
How to secure a website from hackers?

QUICK ANSWER

To secure a website, install an SSL certificate, set HTTP security headers, keep all software updated, remove unnecessary open ports, implement cookie consent, set up SPF/DKIM/DMARC for email, and run regular vulnerability scans. Most attacks exploit known issues with straightforward fixes.

The vast majority of website breaches don't involve elite hackers finding zero-day exploits. They exploit known, documented problems that have straightforward fixes. Here's a practical, step-by-step guide to securing your website.

Step 1: Install an SSL certificate and enforce HTTPS

An SSL certificate encrypts data travelling between your website and your visitors' browsers. Without it, anything submitted through your site — contact forms, login details, payment information — can be intercepted.

Most hosting providers now offer free SSL certificates through Let's Encrypt. Once installed, make sure all HTTP traffic is redirected to HTTPS. You should also ensure that both the "www" and non-"www" versions of your site redirect to a single HTTPS address. A hostname left without a redirect stays reachable over plain HTTP, so visitors who land on it are unprotected, and duplicate URLs also confuse search engines.

After installing SSL, enable HSTS (HTTP Strict Transport Security). This tells browsers to always use HTTPS for your site, even if someone types "http://" deliberately. It prevents SSL stripping attacks where an attacker downgrades the connection to HTTP.

Step 2: Set HTTP security headers

Security headers are small instructions your web server includes in every response, telling browsers how to handle your content safely. The six most important headers are:

  • Strict-Transport-Security (HSTS) — Forces browsers to only connect via HTTPS. Prevents downgrade attacks.
  • Content-Security-Policy (CSP) — Controls which resources your page can load. Blocks malicious scripts injected by attackers.
  • X-Frame-Options — Stops your site from being embedded in frames on other sites, preventing clickjacking attacks.
  • X-Content-Type-Options — Tells browsers not to guess file types, preventing content-sniffing attacks.
  • Referrer-Policy — Controls how much URL information is shared when visitors click links to other sites.
  • Permissions-Policy — Controls which browser features your site can use (camera, microphone, geolocation).

Most of these can be added with a single line in your server configuration or .htaccess file. For a full explanation of each header, see our guide on what HTTP security headers are.
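The following is an added example, not code from this site or its scanning service, showing how the six headers above can be checked once you have a response in hand. It works on a plain dictionary of response headers so it runs offline; the two sample responses are constructed, and the six-month HSTS threshold and the CSP checks are this example's own assumptions about what "good" looks like, not rules stated on this page.

```python
# Added example: offline audit of HTTP response headers against the six headers
# discussed above. Not the scanning service's own code. The sample header sets
# at the bottom are constructed, not captured from a real site.
import re

REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

# Assumption: six months in seconds. A much shorter max-age means browsers
# forget the HTTPS-only rule quickly, so HSTS gives little protection.
MIN_HSTS_MAX_AGE = 15552000


def audit_headers(headers):
    """Return a list of findings (strings) for one response's headers.

    `headers` maps header name -> value; names are matched case-insensitively,
    as HTTP itself does. An empty list means all six headers are present and
    their values pass the basic checks below.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    for name in REQUIRED_HEADERS:
        if name not in h:
            findings.append(f"missing: {name}")

    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings.append("hsts: no max-age directive")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"hsts: max-age {m.group(1)} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("hsts: includeSubDomains not set")

    csp = h.get("content-security-policy")
    if csp is not None:
        # 'unsafe-inline' in script-src lets injected inline scripts run, which
        # defeats the main reason for having a CSP at all.
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("csp: script-src allows 'unsafe-inline'")
        if "*" in script_src:
            findings.append("csp: script-src allows any origin (*)")

    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options: unexpected value {xfo!r}")

    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(f"x-content-type-options: expected 'nosniff', got {xcto!r}")

    return findings


# Constructed sample responses: one typical of an unhardened site, one hardened.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(resp) or ['ok']}")
```

To use this against a live site, fetch the page with any HTTP client, pass its response headers to `audit_headers`, and treat every returned string as an item to fix in your server configuration.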

Step 3: Keep all software updated

Outdated software is the single biggest cause of website breaches. This applies to your content management system (WordPress, Drupal, etc.), plugins, themes, server software, and any libraries your site uses.

If you're running WordPress, enable automatic updates for minor releases and make a habit of updating plugins weekly. Remove any plugins you're not actively using — unused plugins are a common attack vector because they're often forgotten and left unpatched.

The NCSC guidance on vulnerability management recommends maintaining an inventory of all software and checking regularly for security patches.

Step 4: Close unnecessary open ports

Every port open on your server is a potential entry point. Your web server needs port 443 (HTTPS) and possibly port 80 (HTTP, for redirection). Everything else — database ports, admin panels, FTP, SSH — should be closed to the public internet or restricted to specific IP addresses.

Common dangerous ports found on UK business websites include 3306 (MySQL), 5432 (PostgreSQL), 8080 (admin panels), 21 (FTP), and 22 (SSH). Use a firewall to block these from external access while keeping them available internally if needed. You can check your open ports with a free scan.
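As an added example (not the scanning service's code), here is a small check that spots the exposure described above from the server's own view: it reads listening sockets in the shape of Linux `ss -ltn` output and flags the risky ports listed in this step when they are bound to a public address rather than loopback. The socket listing below is constructed; on a real server you would feed in the command's actual output.

```python
# Added example: flag listening sockets that are exposed to the public internet.
# Not the scanning service's own code. SAMPLE_SS_OUTPUT is constructed text in
# the shape of `ss -ltn` output on Linux.

# Ports the article names as commonly exposed by mistake.
RISKY_PORTS = {
    21: "FTP",
    22: "SSH",
    3306: "MySQL",
    5432: "PostgreSQL",
    8080: "admin panel / alternate HTTP",
}

# Ports a public web server legitimately needs open.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Bind addresses that only accept connections from the machine itself.
LOOPBACK_PREFIXES = ("127.", "[::1]")


def _split_addr(local):
    """Split 'host:port' as printed by ss, handling IPv6 '[::]:22' and '*:80'."""
    host, _, port = local.rpartition(":")
    return host, int(port)


def is_public_bind(host):
    """True if the bind address accepts connections from other machines."""
    return not host.startswith(LOOPBACK_PREFIXES)


def exposed_sockets(ss_output):
    """Return (port, service, bind_address) for sockets that are risky and public.

    Sockets bound to loopback are skipped, as are ports 80 and 443.
    """
    findings = []
    for line in ss_output.strip().splitlines():
        cols = line.split()
        # Data rows start with the socket state; the header row starts with "State".
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, port = _split_addr(cols[3])
        if port in ALLOWED_PUBLIC_PORTS or not is_public_bind(host):
            continue
        if port in RISKY_PORTS:
            findings.append((port, RISKY_PORTS[port], host))
    return findings


def summarise(findings):
    """Turn findings into the remediation lines a report would show."""
    return [
        f"port {port} ({service}) is bound to {host}: block it at the firewall "
        f"or bind it to loopback / an internal interface"
        for port, service, host in findings
    ]


# Constructed sample: MySQL is correctly on loopback, the admin panel is on
# IPv6 loopback, but SSH and PostgreSQL are reachable from anywhere.
SAMPLE_SS_OUTPUT = """
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      244    0.0.0.0:5432        0.0.0.0:*
LISTEN 0      100    [::1]:8080          [::]:*
"""

if __name__ == "__main__":
    for line in summarise(exposed_sockets(SAMPLE_SS_OUTPUT)):
        print(line)
```

The local view complements the external scan the article recommends: a port that is bound publicly but blocked by a host or cloud firewall will not show up externally, and a port that is open externally but missing here points at a device in front of the server rather than the server itself.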

Step 5: Implement proper cookie consent

Under UK PECR (derived from the EU ePrivacy Directive), you must obtain consent before setting non-essential cookies. This means no analytics, advertising, or tracking cookies should load until the visitor has actively consented.

In practice, this means your cookie consent banner must appear before any tracking scripts execute. Many websites get this wrong by loading Google Analytics or Facebook Pixel immediately, then showing the consent banner a second later. That's a breach — the tracking has already happened. Use a consent management platform that blocks scripts until consent is given.

Step 6: Set up email authentication

Email authentication prevents scammers from sending emails that appear to come from your domain. Without it, a criminal can send a convincing email to your customers pretending to be you.

Three DNS records are needed:

  • SPF (Sender Policy Framework) — Lists which mail servers are authorised to send emails from your domain.
  • DKIM (DomainKeys Identified Mail) — Adds a digital signature to outgoing emails so recipients can verify they haven't been tampered with.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) — Tells receiving mail servers what to do if an email fails SPF or DKIM checks. Set this to "reject" for genuine protection.

Many businesses set up DMARC with a "none" policy, which monitors issues but doesn't block fraudulent emails. That's a useful first step, but you should progress to "reject" once you've verified your legitimate email flows.
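The example below is added here to illustrate the SPF and DMARC points in this step; it is not the scanning service's code. It grades the two TXT records as strings, so it runs offline on the constructed sample records included; on a live domain you would first fetch the TXT record for the domain itself (SPF) and for `_dmarc.<domain>` (DMARC). The ten-lookup limit it checks is the one defined by the SPF specification (RFC 7208), which this page does not mention.

```python
# Added example: grade SPF and DMARC TXT records for the weaknesses discussed
# above. Not the scanning service's own code. The records at the bottom are
# constructed samples using placeholder example domains.


def parse_tags(record):
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def grade_spf(record):
    """Return findings for an SPF record string; empty means it looks sound."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf: record does not start with v=spf1"]

    # The terminal 'all' mechanism decides what happens to unlisted senders.
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("spf: '+all' authorises every server on the internet")
    elif last == "~all":
        findings.append("spf: '~all' (softfail) only marks spoofed mail, it does not reject it")
    elif last != "-all":
        findings.append("spf: no terminal 'all' mechanism; unlisted senders are treated as neutral")

    # RFC 7208 allows at most 10 DNS-lookup terms; past that receivers return
    # a permanent error and the record protects nothing.
    lookups = 0
    for t in terms[1:]:
        mech = t.lstrip("+-~?").lower().split(":")[0].split("=")[0]
        if mech in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1
    if lookups > 10:
        findings.append(f"spf: {lookups} DNS-lookup terms exceeds the limit of 10")
    return findings


def grade_dmarc(record):
    """Return findings for a DMARC record string; empty means it looks sound."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["dmarc: record does not start with v=DMARC1"]

    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("dmarc: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("dmarc: p=quarantine sends spoofed mail to spam rather than rejecting it")
    elif policy != "reject":
        findings.append("dmarc: missing or unknown p= policy")

    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"dmarc: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("dmarc: no rua= address, so you receive no aggregate reports")
    return findings


# Constructed sample records.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

if __name__ == "__main__":
    for label, rec, grader in (
        ("weak SPF", WEAK_SPF, grade_spf),
        ("strong SPF", STRONG_SPF, grade_spf),
        ("weak DMARC", WEAK_DMARC, grade_dmarc),
        ("strong DMARC", STRONG_DMARC, grade_dmarc),
    ):
        print(f"{label}: {grader(rec) or ['ok']}")
```

The "none" to "reject" progression the article describes maps directly onto the `p=` finding: keep `rua=` set throughout so the aggregate reports tell you which legitimate senders still fail before you tighten the policy.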

Step 7: Run regular vulnerability scans

Security isn't a one-time task. New vulnerabilities are discovered daily, configurations drift over time, and software updates can introduce regressions. Regular automated scanning catches problems as they emerge.

A monthly scan is the minimum for most small businesses. Weekly or continuous monitoring is better if you handle customer data, process payments, or have been targeted before. Each scan gives you a fresh report showing what's changed since the last one.

Start with a free scan to see where your website stands today. For more detail on the individual steps, read our website security checklist for small businesses or learn about what an SSL certificate is and how it works.
