With their expert tips, 17 website, IT, and cybersecurity experts weigh in on how to make a website safe (and what you can avoid doing).

You’re not alone if you don’t know “how to protect a website” effectively. There were over 2.6 billion search results for that particular subject on Google alone at the time of writing this post! This is where our list of website protection recommendations will help.

Of course, we have our own ideas and views on how to tackle website protection in the best possible way:

  • Using passwords that are stable
  • Keeping your applications, firmware, and server up to date and patched
  • SSL/TLS certificates are used.
  • Keeping latest copies to your website

But, as we all know, there’s a lot more to website security than that, which is why I enlisted the aid of the cavalry to answer your question. I compiled 21 website security tips from 17 website professionals, IT administrators, and cybersecurity experts from around the United States and the world. Thank you so much.

14 Website Security Tips on How to Make Your Website Secure

1. Implement Strong Password Requirements and Follow Password Management Best Practices

Account protection is often limited by the passwords and management strategies used to protect them. If you use insecure passwords or don’t update or manage them on a regular basis, you’ll soon find yourself on a ride up a stinky brown creek. To solve this issue companies should definitely implement one of the password managers for business

The experts also had a lot to say about website protection to start off our list of website security tips:

One of the most common website security threats is the usage of weak passwords. When passwords are not set using the correct procedures, they can be easily hacked by external actors which will allow them to infiltrate your website. The risk of weak passwords can easily be fixed by educating employees about the importance of strong passwords. By implementing a password manager tool or multi-factor authentication it can offer an additional layer of security against possible website attacks.”

Sivan Tehila, director of solution architecture of Perimeter 81

But what exactly constitutes “weak” passwords?

You need to setup a secure password that isn’t associated with your or your lifestyle, hobbies, etc. You can use an on-line password generator. Be careful as there was a site that generated the same password for all users. This was a trap by hackers, who would then try this password for numerous accounts.

You can use a combination of dates, names and locations; merging them will make them a lot more secure than single terms. Use upper and lower case, alphanumeric characters, numbers and non-real life words.

Ideally you should change your passwords. monthly, but if not, quarterly is reasonably safe, and don’t use the same passwords for multiple sites as you can be a victim of multiple hacks. Your email or user name can be tracked among multiple sites. If hackers gain access to one of your accounts then they will try the same password across all other sites. This is normal protocol for them.”

Dustin Vann, owner & website manager at Trusy Social (Trusy.co)

There are, of course, other factors to consider when it comes to website password protection. Aside from the difficulty of the passwords and how much you update them, another factor to consider is how to handle and protect certain passwords.

One big tip we have is ensuring you have multi-factor enabled, especially if you are using a CMS system like WordPress. It is so easy for someone to break your password through a phishing attack or WordPress vulnerability. They can use your credentials to mangle your website, install malware, and destroy your brand.”

— Nick Santora, co-founder and CEO at Curricula

When possible, it’s best to protect passwords with 2FA, or 2-Factor authentication. A Yubikey is ideal, but authenticator apps are useful as well. Doing so will provide an additional layer of protection in the off chance your password is compromised or your phone is SIM-swapped.

People are storing more and more value online and virtual items and assets like cryptocurrencies are becoming more mainstream, which has led to a huge surge in 2FA support across a variety of platforms, be it Twitter, Facebook, Coinbase, Amazon, iCloud and more. Every day there’s less of an excuse to not have Google Authenticator downloaded on your iOS or Android.”

— Corey Petty, senior security engineer at Status

2. Implement Strong Authentication Methods and Limit Access

There are a lot of choices when it comes to web authentication. Traditional two-factor and multi-factor authentication systems are available. However, in addition to using digital signatures, hardware tokens and other forms of measures are available. Make sure you choose the authentication form that works best for your company and strengthens your defenses.

Furthermore, despite what Pam in accounting claims, not everyone requires access to all information. This is why website protection necessitates restricting access to only what users want.

Enable secure access to your admin area via IP whitelisting or Two-Factor Authentication. Practice regular account auditing for admin accounts as well as API users and remove any that are unnecessary or adjust access to only necessary areas.”

