melt logo white small 1
Website Improvement Series
Know anyone else that would find this series helpful?

How To Secure Your Website

Table of Contents


This one is not sexy, but it is very important.

Imagine completely losing a website you’ve spent thousands of pounds on to be designed and built, plus the hours and hours spent adding content, making improvements, and running a marketing campaign. 

If your site helps bring new customers, imagine it was hacked and taken down, but there was no way to retrieve it. Everything was lost overnight, and there was no way to retrieve it. All that hard work and a key part of your marketing were lost.

Having your website hacked can cause major problems for your business and take months to recover from. 

You may think this wouldn’t happen to you, but believe it or not, I have seen and heard countless horror stories of this happening to more businesses than you think. 

Yes, getting targetted by hackers or spam malware sucks

No website will ever be 100% hackproof, but we can do some simple things to massively reduce our risk and exposure and recover quickly if something bad does happen.

Keeping WordPress Secure

An untouched installation of WordPress is open to attackers. Neglecting security leaves you vulnerable to hackers looking to deface, delete, or even inject your site with malware. 

However, a day spent installing and setting up the right security plugins and filling in all those little holes could make all the difference.

By following our advice, your site will be far safer from attackers. The great part is that many of these methods are “set-it-and-forget-it” actions.  Change one setting, and you won’t need to think about it for a long time.

Let’s get stuck in. 

Website Security Fundamentals

1. Keep your website well maintained

Not updating your website is one of the most common reasons we see businesses’ sites get hacked. Some haven’t updated their plugins for 3-4 years. 

If you have a WordPress website, you will notice that updates are always required. The Core CMS system, plugins, and themes are constantly updated. Updates are frequently released to improve functionality and patch security loopholes.

If you don’t update your site or plugins, you invite malware bots because they exploit older technology and security gaps in these tools. 

Most people don’t update their sites because they don’t know how to or are scared of breaking something on their site. 

Updating a plugin can cause issues, but it’s unlikely if you update the plugins regularly and your site is not overly custom-coded.

If you have backups, you can always restore your site within a few minutes if something goes wrong.

You don’t have to run an update every day, but a good rule of thumb is to do it at least once a month and at a time when your website receives less traffic. If something goes wrong, it can be restored without much disturbance. 

Most hosting companies run automated backups in the early hours of the morning, so it’s typically a good idea to do them first thing in the morning.

Also, doing lots of work on a site, like adding blog content, changing design elements and then running plugin updates, is a bad idea, as your changes could be lost. So, take a backup before running updates after making changes to the site.

You can also run up a staging version of the site, run the updates there first, and then apply these updates to the live site once you know everything is okay.

Safe Updates 

Some hosting companies offer safe updates that allow you to back up the site on a staging site and run updates. If it encounters an issue, it aborts the updates and emails you what caused the issue to then give to your web developer to fix.

Remove anything unneeded

It’s also important to remove any plugins you don’t need or use anymore and have sat disabled in your plugins dashboard.  They are still on your site and can be exploited.

Install Plugins and Themes From Reliable Sources

Another big mistake site owners make is getting their plugins and themes from unreliable vendors. A bad theme or plugin can corrupt, deface, or inject malware into your pages. 

WordPress does not endorse third-party websites and developers, so you never know what you’re getting. 

Avoid anything coming from unknown websites. If the plugin has many positive reviews and seems popular, it should be safe enough to install. 

Before downloading anything from the repository, check the stats listed in the sidebar on the right of the page. Avoid downloading plugins that haven’t been updated in the last year or more, have less than a few hundred installations, or receive low ratings. 

The same is true for themes. WordPress offers some themes in the theme repository. If, like many users, you’re looking for more variety, be sure to only purchase your themes from trusted and well-known vendors and creators in the community.

Custom Coding

If your site has a lot of custom coding, this can cause a vulnerability. As web technologies evolve, HTML, PHP, and Javascript become more secure. 

If your site has custom-coded elements, it’s important to keep these in line with changes as they can become less secure over time and make the site less compatible with WordPress and other plugins in the future.

Want more confidence updating your site?

If you are uncomfortable running site updates yourself, you can hire a company like ours to do plugin updates. We can restore the site quickly and fix the issue if something goes wrong. 

Our support plans start from £35 a month and include managed WordPress hosting, site updates, security tools, and more. 

Find out more about our website care plans here.

2. Good Web Hosting

A good web host will make a massive difference to your site’s security. We’ve helped countless businesses that kept getting hacked change their web hosting supplier, and the issues went away. 

Cheap hosting will not offer you advanced firewalls, backups, file and database blocking, or other security tools, leaving your site much more exposed. 

Cheaper hosting typically means your site is hosted on a server with hundreds of other sites. If one of those sites gets hacked, the attack can spread to all sites on the server. A good host will isolate each site and prevent this from happening.

Our recommendation would be Cloudways

They offer specialised WordPress Hosting and all of the features above, including easy backups, staging management, firewalls, SSL certificates, and awesome support.

