Your website is under attack right now. Not maybe, not eventually — right now. Automated bots scan every public-facing server continuously, probing for weak passwords, unpatched software, and misconfigured permissions. Most website owners don't realize they've been compromised until customer data is stolen or their site starts serving malware.
A solid website security checklist turns you from an easy target into a hardened one. You don't need a dedicated security team or an enterprise budget. The steps below cover what actually matters — the fundamentals that prevent 95% of real-world attacks.
The Website Security Checklist: 15 Steps
1. Keep All Software Updated
Outdated software is the #1 attack vector. WordPress core, plugins, themes, PHP versions, server packages — if it runs on your server, it needs updates.
# Update system packages
sudo apt update && sudo apt upgrade -y
# Check PHP version (should be 8.2+ in 2026)
php -v
# Update WordPress via WP-CLI
wp core update && wp plugin update --all && wp theme update --all
Enable automatic security updates where possible. A known vulnerability in an unpatched plugin is an open door.
2. Use Strong, Unique Passwords Everywhere
Every account connected to your website needs a unique password of at least 16 characters. This includes your hosting panel, SSH, database, CMS admin, FTP, and email accounts.
Use a password manager like Bitwarden or 1Password. If you're still using admin/password123, change it before finishing this article.
3. Enable Two-Factor Authentication
2FA adds a second verification step that stops attackers even if they have your password. Enable it on your hosting dashboard, CMS admin panel, and any service connected to your site.
Use an authenticator app (not SMS — SIM swapping attacks make SMS 2FA unreliable).
4. Install an SSL Certificate
Every website needs HTTPS in 2026. Browsers flag HTTP sites as "Not Secure," and Google uses HTTPS as a ranking signal.
# Free SSL with Let's Encrypt
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
SSL encrypts data between visitors and your server, preventing credential interception and man-in-the-middle attacks. If you need a detailed walkthrough, our guide on how to set up free SSL/HTTPS covers every step.
5. Configure a Firewall
A firewall controls which traffic reaches your server. At minimum, only ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) should be open.
# UFW setup
sudo ufw default deny incoming
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
Consider changing your SSH port from the default 22 to reduce automated scanning noise.
6. Set Correct File Permissions
Wrong file permissions are one of the most common security mistakes on web servers. The standard for most web applications:
- Files: 644 (owner read/write, others read)
- Directories: 755 (owner read/write/execute, others read/execute)
- Config files with secrets: 600 (owner only)
find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;
chmod 600 /var/www/html/wp-config.php # or .env
Never use 777 permissions on a production server. For a deep dive, our Linux file permissions guide covers every scenario.
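Before running the blanket chmod, it helps to see what is actually wrong. The script below is an added example (not from the original article): it audits a web root against the 644/755/600 rule above and lists every deviating path, then applies the fix. It assumes GNU find; the web root and the constructed test tree are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the original article: audit a web root against the
# 644 / 755 / 600 rule and list every path that deviates, so you can review
# the findings before running the blanket chmod. Assumes GNU find; the web
# root and the constructed test tree below are placeholders.
set -eu

# audit_perms WEBROOT: print "<kind> <mode> <path>" for each deviation.
audit_perms() {
    # regular files should be 644; secrets already locked to 600 are fine here
    find "$1" -type f ! -perm 644 ! -perm 600 -printf 'file %m %p\n'
    # directories should be exactly 755
    find "$1" -type d ! -perm 755 -printf 'dir %m %p\n'
    # known secret files must be 600 even though 644 passed the first check
    find "$1" \( -name wp-config.php -o -name .env \) -type f ! -perm 600 -printf 'secret %m %p\n'
}

# fix_perms WEBROOT: the three chmod commands from the checklist, batched with "+"
fix_perms() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
    find "$1" \( -name wp-config.php -o -name .env \) -type f -exec chmod 600 {} +
}

# Stand-alone demo on a constructed tree with the classic mistakes: a 777
# upload directory, a 777 PHP file and a world-readable wp-config.php.
D=$(mktemp -d) && chmod 755 "$D"
mkdir "$D/uploads" && chmod 777 "$D/uploads"
printf '<?php\n' > "$D/index.php" && chmod 777 "$D/index.php"
printf 'DB_PASSWORD=example\n' > "$D/wp-config.php" && chmod 644 "$D/wp-config.php"
echo "== before =="; audit_perms "$D"
fix_perms "$D"
echo "== after (expect nothing) =="; audit_perms "$D"
rm -rf "$D"
```

If PHP runs as a different user than the file owner, an upload directory that must be writable needs group write for that user rather than 777.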
7. Automate Backups
Security includes recovery. When everything else fails, a recent backup saves your business.
#!/bin/bash
set -euo pipefail
DATE=$(date +%Y-%m-%d)
# Read the DB password from /root/.my.cnf (mode 600); a bare "-p" would prompt and hang under cron
mysqldump --defaults-extra-file=/root/.my.cnf db_name | gzip > "/backups/db_$DATE.sql.gz"
tar -czf "/backups/files_$DATE.tar.gz" /var/www/html/
# Keep two weeks of local copies
find /backups -type f -mtime +14 -delete
Run this daily via cron. Store copies off-server — a backup on the same machine as the site it backs up is not a real backup.
8. Disable Unnecessary Services
Every running service is a potential attack surface. If you're not using FTP, disable it. If you don't need phpMyAdmin exposed to the internet, remove it or restrict access by IP.
# Check what's listening
sudo ss -tlnp
# Disable a service
sudo systemctl disable --now vsftpd
9. Secure Your Database
Your database contains everything valuable — customer data, content, credentials. Lock it down:
- Use a strong, unique database password
- Restrict database access to localhost only (no remote connections unless absolutely needed)
- Create dedicated database users with minimum required privileges
- Change the default table prefix if your CMS allows it
10. Add Security Headers
HTTP security headers protect against common attacks like clickjacking, XSS, and MIME sniffing. Add them at the server level:
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# Deprecated and ignored by current browsers; harmless for legacy clients, but real XSS mitigation comes from Content-Security-Policy
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Test your headers at securityheaders.com — aim for an A grade.
11. Monitor for Intrusions
Set up basic monitoring so you know when something goes wrong:
# Find recently modified PHP files (potential compromise)
find /var/www/html -name "*.php" -mtime -3 -ls
# Check for PHP files in upload directories (almost always malicious)
find /var/www/html/wp-content/uploads -name "*.php" -ls
Tools like Fail2ban automatically block IPs that show brute-force behavior. Install it and configure it for SSH and your web application login pages.
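The two find commands above catch file drops; the login log is the other place a break-in attempt shows up. The script below is an added example (not from the original article) that turns both checks into something you can run from cron: it counts POSTs to wp-login.php per client in an nginx access log and flags clients over a threshold, then lists suspicious PHP files. The log format (nginx "combined"), the threshold and the sample log lines are assumptions.

```shell
#!/usr/bin/env sh
# Added example, not from the original article: a small detection script that
# flags clients hammering the login page in an nginx access log and lists PHP
# files written recently or dropped into the uploads directory. The log format
# (nginx "combined"), the threshold and the sample log lines are assumptions.
set -eu

# flag_login_bruteforce LOG [LIMIT]: print "<count> <ip>" for every client with
# LIMIT or more POSTs to /wp-login.php (default 20), busiest first.
# Combined format: ip - user [time zone] "METHOD path proto" status bytes ...
flag_login_bruteforce() {
    awk -v limit="${2:-20}" '
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= limit) print hits[ip], ip }
    ' "$1" | sort -rn
}

# find_suspicious_php WEBROOT [DAYS]: PHP files changed in the last DAYS days
# (default 3) plus any PHP file under wp-content/uploads; unreadable paths are skipped.
find_suspicious_php() {
    [ -d "$1" ] || return 0
    {
        find "$1" -name '*.php' -mtime "-${2:-3}" 2>/dev/null || true
        find "$1/wp-content/uploads" -name '*.php' 2>/dev/null || true
    } | sort -u
}

# make_sample_log FILE: constructed log with one noisy client and one real user.
make_sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        echo '203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "python-requests/2.31"'
        i=$((i + 1))
    done > "$1"
    echo '198.51.100.3 - - [01/Jan/2026:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$1"
    echo '198.51.100.3 - - [01/Jan/2026:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"' >> "$1"
}

# Stand-alone run: scan the constructed log, then the live webroot if present.
SAMPLE=$(mktemp)
make_sample_log "$SAMPLE"
echo "== clients with 20+ login POSTs (count ip) =="
flag_login_bruteforce "$SAMPLE" 20
echo "== suspicious PHP files under ${WEBROOT:-/var/www/html} =="
find_suspicious_php "${WEBROOT:-/var/www/html}" 3
rm -f "$SAMPLE"
```

Point flag_login_bruteforce at the real access log (for example /var/log/nginx/access.log) from a cron job and mail yourself anything it prints; Fail2ban does the same counting continuously and adds the ban.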
12. Use SSH Keys Instead of Passwords
SSH key authentication is dramatically more secure than password login. Once configured, disable password authentication entirely.
The combination of SSH keys plus a non-standard port plus Fail2ban makes brute-force attacks essentially impossible.
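Disabling password logins is one edited file, but the detail that trips people up is that sshd honours the first value it reads for a directive, and Ubuntu images put an Include of drop-in files at the top of sshd_config that can re-enable passwords. The script below is an added example (not from the original article): it inserts the key-only directives ahead of everything else, audits the result, and only restarts sshd if sshd -t accepts the file. The directive list, file paths and the constructed sample config are assumptions; Match blocks are not handled.

```shell
#!/usr/bin/env sh
# Added example, not from the original article: enforce key-only SSH logins in
# sshd_config and audit the result. sshd honours the FIRST value it reads for a
# directive, so the fix inserts ours at the top, ahead of any "Include" of
# drop-in files that may re-enable passwords. Match blocks are not handled.
set -eu
WANTED="PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no"

sshd_get() {   # sshd_get FILE KEY -> first uncommented value, or "unset"
    awk -v key="$2" 'tolower($1) == tolower(key) && !f { v = $2; f = 1 }
                     END { print (f ? v : "unset") }' "$1"
}

sshd_set() {   # sshd_set FILE KEY VALUE: drop old lines for KEY, put ours first
    tmp=$(mktemp)
    { printf '%s %s\n' "$2" "$3"; awk -v key="$2" 'tolower($1) != tolower(key)' "$1"; } > "$tmp"
    cat "$tmp" > "$1"    # rewrite in place so ownership and mode survive
    rm -f "$tmp"
}

harden_sshd() {   # apply every WANTED directive to FILE
    while read -r key value; do sshd_set "$1" "$key" "$value"; done <<EOF
$WANTED
EOF
}

audit_sshd() {   # return 0 if FILE enforces every WANTED directive, else 1
    rc=0
    while read -r key value; do
        actual=$(sshd_get "$1" "$key")
        [ "$actual" = "$value" ] || { echo "WEAK: $key=$actual (want $value)"; rc=1; }
    done <<EOF
$WANTED
EOF
    return "$rc"
}

apply_live() {   # harden the real config; restart only if sshd accepts it
    harden_sshd /etc/ssh/sshd_config && sshd -t && systemctl restart ssh   # "sshd" on RHEL-family
}

# Stand-alone demo on a constructed config resembling an Ubuntu cloud image.
SAMPLE=$(mktemp)
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' 'PasswordAuthentication yes' '#PermitRootLogin prohibit-password' > "$SAMPLE"
audit_sshd "$SAMPLE" || echo "-> weak, hardening"
harden_sshd "$SAMPLE" && audit_sshd "$SAMPLE" && echo "-> hardened OK"
rm -f "$SAMPLE"
```

Call apply_live only after a key login already works, and keep your current session open until you have confirmed a fresh key-based login from a second terminal.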
13. Implement Rate Limiting
Rate limiting prevents attackers from hammering your login pages or API endpoints with thousands of requests:
# In the http {} block: track clients by IP, allow 5 requests per minute each
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
# In the server {} block: apply the zone to the login page only
location /wp-login.php {
limit_req zone=login burst=3 nodelay;
# ... PHP handling
}
14. Remove Unnecessary Information
Don't make the attacker's job easier. Hide version numbers and server information:
server_tokens off;
For WordPress, remove the version meta tag and disable XML-RPC if you don't use it. If you're scaling and want to test security changes safely, use a staging environment before applying them to production.
15. Create an Incident Response Plan
Know what you'll do before something happens:
- How will you detect a breach?
- Who gets notified?
- How quickly can you restore from backup?
- What's your process for changing all credentials?
- How will you communicate with affected users?
Having this plan documented saves hours of panic when you actually need it.
Website Security Checklist: Quick Reference
Use this condensed website security checklist for regular audits:
- All software updated (CMS, plugins, server packages, PHP)
- Strong unique passwords on all accounts
- 2FA enabled on admin and hosting accounts
- SSL certificate active and auto-renewing
- Firewall configured (only necessary ports open)
- File permissions set correctly (644/755, secrets at 600)
- Automated daily backups running (stored off-server)
- Unnecessary services disabled
- Database access restricted and secured
- Security headers configured
- Intrusion monitoring active (Fail2ban + file monitoring)
- SSH key authentication (passwords disabled)
- Rate limiting on login pages
- Version information hidden
- Incident response plan documented
Run through this checklist monthly. Security is not a one-time setup — it's ongoing maintenance.
FAQ
How often should I audit my website security?
Run through your website security checklist monthly for active sites. Additionally, audit after every major software update, after adding new plugins or services, and immediately after any security incident.
What's the most important item on this checklist?
Keeping software updated. The majority of successful website attacks exploit known vulnerabilities in outdated plugins, CMS versions, or server software that have patches available. Update everything promptly.
Do I need a paid security service?
Not necessarily. The free tools and practices in this checklist handle the fundamentals that prevent most attacks. Paid services like Cloudflare Pro, Sucuri, or Wordfence Premium add convenience and advanced features, but a well-configured server with free tools is already well-protected.
Can shared hosting be secure?
Shared hosting has inherent security limitations because you share resources and sometimes IP addresses with other sites. For serious security, a VPS gives you full control over firewall rules, file permissions, SSH configuration, and every other item on this checklist.
Secure Your Website with DeployBase
A website security checklist is only as strong as the infrastructure behind it. At DeployBase, our VPS plans give you full root access to implement every security measure in this guide — firewalls, SSH keys, security headers, automated backups, and more. NVMe SSD storage, 99.9% uptime guarantee, and 24/7 expert support, starting at $5/month.
Get secure VPS hosting at DeployBase — your website's security starts with the right foundation.