How to Secure Your Website

16. Lock down configuration & disable debugging

WordPress

  • In wp-config.php

    define('WP_DEBUG', false);
    define('WP_DEBUG_DISPLAY', false);
    define('WP_DEBUG_LOG', false);
    define('DISALLOW_FILE_EDIT', true);
  • Remove default files:

    rm readme.html license.txt wp-config-sample.php
  • Add to .htaccess:

    <FilesMatch "(wp-config\.php|error_log|debug\.log)">
    Require all denied
    </FilesMatch>
  • Use free plugin “WP Hardening by Astra” → one-click disable file editing, PHP execution in uploads, and directory browsing.

Shopify

  • Disable unused scripts/snippets:
    In Online Store → Themes → Edit Code, delete unused JS/CSS.

  • Remove any “console.log” or debugging outputs from theme code.

  • Apps handle debug logs internally — remove any dev/test apps after launch.

Static HTML

  • Turn off directory indexing:

    Options -Indexes
  • In config.php (if using PHP):

    ini_set('display_errors', 0);
    ini_set('log_errors', 1);
    ini_set('error_log', '/var/log/site_errors.log');
  • Delete test pages (info.php, test.html) and default server pages.


17. Protect sensitive data & encryption

WordPress

  • In wp-config.php, use strong salts:
    Refresh at https://api.wordpress.org/secret-key/1.1/salt/

  • Move wp-config.php one directory up from /public_html/.

  • Use free plugin “Really Simple SSL (Free)” → auto-forces HTTPS on admin and cookies.

  • For database encryption (at-rest): host-level AES encryption or use free BitLocker (Windows) / LUKS (Linux) on server disk.

Shopify

  • All data stored by Shopify is encrypted at rest + in transit.

  • Avoid saving customer data in custom JS; rely on built-in metafields.

  • Disable “Storefront API” write permissions for public tokens.

Static HTML

  • Use Let’s Encrypt TLS (already set earlier).

  • If storing data (contact forms):

    $iv = random_bytes(openssl_cipher_iv_length('AES-256-CBC')); // fresh random IV per message; store it alongside the ciphertext
    $ciphertext = openssl_encrypt($message, 'AES-256-CBC', getenv('KEY'), 0, $iv);
  • Never store secrets in JS or Git; use .env files:

    DB_PASS=securepassword

    and load server-side.


18. Enable security logging & monitoring

WordPress

  • Install “WP Activity Log (free)” → tracks login, plugin/theme edits, file changes.

  • Log to file:

    // Only honoured while WP_DEBUG is true; this file receives PHP errors, not the plugin's activity events.
    define('WP_DEBUG_LOG', '/var/log/wp_security.log');
  • Set file perms:

    chmod 600 /var/log/wp_security.log
  • Review via Tools → Activity Log Viewer.

Shopify

  • View Settings → Plan → View your activity → shows admin events.

  • Use free Shopify Flow (if available on your plan) → log changes in Orders/Products/Customers.

  • Export logs weekly as CSV for archival.

Static HTML

  • Apache/Nginx logs:

    sudo tail -f /var/log/apache2/access.log /var/log/apache2/error.log
  • Fail2ban (free):

    sudo apt install fail2ban
    sudo systemctl enable fail2ban

    → auto-bans brute-force IPs.

  • Cloudflare → Security → Events: monitor blocked WAF requests (download CSVs weekly).
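
An added example (not code from the original article) that turns the "watch the access log" step into a check: it counts failed login POSTs per client IP over constructed Apache log lines and flags any IP at or above a fail2ban-style maxretry threshold. Field positions assume Apache's default combined log format; the IPs and timestamps are made up.

```shell
#!/bin/sh
# Constructed Apache "combined" access-log sample (not from a real server): one client
# hammering wp-login.php, an ordinary visitor who logs in once, and one xmlrpc.php probe.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "curl/8.0"
198.51.100.4 - - [10/Mar/2024:12:00:06 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"'

# failed_logins_per_ip: count failed login attempts per client IP from log lines on stdin.
# A failed wp-login.php POST re-renders the form with HTTP 200, while a successful one
# redirects with 302, so only status 200 is counted. POSTs to xmlrpc.php are counted too,
# because credential guessing often goes through it instead of the login form.
# Output: "count ip" per line, highest count first.
failed_logins_per_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ && $9 == 200 { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# offenders MAXRETRY: IPs with at least MAXRETRY failures (the same idea as fail2ban's
# maxretry setting), printed one per line.
offenders() {
  failed_logins_per_ip | awk -v max="$1" '$1 >= max { print $2 }'
}

# Usage: printf '%s\n' "$SAMPLE_LOG" | offenders 5      (prints 203.0.113.7)
# On a live server: offenders 5 < /var/log/apache2/access.log
```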


19. Secure credentials & remove secrets from code

WordPress

  • Move DB credentials to env vars (Apache example):
    Add in .htaccess (above WordPress rules):

    SetEnv DB_USER wpuser
    SetEnv DB_PASSWORD strongpass

    Then in wp-config.php:

    define('DB_USER', getenv('DB_USER'));
    define('DB_PASSWORD', getenv('DB_PASSWORD'));
  • Delete any hard-coded API keys.

  • Use plugin “Secret Key Manager (free)” or .env + vlucas/phpdotenv.
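
Added example, not code from the article: a small shell audit that reads wp-config.php and reports the section 16 debug and file-edit constants that are not set as prescribed, plus any database credential still stored as a quoted literal instead of getenv(), as section 19 requires. The sample config and its values are constructed.

```shell
#!/bin/sh
# Constructed wp-config.php fragment (not from a real site): debugging left on and the
# database password hard-coded, the two mistakes sections 16 and 19 tell you to remove.
SAMPLE_WP_CONFIG="define('WP_DEBUG', true);
define('WP_DEBUG_DISPLAY', true);
define('DISALLOW_FILE_EDIT', true);
define('DB_USER', getenv('DB_USER'));
define('DB_PASSWORD', 'strongpass');"

# const_value NAME: print the second argument of define('NAME', ...) from stdin, or nothing.
const_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*'$1'[[:space:]]*,[[:space:]]*\(.*\));[[:space:]]*$/\1/p"
}

# audit_wp_config: read wp-config.php on stdin and print one FAIL line per problem.
# Every constant from section 16 must be defined explicitly with the expected value,
# and the database credentials must come from getenv() rather than a quoted literal.
audit_wp_config() {
  cfg=$(cat)
  for pair in WP_DEBUG=false WP_DEBUG_DISPLAY=false WP_DEBUG_LOG=false DISALLOW_FILE_EDIT=true; do
    name=${pair%%=*}
    want=${pair#*=}
    got=$(printf '%s\n' "$cfg" | const_value "$name")
    [ "$got" = "$want" ] || echo "FAIL $name: want $want, got ${got:-<not defined>}"
  done
  for name in DB_USER DB_PASSWORD; do
    case "$(printf '%s\n' "$cfg" | const_value "$name")" in
      getenv*) ;;
      *) echo "FAIL $name: hard-coded literal; load it with getenv() instead" ;;
    esac
  done
}

# Usage: printf '%s\n' "$SAMPLE_WP_CONFIG" | audit_wp_config
# On a live install: audit_wp_config < /path/to/wp-config.php
```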

Shopify

  • Manage private app tokens via Settings → Apps → Develop Apps → rotate every 90 days.

  • Don’t store tokens inside theme JS or Liquid; use server-side proxy or environment variable.

Static HTML

  • If you have a config.js, replace secrets with placeholders and load them server-side.

  • Protect .env files:

    <Files ".env">
    Require all denied
    </Files>
  • Rotate SSH keys and API keys regularly.


20. Harden server-side configuration

WordPress

  • Disable dangerous PHP functions in php.ini:

    disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
  • Enforce firewall: use Cloudflare Free WAF or UFW (Linux):

    sudo ufw default deny incoming
    sudo ufw allow 443,80/tcp
    sudo ufw enable
  • Use Free SSL Labs scan (https://www.ssllabs.com/ssltest/) → aim for grade A.

Shopify

  • Shopify manages the stack; your job is to keep apps minimal and theme secure.

  • Review Content Security Policy meta and block third-party scripts.

  • Restrict admin IP (if on Shopify Plus) or via Cloudflare → Firewall → “Allow only your IP”.

Static HTML

  • Apache:

    ServerSignature Off
    ServerTokens Prod
    TraceEnable Off
    FileETag None
  • Nginx:

    server_tokens off;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
  • Confirm hardened permissions:

    chmod -R o-rwx /var/www/html
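
Added example, not from the article: shell functions that list what is still readable, writable or executable by "other" before and after the chmod above, and that spot files whose group is not the web server's group, since those would start returning 403 once the "other" bits are gone. The demo tree and the www-data default are assumptions.

```shell
#!/bin/sh
# Assumes the web server runs as the group in WEB_GROUP (www-data on Debian/Ubuntu,
# apache on RHEL); override it in the environment if yours differs.
WEB_GROUP="${WEB_GROUP:-www-data}"

# world_exposed DIR: every path under DIR that still carries any r, w or x bit for "other".
# Empty output means the page's `chmod -R o-rwx` has nothing left to do.
world_exposed() {
  find "$1" -perm /o=rwx | sort
}

# wrong_group DIR: paths not owned by WEB_GROUP. Once the "other" bits are removed the
# server can reach a file only through its group, so anything listed here would start
# returning 403. Fix with: chown -R youruser:"$WEB_GROUP" DIR   (before running harden).
wrong_group() {
  find "$1" ! -group "$WEB_GROUP" | sort
}

# harden DIR: apply the page's fix, then verify; returns non-zero if something is still exposed.
harden() {
  chmod -R o-rwx "$1" && [ -z "$(world_exposed "$1")" ]
}

# make_demo_tree: build a constructed web root in a temp directory (not real site content):
# a world-readable page, a world-writable .env and a 777 uploads directory. Prints the path.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir "$d/uploads"
  printf '<h1>hello</h1>\n' > "$d/index.html"
  printf 'DB_PASS=placeholder\n' > "$d/.env"
  chmod 644 "$d/index.html"
  chmod 666 "$d/.env"
  chmod 777 "$d/uploads"
  echo "$d"
}

# Usage: D=$(make_demo_tree); world_exposed "$D"; harden "$D" && echo clean; rm -rf "$D"
```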
