Website security is often seen as complicated and expensive. But it is only partially so. While online threats are diverse and sophisticated, there are luckily powerful tools that significantly simplify the process for every website owner. And while a comprehensive security plan can be costly, there are also several budget-friendly, inexpensive and even free alternatives.
The point is there is no excuse not to protect your website from the moment you launch. If you are looking for must-have website security tools on a budget, below you will find the most relevant ones and related website security advice for 2020. In focusing on inexpensive website security tools, we recommend – wherever possible – three alternatives based on the price: free, budget and premium.
Table of Contents
- I. Start with Security in Mind
- II. Protect Against All Threats
- III. Prepare for the Worst
- IV. Remain Vigilant
I. Start with Security in Mind
The basics are often taken for granted. But they are also the foundation of your website’s security. If you are looking for website security advice, you probably already own a website, and thus you have probably chosen your preferred web host, domain name registrar and a professional email provider. We will therefore keep this section short, but keep it nonetheless as a reminder of the basics of website security.
1. Get Secure Web Hosting
Secure web hosting ideally includes fully managed support and private resources for your website. This is why Kinsta, a Managed WordPress host, is our top recommendation. Not only does it include premium DNS, CDN and hardware firewalls, Kinsta also comes with a hack-fix guarantee.
But cheaper hosting can also be secure, whether it is provided on shared or virtual private servers. Two absolute security essentials you should expect from your host are a free Let’s Encrypt SSL certificate and free daily backups. Three other hosts that meet and exceed theses expectations are Cloudways, SiteGround and Hawk Host.
2. Choose a Trusted Domain Name Registrar
You should always separate your web hosting and domain name registration. If one of them is compromised in any way, the other one is still safe.
Two key features of a trusted domain name registrar are free domain privacy (a.k.a. WHOIS privacy) and account security (including 2FA and account notifications). Other features to consider are DNSSEC, Premium DNS, grace periods for renewals and crypto payments. As a good example, NameSilo includes all of these features.
3. Opt for a Private Email Service
If you have chosen shared hosting, your plan probably includes free email accounts. If you are on a budget, there is nothing wrong with using that feature, as long as your web hosting includes spam protection and strong account security.
If you value privacy, however, it is better to opt for an independent email service. Most free email solutions do not include a custom domain. If the price is the main concern, you may want to try Namecheap‘s email hosting. If you need a privacy-focused zero-knowledge email service, ProtonMail is currently the go-to provider.
II. Protect Against All Threats
Two main levels at which you can proactively protect your website against a variety of threats are the app-level and server- or cloud-level. The application-level security refers to making tweaks to the software that powers your website, such as WordPress, making it hard for hackers to force their way in. The server-level security refers to providing a barrier between your website and the rest of the internet by monitoring incoming traffic and blocking anything harmful.
4. Use a Plugin to Protect Your Website
The most important level of security for your website that you are wholly responsible for is at the application level. For example, if you are using WordPress for your website, you need to protect your website at the WordPress level.
The easiest security tool for WordPress users is a security plugin. It may be hard to pick the right one because there is a myriad of free and cheap website security plugins. In choosing one, you need to focus on getting a plugin that locks up all the entry points that a hacker or malware can exploit to compromise your website. A good app stops brute force attacks and disables WordPress vulnerabilities. An app-level plugin’s function is not to analyze and deal with all the traffic thus slowing down your load times.
One of the most powerful plugins today is Defender by WPMU DEV. Even its free version is surprisingly feature-rich. Beyond masking your login page, Defender scans your WordPress site and provides suggestions for quick security fixes, including changing a default database prefix and updating security keys. Defender Pro includes also real-time malware scanning and WordPress core auditing. The Pro version requires a WPMU DEV membership.
A great inexpensive Defender plugin alternative is perfmatters. While it is primarily a performance optimizing plugin, it includes several essential security features. For example, it can change the login page, remove WordPress version number and disable XML-RPC. It thus makes it very hard for hackers to even try to break into your website.