Here is a quick video highlighting the hosting security features you should check for with your supplier. 

Managed Website Hosting

Managed hosting is when you outsource your website hosting to someone who manages your hosting account and website. They do all the security setup and updates and fix any issues that may arise. 

If you only have a shared hosting account, the company will often support you with the hosting; any website issues will be out of scope, and they will tell you to get further support.

Managed hosting removes the hassle of setting up and managing a server or hosting account, but it also offers monthly updates and technical support for website functionality issues.

We host and use all our sites to host and manage our client’s sites on Cloudways. If you would be interested in having us host and manage your site, you can find out more here – Managed WordPress Hosting 

3. Backups

It’s crucial to have daily backups as part of your hosting. A backup is a simple automated process in which your website files and database are snapshotted and saved. Backups typically occur in the early morning hours to reduce any impact running a backup may have.

Think of backups as peace of mind. 

Suppose your site experiences a security breach or a plugin update that goes wrong. You can restore it to its previous state with just a few clicks.

For an extra layer of backup peace of mind, I suggest storing external site backups elsewhere. Again, this can be automated. We use a tool called Manage WP with all of our sites, which gives you an extra place to retrieve the site from any issues we may have restoring it from the server.

All good hosting packages will offer backups, but you want to have the option to take or restore a backup when you want to. 

Typically, managing backups comes with dedicated hosting plans, but you will get backups from most hosting companies.

4. SSL Certificate

An SSL certificate encrypts your site traffic and any data passing through your site, form submissions and transactions. 

They offer more peace of mind for site visitors. If they visit your site and it says this site may be insecure, you’re a lot less likely for people to stick around and look around your site.

Nowadays, all hosting companies offer free SSL certificates, so there is no excuse not to have one on your website.

5. Firewalls

Firewalls are like your invisible security shield.

They protect your website from hacks and attacks. Essentially, it acts as a barrier that prevents dangerous users from accessing your site, breaching its defences, and stealing your data.

The most common type of Firewall is WAF. Web Application Firewall (WAF). WAFs inspect incoming HTTP traffic to filter, monitor, and block dangerous parties.

It will help to prevent

  • SQL injections
  • File inclusions
  • Distributed Denial-of-Service (DDoS) attacks
  • Man in the Middle attacks
  • Cross-Site Scripting (XSS)
  • Cross-site forgery

Your hosting company will typically provide a server-based firewall, but installing and running a firewall from a third-party supplier on your site is a good idea.

Here are the most popular ones 

1. Sucuri

Sucuri is a complete website security service with an auditing tool, malware scanner, and security hardening features. Although there’s a free version, you’ll need to upgrade to a premium plan to access Sucuri’s WAF:

The firewall can stop hacks in real-time and mitigate large-scale DDoS attacks. Furthermore, Sucuri uses a Content Delivery Network (CDN) to speed up your website’s loading times.

Pricing: Sucuri’s Basic firewall access costs $9.99 per month. Upgrading to the Pro firewall for $19.98 per month also includes SSL support and monitoring.

2. Cloudflare

Cloudflare is another popular security suite with CDN, SSL encryption, and DDoS protection.

Cloudflare’s cloud-based firewall protects against the ten most common security attacks, including XSS and SQL injections. You can also customise its rulesets to safeguard against other hacks. Moreover, Cloudflare has zero-day protections that can patch security vulnerabilities in seconds.

Pricing: Cloudflare offers a free plan. We find this perfectly fine for 95% of small businesses.

3. Wordfence

Finally, if you’re looking for a free WordPress firewall and security solution, consider Wordfence. It uses an endpoint WAF and malware scanner that can protect your website from internal and external threats:

Pricing: You can get the free plan or Wordfence premium starting at $99 per year.

5. A Good Security Plugin

Installing and configuring a good Security plugin on your WordPress site can help harden your site’s security, lock things down, and remove chances for exploitation. 

There are multiple security plugins out there; you can find out more about WordPress Security plugins here, but after testing a lot of these, one we like is

It has a free and paid version. 

In this video, I show you how to set up and configure some basics to help secure your site better using All In One Security.

WordPress Security Basics

6. Login Page Protection - Brute force blocking

Brute-force attacks occur when a bot locks onto your login page (typically/wp-admin) and sends thousands of requests to attempt to log in.

Spiking your hosting resources can slow your website down, but it will likely crash. Left unprotected, they’ll eventually crack your login and gain access to our site.

By default, anyone can log into your website by going to We can do this with the security plugin I showed in the Video above.  But you could use WPS Hide Login, which allows you to change this. 

Changing this common login URL and then blocking any IP that tries to make multiple login attempts can prevent this massively, and it’s super easy to do. 

It would help if you used a login URL that isn’t common. It might deter them a little if you change it to something like /login or /new-login, but these can be found quickly. Therefore, it’s better to choose something hard to guess. As an example, you could use /mysecretbackdoor

Watch the quick video below to learn how to do this.

