Website security is not one setting, one plugin, or one scan. It is the habit of reducing easy entry points, noticing problems early, limiting damage, and recovering quickly when something goes wrong.

For most business websites, attackers are not carefully studying the company for months. They are scanning for common weaknesses: outdated software, weak passwords, exposed admin panels, unsafe plugins, broken access controls, leaked backups, misconfigured servers, and unmonitored forms.

Good security does not need to be dramatic. It needs to be consistent.

This checklist is written for business websites, ecommerce stores, service companies, publishers, and small teams that need practical protection without turning every decision into an enterprise security project.

1. Keep the platform, plugins, themes, and dependencies updated

Outdated software is one of the most common causes of website compromise.

If your website uses WordPress, Magento, Drupal, Joomla, Laravel, Node.js, Astro, or any other framework, the public website is only the visible part of a larger software stack. The CMS, plugins, themes, packages, server software, database, and build tools can all introduce security risk.

A practical update process should include:

  • Apply security updates quickly
  • Remove plugins, themes, and packages you no longer use
  • Avoid abandoned plugins and extensions
  • Test major updates on staging before production
  • Back up the site before large changes
  • Check important forms, checkout flows, and pages after updates
  • Monitor errors after deployment

Automatic updates can help, especially for security patches, but they are not a complete plan. An automatic update can fail, conflict with another extension, or break a business-critical form. Pair updates with monitoring and rollback.

2. Protect every admin and hosting account with MFA

Passwords alone are weak protection for important business systems. Use multi-factor authentication for:

  • CMS administrator accounts
  • Hosting control panels
  • Domain registrar accounts
  • DNS providers
  • Email accounts
  • Cloud storage and backup systems
  • GitHub, GitLab, or Bitbucket accounts
  • Payment, CRM, analytics, and marketing tools connected to the website

For high-value accounts, prefer phishing-resistant authentication methods such as passkeys or hardware security keys when available. SMS codes are better than no MFA, but app-based MFA, passkeys, and hardware keys usually provide stronger protection.

Also remove old users. Former employees, agencies, freelancers, test accounts, and shared admin logins are quiet sources of risk.

3. Use least privilege for every user

Not every user needs administrator access.

Editors should not be able to install plugins. Marketing users should not be able to change DNS. Developers should not need production database access for routine content edits. Contractors should have time-limited access and only to the systems they need.

Review permissions regularly:

  • Remove inactive users
  • Downgrade unnecessary admin accounts
  • Avoid shared logins
  • Use unique accounts for each person
  • Disable accounts when a project ends
  • Keep a record of who has access to what

Least privilege matters because one stolen account should not give an attacker control over the entire website.

4. Use HTTPS everywhere and monitor certificates

Every modern website should use HTTPS across the full site, not only login or checkout pages.

HTTPS protects credentials, cookies, form submissions, admin actions, and visitor trust. It also prevents browser “Not secure” warnings that can hurt conversions.

Check that:

  • HTTP redirects to HTTPS
  • The SSL/TLS certificate is valid
  • Certificate expiry is monitored
  • Mixed content warnings are fixed
  • Canonical URLs use https://
  • Cookies are marked secure where appropriate

An expired certificate can make a healthy website look broken. Treat SSL monitoring as part of uptime monitoring.

5. Back up the site and test restores

A backup is only useful if it can be restored.

For business websites, backups should be automatic, frequent enough for the business risk, and stored somewhere separate from the production server. If the same server is hacked, encrypted, deleted, or suspended, local-only backups may disappear with it.

A good backup plan includes:

  • Database backups
  • Uploaded media and files
  • Theme, plugin, and application code
  • Configuration files
  • Environment variables or a secure record of required settings
  • Off-site storage
  • Retention long enough to recover from delayed discovery
  • Restore testing on staging

Test restores at least quarterly for important sites. The first restore test is where teams usually discover missing files, broken database exports, expired credentials, or backup jobs that stopped months ago.

6. Add monitoring for uptime, malware, forms, and changes

Security is partly about prevention, but it is also about detection.

You need to know when the website goes down, slows down, starts redirecting visitors, serves malware, sends form errors, or shows unexpected content.

Useful monitoring layers include:

  • Uptime checks
  • SSL expiry checks
  • Malware and blacklist monitoring
  • File change detection for CMS sites
  • Vulnerability scanning
  • Error log review
  • Form submission tests
  • Checkout tests for ecommerce
  • Search Console security issue monitoring

Google Search Console can report security problems such as malware, code injection, content injection, suspicious redirects, unwanted downloads, and phishing warnings. It should be connected to every important business website.

7. Harden login pages and admin areas

Admin areas are heavily targeted because they are obvious and valuable.