5. Secure All Traffic to Your Website
However well you may have tweaked your application, your website is not immune to malicious traffic, new viruses and large-scale attacks. You need therefore a server- or cloud-level barrier between your website and the outside world.
If you have chosen your web hosting carefully, the good news is that your host likely uses hardware- or platform-level firewalls. Even if you are on inexpensive shared hosting, your website is probably protected by such tools as ModSecurity or Imunify360 (e.g. Hawk Host).
It is, however, crucial to make sure that any direct traffic to your website is scanned and automatically blocked based on the rules defined also by you. The best way to do so is to use a security-focused CDN (content delivery network). A popular free CDN+ provider is Cloudflare. Cloudflare acts as a reverse proxy and DNS service. It includes basic DDoS mitigation and a shared SSL certificate.
A different kind of CDN provider that does not require changing your DNS provider is KeyCDN. It is affordable and comes with a range of advanced security features. KeyCDN includes DDoS protection, Let’s Encrypt or custom SSL, Origin Shield, secure token, access rules and blocking of bad bots. KeyCDN can also be used together with either Cloudflare or Sucuri. You can get $10 to try KeyCDN now.
Why would you want to use KeyCDN along with either Cloudflare or Sucuri? Because the latter two CDNs include WAF (website/web application firewall). WAF is a rule-based tool that instantly blocks bad traffic before it even reaches your website. Both Cloudflare WAF and Sucuri WAF are paid services. Unlike Cloudflare, Sucuri blocks not only layer 7 attacks but also layer 3 and 4. If you are planning to deploy Sucuri as your DNS service and use a Let’s Encrypt certificate, you can start with Sucuri’s Basic plan.
III. Prepare for the Worst
Regardless of how thoroughly you have protected your website, there is never a 100% guarantee that it will not crash or get hacked. However painful a website hack may be, you can minimize the damage by preparing for the worst. The best thing you can do for your website security is prevent data loss by setting up a backup and restore system.
6. Automate Website Backups
All good web hosting providers include complimentary off-site backups. If you read the terms of service, however, none of the hosts can guarantee the availability or integrity of such backups. So, while it is good to have web hosting backups, you are ultimately responsible for any data loss.
The safest way never to lose your data is to have the latest copy of your website stored in a remote safe location. If you are using WordPress, the best way to automate your website backups as well as eventual restoration is by using a plugin. UpdraftPlus is the most advanced backup plugin. Even with the free version of UpdraftPlus you can automatically backup your files and database directly into one of such popular cloud providers as Google Drive.
If you are using a different app or need a dedicated storage for your UpdraftPlus backups, Woktron offers inexpensive FTP backup storage in North America and Europe. Woktron uses Virtualmin control panel for easy file management. To backup your website with UpdraftPlus and Woktron, enter your FTP/FTPs credentials in UpdraftPlus and connect it to your designated Woktron folder as a remote path.
Of course, FTP storage does not offer zero-knowledge data privacy. If you need secure and private cloud storage for your website backups, the easiest option is to get UpdraftPlus Premium which includes 1 GB of space and more at a reasonable fee. A good UpdraftPlus alternative is Snapshot Pro by WPMU DEV. Snapshot includes 10 GB of cloud storage but it does require a WPMU DEV membership.
7. Backup Your Backups and Work
Regardless of whether your host takes disaster recovery backups and whether you have automated your own off-site backups, the final step in preparing for the worst consists in backing up your backups and all your work as well as storing them safely in the cloud.
Whether you download your website backups or use advanced developer tools, you need reliable private remote cloud storage and online backup. We have tried dozens of popular backup and storage products and settled on IDrive as the most versatile, secure and affordable backup provider.
