How to Secure Your Website

11. Sanitize & validate all input (XSS / SQLi / OS Injection)

WordPress (free)

  • Use built-in escaping:

    echo esc_html( $user_input );
    echo esc_url( $link );
    echo intval( $_GET['id'] );
  • Replace direct SQL with $wpdb->prepare():

    $result = $wpdb->get_results( $wpdb->prepare(
    "SELECT * FROM wp_users WHERE ID = %d", $user_id
    ));
  • Install “Wordfence Security – Free” → enables live firewall + sanitization checks.

  • Bonus: enable Cloudflare WAF → Managed Rules → OWASP → enable SQL/XSS protections.

Shopify (free)

  • Avoid unescaped Liquid: use

    {{ customer.first_name | escape }}
    {{ form.email | escape }}
  • Never use {{ ... | raw }} in templates.

  • Add Cloudflare free WAF to block injection patterns on your storefront domain.

Static HTML (no CMS)

  • Validate forms in JS before POST:

    const name = document.getElementById('name').value;
    if(!/^[a-zA-Z0-9\s]{1,40}$/.test(name)){ alert('Invalid input'); return false; }
  • Server-side (PHP example):

    $name = htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8');
    $stmt = $pdo->prepare('INSERT INTO users(name) VALUES(?)');
    $stmt->execute([$name]);
  • Use ModSecurity OWASP Core Rule Set (CRS) free module on Apache/Nginx.

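The two halves of this section, binding parameters instead of concatenating SQL and encoding on output instead of trusting input, shown side by side in Python. This is an added example, not code from the page; the in-memory SQLite table and its rows are constructed sample data.

```python
import html
import re
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a users table (sample rows, not real accounts).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (ID, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "<b>mallory</b>")])
    return conn

def lookup_vulnerable(conn, user_id):
    # String concatenation: whatever arrived in ?id= becomes part of the SQL statement.
    return conn.execute("SELECT ID, name FROM users WHERE ID = " + user_id).fetchall()

def lookup_safe(conn, user_id):
    # Equivalent of intval() plus $wpdb->prepare('... %d'): coerce to a number, then bind it.
    if not re.fullmatch(r"\d{1,10}", user_id):
        return []
    return conn.execute("SELECT ID, name FROM users WHERE ID = ?", (int(user_id),)).fetchall()

# Same allow-list as the page's client-side regex; the server must repeat it, since JS can be skipped.
NAME_RE = re.compile(r"[a-zA-Z0-9\s]{1,40}")

def validate_name(name):
    return NAME_RE.fullmatch(name) is not None

def render_name(name):
    # Equivalent of esc_html() / htmlspecialchars(): encode at output time, store the raw value.
    return "<p>" + html.escape(name, quote=True) + "</p>"
```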

12. Validate output encoding / CSP (Content Security Policy)

WordPress

  • Add CSP headers in .htaccess:

    Header set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; script-src 'self' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com"
  • Or use “HTTP Headers” plugin → Security → enable CSP, X-XSS-Protection, X-Content-Type-Options (X-XSS-Protection is a legacy header that current browsers ignore; the CSP is what actually limits script execution).

  • Sanitize template variables using esc_attr(), esc_html().

Shopify

  • Add <meta http-equiv="Content-Security-Policy" content="default-src 'self' https://cdn.shopify.com https://*.shopifycdn.com;"> inside theme.liquid head.

  • Escape all variables with | escape filter.

  • Avoid inline JS; load from assets.

Static HTML

  • Add headers in Apache or Nginx:

    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Content-Security-Policy "default-src 'self'"
  • Run Mozilla Observatory scan (free) → https://observatory.mozilla.org to confirm grade ≥ A.
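Before pasting a policy into .htaccess or theme.liquid, it helps to check it for the weaknesses a scanner such as Observatory marks down. The auditor below is an added example, not code from the page or from Mozilla; the set of checks is my own selection (unsafe script sources, plaintext origins, inline styles, missing object-src and base-uri).

```python
def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_csp(header):
    """Return the findings a practitioner would raise against this policy, in check order."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("missing default-src fallback")
    default = policy.get("default-src", [])
    # script-src falls back to default-src when absent, so audit whichever applies.
    scripts = policy.get("script-src", default)
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "https:"):
        if weak in scripts:
            findings.append("script-src allows " + weak)
    for src in scripts:
        if src.startswith("http:"):
            findings.append("script-src allows plaintext origin " + src)
    if "'unsafe-inline'" in policy.get("style-src", default):
        findings.append("style-src allows 'unsafe-inline' (lower severity than for scripts)")
    # Without object-src 'none' (or default-src 'none'), plugin embeds are still allowed.
    if "object-src" not in policy and "'none'" not in default:
        findings.append("object-src not set to 'none'")
    if "base-uri" not in policy:
        findings.append("base-uri not set")
    return findings
```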


13. Secure file uploads (CWE-434 / CWE-22 Path Traversal)

WordPress

  • If file uploads are needed, install “File Upload Types by WPForms” → whitelist safe MIME types only.

  • Prevent PHP execution in uploads:

    • Create /wp-content/uploads/.htaccess:

      <FilesMatch "\.php$">
      Deny from all
      </FilesMatch>
  • Validate filename before saving:

    $filename = sanitize_file_name( $_FILES['file']['name'] );
  • Use plugin “MalCare Free” or Wordfence → scans uploaded malware.

Shopify

  • Files uploaded by customers go to Shopify CDN — already validated.

  • For custom forms, limit accepted file types:

    <input type="file" accept=".jpg,.png,.pdf">
  • Cloudflare WAF: block requests with multipart uploads > 10 MB or double extensions (.php.jpg).

Static HTML

  • In upload handler (PHP/Python):

    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_file($finfo, $_FILES['upload']['tmp_name']);
    finfo_close($finfo);
    if (!in_array($mime, ['image/png','image/jpeg','application/pdf'], true)) die('Bad file');
    // Never reuse the client-supplied name; pick a server-side name whose extension matches the detected type.
    $ext = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'][$mime];
    $dest = '/var/www/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
    move_uploaded_file($_FILES['upload']['tmp_name'], $dest);
  • Apache .htaccess:

    <Directory "/var/www/uploads">
    php_flag engine off
    </Directory>
  • Cloudflare WAF: block .php, .exe, .sh, .pl, .cgi uploads.
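The same upload checks (content sniffing like finfo_file(), the 10 MB ceiling, the double-extension and executable-extension rules from the WAF bullets, and a server-chosen filename) in one Python function. This is an added example, not the page's code; the magic-byte table and the extension mapping are my own.

```python
import os
import re
import secrets

# Leading bytes of the three types the page allows (standard file signatures).
SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF-",
}
# Extensions that may carry each detected type; anything else is a name/content mismatch.
MIME_EXT = {"image/png": {".png"}, "image/jpeg": {".jpg", ".jpeg"}, "application/pdf": {".pdf"}}
# The page's WAF block list; a match anywhere in the name (shell.php.jpg) is rejected.
EXEC_EXT = {".php", ".exe", ".sh", ".pl", ".cgi"}
MAX_BYTES = 10 * 1024 * 1024  # the page's 10 MB ceiling

def sniff_mime(data):
    """Classify by magic bytes, like finfo_file(); the client-declared type is never consulted."""
    for mime, sig in SIGNATURES.items():
        if data.startswith(sig):
            return mime
    return None

def check_upload(original_name, data):
    """Return (True, server_chosen_name) or (False, reason)."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    mime = sniff_mime(data)
    if mime is None:
        return False, "content not an allowed type"
    # Collect every extension in the name so a double extension is caught, not just the last one.
    exts = [e.lower() for e in re.findall(r"\.[A-Za-z0-9]+", os.path.basename(original_name))]
    if any(e in EXEC_EXT for e in exts):
        return False, "executable extension in name"
    if not exts or exts[-1] not in MIME_EXT[mime]:
        return False, "missing or mismatched extension"
    # Store under a random name: the user's name never reaches the filesystem.
    return True, secrets.token_hex(16) + exts[-1]
```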


14. CSRF (Cross-Site Request Forgery) Protection

WordPress

  • Use nonces (built-in anti-CSRF tokens):

    wp_nonce_field('my_action', 'my_nonce');

    Verify on submit:

    check_admin_referer('my_action', 'my_nonce');
  • Many plugins include this automatically (check forms).

Shopify

  • All admin & customer POST routes include authenticity tokens automatically.

  • For custom forms, wrap the fields in the Liquid form tag, which emits the authenticity token for you:

    {% form 'contact' %}
      ... form fields ...
    {% endform %}
  • Add the free Cloudflare Turnstile challenge to public forms (a drop-in replacement for reCAPTCHA).

Static HTML

  • Generate a token once per session and add it as a hidden field:

    <?php if (empty($_SESSION['token'])) { $_SESSION['token'] = bin2hex(random_bytes(32)); } ?>
    <input type="hidden" name="token" value="<?= htmlspecialchars($_SESSION['token'], ENT_QUOTES, 'UTF-8') ?>">

    Server validation (hash_equals() is constant-time, and a missing token fails closed):

    if (empty($_SESSION['token']) || !hash_equals($_SESSION['token'], $_POST['token'] ?? '')) { http_response_code(403); exit; }
  • Or include Cloudflare Turnstile or hCaptcha free widget on every POST form.
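The token scheme behind both the WordPress nonce (bound to an action name) and the static-site hidden field, written in Python as an added example rather than code from WordPress or the page. The session is assumed to be a server-side dict; the token is an HMAC over the action name keyed by a per-session secret, so a token for one action cannot be replayed against another.

```python
import hashlib
import hmac
import secrets

def session_secret(session):
    """Per-session random key, created on first use and kept server-side only."""
    if "csrf_secret" not in session:
        session["csrf_secret"] = secrets.token_bytes(32)
    return session["csrf_secret"]

def csrf_token(session, action):
    """Action-bound token, like wp_nonce_field('my_action', ...): HMAC(secret, action)."""
    return hmac.new(session_secret(session), action.encode(), hashlib.sha256).hexdigest()

def csrf_field(session, action):
    """Hidden input for the form; the value is hex, so it needs no extra HTML escaping."""
    return '<input type="hidden" name="token" value="%s">' % csrf_token(session, action)

def verify_csrf(session, action, submitted):
    """Constant-time check; a session without a secret or an empty token always fails."""
    if "csrf_secret" not in session or not submitted:
        return False
    return hmac.compare_digest(csrf_token(session, action), submitted)
```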


15. Prevent path traversal / directory exposure

WordPress

  • In .htaccess:

    Options -Indexes
    <FilesMatch "(wp-config\.php|readme\.html|license\.txt)">
    Order allow,deny
    Deny from all
    </FilesMatch>
  • Disable directory browsing.

  • Validate file paths in custom code:

    $base = realpath($upload_dir);
    $path = realpath($upload_dir.'/'.$filename);
    // realpath() returns false for a missing file; the trailing separator stops /uploads2 passing as inside /uploads.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) die('Invalid path');

Shopify

  • No direct file-system access → safe by design.

  • Review theme files; remove any /templates/customers/*.liquid files that are not used.

  • Avoid using asset_url to reference user-controlled names.

Static HTML

  • Apache:

    Options -Indexes
    <FilesMatch "\.(bak|conf|env|sql)$">
    Require all denied
    </FilesMatch>
  • Nginx:

    location ~* \.(env|bak|sql)$ { deny all; }
    autoindex off;
  • Don’t let uploaders specify folder paths — strip ../.
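The resolve-then-compare check from the WordPress bullet above, as an added Python example (not code from the page). It assumes uploads live under a single base directory and shows the two details a plain prefix test misses: absolute paths that discard the base, and sibling directories such as /var/www/uploads2 that share the base's prefix.

```python
import os

def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir; raise ValueError if the result escapes it."""
    base = os.path.realpath(base_dir)
    # os.path.join() discards base_dir when the second argument is absolute, so refuse those outright.
    if os.path.isabs(user_path):
        raise ValueError("absolute path not allowed")
    # realpath() collapses ../ segments and follows symlinks before the comparison is made.
    full = os.path.realpath(os.path.join(base, user_path))
    # Compare against base plus a separator, so /var/www/uploads2 is not accepted as inside /var/www/uploads.
    if full != base and not full.startswith(base + os.sep):
        raise ValueError("path escapes upload directory")
    return full

def is_safe(base_dir, user_path):
    """Boolean wrapper for use in request handlers and tests."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False
```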
