How to Maintain and Secure Your Website [Your Best Practice Guide]

Originally published on Hostgator.com on August 6, 2019 By Sean Dundon 

This article is part of HostGator’s Web Pros Series. In this series, we feature articles from our team of experts here at HostGator. Our Product Managers, Linux Administrators, Marketers, and Tech Support engineers share their best tips for getting the most of your website. 

Maintenance and stability are two of those concepts that often get brushed aside. Sure, they’re great, but are they exciting? Not so much.

It’s much more exciting to talk about innovating, creating, and inventing.

Of course, excitement isn’t always a good thing. It’s thrilling to experience huge traffic spikes when your latest blog post goes viral. It’s also thrilling—and not in a good way—when your site crashes because you ignored some base-level maintenance tasks.

It’s often during those thrilling-in-a-bad-way times that we look at maintenance and stability with fresh eyes. Suddenly, these concepts look a lot more attractive.

Today’s article is all about encouraging you to give website maintenance and stability the attention it deserves—by regularly following the best practices that create a stable, secure website. When things are stable, you can enjoy the thrill of a traffic spike—without the nagging worry that your site can’t quite support it.

Over nearly a decade of working with HostGator customers, I’ve seen firsthand what works, what doesn’t, and what really doesn’t when it comes to maintaining and supporting a stable, stress-free website. Today, I’m sharing those learnings with you. If you want to enjoy peace of mind as a website owner, consider these best practices your guide.

Let’s dig in, shall we?

7 Best Practices to Follow for a Stable and Secure Website

I’ll let you in on a little secret: The best way to enjoy a stable and secure website is to start with the most secure, stable environment you’ve got. 

So, if you’re reading this while you’re in the phases of brainstorming your site, getting ready to register your domain name and select your hosting package, go ahead and give yourself a congratulatory pat on the back. You’re reading this at the perfect time. Implement these best practices now, and you’ll officially start with the most secure, stable environment possible.

Having said that, it’s never too late, and the best time is always now! There are always actions you take to make your website more stable and secure, whether your site is a year old or five.

That’s the great news. You can get pretty darn secure with fairly low effort on your part. You don’t have to be a tech genius to enjoy a secure website.

Follow a few simple best practices, like the ones I outline below, and you make it a whole lot harder for the bad guys. That’s what counts.

1. Stay up to date on updates.

Once you’ve launched your site, you want to keep things updated as frequently as possible. That includes your server, your CMS or builder software, and any plugins you may be using.

Keeping up with updates is the best way to keep your website secure. Many people get afraid of updating their website because they don’t want it to break—but that’s why you have backups (more on this in a second)! If something seems off after an update, you can quickly restore and it’s no big deal. Then, you simply wait for the developer to release a fix, and you try the update again.

The real risk with updates is delaying them. The more time you let pass between updates, the higher your risk. It’s easier (and less risky) to update from 1.1 to 1.2, and 1.2 to 1.3, and so on, then it is to update from 1.1 to 2.0 when there’s been 10 versions in between.

With each subsequent update you ignore, your website becomes incrementally less secure. But keep up with regular updates, and you have nothing to be afraid of. That’s why at HostGator, once you install WordPress with HostGator, we keep it updated on your behalf. You’ll still need to update your plugins and themes, but we’ll handle the core WordPress updates for you!

Updates are so effective it’s almost funny. Embrace them! A regularly updated website is a well-defended website.

2. Use secure, unguessable passwords

Yes, it’s 2019, but passwords are still critically important. When it comes to creating a secure password, make sure you do these three things:

  1. Make them hard. Create a unique combination that’s not a word from the dictionary or a phrase clearly identifiable to you. Include at least 12 characters of numbers, symbols, and upper and lower case letters.
  2. Don’t reuse them. Every account you create should have its own unique password. Every single one.
  3. Change them often. Set up a calendar reminder to go through and update your passwords every few months. A password manager like LastPass, KeePassX, iCloud Keychain, or Google Password Manager can be a good tool for this.

This password guidance applies to your hosting account, your cPanel, and your CMS logins. It also applies to every user to whom you grant access to your site (speaking of which, you should keep a detailed list of these folks so you can revoke their access when needed).

Need help creating a password? Try HostGator’s free Secure Password Generator.

3. Make your user names just as secure

Password security is still important, but in 2019, a secure password isn’t enough. Your user names need to be just as secure.

If possible, follow the same three tips I outlined above when creating your usernames. Your usernames should be just as tough to guess, and just as unique, as your passwords—and you should update them just as frequently, too.

Those same brute force attacks that go after passwords are equally effective at cracking usernames.

Take my name, for example. Automated software can easily start hammering through all the Sean Dundons in the world, eventually guessing that my username is sdundon, seandundon, or some other variant. What’s not as easy? Figuring out that my username is SD4812abb.

Don’t let the “name” in username confuse you. It’s better to have a username that anonymizes you, versus one that makes it clear you’re the person behind the account. Just as you wouldn’t use your social security number as your email address, you shouldn’t use your name as your user id.

4. Back up your website often, and in more than one place

Here’s something scary to think about. In the modern internet age, it’s safe to assume that every website will become compromised at some point, just like everyone’s home or car will inevitably be broken into.