— Brian Taylor, co-founder of Forix

Websites owner make a mistake in giving credentials to partners, Instead, if partners need to pull user data from your site, provide them with an OAuth based API. This is also known as the Password Anti-Pattern.”

Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

User and admin list should be reviewed and cleaned up if such people are no longer part of that project/entity/company/etc.”

— Ross Thomas, IT administrator at SectigoStore.com

Login functionality and session management are also important considerations in website security:

Check the session management, after login does not perform any user action for 15 mins, Let say your session timeout is 15 min, After 15 mins if you perform any user action, It should automatically be logged out from the website.”

Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

Avoid staying logged in to inactive sessions. Not only could data be being collected on you in the background, but it increases the chance of someone maliciously accessing your account. Additionally, if you’re using a centralized identity service like Google, Twitter, or Facebook as your login, if someone hacks one of those accounts, they’ll immediately gain access to your connected accounts too. Don’t reuse passwords, especially on valuable services like email, online banking, identity services. Use a password manager to help you.”

— Corey Petty, a Senior Security Engineer at Status

3. Don’t Allow Unvalidated File Uploads to Your Website

Despite the fact that the Open Web Application Security Project (OWASP) warns against allowing “only anybody” to upload files and other content to websites, it never ceases to amaze me how many websites follow those guidelines and do so anyway. The OWASP File Upload Cheat Sheet outlines some excellent guidelines for implementing secure file uploads (which we won’t go over in detail here, but thought it was worth noting in a website security article).

But why is this such a significant step in terms of website security? Let’s take a look at what one of the experts has to say:

Here is one way that a lot of websites get hacked. A lot of websites will allow unvetted file uploads to their website. The grave mistake website owners make is that they only check the file extension and determining if it’s safe based of that. This is a huge error since the extensions can easily be faked and .exe files aren’t the only thing that can cause damage. For example, images can have dangerous PHP code in the comments. There are some workarounds that website owners can do. One is to simply not allow the users to execute any files that they upload. This means that the files will be stored in the database, outside of the server where your website is stored. Make sure that the files uploaded are using a secure mode of transportation with SFTP and SSH ports. The second one is to do a quick check to verify that the file extension is the correct one by simply changing the extension name.”

— Mark Soto, owner of Cybericus

4. Use Encryption and Secure Protocols to Serve Your Website via HTTPS

Oh, sure. You had to figure this will make our list of expert website security tips in some way. To facilitate a safe, encrypted link between two parties (i.e. your site visitors’ clients and your web browser), SSL/TLS certificates for your website and server are needed. We don’t claim that only because we sell SSL certificates; serving websites over HTTPS is actually needed by Google and the other major browsers in order to avoid being labelled as “Not Safe.”

David Alexander, Alexander M. Kehoe, Dave Hatter, Ross Thomas, and Greg Rogozinski, to name a few, agree with us. They stress the value of SSL/TLS for protecting users’ confidential information in their website security tips.

Luka Arezina and Sivan Tehila, however, are probably the two who put it best:

One good tip for any website owner, especially eCommerce websites, is to set up SSL security on the domain. Having an SSL-secured domain lets your future customers know that they are visiting a website where the data is coming from a secure source. This is visually displayed as a “green padlock” icon on the website address field, in the top-left corner of your browser. 

A secure domain also lets visitors on your website know right from the landing page that your company takes cybersecurity seriously. It also prevents “content warning” and “unsecured connection” messages from spooking away your potential customers. Additionally, it adds another layer of data protection to transactions on the website, which is critical for doing business online.”

Luka Arezina, editor-in-chief at DataProt

When it comes to best website security tips, the first one that comes to mind is making sure your website has an SSL connection. An SSL connection is an encryption method that is used when a visitor makes a connection to your web host server. This is one of the easiest ways to ensure your customer’s information is secure. Additionally, Google warns visitors when they’re entering a site without SSL.”

