down in order to reserve all rights for the owner alone.  Of course, there are valid reasons to open up access to other groups of users (anonymous FTP upload, as one example), but these instances must be carefully considered in order to avoid creating a website security risk.

For this reason, a good rule of thumb is to set your permissions as follows:

  • Folders and directories = 755
  • Individual files = 644

To set your file permissions, log in to your cPanel’s File Manager or connect to your server via FTP.  Once inside, you’ll see a list of your existing file permissions (as in the following example generated using the Filezilla FTP program):

how to see file permissions in cpanel file manager

The final column in this example displays the folder and file permissions currently assigned to the website’s content.  To change these permissions in Filezilla, simply right click the folder or file in question and select the “File permissions” option.  Doing so will launch a screen that allows you to assign different permissions using a series of checkboxes:

right click in filezilla toview file permissions

Although your web host’s or FTP program’s backend might look slightly different, the basic process for changing permissions remains the same. Our support portal has solutions for how to modify your folder and file permissions using chmod permissions.

Step #10: Keep your error messages simple (but still helpful). 

Detailed error messages can be helpful internally to help you identify what’s going wrong so you know how to fix it. But when those error messages are displayed to outside visitors, they can reveal sensitive information that tells a potential hacker exactly where your website’s vulnerabilities are. 

Be very careful what information you provide in an error message, so you’re not providing information that helps a bad actor hack you. Keep your error messages simple enough that they don’t inadvertently reveal too much. But avoid ambiguity as well, so your visitors can still learn enough information from the error message to know what to do next. 

3 More Steps to Protect Your eCommerce Store from Hackers

All the tips we’ve shared so far will help protect your online store from criminals. That being said, because eCommerce websites are popular targets for fraudsters and data thieves, there are a few more steps you should take to protect your business and your customers. 

Step #1: Get a third-party fraud prevention service for your store, even if your eCommerce platform or payment providers offer fraud protection. 

Why would you pay for extra eCommerce fraud protection if you already get it for free? Because that extra layer of protection can save you time and help you avoid rejecting good orders by mistake.

The fraud protection that comes with many eCommerce platforms does a great job of identifying orders that have a high risk of being fraud. What happens after those orders are identified is up to you: reject them all or review them and decide which ones to approve. 

Both options have their own risks. Reject every order that might be fraud and you could end up turning away a lot of good orders for small issues like a shipping and billing address mismatch or a location outside your home country. Many rejected customers won’t come back, so over time automatic rejections can cost you a lot of revenue. But reviewing risky orders takes time and expertise you may not have. 

A third-party service that offers manual review can take an expert look at the orders with a high fraud risk, reject the actual fraud attempts and OK the good but slightly wonky-looking orders. You get to avoid fraud and keep the money from good customers flowing in. 

Step #2: Set some transaction limits to repel fraud attacks.

It’s super easy for criminals to get stolen credit card numbers online and use them to buy items for resale. But many times, those card numbers are missing the all-important CVV – the 3- or 4-digit number on the card that payment processors require to complete a transaction. 

CVV number on credit cards
Image: Experian

What’s a card fraudster to do? In many cases, they do what’s called card testing: visit a small online store with weak checkout security, add something small to their cart, and keep trying different CVVs until they find a match for the purloined card number they’re trying to use. 

Voila! Their order goes through, they can go shopping elsewhere for the big-ticket items they really want to fence, and you get ripped off.

Now imagine a botnet that does nothing but card testing—hundreds or thousands of CVV-match attempts in just a few minutes so they can commit more fraud faster. Actually, you don’t have to imagine because card-testing fraud botnets are a thing, and they can cost your business a small fortune in fraud losses and chargeback fees.

To stop fraud bots from flooding your checkout, set some limits. 

  • Adjust the settings for your fraud-control program to limit the number of times a customer can try to enter the correct CVV and block their IP address if they get declined too many times. 
  • Set a limit on how many transactions can come from the same IP address in an hour, day, week, etc., and block addresses that exceed that limit. 
  • Track your number of declined transactions and look into it right away if you see a spike.

Step 3: Get to know PCI-DSS requirements and best practices.

PCI-DSS is the payment card industry’s standard for data security. Every merchant who takes card payments is required to follow the guidelines to avoid exposing their customers’ payment data and facing liability. 

