Steps to Secure Your Website
A practical checklist for locking down a new website: SSL, strong auth, updates, security headers, backups, and monitoring.
You launched a site. It works. Now make it hard to break into. This guide walks through the security steps that matter most, in the order you should do them. It applies whether you’re on GoZen Host shared hosting, WordPress hosting, or a VPS.

Before You Start
You’ll need:
- A live website with a domain name pointing to it
- Admin access to your hosting control panel (cPanel, Enhance, or SSH on a VPS)
- 30–60 minutes
If you’re on a VPS and haven’t done initial server setup yet, start with the VPS Security Checklist first. That covers SSH keys, firewalls, and OS-level hardening. This guide focuses on the website itself.
Step 1: Force HTTPS Everywhere
An unencrypted site leaks every form submission, login, and page view to anyone watching the network. Fix this first.
On GoZen shared or WordPress hosting:
AutoSSL is already enabled. Your site has a free Let’s Encrypt certificate. Verify it’s working:
```bash
curl -I https://yourdomain.com
# Look for: HTTP/2 200
# Look for: strict-transport-security header
```
If your site still loads over HTTP, force the redirect:
- cPanel: Go to Domains → your domain → toggle Force HTTPS Redirect on
- WordPress: In Settings → General, make sure both URLs start with `https://`
On a VPS:
Install a certificate with Certbot and configure your web server. Full walkthrough: How to Install SSL Certificates Manually.
Verify Your SSL Grade
Run your domain through SSL Labs. You want an A or A+. Anything below that means your TLS configuration needs work. See Secure Nginx and Apache for the fix.
Step 2: Lock Down Authentication
Weak passwords and missing 2FA are responsible for more breaches than any software vulnerability. Fix this before worrying about anything else.
Use Strong, Unique Passwords
If any of your hosting passwords are reused from another service, change them right now. Credential stuffing attacks test leaked password databases against every login form on the internet.
Every account should have a unique password, at least 16 characters, generated by a password manager:
- Hosting client area (cp.gozenhost.com)
- cPanel / Enhance panel
- WordPress admin
- FTP / SFTP
- Database users
Enable Two-Factor Authentication
Add 2FA to every login that supports it:
- GoZen client area: Security Settings → Two-Factor Authentication
- cPanel: Security → Two-Factor Authentication
- WordPress: install the Two-Factor plugin or use Wordfence
Full setup guide: Enabling Two-Factor Authentication.
WordPress-Specific Auth Hardening
If you run WordPress:
- Delete the default `admin` username. Create a new admin with a different name.
- Install Limit Login Attempts Reloaded to block brute-force bots
- Change the login URL with WPS Hide Login
- Disable XML-RPC if you don’t use the WordPress mobile app or Jetpack
Details: Securing WordPress.
Step 3: Update Everything
Outdated software is how most sites get compromised. Automated scanners test every known vulnerability within hours of public disclosure.
What to Keep Updated
| Component | How to Update |
|---|---|
| CMS core (WordPress, Joomla, etc.) | Enable auto-updates in the CMS dashboard |
| Plugins and extensions | Enable auto-updates or check weekly |
| Themes | Delete unused themes. Update active ones. |
| PHP version | cPanel → MultiPHP Manager → select the latest stable version |
| Server OS (VPS only) | `sudo apt update && sudo apt upgrade -y`, and enable `unattended-upgrades` |
WordPress Auto-Updates
WordPress auto-updates minor releases by default. For plugins:
- Go to Plugins → select all plugins
- Click Enable auto-updates from the bulk actions menu
Test updates on a staging site first if you run WooCommerce or a complex plugin stack. A broken checkout page costs more than a few minutes of testing.
Step 4: Add Security Headers
Security headers tell browsers how to treat your content. They shut down clickjacking, MIME sniffing, and XSS at the browser level, and they cost you nothing in performance.
On shared hosting (via .htaccess):
```apache
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
```
On a VPS (Nginx or Apache): See the full header configuration in Secure Nginx and Apache.
Verify Your Headers
```bash
curl -I https://yourdomain.com
```
Check that each header appears in the response. You can also use securityheaders.com for a graded report.
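Checking the output by eye gets tedious once you have several sites. The script below is an added example (not from this guide or GoZen Host) that reads the headers `curl` returns and reports each one from the list above as ok, missing, or weak; it assumes POSIX sh with curl, grep and sed, and `yourdomain.com` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a response for the
# security headers listed above. Assumes POSIX sh, curl, grep and sed;
# "yourdomain.com" is a placeholder.

# hsts_max_age LINE: print the max-age value from an HSTS header line, 0 if absent.
hsts_max_age() {
    v=$(printf '%s' "$1" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    echo "${v:-0}"
}

# audit_headers: read raw response headers on stdin, print one line per
# expected header (ok / MISSING / WEAK) and return 0 only if all pass.
audit_headers() {
    # strip CRs and lowercase so the match is case-insensitive
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    failures=0
    # "name:required-substring"; an empty substring means presence is enough
    for spec in 'strict-transport-security:max-age=' \
                'x-content-type-options:nosniff' \
                'x-frame-options:' \
                'referrer-policy:' \
                'permissions-policy:'; do
        name=${spec%%:*}
        want=${spec#*:}
        line=$(printf '%s\n' "$headers" | grep "^$name:" || true)
        if [ -z "$line" ]; then
            echo "MISSING $name"
            failures=$((failures + 1))
        elif [ -n "$want" ] && ! printf '%s' "$line" | grep -q "$want"; then
            echo "WEAK    $name ($line)"
            failures=$((failures + 1))
        elif [ "$name" = strict-transport-security ] &&
             [ "$(hsts_max_age "$line")" -lt 31536000 ]; then
            # the guide's value is one year; anything shorter is a weak HSTS policy
            echo "WEAK    $name (max-age below one year: $line)"
            failures=$((failures + 1))
        else
            echo "ok      $name"
        fi
    done
    [ "$failures" -eq 0 ]
}

# Usage: sh audit_headers.sh yourdomain.com
if [ -n "${1:-}" ]; then
    curl -sI "https://$1" | audit_headers
fi
```

The exit status is non-zero when anything is missing or weak, so the script can run from cron and alert you when a plugin or server change silently drops a header.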
Step 5: Set Up Backups
Security isn’t only about keeping attackers out. Something will eventually break, and when it does, a recent backup means you’re back online in minutes instead of days.
On GoZen Shared Hosting
GoZen runs daily automatic backups on all shared plans. You can restore from cPanel → JetBackup or R1Soft Restore Backups.
That said, keep your own copies too:
- cPanel: Backup Wizard → Full Backup → download to your local machine
- WordPress: Use UpdraftPlus to schedule backups to Google Drive, Dropbox, or S3
On a VPS
You’re responsible for backups. Options:
- GoZen automated backup add-on (server snapshots)
- Automated Backups with Restic or Rclone for a proper off-server backup pipeline
- Database-only: `mysqldump` on a cron job
Test your backups. If you’ve never actually restored one, you don’t know whether it works.
Step 6: Use a Firewall or WAF
A firewall blocks malicious traffic before it reaches your application code.
Shared Hosting
GoZen includes cPGuard on every cPanel plan. It’s a server-level WAF with malware scanning and brute-force protection built in. It runs automatically. Check its dashboard in cPanel to see what it’s blocking.
For an extra layer, put Cloudflare in front of your site. The free plan gives you DDoS protection, a basic WAF, and bot filtering.
VPS
Configure your server firewall:
- UFW (Ubuntu/Debian) or CSF (cPanel servers)
- Only open ports your services actually need: 22, 80, 443, and nothing else by default
- Add Fail2Ban for dynamic IP blocking
Full guide: How to Set Up a Firewall (UFW and CSF).
Step 7: Monitor and Scan
Set up monitoring so you find out about problems before your visitors do.
Uptime Monitoring
Use a free monitoring service to alert you when your site goes down:
- UptimeRobot: free for up to 50 monitors, checks every 5 minutes
- Better Stack: includes status pages and incident management
Security Scanning
- GoZen cPGuard: automatic malware scanning on shared hosting (check the cPanel dashboard)
- GoZen Security Scanner: run an external audit against your site
- WordPress: Wordfence (free) does file integrity checks and vulnerability scanning
- SSL Labs: re-check your SSL configuration every few months
Watch Your Logs
On a VPS, check access logs for suspicious patterns:
```bash
# Most active IPs hitting your site
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20
# Failed login attempts (WordPress)
grep "POST /wp-login.php" /var/log/nginx/access.log | wc -l
```
If you see thousands of login attempts from a single IP, your brute-force protection is either missing or not working.
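The total above does not tell you which client is responsible. The script below is an added example (not from this guide) that breaks the login POSTs down per IP and flags any client over a threshold; it assumes the default Nginx combined log format and uses constructed sample lines so it runs offline. It also separates failed attempts from successful logins: a stock WordPress login answers a correct password with a 302 redirect, so a POST that gets a 200 means the form was shown again, i.e. the attempt failed.

```shell
#!/bin/sh
# Added example (not from the original guide): per-IP breakdown of
# wp-login.php POSTs in an Nginx combined-format access log.
# Fields: $1 client IP, $6 "METHOD (with the opening quote), $7 path, $9 status.

# count_posts MODE: read log lines on stdin and print "count ip", busiest first.
# MODE "all" counts every POST to wp-login.php; "failed" keeps only those that
# got a 200 (WordPress redirects with 302 on success, so 200 means the form
# was re-rendered after a bad password).
count_posts() {
    awk -v mode="$1" '
        $6 == "\"POST" && $7 == "/wp-login.php" && (mode == "all" || $9 == 200) { n[$1]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

login_attempts_by_ip() { count_posts all; }
failed_logins_by_ip()  { count_posts failed; }

# flag_brute_force THRESHOLD: print IPs with at least THRESHOLD failed logins.
# Feed these to your blocklist review, Fail2Ban, or the Cloudflare firewall.
flag_brute_force() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample log (not real traffic): one client retrying the login
# form, one legitimate user who logs in, and one ordinary page view.
SAMPLE_LOG='203.0.113.5 - - [24/Apr/2026:08:00:01 +0300] "POST /wp-login.php HTTP/1.1" 200 4218 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Apr/2026:08:00:02 +0300] "POST /wp-login.php HTTP/1.1" 200 4218 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Apr/2026:08:00:02 +0300] "POST /wp-login.php HTTP/1.1" 200 4218 "-" "Mozilla/5.0"
203.0.113.5 - - [24/Apr/2026:08:00:03 +0300] "POST /wp-login.php HTTP/1.1" 200 4218 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2026:08:05:10 +0300] "GET /wp-login.php HTTP/1.1" 200 4218 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2026:08:05:25 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "https://yourdomain.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [24/Apr/2026:08:06:00 +0300] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"'

# Stand-alone run over the sample; on a server, replace the printf with
# `cat /var/log/nginx/access.log` (a real threshold would be far higher than 3).
printf '%s\n' "$SAMPLE_LOG" | flag_brute_force 3
```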
Security Checklist
Run through this after completing the steps above:
Print this or bookmark it. Come back every quarter and verify everything still holds.
| Step | Check | Status |
|---|---|---|
| HTTPS | Site loads over HTTPS, HTTP redirects, SSL grade A or above | ☐ |
| Passwords | All accounts use unique 16+ character passwords | ☐ |
| 2FA | Enabled on hosting panel, cPanel, and CMS admin | ☐ |
| Updates | CMS, plugins, themes, and PHP are current | ☐ |
| Auto-updates | Enabled for CMS minor releases and plugins | ☐ |
| Headers | Security headers present in HTTP response | ☐ |
| Backups | Automated and tested within the last month | ☐ |
| Firewall | Active (cPGuard, UFW/CSF, or Cloudflare) | ☐ |
| WAF | Server-level or CDN-level WAF active | ☐ |
| Monitoring | Uptime alerts and security scanning configured | ☐ |
| Unused software | Inactive plugins, themes, and test installs removed | ☐ |
What to Do Next
- Securing WordPress: WordPress-specific hardening beyond the basics
- VPS Security Checklist: server-level hardening for unmanaged VPS
- Server Hardening Basics: Fail2Ban, sysctl, and service management
- How to Secure Nginx and Apache: web server hardening deep dive
- How to Set Up Cloudflare with GoZen Host: CDN and DDoS protection layer
Last updated 24 Apr 2026, 08:56 +0300.