— Sivan Tehila, Director of Solution Architecture of Perimeter 81

5. Use DNS Filtering to Restrict Access to Specific Sites

If only there was a way to keep the staff from unintentionally downloading malware from the internet… Just wait, there’s more! Using a DNS filter is what it’s called. The domain name system (DNS), which is used to translate “google.com” or “apple.com” into an IP address that the server can retrieve (in a roundabout way), also has certain filtering capabilities.

So, what makes it such a good cybersecurity option? Sivan Tehila responds quickly once more:

One of the best website security tools I recommend to implement is a DNS filtering feature. DNS filtering offers businesses the option to restrict employee access to certain URLs, by defining which are either permitted or blocked sites. One of the key reasons why every business should adopt DNS filtering is to prevent employees from gaining access to websites that don’t help them with their jobs, or sites that can create major security risks for the organization. By limiting access to certain URLs, it helps employees be more productive and helps to fight off potential security risks such as data loss, malware, or even legal issues.”

— Sivan Tehila, Director of Solution Architecture of Perimeter 81

6. Have Visibility Within Your Servers, Databases, Networks, and General Infrastructure

Every day, website and IT administrators around the world face a difficult and frustrating challenge: keeping networks, operating systems, and websites secure from hackers and cybercriminals. You’re most likely one of them. But how can you defend something you don’t even realise you have? This is where getting a lot of exposure comes in handy:

In short, know what is being deployed in your infrastructure. If you can’t tell when a new device is added anywhere on your network, there’s an issue. Organizations are compromised everyday via third-party systems or shadow IT that they didn’t know was on the network.”

— Brad Pierce, director of network security at HORNE Cyber

You need to know what’s linked to your systems at all times, whether it’s a mobile computer, an SSL/TLS certificate, or an IoT device like a smart printer, to avoid data leaks and boost your website protection efforts (and overall cybersecurity). Shadow IT and unknown digital certificates for websites not only put the company at risk, but they can also cost you time and resources in terms of downtime and fines for noncompliance.

This is one of the most important website security tips we could include in this list for obvious reasons.

7. Keep Software, Firmware Up to Date and Patched

This argument follows on from the last in our list of website security recommendations. While it’s critical to have complete visibility of your network, IT infrastructure, and tech components, it’s also critical to ensure that everything is up to date. I’m referring to fixes and changes here.

Any device or server may need updating and/or patching at some stage in the future. Keeping it up to date allows you to not only work with the most up-to-date technology, but it also allows you to repair any holes in your cybersecurity defences that manufacturers addressed with such updates. You can either do it manually or rely on automated updates.

One of the first tips I start with is making sure your server isn’t using an old version of PHP like the 5.x generation. I see this issue on a regular basis when PHP 5.x has been retired and not receiving security and bug fixes since 1 January 2019.”

David Alexander, designer, developer and digital marketer at MazePress

8. Check Your Configurations to Ensure They’re Set Properly

It’s easy to update your site’s settings on a regular basis, and it’s a good idea. For starters, this expert tip ensures that no modifications to your current settings were made. Second, it gives you the opportunity to study your existing settings in case you need to make some adjustments.

But, what are the opinions of the experts on the subject?

One of the biggest gaps that I see is the lack of security around website configurations (database credentials, API tokens, etc.). Most websites store their configurations either un-encrypted on their servers, or even worse, directly in code. And developers typically share the configs through unsecure channels like Slack or Email.

A solution to this would be to encrypt configurations, however managing how to decrypt and inject that configuration securely is a huge challenge. I run a startup that is building a product called “Courier” (CourierConfig.com) that helps users secure their application configuration for deployment and securely share their configuration. This was really born out of the difficulty of managing websites’ configuration.”

Yoseph Radding, software engineer and Cofounder of Shuttl LLC

9. Use Reverse Proxies for Large Websites

Although not everybody believes it is important to go to the trouble of setting them up, reverse proxies have been shown to protect multiple web servers from web application vulnerabilities. Since they often have more resources at their disposal, these proxies are commonly used to improve not only security but also performance and general reliability.

