This article shares eight practical tips to help you protect your website – no advanced technical knowledge required. Most of these measures can be applied to a variety of CMS platforms, such as Joomla, TYPO3, or Drupal. For each tip, we show you how it works using WordPress – the most widely used system in the world.
1. Keep your software up to date
2. Deactivate and delete outdated plugins
3. Secure your admin login
4. Use a malware scanner
5. Restrict file uploads
6. Automate your backups
7. Activate an SSL certificate
8. Use strong passwords and two-factor authentication (2FA)
1. Keep your software up to date
You run a small blog and have the “Contact Form 7” plugin installed. A new version fixes a security vulnerability related to file uploads. If you don’t update the plugin, attackers could use your contact form to upload malicious files – something a simple update could have easily prevented.
Outdated software is one of the biggest entry points for attackers. Whether it's WordPress itself, plugins, or themes – once a vulnerability becomes public, it often takes only hours for automated bots to start scanning websites for that specific weakness. That’s why regular updates are essential to protect your website.
Current versions fix known security vulnerabilities while also improving performance and compatibility.
- Check and update your WordPress version:
- In the WordPress dashboard, go to Dashboard > Updates to view available updates
- Create a backup before you click on “Update now”
- Enable automatic updates (recommended for smaller websites):
- Go to Plugins > Installed Plugins to select the plugins you want to update automatically.
- In the dropdown menu, select “Enable Auto-updates.”
- Click “Apply” to activate the setting.
2. Deactivate and delete outdated plugins
You installed a plugin for an Instagram gallery years ago but haven’t used it in a long time. The developer no longer maintains it. A security vulnerability has since been discovered and attackers are now exploiting it to inject malicious code into your site. If you had removed the plugin, your website would have remained secure.
Important note
Even deactivated plugins can pose a security risk! Their code remains on the server, and if it contains a known vulnerability, it can often be exploited directly via specific URLs or paths – even if the plugin isn’t actively in use.
- Identify and remove unnecessary plugins:
- Go to Plugins > Installed Plugins in your dashboard
- Deactivate anything you no longer use
- Then delete the deactivated plugins
- Regularly review your plugins:
- When was it last updated?
- How many active installations does it have?
- Is it compatible with your current WordPress version?
- Look for better alternatives:
- Search specifically for popular plugins with good ratings and regular updates
- Instead of using an outdated SEO plugin, you could switch to something like Yoast SEO
3. Secure your admin login
Your website uses the default login path “yourwebsite.ch/wp-admin” – just like millions of others. Bots automatically scan for common login URLs and launch attacks from there. With a custom login link and limited login attempts, you can stop bots from ever getting that far – or from trying repeatedly.
The WordPress login area is publicly accessible – and that’s exactly what many attackers take advantage of. With just a few simple measures, you can make it much harder for them – and effectively protect your website. Because the less attractive your site is to bots, the faster they’ll move on to easier targets.
1. Change the login URL:
Many WordPress sites still use the default “wp-login.php” URL. With a plugin like WPS Hide Login you can easily change the address – for example, to something like “my-login-area”. This makes it harder for automated bots to find your login page and helps protect your website.
2. Limit login attempts:
You should also restrict the number of login attempts. Plugins like Limit Login Attempts Reloaded can block IP addresses after too many failed tries. After several incorrect attempts, access is automatically blocked – a simple but effective security measure.
3. Avoid the username “admin”:
Last but not least: avoid using „admin“ as your username, as it's one of the first that automated attacks will try. Instead, use unique, hard-to-guess usernames for your logins.
Advanced option:
If you or your team use static IP addresses, you can restrict access to the login page to specific IPs – either through your hosting panel or directly via the .htaccess file.
This is highly effective but only recommended if your access points are fixed.
4. Use a malware scanner
Your website is suddenly marked as “not secure” in the browser – even though you haven’t changed anything. An attacker has silently injected malicious code, possibly through an outdated plugin. A regular malware scan could have detected the code early and stopped the attack before it became visible.
Malicious code (malware) can take down your website, endanger visitors, or even get your site removed from Google’s index. Unfortunately, these infections often go unnoticed – until it’s too late.
