Keeping a website secure is not a one-time task. Most website compromises happen because software, plugins, themes, or custom code are left outdated, access is shared insecurely, or basic account security is not maintained.
Keep Your Website Updated
If your website runs on WordPress, Joomla, or any custom platform, updates should be applied whenever the developer or software provider releases them, especially security updates.
If you are not on a security maintenance plan, you should make sure a qualified developer is actively maintaining your website. An outdated website is a much easier target for hackers.
Use a Security Maintenance Plan or Ongoing Developer Support
The safest option is to keep your website on a maintenance plan or have a developer actively managing updates, monitoring for issues, and responding quickly when vulnerabilities are discovered.
Use Strong, Unique Passwords
Every login connected to your website should use a strong, unique password that is not reused anywhere else.
- Do not reuse the same password on multiple websites
- Do not use your business name, domain name, or personal details in a password
- Do not share one password among multiple team members
Use a Password Manager for Secure Sharing
If a password ever needs to be shared with a developer, designer, or team member, it should be shared through a password manager such as LastPass or another trusted password manager, not in plain text by email or chat.
Do Not Send Permanent Passwords by Email
As a best practice, do not send permanent passwords through email. If account access must be provided, it is better to use a password manager sharing feature or send a reset link that requires the user to choose a new password on first login.
Turn On Two-Factor Authentication
Whenever available, enable two-factor authentication for your website admin, hosting account, domain registrar, email account, and password manager.
Use Only Necessary Plugins, Extensions, and Features
Every plugin, extension, theme, or custom feature adds more code that must be maintained. Use only what you need, remove anything unused, and make sure all installed software is actively supported and kept up to date.
Protect Your Email Account Too
Your email account is often the key to resetting passwords for your website, hosting account, and domain. If someone gains access to your email, they may be able to take over everything else. Your email should also have a strong unique password and two-factor authentication enabled.
Make Sure File Permissions Are Set Correctly
If you use your own developer and host your website with Further Design Group, make sure your developer sets correct file permissions and ownership on the server.
Files and folders should only have the access they actually need. Permissions that are too open can make a website easier to compromise, especially after migrations, restores, or manual file uploads.
If you are unsure whether your file permissions are set correctly, ask your developer or contact us before changes are made.
Keep Backups and a Recovery Plan
Even well-maintained websites can still be targeted. Keeping current backups and having a recovery plan can greatly reduce downtime if something goes wrong.
Ask for Help Before Making Security-Sensitive Changes
If you are unsure whether to install an update, add a plugin, give access to a contractor, or change a login, ask your developer or support team first. Small mistakes can create avoidable security risks.
Recommended Best Practices
- Keep your website on a security maintenance plan, or have a developer actively maintaining it
- Apply WordPress, Joomla, plugin, theme, and custom-code updates promptly
- Use strong, unique passwords for every account
- Store and share passwords only through a password manager
- Never send permanent passwords through email
- Require password resets for any temporary first-time login
- Enable two-factor authentication wherever possible
- Remove unused plugins, themes, extensions, and user accounts
- Make sure file permissions and ownership are set correctly
- Keep your email account, domain registrar, and hosting account protected too
- Maintain current backups
Website security is an ongoing process, not a one-time setup. The more consistently your website is maintained, the lower your risk.