While I would agree it is easier said than done, reverse proxies are a great security-related solution for larger websites or clusters of websites. A reverse proxy is a server that handles requests (typically the public facing 443 and 80 requests) to webserver(s) that the proxy sits in front of. When it is time to handle requests to the public, the reverse proxy will get the information (typically cached) from the webservers and then serve it to the requestors. So, a user would not be requesting directly from the webserver, but it would be requesting from the reverse proxy.

This adds another layer of security between and the requests made from reverse proxy to webserver can be way more secure without worry of breaking access or adding tons of overhead during high-traffic times.”

— Ross Thomas, IT administrator at SectigoStore.com

10. Reconsider Hosting Multiple Websites on One Server

Although there is nothing inherently “evil” about hosting multiple websites on the same server, there is a security risk that the sites may have restricted access to one another. The problem here is that in shared hosting environments, there is a possibility of cross-site contamination.

When websites on a shared server aren’t properly isolated, cross-site contamination occurs.

You should avoid running multiple websites on one server and I’ve seen this mistake done numerous times. Secondly, you should create a separate database for each site instead of using prefixes. This will help you keep your websites isolated.”

— Mihai Corbuleac, information security consultant at StratusPointIT

11. Keep Multiple, Current Website Files and Database Backups

It should go without saying that routinely making and maintaining up-to-date website and database backups is critical. Basically, if disaster strikes and you don’t have backups of your data, material, plugins, and everything else relevant to your website, you’ll be sorely disappointed.

Our web and IT experts agree on the following website security recommendations:

They say prevention is better than the cure, but having a fallback plan is also a good idea. You should back up your website regularly in the unlikely event that it gets compromised. Luckily for you, some hosting providers do it for you automatically. However, this is no excuse to not do it yourself, since this is your website after all. Having an off-site backup somewhere might just be the magic cure that resurrects your website from the dead.” 

Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

Also, is crucial to back up your website regularly. Of course, some hosting providers do it for you, automatically, but for improved security it’s best to keep off-site backups.”

— Mihai Corbuleac, information security consultant at StratusPointIT

12. Keep Your Database Separate from Your File Server

There are a variety of reasons why anyone may want to keep their files and database on the same server. One of the most common reasons is for comfort or cost savings. However, certain regulations can necessitate a division of responsibilities (SoD). One of them is the Payment Card Industry Data Security Standard (PCI DSS).

According to PCI DSS Rule 2.2.1 of the most current Requirements and Security Assessment Procedures document (version 3.2.1), PCI DSS enforcement businesses must “implement only one primary feature per server to prevent functions requiring different security levels from coexisting on the same server.” As a result, any database containing confidential financial data, such as credit card numbers, must be kept isolated from the internet and cannot connect directly with it.

What other excuse might you have for having to distinguish your web or application servers from your database if you don’t need to be PCI DSS compliant for any reason? Some experts argue that running a multi-server environment is advantageous because it expands the number of resources and links that can be supported, as well as improving monitoring.

I highly recommend that you separate the database from the file server. It might be costly at first, but doing this will ensure that no attacker will have access to sensitive data found in your database. You might have a compromised website but at least information like bank accounts, credit cards, and personal information.”

Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

Depending on what your site is doing, user data is always a big point of contention and can lead to the dreadful lawsuits/PR embarrassment. Do right by your customers/clients and protect their data.

One thing that should always be practiced, no matter how small the site, is to offload any database related to the website onto a different server. The amount of code added to makes calls/queries to the database server is often minimal, but moreso than making calls to the local machine. And, as long as you have your database being accessed through a local network, as in no public facing network interfaces, that immediately complicated any hackers’ attempts to gaining access to that data. Though, it is certainly not impossible.

Things like tokenization or encryption can help protect the data itself. Consider using these if you are holding sensitive user information, such as addresses or payment information. Encryption makes a lot of sense when the database is only be accessed by a few things.”

— Ross Thomas, IT administrator at SectigoStore.com

13. Use the Right Website Security Tools and Features

Stable architectural design and coding practises should be used by any website owner or administrator. Additionally, they must employ standard defence and threat detection systems, such as vulnerability scanning software and web application firewalls.