Regular malware scans detect suspicious changes early and help protect your website.
With our hosting plans, an automatic malware scan is already included. Your website is scanned regularly – no additional plugin or manual action required.
5. Restrict file uploads
Your website includes a contact form with a file upload feature – for example, for job applications or project inquiries. An attacker uses this field to upload a .php file. Once executed on the server, it gives them access to your site. A simple restriction to allow only specific file types could have prevented this.
File uploads offer a direct way to transfer data to your server – and potentially malicious code along with it. This is especially relevant for forms, customer portals, or media libraries. Unwanted file types or poorly validated uploads are among the most common causes of security vulnerabilities.
1. Review allowed file types:
If you've enabled additional file types, it's worth reviewing them carefully. Plugins like File Upload Types or security tools with upload filters can help you control access more precisely.
2. Secure upload functions in forms:
If you’re using forms with file uploads, like WPForms, Contact Form 7 or Gravity Forms, you can usually define which file types are allowed (e.g., only PDFs). You can also set a maximum file size to reduce the risk of misuse.
3. Store uploads outside the public web directory:
Some form plugins allow uploaded files to be saved in protected folders that are not publicly accessible. This is especially important when collecting sensitive information – for example, in application forms.
6. Automate your backups
You install a new plugin – and suddenly, your website stops working. Panic! But thanks to an automatic backup, you can restore the last working version with just a few clicks. Without a backup, you might have lost hours or even days of work – or had to rebuild everything from scratch.
Mistakes happen – whether through an update, an attack, or simple user error. A recent backup ensures you can restore your website quickly and with minimal disruption. Most importantly: backups should be automatic and regular.
1. Automatic backups with KreativMedia:
We create a full backup of your website every day – automatically. Each backup is stored for 30 days. If something goes wrong, just get in touch with us: We’ll restore a previous version of your site quickly and free of charge.
2. Manage your own backups via Plesk:
You also have the option to create your own backups in the Plesk dashboard – either manually or on a schedule. This is especially useful if you want to create a quick backup before making major updates or changes.
How do I use the Backup Manager in Plesk?
7. Activate an SSL certificate
You enter a website in your browser and get a warning: “This connection is not secure.” Many visitors leave the site immediately and prefer to look for an alternative. The warning is not only a deterrent, but also justified: Without a valid SSL certificate, the identity of the website cannot be reliably confirmed - the server is not considered trustworthy. With an active, valid certificate, your site will load securely via https:// and create trust.
Without SSL, third parties – for example, on public Wi-Fi networks – can intercept form submissions or login credentials. This applies even to simple contact forms or newsletter sign-ups.
At the same time, SSL is a visible trust signal. Modern browsers clearly label sites without SSL as not secure. Especially in a business context or for first-time visitors, this can seriously damage your image – no matter how good your content is.
And last but not least: Google prefers https:// websites in its search rankings.
How do I install and use the free SSL certificate from Let’s Encrypt?
8. Use strong passwords and two-factor authentication (2FA)
You’re using the default password „admin123“ for your WordPress login. An attacker runs a script to try common password combinations – and gains access to your site within seconds. If you had used a strong password and enabled 2FA, the attack would have failed.
User accounts – especially admin accounts – are a common target for hackers. A weak password is often enough for them to take full control of your website. With an extra layer of protection like two-factor authentication (2FA), your login is secured twice: An attacker would need not only your password, but also a one-time code from your smartphone.
1. Use strong passwords:
2. Enable two-factor authentication (2FA):
Add a second layer of security to your password. Plugins like WP 2FA or Wordfence Login Security let you secure your login with an app like Google Authenticator. When logging in, you’ll be asked to enter a one-time code that changes every 30 seconds.
Security doesn’t have to be complicated. With just a few focused steps, you can significantly improve your website’s protection – even without any technical expertise. The eight tips in this article can be implemented gradually and will help ensure your site runs smoothly while building trust with your visitors.
If you’re unsure how well your site is currently protected – or if you’d like help implementing these steps – our support team is happy to assist you.