Any payment platform, processor or gateway you use to take payments on your site should be PCI-DSS compliant, and that reduces some of the steps you have to take to protect payment data. Ultimately, though, it’s your responsibility to know the basic requirements—and it’s helpful to check out the PCI Security Standards Council’s free resources. A good place to start is the Data Security Essentials Evaluation Tool for merchants, which can show you where your security is strong and where it could be stronger. 

Protect Your Website from Hackers

Securing your site and learning how to protect against hackers is a big part of keeping your site healthy and safe in the long run! Don’t procrastinate taking these important steps. 

At HostGator, we have created a set of custom mod security rules to aid in the protection of your website. If you’re looking for a new web hosting provider, you can click here to sign up for a great deal. For new accounts, we’ll even transfer you for free! After you’ve created an account, you just need to fill out the form here.

Don’t worry about getting tripped up in the process. Try our HostGator support articles or contact one of our customer support specialists that are available 24/7/365 via chat or phone. We can help you get secure!

Casey is the Senior Director of Marketing for Hosting and has been in the web hosting space for 7 years. He loves the slopes and hanging out with his kids.

22 thoughts on “How to Secure a Website from Hackers [13-Step Guide]

  1. Be default all files and folders should be owned by your cPanel username and a group of the same name with only you assigned to that group. Given that circumstance, 644 for files and 755 for folders is ideal.

  2. Nice stuff,You right….website planners must ensure their scripts are very well planned and
    tested, especially those parts that deal with private information. In
    many countries there are now legal requirements to ensure the privacy of
    medical and financial records.

  3. Limit Login Attempts will temporarily lock out IP Addresses that make several failed attempts to get into your WordPress admin. Also be sure to keep your computer and browser up to date!

  4. Thanks for the post this was awesome going to help me in further instructions .

  5. I have 0700 for .cpanel and other default directories, for public_html and public_ftp I have 0750. I think its fair enough. is it?

  6. WP Better security can destroy your website if you don’t configured in a good, way, stay away from options like file detection and Ip blocks

  7. how can i clean SQL injection showing in google and bing,Yahoo my website has been hacked but i have scanned and cleaned all Word press Files any help to clean showing problem in this networks,how to cleab up CMS SQL Injection Vulnerability

    please help me to clear this problem

  8. Thanks for sharing such a wonderful information, really appreciate it, my sites was hacked , now I know hot to protect it,
    Thanks again!

  9. The best explanation I ever came across. File Permission is something that I was not aware much but now I am. Thanks a lot.

    Most common causes for a hosting account to become hacked, or otherwise compromised. If you use WordPress, Drupal, Joomla or any other PHP-script, database-driven CMS then it is vitally important that you keep these scripts up-to-date. Failure to do so is literally an open door inviting hackers to gain access to your account. Updating these scripts is as simple as logging into the back-end and clicking on any “update” notification that appears therein.

  10. Nice stuff Hostgator, You right…. website planners must ensure their scripts are very well planned & tested, especially those parts that deal with private information.

  11. Thanks for your explanation. How do you prevent someone from downloading files directly from folder through the browser after submitting the file’s folder in the browser address bar? Files like some pictures, ebook etc are supposed to be downloadable through a special downloading link provided and not directly from the folder.

  12. good article…have done all this but if a hacker gets into your “root” via a bad proxy or unsecured socket layer…then ALL your sites will be hacked via cpanel WHM or DDS attacks (just went through this) HG will hep you to a point but when it comes to securing your reseller account or VPS or dedicated server? your on your own..and the learning curve is HIGH! Now, more than ever you need to hire an expert in securing your sites…
    i’m 25 years in the business..and still trust the untrusted now cloudflare..who recently got hacked 4.5M sites…
    I was one of the unlucky ones…200 clients of mine were hacked…now 30 days later..all good…God Bless trusted host for over 14 years…

  13. Install SSL, have a backup, keep updated, use CSP injection, mantain multilayer security.

  14. Online security is really a big issue in this modern technology age. We are not same, someone can steal our valuable online resources. So most of the people are worried about their security. Especially, the website owner and blogger, using https, security plugin, and regular backup can be your best choice. Thanks for this article.

Comments are closed.