What other applications, plugins, extensions, and so on will be beneficial? For our list of website security tips, we also asked the experts this issue. What they had to say was as follows:


SQL injections have become really trendy lately, and I believe that most hackers are prone to using this especially with the rise of cloud-based systems like Microsoft Azure. If you didn’t know SQL injection is effective for cloud-based systems which is why a lot of security experts are finding ways to stop this vulnerability. SQLMap is an open-source testing tool that can detect SQL flaws in the system allowing you to fix potential areas that are targets for SQL injection. I highly recommend that anyone with a website get this.”

Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews


Being proactive and taking an offensive approach to ensuring online security is the better option, as compared to waiting to see if an attack comes. Threat Runner is a penetration tool that is designed to safely simulate a malware infection on an organization’s network. Through reverse engineering and the de-weaponization of authentic malware samples, it mitigates the risk of damage of an attack through knowledge and context of vulnerabilities within the network, strengthening security posture.”

— Brad Pierce, director of network security at HORNE Cyber

Zed Attack Proxy (ZAP)

ZAP is also a web security application that every website owner should get. It’s open-source software that simulates an attack allowing the program to find vulnerabilities in your systems such as missing anti-CSRF tokens, private IP disclosure, SQL injections, and XSS injections. ZAP is also very intuitive, making it usable for both beginners and pros alike.

  Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

Multiple Solution Recommendations

And some experts believe there is never just one solution that should be put to work:

I don’t think the professionals limit their selves with one or two tools, so it is not possible to have favorite ones. It is all about to clarify what do want to do and what is your goal, because every tool has its own specificity.”

Ben Hartwig, chief security officer and head software engineer at InfoTracer

Duo Two-Factor Authentication is a great service that allows you to securely log in without being restricted by location or IP address. On the fraud prevention front both Kount and Signifyd provide great services for verifying identity and protecting businesses from fraudulent credit card use, which is rampant in this day and age.”

Brian Taylor, co-founder of Forix

14. Review Your Web Server Security Policies Regularly

Although this should be part of the daily website security duties, it’s amazing how many people want to put it off until tomorrow (that, ultimately, may never come). Reviewing the security procedures should be achieved on a regular basis — preferably, once a quarter.

Security policies can encompass a lot of things, but the main points are who has access to what and how do they do it. Of course, the ‘why’ is the reason why we even do all of this….

Reviewing the access policy (basically like a lower level firewall) for your webserver is a good way to close the roads of the unwanted requests. Typically, you’d want your public-facing traffic going through port 443 (HTTPS) or port 80 (I guess) but specifying admin access (typically using something like SSH) to certain IP addresses will really limit access to the backend and parts outside of the website.

Review patches for critical software that are (likely) improvements in the software’s security. Unless the flaw is critical and propagating quickly, I would also wait on patches and review feedback so efforts to secure a problem are not doubled.”

— Ross Thomas, IT administrator at SectigoStore.com

But wait, there are only 14 website security suggestions on this page! Yes, I understand. That’s because the experts also had some recommendations for items you can avoid doing to boost the security of your website (and overall cyber security), which I’d like to share.

Website Security Tips: 7 Website Security Mistakes to Avoid

Now that we’ve gone through some of the website security best practises that should be implemented or followed, I figured it’d be interesting to ask these experts about the types of website security mistakes that should be avoided. Of course, there are the usual precautions to take: don’t neglect protection, match your budget to your security efforts, and so on. But, surely, there are some other suggestions?

Needless to mention, I was not let down. Here are some of the things you shouldn’t do when it comes to website protection, according to these website and cybersecurity experts:

Believing Cyber Security Is “All or Nothing”

The biggest mistake we see in cyber security is the mindset that it is all or nothing. You don’t need to budget a million dollars a year to have a full time cyber-security consulting firm watching your every move. For most businesses, especially small businesses, all they really need is some very minor protection from firewall software, an SSL certificate, and 2-factor authentication of their passwords. You can absolutely find free and cheap tools to protect your website from 90% of attacks without bankrupting your company.

Once you can afford a more robust security apparatus, then you can buy one. Don’t be afraid to take a few minor steps, because those may be enough to save your business from the majority of attacks.”

