Few things are worse for a website owner than waking up to find a compromised site. Your web host can often help you restore it, but the hours spent figuring it out can be incredibly stressful. You also risk losing traffic, trust and revenue while your site is down.
The good news is that there are a lot of tools and security protocols for keeping your website safe. Let’s look at the security tools your web hosting company should have in place, plus web hosting tips for making your website safer.
Why is security essential for a website?
There are numerous ways cybercriminals can attack an insecure website. The one you’ve probably heard about most often is data theft: harvesting your — and your visitors’ — private information so cybercriminals can either sell it to third parties or attempt to scam you and your visitors. This is especially concerning if you collect payment information or other sensitive details about your visitors.
Another common tactic is to flood a website with malicious traffic to overwhelm its servers and force it offline, in what is called a distributed denial of service, or DDoS, attack. Scammers can also deface an insecure site, often replacing the homepage with a redirect to a scam website in an attempt to steal your visitors’ data and/or money.
These cyberattacks can result in lost traffic, trust and, if you’re running a business website, revenue. Data breaches can also lead to legal issues. Choosing a web host with excellent security protocols, and following best practices for securing your website on your own, are essential if you want to avoid these problems.
How web hosts secure your website
Your website is like an online building for your data and your web host is its landlord. It should provide security protocols and tools to keep your site safe, just as a landlord installs locks and hires security.
SSL certificates
An SSL (secure sockets layer) certificate lets your website encrypt the data sent to and from it, scrambling it so that only your server and the visitor’s browser can read it. This makes it difficult for third parties to intercept the data, and even if they manage to capture it, what they get is effectively gibberish that they can neither read nor alter. That keeps them from using information like your users’ contact or payment details to scam them or steal their identities.
SSL certification, marked by the “s” at the end of “https,” also signals to visitors that your site is safe. Many VPNs and some browsers won’t let visitors load a site without it, and Google penalizes sites without SSL certification. Most web hosts bundle an SSL certificate into their hosting plans at no additional fee and with little to no effort on your part. Some hosts, like GoDaddy, charge extra for SSL certification on certain plans.
Secure file transfer protocol
The file transfer protocol, or FTP, is used to move large amounts of data to your web hosting server, such as when you upload a video or a batch of files. FTP sends that data unencrypted, so it is not a secure way to transfer files: eavesdroppers on the connection can read what you send and use it to infiltrate your site.
While many web hosting services offer FTP access by default, some, like Ionos, offer secure FTP, or SFTP, access instead. SFTP encrypts the data you’re transferring, protecting it while it is in transit.
Web application firewalls
A web application firewall, or WAF, is a filter that monitors data sent to and from your site and attempts to block anything suspicious. You can think of it like the website equivalent of wearing a mask during COVID or flu season: the mask lets air in and out, but keeps the majority of germs from infecting your lungs. The WAF does the same thing for your website, allowing legitimate visitors to use your site while striving to keep out harmful users.
Most web hosting services include WAFs in all of their web hosting plans. They may use “firewall” as a shorthand for WAFs — something we’ve done in many of our own web hosting guides here at CNET. If you see the term “firewall protection” on a web hosting site, it probably means the company’s using a WAF. You can always contact customer service to confirm this.
Antivirus and malware protections
Antivirus and malware protections are essential, especially on a shared hosting plan where your site shares a server with other sites. While you and everyone else are uploading files for your sites onto the server, some of those files could unknowingly contain a virus or malware. Once the file reaches the server, the malicious code can impact every site on the server, similar to the way germs coughed out on a plane can circulate in the air and infect everyone on the flight.
For shared hosting plans, the web hosting service is responsible for maintaining antivirus and malware protections. However, if you have a VPS or a dedicated server, you might have to install your own protections.
Distributed denial of service protection
Imagine you’re asking your parents a question, but your little sibling doesn’t want your parents to tell you the answer. Your sibling gathers all their friends, kids from the neighborhood, classmates and anyone else they find and they all start screaming at the top of their lungs to drown out any other noise. You can’t hear yourself think, let alone whatever your parents are saying. That’s what a distributed denial of service, or DDoS, attack is like to your website.
DDoS attacks are cybercrimes that flood your site with traffic from a network of malware-infected and connected computers called a botnet. The increase in traffic can prevent visitors from accessing your site, disrupt your work and overwhelm the server your site is on, causing your site to shut down altogether.
Web hosting services with DDoS protection can detect and prevent these attacks. A WAF can help identify and mitigate DDoS traffic, but on its own that is often not enough to stop an attack. Another tool that helps prevent a DDoS attack is an intrusion-prevention system: a network security tool that monitors for malicious traffic and reports, blocks and drops it.
Brute force attack protection
A brute force attack is a hacking method in which the attacker tries to get into your site by testing numerous username/password combinations on your admin login page until one works. Some brute force attacks use software to automatically try dozens or hundreds of combinations in a matter of minutes.
Many web hosting companies offer some level of brute force protection, often through bots that detect brute force attacks and block the IP addresses behind them. Some also offer built-in tools for things like two-factor authentication and limiting login attempts to further protect you from brute force attacks.
Site data backups
If your site is compromised, backups let you restore it to its former glory. You can back up your data manually, or enable automatic backups that run on a schedule you choose.
Some web hosting companies, like Ionos and Hostinger, offer free automatic backups with their hosting plans. However, lower-tier web hosting plans like shared hosting might only offer manual backups, with automatic backups only available on higher-tier plans.
Some backups are stored on a secure cloud server. Others are stored on a physical server separate from the one that holds your site’s data. Either way, the backup stays safe if your server is compromised. If a web host doesn’t say where it stores backups, contact customer service and ask whether the backup is kept on the same server as your site’s data.
Managed hosting plans
In managed hosting, the web hosting service handles any potential administrative issues, security updates and other software updates to keep your site functional and secure. If you think of your website like a building, managed hosting is when you hire maintenance staff to keep it in good repair, and unmanaged hosting is when you decide to clean, repair and otherwise maintain the building yourself.
Managed hosting typically costs more than unmanaged hosting. For shared or WordPress hosting, this means you’ll pay $2 to $5 per month for the first term (one to three years) of an unmanaged hosting contract or $7 to $10 a month for the first term of a managed hosting contract. The cost difference increases in more advanced hosting types, like VPS and dedicated hosting.
Best web hosting security practices: What you can do to protect your site
Your landlord isn’t the only one responsible for building security. You also need to take precautions, like keeping your keys in a safe location where only you can access them. Similarly, you need to take steps to keep your website safe.
Update your software regularly
Malware is always changing, and content management systems like WordPress and its many themes/plugins evolve to protect themselves from new threats. You must update this software to make sure your site has the most recent protections in place. If you don’t feel comfortable performing these updates yourself — or you don’t have the time to do so — you can invest in a managed hosting plan.
Pro tip: WordPress updates can damage your site if they’re not compatible with your existing themes and plugins. Make sure you have a recent backup before performing any major updates, and always update themes/plugins before updating the core software to ensure compatibility.
Remove unused software
Deactivating a theme or plugin leaves the files, including any vulnerabilities in those files, on your site. Moreover, deactivated plugins and themes aren’t updated, so they won’t have the latest security fixes. This makes it important to fully uninstall any themes, plugins or other website software you’re not using. Uninstalling unused software also prevents database bloat, which can slow your site and cause other functionality issues.
If you’re temporarily disabling a plugin while you work on certain aspects of your site, deactivating can be a wise move. However, if you know you won’t be using that plugin for the foreseeable future, you should uninstall it. You can always reinstall it if you need to start using it again down the line.
Use strong login credentials
Cybercriminals who infiltrate your site by logging into your admin account can cause untold damage. You can make these attacks more difficult by using a strong username and password.
A strong username is one cybercriminals can’t easily guess. The bare minimum here is to avoid using the default “Admin” username. You can include numbers or symbols in your username to make it harder to guess. You may also want to create a separate email purely for your admin account rather than using a public-facing email if your email address can be used in place of your username.
Individual sites’ guidelines for a strong password vary, but there are some bare minimum rules:
- Avoid using numbers or words that others know are significant to you, such as your birthdate or your pet’s name.
- Always use a password that’s at least 12 characters long (some sites recommend a 14- or 16-character minimum).
- Include a mix of numbers, upper case letters, lower case letters and special characters.
- Never reuse a password. A password for one site should only be a password for that one site.
You can use a password manager to suggest strong passwords and store them for you so you don’t have to remember them.
Limit login attempts
Limiting the number of login attempts someone can make in a specific time period is a great way to protect your site from brute force attacks. Your hosting account should already have this in place, but your content management system probably won’t.
There are several plugins that can help you with this if you’re using WordPress. I use and recommend Limit Login Attempts Reloaded, a free plugin that lets you customize the number of failed login attempts a user can make before being locked out of your site. Limit Login Attempts Reloaded also keeps detailed records of login attempts, making it easy to block IP addresses connected to repeated failed login attempts.
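The lockout logic described here and in the brute force section above, added as a Python illustration that is not the Limit Login Attempts Reloaded plugin’s code or any host’s implementation: failures are counted per IP inside a sliding time window, the IP is refused for a lockout period once the limit is reached (even if the next password is correct), and every attempt is recorded so repeat offenders can be picked out for a permanent block. The thresholds and the IP addresses used to exercise it are constructed.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Allow at most `max_attempts` failed logins per IP within `window` seconds;
    then refuse that IP for `lockout` seconds. Hypothetical illustration of the
    logic such a plugin or host applies, not any real product's code."""

    def __init__(self, max_attempts=5, window=300, lockout=900):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires
        self.lockouts = defaultdict(int)    # ip -> how many times it was locked out
        self.log = []                       # (time, ip, username, outcome) records

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[ip]   # lockout expired: start with a clean slate
        self.failures[ip].clear()
        return False

    def attempt(self, ip, username, password_ok, now):
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        if self.is_locked(ip, now):
            self.log.append((now, ip, username, "locked"))
            return "locked"   # refused even if the password is correct
        if password_ok:
            self.failures[ip].clear()
            self.log.append((now, ip, username, "ok"))
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()    # forget failures older than the window
        self.log.append((now, ip, username, "denied"))
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            self.lockouts[ip] += 1
            return "locked"
        return "denied"

    def repeat_offenders(self, min_lockouts=2):
        """IPs locked out at least `min_lockouts` times: candidates for a permanent block."""
        return sorted(ip for ip, n in self.lockouts.items() if n >= min_lockouts)
```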
Use two-factor authentication
Two-factor authentication, sometimes referred to as 2FA or multi-factor authentication, requires you to present more than one “factor” to log into your account. Your login credentials are the first factor. The second is typically a numerical code sent by email or SMS, or generated by an app like Google Authenticator. In theory this confirms that you are the owner of the account rather than someone who has illegally obtained your login credentials. It’s a bit like claiming a package from the post office: you need both the delivery notice and ID to prove you’re the right person to pick it up.
Some web hosting companies may offer built-in tools for two-factor authentication. Most of the time, however, you’ll need to implement this yourself. If you’re using WordPress, I recommend using the free Wordfence plugin to set up two-factor authentication.
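How the code-from-an-app second factor works, added here as a Python example that is not from the original article or from Wordfence: the server and the authenticator app share a secret, each derives a six-digit code from the current 30-second time step (the RFC 6238 TOTP algorithm), and the server tolerates one step of clock drift while refusing any code that has already been used for a login. The secret used to exercise it is the RFC’s published test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret_b32, for_time, step=30, digits=6):
    """Code an authenticator app shows for `secret_b32` at Unix time `for_time`
    (RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(for_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


class SecondFactor:
    """Server-side check of the second factor. `skew` is how many time steps of
    clock drift to tolerate; the step of an accepted code is remembered so the
    same code cannot be replayed. Illustration only, not any product's code."""

    def __init__(self, secret_b32, step=30, skew=1):
        self.secret = secret_b32
        self.step = step
        self.skew = skew
        self.last_step = -1   # highest time step already used to log in

    def verify(self, code, now):
        current = int(now) // self.step
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self.last_step:
                continue   # each code is good for exactly one login
            expected = totp(self.secret, s * self.step, self.step)
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                self.last_step = s
                return True
        return False
```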
Make it difficult for people to find your login page URL
By default, all WordPress sites use the same URL for the sign-in page. You can make it more difficult for malicious actors to infiltrate your site by changing your login page URL so they can’t easily locate your login page.
Another way to prevent bad actors from finding your login page is to remove the link from all public areas of your site. Combined with a changed login page URL, this makes it difficult for users who don’t either have access to your hosting account or existing knowledge of the URL to find your login page.
Use third-party security tools/plugins
There are many third-party tools you can use to further secure your website. For example, you can use the Cloudflare WAF if your host doesn’t offer firewall protection. If you suspect your site has been infected with malware, you can run the SiteLock malware scanner — either the free version or the paid add-on — to identify issues.
There are also numerous security plugins for WordPress. Wordfence is a great free option, with tools for setting up two-factor authentication, scanning your site for vulnerabilities and repairing files. Upgrading to premium Wordfence adds real-time malware detection, an IP blocklist that automatically blocks 25,000 to 60,000 malicious IPs, and multisite support.
Where to look for these features when choosing a web hosting service
How (or even if) web hosting companies display security features varies. Most web hosting services list some security features, like SSL certification and malware scanning, in the main plan breakdown. Other features, like firewall protection, may not appear there because that area is a kind of “greatest hits” that highlights only the most notable features of each plan.
There are two places to look if you don’t see a specific security feature in the main plans area:
- The detailed plan breakdown: A side-by-side comparison of all plan features, usually reached via a link saying something like “Compare all plans.” Features so common they’re assumed to exist, like firewall protection, and more technical features, like SFTP, are often tucked away in these detailed breakdowns.
- Customer service: If you don’t find the information in the detailed breakdown or a CNET review — or if you’re considering a company we haven’t done a full review for yet — you can reach out to the hosting company’s customer service. Most web hosting companies have live chat support that can help you find this information in a matter of minutes.
Another great way to learn about the security features, and the overall performance, of a web host you’re considering is to read our hands-on reviews at CNET. We analyze each web host’s detailed plan breakdown and speak with customer service to confirm the existence of essential security tools like firewall protection so you don’t have to. I recommend starting with the reviews for Hostinger, Ionos and A2 Hosting if you’re looking for a web hosting company with top-notch security.
Building a website for the first time? Read our guides on how web hosting works and how to host a website for a better understanding of how to get started.