Every IDrive plan includes generous backup space for unlimited devices, including Linux and mobile. IDrive can also be used as cloud storage to sync any files and folders across your devices, with the size of the sync storage mirroring that of the backup storage (e.g. 2 TB plus 2 TB). Other features include versioning, true archiving and continuous data backup. Most importantly, you can – and should – set up your own private encryption key so that only you can access your data.
IV. Remain Vigilant
Once you have protected your website against bad bots, DDoS and brute force attacks and set up a backup system, you may feel that you are done. But the work is not over yet. In fact, keeping your website secure is an ongoing process. The key thing to remember is to keep your software up-to-date. Beyond that, you need to keep an eye on your website’s uptime, pay attention to your password hygiene and to how you securely access your website as an admin.
8. Monitor Your Website's Uptime
A website can become unavailable for many reasons, including DDoS attacks and malicious code. If your website goes down, you need to know it immediately so you can respond properly.
The easiest way to keep an eye on your website’s availability is by using a website monitor. The tool monitors as a minimum a website’s uptime and load time but usually also a domain name’s and SSL certificate’s expiration.
The cheapest feature-rich and reliable website monitor is updown. You can control the price by setting the checkup interval at as high as 15 seconds and as low as 1 hour, although the recommended frequencies are usually 1 to 10 minutes. While there is no free plan, you get 100,000 free credits to try updown.
If you are looking for a free uptime monitor with a 1-minute checkup interval, HetrixTools has a very generous free plan. It includes 15 websites tested from four locations. If you need a white label public page, more test locations or up to 50 SMS a month, HetrixTools also has a business plan. Additionally, HetrixTools has a free blacklist monitor for your domain name or IP address.
9. Change Passwords Frequently
Nothing threatens your website’s security more directly than a weak re-used password. Once you have masked your admin login page, you need to set a strong password and change it regularly.
Although most browsers can suggest and save passwords, it is not a secure way to store them and there are many limitations (such as using a different browser or sharing a password). It is therefore good practice to use a password manager (along with 2FA). You can use one or both of the following two password managers.
If you are looking for a free or cheap password manager that works across all your devices, Bitwarden may be a good choice. It is a fully functional password manager for unlimited passwords. Many choose Bitwarden also because it is 100% open source.
Another great free password manager is Sticky Password. Created by a team of security experts, Sticky Password can be used to generate and save unlimited passwords across all browsers and devices. Along with biometric authentication, Sticky Password can be used as a portable password manager with all your encrypted data saved on a USB or hard drive. The premium version additionally includes cloud and WiFi sync, backup storage and secure password sharing. Sticky Password is the only password manager that lets you get a lifetime licence. As a feel-good bonus, your purchase contributes to a worthy cause: Sticky Password supports a foundation that saves endangered manatees.
10. Access Your Website Safely
Using a VPN is the easiest and fastest way to secure all your internet traffic. As a webmaster, developer and website owner, you get several benefits by using a trustworthy VPN provider:
- securely access your admin area on public networks (including airports and cafes)
- do research for your SEO and business strategy with stealth and privacy
- unblock websites in different countries and see hidden features and better prices
- reduce spying and tracking by internet providers, governments and competitors
- add security and privacy to your workflow by encrypting your connection
There are dozens of popular VPN services and most of them will enhance your privacy and cybersecurity. Specifically for website owners, we recommend ProtonVPN Plus. It ensures great speeds on its Plus Servers (10 Gbps networks) and the highest levels of data security on its Secure Core Servers (wholly owned and provisioned by ProtonVPN).
A website can be compromised on many levels: app-level and server-level, authentication & encryption, DNS and email, identity and data loss. It is therefore essential that you utilize all of the most essential must-have website security tools early on.
Whatever tools you choose to use, the best website security advice is that you are ultimately responsible for how you make use of them. It is also worth remembering that website security is a continuous effort, so you will need to revise your options now and again.
For the foreseeable future, though, the 10 tools listed above will ensure you are well equipped against hackers, bad bots and data loss.