Here’s something even scarier: It takes 197 days on average before you find out you’ve been compromised and someone’s accessed your website data.

Your website getting hacked is bad luck. Not being prepared to boot it back up is bad business, when you consider the number of easy, automatic, and low-cost website backup services you have out there.

At HostGator, we have CodeGuard. Even the most basic plan starts at just a couple bucks a month, and includes automatic daily backups for 5 websites, unlimited databases and files, and 3 restores.

Once you purchase CodeGuard, you’ll need to login to your HostGator portal to start the backups. Click the Hosting tab on the left, then Manage.

This will take you to the CodeGuard dashboard. There, CodeGuard will begin an initial backup on your website. Once that’s finished, CodeGuard will continue making automatic daily backups whenever there is a change to your website. You don’t have to do anything else – it really is that easy. Moving forward, you can follow these same steps to login to the HostGator portal and check the status of your CodeGuard backups:

Regardless of which website backup service you use, I strongly recommend the following:

  • Schedule your backups to run often (at least daily). 
  • Create a new backup with each change you make on your website. This allows you to instantly restore your site to a specific moment in time.
  • Keep your old backups for at least a year. Even if your website is acting fine, it doesn’t mean it can necessarily be trusted. Like I said above, it could take half a year before you find out you’ve been hacked.
  • Make a backup of your backups, and store it in another secure place, like on a different server or on a separate hard drive at your house.
  • Backup your database, too. People often don’t realize they need to backup more than their files, but those are only part of your website. For a successful restore, you need to backup your files and your database at the same time, and save them together.

5. Choose a well-known, reliable website building option

It seems like a new web builder gets released every day. Okay, that’s a bit of a stretch, but my point is: there are a ton of options for building a website today.

There are the big names we’re familiar with. These are the established Content Management Systems (CMS), like WordPress, Magento, Drupal, and Joomla. Many web hosts also offer drag-and-drop web builders (we even have one here, named Gator).

Then there are dozens (hundreds?) of newer options, many of which aren’t quite baked yet.

Whatever you choose to build your website, make sure you pick something that you’re comfortable with, and that is established. By established, I mean something that you can Google and find no shortage of videos, blog articles, support documentation. There should be forums, social media, and a community.

For example, if you search for “set up wordpress with hostgator,” you’ll find our own branded help articles, along with blogs and YouTube tutorials by other users and IT pros.

Your website is not the place to be experimenting; it’s your business. If you run into an issue with your website, you want to be able to find knowledgeable experts easily. Your website building software should be established enough for you to be able to hire the kid down the street to help you out if you run into a jam.

6. Follow a simple approach to web design

Along the same lines, you don’t need to be bleeding-edge with your website design. Sure, it should feel unique, and it should represent you or your brand, but you want to keep things simple and recognizable for your users.

Don’t get creative with standards. If there’s a common mechanism for menus and navigation, stick with that. You want the design of your website to be familiar enough that people instantly understand how to use it.

Use the same approach with your site functionality, too. Don’t go add a hundred plugins to your site in an attempt to piecemeal together some functionality. Instead, seek out plugins that offer a more comprehensive feature set so you can minimize the total number of plugins you use.

Everything you add to your website makes it less secure. For instance, the WordPress platform itself is super secure and rigorously tested. The same can’t necessarily be said for their plugin library. If you’re on WordPress, always vet your plugins to confirm that they’re compatible with your version of WordPress, that they’re regularly updated, and that the reviews are positive.

7. Use SSLs

An SSL certificate is that handy little green lock you see when you visit a secure website.

SSL stands for Secure Sockets Layer, a technology which protects and encrypts any data transferred between a visitor’s browser and your web server. In simpler terms, it shields your customer’s data (like their name, credit cards, account info) form getting hacked. Even if your site is hacked, and this data gets stolen, the hacker won’t be able to decode it.

SSLs have become quite popular in recent years, as privacy becomes a growing concern. It’s also been a Google ranking factor since 2014, so you’ll enjoy a nice (albeit little) SEO boost from adding SSL to your site.

As they increasingly become a web standard, SSL certificates are more affordable than ever. At HostGator, we include them for free with all of our hosting plans. Activating your free SSL with HostGator just takes a few steps. I walk you through the process in this video:

 

Securing Your Website for the Future

If I could leave you with one last piece of advice, it’d be this: Be creative with your content and your services, not with your website. It’s not the 1990s anymore. Crazy mouseover effects and Comic Sans are no longer the “it” thing.

If you want a secure website that works well, avoid beta technologies and flashy new software. Stick with reliable providers that have been around for years, with a large user base and a wealth of online resources for you to lean on.

For even more protection, check out SiteLock. This website security checker scans your site for malware, removing it automatically and protecting your site from attack.

Here’s to your secure, stable website! 

Sean has been working with HostGator customers for over 8 years, leading a variety of teams from systems administration and monitoring to support and customer experience. An unabashed Linux geek at heart, Sean’s #1 priority as product manager is to ensure that everyone can make their voice heard around the world, regardless of their technical level.