Your Website's Essential Security Features. Are They On?

Building and maintaining a strong website security is a constant process that often gets neglected by website owners due to its complexity, time consumption and cost. As a hosting provider, we know better. Over 18 years of experience in hosting, maintaining and securing millions of websites has taught us that website security is absolutely critical for every online business. We have seen the devastating consequences a hack can have on a website and ultimately on a business, and we have dedicated serious efforts to preventing and minimising the effects of hack attempts. 

During the years, we have optimized the security of our platform by developing sophisticated security systems, introducing a variety of security tools, plugins and features, and constantly analysing and monitoring traffic and patterns to recognise potential threats. While all of this has made us one of the most secure and trusted web hosting providers in the world, we know that platform security on its own, is not enough. The involvement of webmasters and site owners is just as important for properly securing a website. That is why we have compiled a list of the most essential security features you can enable that can make the difference between a hacked website and a peace of mind.

Use SSL

Today an SSL is absolutely essential for every website. An SSL certificate encrypts the connection between your visitors’ browsers and your website’s server so that the data transmitted between the two, such as personal information, credit card data, login credentials or else, cannot be hijacked by hackers. 

SiteGround clients get free Standard and Wildcard SSL certificates with all hosting plans, regardless of the number of sites. Make sure you have your SSL installed and traffic properly redirected via HTTPS from Site Tools > Security > SSL to ensure the encryption of the connection. 

If you have a business website or you’re processing online payments, you may consider our premium Wildcard certificates that come with $10,000 underwritten warranty and a dynamic site seal to create credibility and trust among your visitors.

Protect your login

Your login credentials are a gateway to your account and personal information (and when talking about websites, to your domain, site and emails, too). There are several things you can do to ensure that your login credentials are safe and secure, and only you or the people you have authorized have access to your website:

Harden Your Passwords

Despite all the awareness created nowadays about weak passwords and the importance of never sharing login credentials with anyone, one of the most common credentials hacking is through guessing or brute-forcing easy-to-crack passwords. Having a long password, consisting of multiple characters and combination of words, letters, numbers and symbols is an easy and super effective way to keep your accounts secure. Remember to use different passwords for different sites and apps, and never share your passwords with anyone, nor write them on publicly accessible places like post-it notes on your computer! Read more on the topic here.

Use 2-factor authentication

Regardless how hard your password is, there’s still a possibility for a hacker to get to it through a brute-force attack, virus, malware or other. With 2-factor authentication enabled, a secondary step needs to be passed by anyone attempting to access your data. 2FA adds another layer of authentication, usually through a temporary dynamically generated code (accessible only from your phone or email, depending on the settings), which cannot be guessed or hacked and makes your login defense bulletproof!

• For SiteGround Client Area, which is the gateway to your domains and sites, you can easily enable 2FA from Client Area > Login & Profile. 
• For your WordPress application login, you can install and activate the SiteGround Security plugin and enable the 2FA feature. Download plugin here, or install it directly through your WordPress admin area.

Monitor your website

Scan for malware regularly

There are numerous ways a website may get infected with malware – through compromised login credentials, infected or fake plugins and themes, corrupted software and more. Malware can have a serious impact on your site and online business. The best prevention for it is a secure web hosting platform and constant monitoring. If you’re a SiteGround customer, you can activate Site Scanner – a service that crawls your website on a daily basis and notifies you of potential malware and other threats. Just recently, Site Scanner helped save thousands of WordPress sites from a particularly nasty malware.

Block suspicious traffic

There are cases where only the person managing a site can notice specific patterns or suspicious activity. We have provided easy-to-use powerful tools for blocking specific IP addresses or whole countries, enabling our customers to control who’s accessing their website and prevent unwanted visitors.

Back up your site regularly

While backups don’t protect you from hackers directly, they keep you safe from other unexpected events – a site update that may have gone wrong, an infected site that has to be reverted to a clean version, and any other situation where a copy of your website is all you need to bring it back online. We know how often backups can save an otherwise dire situation, so we do automated daily backups of all sites hosted with us and keep them for up to 30 days. You can easily restore your website, files, or databases for free in just a few clicks from Site Tools > Security > Backups.

Take special care of your WordPress

Being the most popular CMS in the world, WordPress is also one of the most popular targets for hackers. While all of the advice above applies to WordPress, there are a few additional things you can do to ensure that your WordPress site is well protected from bad actors and malicious software.

Keep your WordPress up-to-date

Keeping your WordPress up-to-date is essential for your website security. If your site is hosted with SiteGround, we’ve got this covered for you. All WordPress sites hosted with us get automatically updated to the latest stable WordPress version (only after we have thoroughly tested it). Free plugins are also autoupdated, depending on the user settings.

