How to Secure Your Website

6. Enforce MFA (Multi-Factor Authentication)

WordPress (free)

  • Install plugin “Two-Factor” (by WordPress.org) — 100 % free, no upsell.

  • Go to Users → Profile → Two-Factor Options → enable TOTP + Backup Codes.

  • Scan the QR code with Google Authenticator / Authy / Microsoft Authenticator.

  • Enforce MFA site-wide: install “WP 2FA” (free edition) → Settings → “Force 2FA for all users.”

  • Disable XML-RPC unless needed (functions.php):

    add_filter('xmlrpc_enabled', '__return_false');

Shopify (free)

  • In Settings → Users and permissions, click each staff member → Require two-step authentication.

  • Shopify sends setup link via email → each user activates MFA with authenticator app.

Static HTML

  • Use Cloudflare’s free Zero Trust Access for admin areas (protect /admin or /cpanel paths).

    • Cloudflare → Zero Trust → Access → Applications → Add → Self-hosted.

    • Protect with One-Time-PIN or TOTP.

  • Or, for SSH/SFTP, enable Google Authenticator PAM or SSH key-based login only:

    sudo apt install libpam-google-authenticator
    google-authenticator              # run as the user who logs in; writes ~/.google_authenticator
    sudo nano /etc/pam.d/sshd         # add "auth required pam_google_authenticator.so"
    sudo nano /etc/ssh/sshd_config    # set "KbdInteractiveAuthentication yes" (older OpenSSH: "ChallengeResponseAuthentication yes"), otherwise the PAM line is never reached
    sudo systemctl restart ssh        # keep your current session open and test a second login before closing it

7. Limit login attempts & block brute-force

WordPress (free)

  • Install “Limit Login Attempts Reloaded” or “WPS Limit Login” (free).

    • Settings → set lockout after 3–5 failed logins, ban for 15 min–1 hr.

  • Add .htaccess protection on /wp-login.php:

    <Files "wp-login.php">
    # Apache 2.2 syntax; on 2.4 it only works while mod_access_compat is loaded (otherwise use: Require ip your.ip.address.here)
    order deny,allow
    deny from all
    allow from your.ip.address.here
    # Behind Cloudflare the address Apache sees is Cloudflare's unless mod_remoteip restores the visitor IP
    </Files>

  • Cloudflare → Security → WAF → Rule:

    • “URI contains /wp-login.php” → block after 10 req per minute.

Shopify (free)

  • Built-in rate limiting.

  • Optionally enable Cloudflare free WAF rate-limit rule for your custom forms (contact, newsletter).

  • Avoid adding custom login forms in theme — use Shopify’s default /account/login.

Static HTML (free)

  • Cloudflare → WAF → create rule:

    • “URI Path contains /admin or login” → block > 5 req/min → JS Challenge.

  • Apache .htaccess basic auth (in /var/www/html/admin/.htaccess; a <Directory> block is not permitted inside .htaccess, so the directives go in directly, and the vhost must allow it with "AllowOverride AuthConfig"):

    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user

    Create the password file (drop -c when adding further users, otherwise the file is overwritten):

    htpasswd -c /etc/apache2/.htpasswd username
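Lockout plugins and WAF rules are the prevention side; a quick detection check on the server log shows whether anyone is still hammering the login. The helper below is an added example (not from the original post) that reads Apache combined-log lines and lists clients whose failed login POSTs reach a threshold; the log sample is constructed.

```shell
#!/bin/sh
# Constructed Apache combined-log sample (not from the original post): one client
# hammering the login form, one legitimate user who logs in on the second try.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read combined-log lines on stdin and print "count ip" for every client whose
# failed login attempts reach the threshold (default 5). WordPress answers a
# failed wp-login.php POST with 200 (the form is re-rendered) and a successful
# one with a 302 redirect, so only 200s are counted. xmlrpc.php POSTs count too,
# because login-attempt plugins often do not cover that endpoint.
login_abusers() {
  awk -v t="${1:-5}" '
    $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") && $9 == 200 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  '
}

# Demo on the constructed sample; on a server run e.g.
#   login_abusers 5 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | login_abusers 5
```

Feed the offending addresses into the Cloudflare WAF rule or the .htaccess deny list above.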

8. Secure sessions & cookies

WordPress

  • In wp-config.php add:

    define('FORCE_SSL_ADMIN', true);           // login and admin only over HTTPS, so WordPress issues its (already HttpOnly) auth cookies with the Secure flag
    @ini_set('session.cookie_httponly', true); // the ini_set lines cover PHP sessions started by plugins; WordPress core does not use PHP sessions
    @ini_set('session.cookie_secure', true);
    @ini_set('session.use_only_cookies', true);

  • Add to .htaccess:

    Header always edit Set-Cookie (.*) "$1; SameSite=Strict"

  • Plugin option: “HTTP Headers” plugin → Security → enable “Secure + HttpOnly + SameSite Strict”.

Shopify

  • Native platform enforces secure cookies.

  • For custom Liquid forms, note that <meta http-equiv="Set-Cookie"> has been dropped from the HTML standard and current browsers ignore it; a cookie written from theme JavaScript must carry the attributes itself:

    document.cookie = "name=value; SameSite=Strict; Secure; Path=/";

    (HttpOnly cannot be set from JavaScript, so keep anything sensitive out of cookies written this way.)

  • Use Shopify’s built-in session system; avoid inline JS storing tokens.

Static HTML

  • If using PHP (the array form needs PHP 7.3+; call it before session_start()):

    session_set_cookie_params([
    'secure' => true,       // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Strict'  // not sent on cross-site requests
    ]);
    session_start();

  • Or via server header (Apache):

    Header always edit Set-Cookie (.*) "$1; SameSite=Strict"
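Whichever of the three setups you use, confirm the flags actually arrive in the response. The helper below is an added example (not from the original post): it reads raw response headers and reports every Set-Cookie that lacks Secure, HttpOnly or SameSite; the headers shown are constructed, and a live check would pipe `curl -sI https://your-site/wp-login.php` into it.

```shell
#!/bin/sh
# Constructed response headers (not captured from a real site): one cookie done
# right, one bare PHP session cookie, one that is HttpOnly but nothing else.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: wordpress_logged_in_abc=alice%7C1700000000; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: PHPSESSID=8f3c2; Path=/
Set-Cookie: wp-settings-time-1=1700000000; Path=/; HttpOnly
Content-Type: text/html'

# Print "<cookie name>: <missing attributes>" for each Set-Cookie header on
# stdin; exit status 1 if any cookie is missing something, 0 if all are clean.
# Attribute matching is case-insensitive and requires a preceding ";" so that
# a cookie value containing the word "secure" is not mistaken for the flag.
cookie_audit() {
  awk '
    tolower($1) == "set-cookie:" {
      name = $2; sub(/=.*/, "", name)
      l = tolower($0); missing = ""
      if (l !~ /; *secure/)    missing = missing " Secure"
      if (l !~ /; *httponly/)  missing = missing " HttpOnly"
      if (l !~ /; *samesite=/) missing = missing " SameSite"
      if (missing != "") { print name ":" missing; bad++ }
    }
    END { exit bad ? 1 : 0 }
  '
}

# Demo on the constructed headers; live:  curl -sI https://your-site/wp-login.php | cookie_audit
printf '%s\n' "$SAMPLE_HEADERS" | cookie_audit || echo "fix the cookies listed above"
```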

9. Remove unused components / themes / apps

WordPress

  • Dashboard → Plugins → Inactive → Delete all inactive.

  • Appearance → Themes → keep one default theme (e.g., Twenty Twenty-Five), delete others.

  • SSH (WP-CLI; run "wp plugin list --status=inactive" first, since delete errors out on an empty list):

    wp plugin delete $(wp plugin list --status=inactive --field=name)
    wp theme delete $(wp theme list --status=inactive --field=name)

  • Free scanner: install “Wordfence Free” → scan → see outdated or vulnerable plugins.

Shopify

  • Settings → Apps and sales channels → click “…” → “Delete”.

  • Online Store → Themes → remove old unpublished themes.

  • In each theme’s theme.liquid, delete unneeded external JS/CSS calls.

Static HTML

  • Audit the web root for unused JS/CSS (listing by size surfaces forgotten bundles and old uploads):

    du -sh * | sort -h

  • Remove obsolete libraries (old jQuery, bootstrap, etc.).

  • Check with Retire.js CLI (free):

    npm install -g retire
    retire --path ./public_html

10. Keep everything updated (core + components)

WordPress

  • Enable auto-updates (in functions.php or a must-use plugin):

    add_filter( 'auto_update_plugin', '__return_true' );
    add_filter( 'auto_update_theme', '__return_true' );
    add_filter( 'allow_major_auto_core_updates', '__return_true' );

  • CLI:

    wp core update
    wp plugin update --all
    wp theme update --all

  • Verify with:

    wp core check-update

  • Free plugin: “Easy Updates Manager” → configure auto-core + plugins + themes.

Shopify

  • Shopify auto-updates the core.

  • Go to Apps → check “View details” → update to newest.

  • For custom themes, Online Store → Themes → Update if alert appears.

Static HTML

  • Use a CDN for external libs, pinned to the latest secure version and with a Subresource Integrity hash so the browser refuses a tampered file (replace sha384-... with the hash of that exact file), e.g.:

    <script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js" integrity="sha384-..." crossorigin="anonymous"></script>

  • Use Git:

    git pull origin main
    npm audit fix

  • Rebuild dependencies periodically if using Node or build tools.
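The value that replaces sha384-... is the base64 SHA-384 of the exact file the tag loads. The helper below is an added example (not from the original post) that computes it and checks a downloaded copy against the hash in a tag; it assumes openssl is installed and that the file was fetched from the same URL the tag references.

```shell
#!/bin/sh
# Print the SRI value ("sha384-" + base64 SHA-384) for a local file, e.g. after
#   curl -sO https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js
# Any later change to the CDN copy makes the browser reject the script.
sri_hash() {
  printf 'sha384-%s' "$(openssl dgst -sha384 -binary "$1" | openssl base64 -A)"
}

# Return 0 when the file matches the integrity value taken from a <script> tag,
# 1 otherwise (use it to re-verify a vendored library after each update).
sri_check() {
  [ "$(sri_hash "$1")" = "$2" ]
}

# Demo on a constructed file standing in for a downloaded library.
demo=$(mktemp)
printf 'console.log("constructed sample library");\n' > "$demo"
expected=$(sri_hash "$demo")
echo "integrity=\"$expected\""
printf '// tampered\n' >> "$demo"
sri_check "$demo" "$expected" || echo "file changed: hash no longer matches"
rm -f "$demo"
```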