For CMS websites, especially WordPress and ecommerce platforms, protect login and admin routes with layered controls:

  • Strong passwords
  • MFA
  • Login rate limiting
  • Bot protection
  • CAPTCHA only where it improves real risk
  • IP allowlists or VPN access for sensitive admin areas
  • Disabled default or unused admin accounts
  • Audit logs for administrator actions

Do not rely only on hiding the login URL. It can reduce noise, but it is not a security boundary. Strong authentication and access control matter more.

8. Secure forms, uploads, and user input

Contact forms, quote forms, search boxes, checkout fields, file uploads, comments, and login forms all accept user input. Attackers test these areas constantly.

At a minimum:

  • Validate input on the server
  • Escape output before rendering it
  • Restrict file upload types
  • Store uploads outside executable paths where possible
  • Rename uploaded files safely
  • Limit file size
  • Scan uploads when risk is high
  • Protect forms from spam and abuse
  • Avoid sending sensitive form data through insecure email workflows

If your website has custom development, test against common web application risks such as broken access control, injection, security misconfiguration, vulnerable components, authentication failures, and weak logging.

9. Use a web application firewall carefully

A web application firewall, or WAF, can block common attacks before they reach the website. This is especially useful for CMS platforms, ecommerce stores, and sites that regularly receive automated attack traffic.

A WAF can help with:

  • Known exploit patterns
  • Malicious bots
  • Login abuse
  • Rate limiting
  • Bad user agents
  • Suspicious request patterns
  • Virtual patching while you prepare a real update

But a WAF is not a replacement for fixing vulnerable code, updating plugins, or using strong access control. Think of it as another layer, not the foundation.

10. Remove what the website does not need

Complexity creates risk. Every plugin, script, account, integration, tracking tag, API key, and abandoned landing page adds something to maintain.

Regularly remove:

  • Unused CMS plugins and themes
  • Old staging sites
  • Test scripts
  • Public database exports
  • Old backup archives
  • Unused administrator accounts
  • Deprecated tracking tags
  • Forgotten subdomains
  • Exposed development tools

Attackers often find the forgotten corner first.

11. Protect DNS, domains, and email

Website security is not only the website application.

If someone compromises your domain registrar, DNS provider, or business email, they may be able to redirect the site, intercept password resets, change mail records, or impersonate the business.

Protect these systems with:

  • MFA on registrar and DNS accounts
  • Registrar lock where available
  • Limited DNS permissions
  • Strong email security
  • SPF, DKIM, and DMARC records
  • Monitoring for DNS changes
  • A clear owner for renewal dates and domain access

Many serious incidents start outside the CMS.

12. Log important activity

Logs help you understand what happened, how far it went, and what to fix.

Useful logs include:

  • CMS admin logins
  • Content and settings changes
  • Plugin or extension changes
  • File changes
  • Server access logs
  • Error logs
  • Firewall events
  • Deployment history
  • Backup job history

Keep logs long enough to investigate delayed incidents. If you only keep a day or two of logs, you may lose the timeline before anyone notices the compromise.

13. Build an incident response checklist before you need it

When a website is hacked, the first hour is stressful. A short response checklist helps the team move calmly.

Your checklist should answer:

  • Who owns the response?
  • Who can access hosting, DNS, backups, and the CMS?
  • How do we take the site offline if visitors are at risk?
  • How do we preserve logs and evidence?
  • Where are clean backups stored?
  • Who contacts customers if data may be involved?
  • Who requests review in Google Search Console after cleanup?
  • Who verifies forms, checkout, analytics, and SEO after recovery?

Do not wait for an incident to discover that nobody knows where DNS is managed or whether backups work.

14. Review security monthly

Security improves through routine. A monthly website security review does not need to be long, but it should be real.

Check:

  • Software updates
  • Admin users
  • Backups
  • Restore status
  • Uptime and SSL monitoring
  • Malware scans
  • Search Console security issues
  • Critical forms
  • Error logs
  • New plugins, scripts, and integrations

The best website security program is usually not the most complicated one. It is the one the business can actually keep doing.

A practical starting point

If you are not sure where to begin, start with these five actions:

  1. Enable MFA on every admin, hosting, DNS, and email account.
  2. Update the CMS, plugins, themes, and dependencies.
  3. Confirm backups are running and test a restore.
  4. Connect uptime, SSL, malware, and Search Console monitoring.
  5. Remove unused users, plugins, themes, scripts, and old files.

Those steps will not solve every security problem, but they reduce a large amount of common risk.

Website security is not about fear. It is about stewardship. A secure website protects customers, protects revenue, protects search visibility, and gives the business a calmer path when something eventually breaks.

If you want this handled as an ongoing routine, ViWeb can help with website monitoring and maintenance, or with website recovery when a site is already compromised.

Further reading