Extra Login Security steps

Two Step Authentication

You can use a two-step authentication plugin to go the extra mile. 

Once a user logs in, it asks the visitor for an extra identifier. The most common is an SMS message sent to your phone or an authenticator app. Two steps are super powerful, as a hacker could access your email, but it’s unlikely they could steal your phone.

It does add extra steps for your site users and can cause frustration.

I prefer not to have two steps for ease of use; we don’t regularly have people log into our site or store user data there. With all the other security measures in place, I’m confident our site is secure enough not to need them. 


We’ve all seen the I’m a robot checkbox on login pages or web forms. A captcha system adds an extra step and effectively stops bots. 

I prefer a Math Capture because it’s less intrusive and has the most security plugins. 

Limit Login Attempts

A plugin that limits login attempts will give users only a few chances to log in before they’re locked out. You can set this to as many as you like—5 failed login attempts before being blocked is generally a good rule. 

It can also detect and redirect or block bots from your login page.

Watch the video above to learn how to set all of these up.

7. Strong User Login

Choosing a strong username and password combination can make a big difference. We can do all the security fixes we like, but if your login details are common and easy to hack, it won’t make any difference once hackers find it. 

Here’s a list of usernames you should avoid.

  • Admin
  • Your real name or nickname
  • Any personal information
  • Your site or business name or something related to it 

It would help if you also chose a secure password. 

Avoid personal information, obvious choices like “password,” or anything related to your website.

A good password should be 10+ characters, use various characters and numbers, lowercase and capital, and sometimes other characters, and avoid common words and phrases. 

Bad Example 


Good Example


The best passwords are long, random sequences of letters, numbers, and symbols that no one could ever guess. Going into your user profile in WordPress and changing your password will generate a strong password. Using that is always a good start.

But I can’t remember that password. People choose weak passwords out of convenience, which can expose them. It’s your responsibility to make your site secure. It’s easy to save your password on your phone, in a secure document, or use a password management tool like OnePassword, so there is no excuse.

Delete Admin Users you no longer need. 

Over time, as people work on your site, you’ll add them to make their lives easier. If they no longer work with you, removing them from the database is a good idea, as it’s an extra login hackers cannot exploit.

8. Protecting Your Files

File Directory access 

You can access your site files and files through a browser if you know the correct URLs. Meaning they could easily be targeted, stolen or changed. I dont understand why WordPress allows this, but it’s easy to fix.

Most hosting companies will offer this now as an option to disable. I recommend you do.

File & directory permissions 

Permissions for folders and files on your server can help secure things because it stops them from being writable (changed)

The default permissions will be left as they are without taking action. It’s super easy to do with the right tools.

Disable File Editing

WordPress comes with a set of easy-to-reach themes and plugin editors. They are under Appearance > Theme Editor and Plugins > Plugin Editor. These allow direct access to your site’s code.

While these tools are useful to some, many WordPress users aren’t programmers and will never need to touch anything here. 

It’s best to turn off file editing, as hackers can use it to quickly execute malicious code or delete entire parts of your website.

Watch this video, in which I show you how to turn off directories and file editing and change permissions.

9. Spam blocking

There is nothing more annoying than seeing your web forms flooded with Spam entries, fake orders through your ecommerce system or Viagra-based comments on your blog posts. 

Spam can cause issues with your site if you dont take action to block it. It will add more to your database, create malware links that can be tracked back, and attract spam malware bots. 

It’s easy enough to stop. 

Adding captchas on forms, disabling and changing commenting settings, and firewalls can eliminate 99% of spam through your website.

Out of all the Spam-blocking tools, CleanTalk is the best I have seen, and it costs as little as £4 a month.


This step has covered a lot, and you may feel overwhelmed. 

However, securing your website is simple.

Using a trustworthy hosting company with secure servers, back up your site daily, keep your plugins and themes up to date, and ensure you have a secure login and strong password. Doing all this will make you more secure than 80% of website owners and safe from becoming a horror story.

If you’re concerned about securing your site and feel it’s beyond your expertise, consider the benefits of working with a professional website maintenance company. The peace of mind from knowing your site is looked after by experts is invaluable.

Our website support service includes daily security monitoring, patching, and backups. They also include the tools and plugins covered in the videos, saving you additional costs. Learn more about our website support service here.

pricing migration fold

Want Some Feedback On Your Site?

Book a free website audit where we’ll look at your site design and offer guidance on how to make it easier to navigate and areas of the design you can improve

memberpress membership agency

Free Audit

Let us do all the hard work for you and get our expert insights into ways to improve your website and boost conversions.

Final Step
melt logo web

Find Out Why Your Site “Isn't Working”


Stop guessing at a plan of action and let one of our experts analyse your site for you—free of charge.

You’ll get a detailed report with actionable recommendations and a priority list of missed opportunities—so you know precisely what to do and when.