Top 17 Tips to Keep Your Website Secure
- Update All Scripts & Plugins: Check every web application, plugin or module you use. Always install the latest stable releases. Consult Secunia or your vendor's site for known vulnerabilities.
- Audit Your Files: Compare your live files with a clean backup. Remove any unknown or leftover installer files before they can be exploited.
- Use Strong Passwords: Choose long, mixed-character passwords (letters, numbers, symbols). Avoid dictionary words or predictable phrases.
- Separate Database Users: Create a unique MySQL user for each application. Never reuse your main cPanel username and password inside your scripts.
- Archive Your Raw Logs: In cPanel's Raw Log Manager, enable log archiving. Retained logs help you trace how an attacker may have entered your site.
- Keep Custom Mods Updated: If you've added third-party modifications, verify they're actively maintained and updated just like your core application.
- Sanitize All Input: Validate every form field, URL parameter, or cookie before using it. Never include files or execute commands based on unchecked user input.
- Avoid register_globals: Applications relying on PHP's register_globals setting are more vulnerable. Choose software that follows current PHP standards.
- Protect Against Email Header Injection: If you send mail from scripts, strip line breaks from user-supplied fields (to, subject, headers) before mailing.
- Maintain Open-Source Apps: Open-source is free—but you must apply security patches promptly or risk data loss and site takeover.
- Don't Assume Safety Over Time: Just because your site has run for years without issue doesn't mean it's secure. New exploits appear constantly.
- Restrict Configuration File Permissions: Set files containing database credentials to 660 (owner/group read/write). Folders should be 755, PHP/HTML files 644.
- Limit Administrative Access by IP: Wherever possible, restrict wp-admin, /admin, or other back-end paths to specific IP addresses or protect them with a secondary password.
- Secure File Uploads: Allow uploads only to non-public folders (outside public_html) and only by trusted users. Scan or validate files before making them accessible.
- Control URL Forwarding & Webmail: Prevent open redirects and unrestricted webmail access. Require login or IP checks to stop spammers from abusing your site.
- Password-Protect Experimental Features: If you're testing a new script or feature that you can't keep updated, lock it behind a password immediately.
- Use Proper File Permissions on Shared Hosting: On suPHP servers, avoid world-writable files or folders. Directories: 755; PHP/HTML: 644; CGI/PERL: 755.
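The two permission tips above (credential files 660, directories 755, PHP/HTML 644, nothing world-writable) are easy to check mechanically. The following audit script is an added example, not part of the original list; it assumes credential files are named like *config*.php, and the sample tree it builds is constructed for demonstration only.

```shell
#!/bin/sh
# Walk a web root and report every path whose mode differs from the
# recommendations: directories 755, PHP/HTML 644, credential files 660,
# and nothing world-writable. Credential files are assumed to match
# *config*.php (e.g. wp-config.php); adjust the pattern for your apps.

audit_perms() {
    root="$1"
    {
        # Any world-writable file or directory is a finding on shared hosting.
        find "$root" -perm -0002 | sed 's|^|world-writable: |'
        # Directories must be exactly 755.
        find "$root" -type d ! -perm 755 | sed 's|^|dir not 755: |'
        # Files holding database credentials must be 660 (no world read).
        find "$root" -type f -name '*config*.php' ! -perm 660 \
            | sed 's|^|config not 660: |'
        # All other PHP/HTML files must be 644.
        find "$root" -type f \( -name '*.php' -o -name '*.html' \) \
            ! -name '*config*.php' ! -perm 644 | sed 's|^|php/html not 644: |'
    } | sort
}

# Number of findings, so a deploy hook can fail when it is not zero.
count_findings() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (not a real site) containing typical mistakes.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/public_html" "$root/public_html/uploads"
    printf '<?php\n' > "$root/public_html/index.php"
    printf '<?php\n' > "$root/public_html/wp-config.php"
    printf '<html>\n' > "$root/public_html/about.html"
    chmod 755 "$root" "$root/public_html"
    chmod 777 "$root/public_html/uploads"       # world-writable upload dir
    chmod 644 "$root/public_html/index.php"     # correct
    chmod 644 "$root/public_html/wp-config.php" # credentials world-readable
    chmod 666 "$root/public_html/about.html"    # world-writable file
    printf '%s\n' "$root"
}
```

Run `audit_perms /home/user/public_html` from cron or a deploy hook; on the constructed sample tree it reports five findings, and zero once the modes are corrected.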
By following these best practices, you can reduce your exposure to common web threats and keep your site—and your visitors—safe.