Add an extra safety layer with a trusted security plugin

There are WordPress specific exploits and vulnerabilities that are best handled within WordPress itself. Some of our best WordPress engineers have developed the (free for all) SiteGround Security plugin that consists of a number of tools and features designed to keep your WordPress safe and secure. It helps site owners to disable XML-RPC if you don’t need it, add XSS protection, protect system folders from being injected with malicious files with just 1 click, and many more.

Avoid common usernames like “Admin”

Your login consists of two pieces – a username and a password. On many occasions the username is something automatically generated by the platform where you register and you have no control over it, but on others, such as your WordPress application, you are in full control of what your usernames should be. Except, all WP installations come with user “Admin” by default. And hackers know that, which means they are one step closer to accessing your site! That is why we suggest you disable all Admin users on your sites, and create users with different usernames and equal to the Admin rights. You can disable the use of Admin and other common usernames with the free SiteGround Security plugin.

Limit login attempts

A standard behavior of unauthorized users is to try and guess your password (or username and password) on the login form by making multiple consecutive attempts for that. You can easily cut them off by limiting the number of consecutive unsuccessful login attempts they can make. After they reach the set amount, the IP from which they log in gets blocked for 1 hour. Use the free SiteGround Security plugin to activate this feature for WordPress sites.

Use a trusted web hosting provider with security-first approach

As we mentioned in the beginning, protecting your website is a team effort and on our platform your websites’ security is our number one priority. Here we want to recap some of the things we do and in case you are not a SiteGround client, you may want to consider these security essentials for any hosting provider you work with:

Server-level Web Application Firewall

The web application firewall monitors the traffic and blocks the opportunity for hackers to exploit many common application security holes. Although there are many solutions such as WordPress plugins, or third-party services to address that need, a server-level WAF is of utmost importance since it works with big data and real time. That is why our dedicated Security Team constantly monitors various security bulletins for exploits and vulnerabilities, and immediately creates custom security rules, which they add to our smart and in-house managed Web Application Firewall. It protects all sites hosted with us out-of-the-box.

Brute-force prevention

Siteground has a sophisticated AI-driven bruteforce prevention system that for years has been stopping millions of bruteforce attempts per day (even hour)! And while this on its own is impressive, we recently made it even better. After the recent system upgrade, we have managed to reduce the amount of malicious traffic reaching your site by 95% and thus significantly minimizing the actual bruteforce attempts! No action is required on our clients’ end, they’re already using it. 🙂

DDOS protection

DDOS attacks are frequently used by hackers to bring down sites for different reasons – ransom demands, economical or business competition, political motives or simple vandalism. We have a system of software and hardware mechanisms that divert DDOS attacks, mitigate their impact, and eventually stop them. And the best thing is that you don’t have to do anything – we protect all sites hosted on our platform!

Managed PHP

Keeping PHP up-to-date is essential for keeping your website safe. Older PHP versions are often a gateway for vulnerabilities and malware, and a lot of web hosting providers tend to overlook this in order to make PHP management easier. We have developed a secure managed PHP solution that helps our customers keep their PHP updated to the latest stable PHP version.

On-demand traffic blocking (IP and Geo Blocking)

There are cases where only the person managing a site can notice specific patterns or suspicious activity. We have provided easy-to-use powerful tools for blocking specific IP addresses or whole countries, enabling our customers to control who’s accessing their website and prevent unwanted visitors.

Smart Client Area & Site Tools Login

All SiteGround accounts are protected behind a smart login we have developed to recognise suspicious behaviour and enforce additional client verification when an irregular pattern is detected. Our login system learns from your behaviour – like the devices you’re usually using or the locations you often log from, for example – and knows whether a login attempt is coming from you or an impostor. In the latter case, a challenge is introduced – one that is easy to pass for the real account owner and very hard for anyone else.

Monthly Security Reports

There’s one more thing that often gets overlooked, but it’s important to include it in your website security strategy. You need to make sure that you keep an eye on your site’s security status regularly, yet this can take you much time, effort, and money. SiteGround clients receive free monthly security reports straight into their inboxes.

We perform automated security checks of our clients’ websites and then provide them with summary results in a user-friendly format, along with actionable tips on reducing the risk of malicious attacks, if we identify any weak areas.

These are the features that are essential for your website security. If you have all of them enabled, we’re confident that your website is well protected and you can have a peace of mind that you have done everything in your power to secure your online business. We’d love to hear which of these features you’re already using and which are the ones you just found out about.