 Alexander M. Kehoe, Co-founder and Operations Director at Caveni

Being Negligent and Ignoring the Obvious

It’s usually a matter of not bothering with the obvious things. Not making sure you’re up to date on PCI vulnerability scans, not limiting access to your admin area due to inconvenience, and not investing in staying up to date with the software versions are the most common reasons we’ve seen for breaches.”

— Brian Taylor, co-founder of Forix

IT security consultant Dave Hatter says that some of the most important things to consider when securing web applications can be found on OWASP’s Top 10 and CWE’s Top 25 lists.

Of these lists, the things that seem to be most often overlooked and most easily corrected are:

– Injection attacks (SQL, Command): Validating ALL input against a whitelist and disallowing dynamic queries (requiring parameterized queries or stored procedures)

– Broken authentication: Ensuring that all secured pages require a unique token along with complete mediation, ensuring that each and every access to a secured object is checked for authorization can solve this issue

– Sensitive data exposure: Encryption, least privilege and least common mechanism can solve this issue

– Hardened systems: CIS Benchmarks can help admins harden and secure on-premises systems, and Cloud based platforms like Azure, when configured correctly can provide additional security for web apps.”

— Dave Hatter, IT security consultant at Intrust IT

Having Poor Password Selection, Management, and Policies

Common mistakes people make with passwords that make them easily hackable is people using notable people, pets and dates personal to them, which of course these words will be the first passwords that a hacker will attempt!”

— Dustin Vann, Owner & Website Manager at Trusy Social (Trusy.co)

Using Default Credentials, Site Addresses, and Database Prefixes

My tips to help protect websites from one of the most popular security problems that is breaking into the admin system using brute-force. Oftentimes, when e.g. bots try to guess the admin password and you have a standard “wp-admin” panel address and a default “admin” username, it is easy for them to break into your system. The following tips will help prevent it.

What I recommend is to, first of all, change the default login admin panel address to one made by yourself, e.g. “/wp-admin” to “/my-own-secure-cms-panel”. The next step is changing the default administrator name, e.g. from “admin” to “mylogin2746”. If you are using an open-source CMS, change the default database prefixes e.g. “wp” to “hj34”. WordPress’ users should additionally install a security plugin, such as Wordfence or iThemes Security. Another good practice is to introduce two-step verification of users when logging into the admin panel.”

— Greg Rogozinski, co-founder and CEO of Cut2Code

Including Session IDs in URLS

Session-Id should not be passed to URL. It may allow an attacker to login to the system and perform unauthorized operations.”

Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

Lacking Regular Website Testing

One of the most common mistakes that I see a lot of website owners make is that they don’t test their website regularly. Scanning can help detect problems, but testing the website itself will reveal problems with the code itself. You’ll be able to see which parts are vulnerable to attack and which areas to improve. Testing your website regularly after a new update is a must to ensure that no one will take advantage of poorly written code.”

Kenny Trinh, CEO of GeekWithLaptop and founder and CEO of Netbooknews

Trusting Their Security to One Product or Solution

Be wary of security products and solutions that are marketed to completely protect your organization. I’m not talking about the traditional requirements of firewalls, intrusion detection/prevention, but rather the “automagic” and “silver bullet” cybersecurity solutions of the world. There’s no easy button — cybersecurity is complicated and cyber threats are constantly evolving and so should your security tools.”

— Brad Pierce, director of network security at HORNE Cyber

Now that you’ve had a chance to hear from all of these incredible industry experts, you may be wondering: Who the heck are they and why should I listen to them?

Wonder no more! Let’s introduce our experts for this website security tips list.

Final Thoughts on These Website Security Tips and How to Secure Your Website

The bottom line is that for many companies, having an ecommerce website is a gold mine. It’s also a perfect way for other groups to support their missions and get their name out there. Websites, on the other hand, are inherently vulnerable without the proper safeguards in place, putting your data — as well as that of your site users who provide information through transactions and forms — at risk from cyber threats.

This is why it’s important for businesses of all sizes to do whatever they can to keep their websites safe.

Categorized in: