Secure Your Website From Hackers

Updated: January 30, 2017

You can go to great lengths in order to secure your website from being hacked, but by taking a few measures you will prevent almost all hacking attempts on your website from being successful. If your website has already been hacked, then these steps won't resolve that, instead, the website needs to be properly cleaned.

Secure Your Computers

Many hacks come from hackers getting FTP access to websites from malware on computers that have been used to access the website via FTP. It is important to make sure that all the software on those computers is kept up to date. How malware generally gets on computers is through security vulnerabilities in software that is accessible through your web browser, including things like Adobe Reader and QuickTime. Google's Chrome web browser, starting with version 10, automatically checks for outdated versions of that type of software running on your computer. You can also use Mozilla's Plugin Checker to check the current status of that type of software. For Window's users, the Secunia Personal Software Inspector will also check for outdated software. You should also run a good anti-virus program on those computers.

We would also recommend using a web browser that uses data from Google's Safe Browsing system. This will stop the web browser from accessing content on a website Google has detected malware on. Currently Mozilla's Firefox, Google's Chrome, Opera and Apple's Safari access this data.

By limiting what IP addresses can access your website via FTP you can severely limit the possibility that a hacker could use the FTP credentials if they were ever compromised. Support for this feature and configuration of the features varies between web hosts, so you should contact your web host for more details on setting this up.

Update Software

Outdated version of web software, like WordPress, Drupal, and Joomla, frequently contain security vulnerabilities that have been patched in subsequent versions. Keeping all the software running on a website updated, including add-ons, ensures that these cannot be exploited by a hacker. If software is no longer being used, it should be removed. The following links explain how to check if you are running the latest version of Drupal, Joomla, MediaWikiWordPress.

Unfortunately, not all software with security vulnerabilities is fixed, so keeping software up to date will not always protect against known vulnerabilities if the software is no longer supported. Drupal provides warning about vulnerable software through their update mechanism. For other software, please check how they handle warning about these situations to protect yourself.

SQL Injections

If you have custom written code on your website that accesses a SQL database, the website is potentially vulnerable to a SQL injection hack. All input data needs to be properly sanitized to prevent SQL injections. The developer of the code should be able to tell you if this is done by the code or a developer familiar with developing web code should be able to review the code for this issue. This especially important if you have an ASP based website.

Use a Secure Web Host

There have been several major hacks that have been cause due negligence of a web host to properly secure their systems. Unfortunately, there is no way for you to fully review their security. What you can do is find out from them if they taking the basic precautions which hosting providers who have been hacked in the past have not taken:

Ask them if they store user's passwords in plaintext on their systems, they shouldn't. Ask them if they have access controls in place to prevent other users from accessing your website's files (no matter the file's permissions), they should. Ask them if they keep the software on their servers updated, they should. Ask them what their policy is on updating outdated software.

Don't Use Weak Passwords

Hackers try to gain access to access to the backend of your website by attempting to log in with common passwords (things like password, admin, 123456, or abc123). This is referred to as a dictionary attack, and you can prevent this by not using common words or keyboard patterns as a password.

Security companies frequently claim that brute force attacks, which involve trying every single possible password combination, are occurring, and that their product or service will protect, but their evidence that this is occurring .


While it won't stop your website from being hacked, if you have a make frequent backups it will make it easier to restore your website if it has been hacked. You need to make sure to back up both the files and any databases. If you store a backup that has never been on the server, you can ensure that you will have a completely clean copy of the website. It is also important that you test your backups to make sure they will work if you ever need to use them.

Related Services:

Related Resource