How to secure a website for free (& paid site protection upgrades)

Sean LeSuer
May 03, 2022 · 22 min read

Once every 39 seconds, someone somewhere around the globe will fall victim to a successful hack. Depending on how fast you read this article, around 34 hacks will have been pulled off without a hitch. There’s a growing concern about how to secure a website in this day and age and nobody is exempt. We’d be remiss to downplay the gravity of this very serious problem and it’s only gaining more steam.

We’ll be exploring some options to help you batten down the hatches before someone pirates your ship. Some are free; some are paid. But the fact remains — doing nothing leaves you incredibly vulnerable because it can happen to anyone. It could be happening to you right now.

How confident are you with your bank password these days?

Do we have your attention?

What is site security & why is website security essential?

Hypertext Transfer Protocol Secure, or HTTPS in your browser’s URL bar, is the internet protocol that protects data transmission between your site and the user’s device. More acronyms, yay! This very powerful "S", for security, is absolutely essential because we live in a time in polite society where there are threats around every corner. With more places and ways than ever for those threats to play out in reality, it isn’t so much an "if" but a "when."

When this happens to you, will you be ready?

There’s a saying — if it can go online, it can be hacked. Security isn’t a courtesy or a convenience feature anymore. Security is an expectation. As it should be. But it’s twofold; while you’re protecting your data from being altered, destroyed, stolen, blocked and ransomed, you’re also protecting your customers and their personal data transmissions.

Website owners and those who use these internet products both need to be proactive in fighting against this. It isn’t one side’s responsibility more than the other. Don’t know how to do all this yourself? Most people don’t. Luckily some apps do this stuff for you with a few clicks and it’s super easy. Others take more finessing.

One page website vs multiple pages? App? Intranet? Doesn’t matter. Security is security and it’s essential.

The benefits of a solid website security plan

There’s an endless list of benefits to having solid website security plans in place, but we’ve chosen a few big items. The most obvious is protecting sensitive data and valuable assets from ending up in the wrong hands. Hackers can "earn" a lot of money by selling off sensitive information to the highest bidders in the deepest bowels of the dark web. Medical record safety, public utility operation, financial information, and much more — can all be compromised and brought to their knees in the blink of an eye.

We rely so heavily on these data systems and operations running smoothly and without compromise. There’s a key phrase; "we rely so heavily…." For this reason, maintaining effective, defensive, and proactive security measures is crucial to never knowing the panic, stress and chaos that comes with losing these systems.

We tend to quickly forget how convenient life has become and how used to it we are now. For example, imagine not having your banking app. Do you know the phone number to your bank’s automated info line? Do you use a cloud-based password manager? How trusting are you of what’s in your phone’s camera roll if you didn’t have some form of security? Keep going through the Rolodex of everyday conveniences we all cosign to the internet without a second thought and you’ll soon realize the scope of the potential issues.

What can go wrong if you don’t follow website security best practices?

The short answer: all hell breaks loose. The deeper we get into advanced systems running our day-to-day lives — websites we use, IoT devices, mobile devices, more passwords, etc. — and the more we rely on these things, the greater the risk that something can go wrong. Oddly enough, the best description of this issue comes from a quote from one of the "bad guys" on Fox’s hit TV series Bones:

The giant flaw in our system. Trying to make the system secure, we make it more complex. But the more complex we make it, the more insecure we actually are.

Scary stuff. Use this as a motivator for eliminating the immediate vulnerabilities around you.

Without proper security, many things can go wrong. Let’s take the above example about your bank’s app, website, and phone number. This affects the bank and its customers, so it’s a great example. We’ll start with a simple Google search of your bank. Sadly, someone’s changed the listing slightly, but it isn’t plainly obvious, and there’s the phone number. You think it looks accurate and assume that it’s ok. Calls are now rerouting to another number, and it sounds just like your actual bank’s automated phone tree.

Next, you’re entering in account numbers to what you think is your bank’s automated line (they’ve tossed in some "press pound" prompts to make it sound more legit) with nary a second thought about it.

Finally, you notice an email from your bank about a weird debit charge you don’t recognize. They offer a link to click to resolve the matter. The domain name looks pretty much like your bank, but you weren’t paying attention and you missed the one tiny letter they swapped out that now directs you to their site that looks just like your bank. One single character swapped for a similar-looking one has now changed the path you took in a split second. You type in your login credentials and voilà, now your login info for your actual account is visible to God only knows who. Your credit cards, debit cards, account numbers and maybe even your social security number — all free today!
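The one-swapped-character domain described above is something a mail filter or help desk tool can check for. The following is an added example, not code from the original article: it compares a link's hostname against an allow-list and flags confusable characters and single-character changes. The domain `examplebank.com`, the character map and all function names are constructed for illustration, and the map covers only a small subset of real confusables.

```python
import unicodedata

# Constructed allow-list: the real domains a user or help desk already trusts.
TRUSTED_DOMAINS = ["examplebank.com"]

# Hand-picked confusable characters (a small illustrative subset, not exhaustive).
CONFUSABLE_CHARS = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0456": "i",   # Cyrillic er, es, i
}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w"}          # letter pairs that read as one


def normalize(host):
    """Lower-case, drop a trailing dot, and decode punycode (xn--) labels."""
    labels = []
    for label in host.strip().lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # leave undecodable labels as they are
        labels.append(label)
    return ".".join(labels)


def skeleton(name):
    """Fold look-alike characters so visually similar names compare equal."""
    name = unicodedata.normalize("NFKC", name)
    folded = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in name)
    for pair, single in CONFUSABLE_PAIRS.items():
        folded = folded.replace(pair, single)
    return folded


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain) for a hostname taken from a link."""
    host = normalize(host)
    for good in trusted:
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    for good in trusted:
        # Compare only as many trailing labels as the trusted name has,
        # so "login.examp1ebank.com" is judged as "examp1ebank.com".
        depth = good.count(".") + 1
        candidate = ".".join(host.split(".")[-depth:])
        if skeleton(candidate) == skeleton(good):
            return ("lookalike-confusable", good)
        if edit_distance(candidate, good) == 1:
            return ("lookalike-one-char", good)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ["www.examplebank.com", "examp1ebank.com",
                   "login.examplebamk.com", "example.org"]:
        print(sample, "->", classify(sample))
```

A verdict of `unknown` only means the name is not close to anything on the allow-list; it says nothing about whether the site is safe.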

This is just the first part of your day-gone-wrong when cybersecurity practices aren’t followed. Your computer and address bar have already taken you for a rough ride — and it’s only the morning. At this rate, by lunch, nothing’s going to be private. Who’s up for some shopping? "Steve’s" credit card is paying.

There are many issues customers can face directly, but the problem is a shared one. Your website getting hacked isn’t just your problem; it’s theirs too. This can include ransoms for data with complete takeovers, being shut down entirely, redirecting traffic away from the real things, and private customer data being stolen. This happens all too often; you see headlines like "[company name] experiences massive data breach affecting 10 million customers."

Web security basics: here’s how to secure a website for free

When researching how to design a website, one thing is a constant: the need for security. Cybersecurity comes in two flavors: free and paid. It just depends on your needs. If you’re wondering how to secure your website for free, you’re in luck: the basics of web security are typically free. And it’s not because they’re ineffective, but because it isn’t a service (SaaS) or even a human doing the work. It’s just a one-time action that can be taken at no cost.

Here are the basic website security steps that any site can take without spending money (aside from obvious hosting provider costs). Your website information architecture can and should be built with some of these options in mind.

  • SSL certificate
  • DoS/DDoS mitigation
  • Backups
  • Updates
  • Web application firewall

1. SSL certificate

This option can be free or paid and is a quick and simple way to add some security that’s visible to your customers. SSL stands for Secure Sockets Layer. The free ones are good but depending on what activities take place on your site, a more advanced/paid version may be necessary. This tool is one of the easier but more effective basics of web security. eCommerce is an excellent example of where the more advanced and paid version is the go-to. Data encryption from server to end-user is the big draw, and it can be done super easily — even the free one.

Take a look at the URL/search bar in this browser window. You may see "HTTPS", note the added 'S'. That part of the URL may be hidden for convenience by your browser (double click the URL to see the full URL). You’ll likely also see a lock symbol. If you click on that while using Slickplan in Chrome, a menu drops down, and you can then click “connection is secure,” which takes you to our SSL certification.

How do I make my website secure using an SSL certificate?

Sticking to the theme of free, two options stand out. Let’s Encrypt is a great way to do this for free if you’re willing to do it yourself. If you click the link and expect a "signup" or some sort of call to action to begin a walk-through process, you’ll be disappointed. It’s a bit more involved. Think of that lack of a walk-through as saving yourself time and frustration though and consider the next option.

Option two: check with your host provider. If you’re making a WordPress site, for example, A2 Hosting can provide you with an SSL certificate for free on any one of their paid service plans. Other solutions below may include free certificates.

2. DoS/DDoS mitigation

Short for Denial of Service, DoS in basic terms, is when a server, network, or other target is bombarded with traffic with the goal of exhausting resources and infrastructure. This takes away from legitimate traffic conducting everyday business and causes a major headache in the process.

There are many different types of DoS attacks — DDoS (Distributed Denial of Service) is mostly the same but uses two or more computers to do the work, hence "distributed". Other attacks include Permanent Denial-of-Service (PDoS), the yo-yo attack for cloud-hosted apps using autoscaling, the Internet Control Message Protocol (ICMP) flood, and many more. They're all variations on the same theme, and the names definitely get… let’s say… "creative", e.g., R-U-Dead-Yet? and SACK Panic.

How to protect your website from hackers and other malicious attacks using DDoS mitigation

The quick and easy solution for mitigating those pesky DDoS attacks is finding a service that matches your needs (like using a WordPress website or services like Shopify that have protections for ecommerce, etc.). Cloudflare is an option that offers a free tier of service and even includes an SSL certificate. There are paid tiers, but this is a viable option if you’re just getting started or your budget is smaller.

3. Keep a backup copy of your site

You can probably guess this doesn’t stop attacks from happening to your site, but why is it on the list? Simple. Remember when we said it’s a matter of when not if your security will be tested by someone with an agenda? That doesn’t necessarily mean they’re going to come and destroy everything. But they could — or they could alter it or just disappear it entirely.

Having a backup copy at the very least gives you the peace of mind that if something happens that can’t easily be fixed, you have a fresh copy that works the way it was intended. You’re not starting from scratch trying to rebuild. There are plenty of security plugins and content management systems with options built-in that’ll even do automatic backups. But if you’re concerned about it being stored online, make a copy and store it on a flash drive. However, you won’t be doing yourself any favors if you don’t keep that physical copy up to date as changes are made. If version 20 gets hacked and taken down and you only have a backup of version 16, it brings new meaning to WYSIWYG. This is one of the basic website security steps you can take with little to no effort.
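The "version 20 live, version 16 on the flash drive" problem can be measured rather than guessed at. The following is an added example, not code from the original article: it hashes every file in the live site directory and in a tar backup and reports what has drifted. The function names, file names and the demo site are constructed for illustration.

```python
import hashlib
import os
import tarfile
import tempfile


def site_hashes(root):
    """Map relative path -> SHA-256 for every file under the live site directory."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def backup_hashes(archive_path):
    """Map relative path -> SHA-256 for every regular file inside a tar backup."""
    hashes = {}
    with tarfile.open(archive_path, "r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name
            if name.startswith("./"):      # strip only the prefix, so ".htaccess" survives
                name = name[2:]
            data = tar.extractfile(member).read()
            hashes[name] = hashlib.sha256(data).hexdigest()
    return hashes


def backup_drift(site_root, archive_path):
    """Report how far the live site has moved away from the backup."""
    live, saved = site_hashes(site_root), backup_hashes(archive_path)
    return {
        "changed": sorted(p for p in live if p in saved and live[p] != saved[p]),
        "missing_from_backup": sorted(set(live) - set(saved)),
        "only_in_backup": sorted(set(saved) - set(live)),
    }


def make_backup(site_root, archive_path):
    """Write the whole site directory into a gzip-compressed tar archive."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(site_root, arcname=".")


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: back up a site, keep editing it, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "site")
        _write(site, "index.html", "<h1>version 16</h1>")
        _write(site, "css/main.css", "body { margin: 0 }")
        _write(site, ".htaccess", "Options -Indexes")
        archive = os.path.join(tmp, "backup.tar.gz")   # stored outside the site tree
        make_backup(site, archive)
        # Edits made after the backup was taken.
        _write(site, "index.html", "<h1>version 20</h1>")
        _write(site, "pricing.html", "<h1>Pricing</h1>")
        os.remove(os.path.join(site, "css", "main.css"))
        return backup_drift(site, archive)


if __name__ == "__main__":
    print(demo())
```

An empty report means the backup matches the live site; after an incident, the same comparison against a known-good backup shows which files were altered, added or removed.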

How do I secure my website using backups?

The options for backing up are abundant. As mentioned, many host sites offer built-in options, so check with whatever platform you’re using now as you may already have an option ready to go. Often, they’ll include an option to export a copy from the web server for the flash drive if you choose to go that route.

Think of this not as protecting your site’s security but as safeguarding your investment. If things go south, you’re prepared to quickly get it back to normal.

4. Keep things updated

This is so incredibly simple, but for some reason, people hate updates. They’re not there just for doling out new gimmicks on your iPhone or computer. Updates carry new security patches and ways the system can take care of itself and fight off people exploiting vulnerabilities. Many headaches could be avoided with just routine updates. WordPress specifically, with it being so open-ended, requires things to be updated manually; the site software itself and the plugins. This is such an important thing to keep track of and stay on top of, and yet it’s overlooked a lot.

How to secure your website using updates

Updates, for the most part, are free. It’s rare to find an update that’s paid unless you’re using a product or service with a one-time fee for a specific set of services or product access time. Things like hosting services and the like are usually monthly or annual charges, so they’ll always include updates. It’ll depend on what platform you’re working on, but updates are typically not hard to find. They want you to use these tools. It only makes them look better and it’s less work for them later when things don’t get hacked because you chose to stay updated.

5. Web application firewall

This option includes paid and free tiers but is definitely worth looking into for just about anybody. Cloudflare describes a web application firewall, or WAF, as the following:

A WAF or web application firewall helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others.

To put into perspective how often this kind of thing happens, Amazon Web Services (AWS) offers a free tier to mitigate against the first 10,000 attempts. Yes. 10,000. Free tier. So you can imagine the issue must be pretty dramatic if that kind of number falls under the "no sweat" category.

How to make your site secure against attacks using WAF

Host-based and cloud-based are the two less expensive and potentially free options. Network-based, while it is local and does experience less latency, does tend to cost more to deploy and manage, so if you’re trying to cut costs or go for free, this isn’t the one. You can check with your hosting plan provider for available options and other cloud-based services, including AWS.

How to make your website secure using paid methods

You may be asking how do you make your website secure when there seem to be problems around every corner? You use your resources. There’s something for everything out there. As we like to say, if you can’t find something, you probably aren’t looking. We’ve given you more than a couple of options to easily add layers of security to your website, but those are just the free ones. Like most things in life, you get what you pay for and what you don’t. They’re not bad options but paid always has its advantages. Solutions include:

  • Vulnerability scanner
  • Human intervention
  • Sandboxing
  • Security software that includes a backup plan
  • Use a secure website builder

1. Vulnerability scanner

There are tons of scanners out there that track every detail of security for your site, constantly evaluating flaws in the system and identifying them to be taken care of immediately. They vary in what they look for and report, so it’ll depend on your needs.

How to secure my website using a vulnerability scanner

This one’s pretty self-explanatory in terms of including this feature. Take into account your website’s needs and what it’s used for, search for a vulnerability scanner and testing software, match it to your needs, and tada, Bob’s your uncle. Implementation will be specific to your chosen tool, and setup difficulty will likely be explained in the feature tour before you pay. Most of them have free trials to get the ball rolling.

2. Human intervention

As wonderful as automated systems can be at finding things humans can miss, humans also have a touch that computers and AI just can’t manage. Having IT professionals, developers, back-end folks, whatever you want to call them, will always be en vogue. Your site might be finished and online doing business, but the work is never done. Having people actively monitoring threats and correcting issues in real-time is invaluable. It’s worth whatever the cost to keep your site safe and operational. Bots be warned!

How do you secure a website using human intervention?

The people that helped get your website off the ground should be your first choice. They know the site better than anyone, so they don’t need training again. That means spending less money. At some point, you may begin receiving bug bounty offers via email after you launch — not always the best option, but the legit ones are great at what they do. However, there’s a right way to hire an ethical, or white-hat, hacker.

Plenty of sites and services offer access to trusted sources to help with these things. In addition, there are tons of options for adding a human touch to your site’s security. While this may be a higher cost option, getting a text at 3 in the morning from your security advisor that an attempt was made to access confidential data but that the issue has been resolved and logged is a lot more reassuring than getting an email the following day about a problem that might still be happening.

3. Sandboxing

A brilliant option with a clever name to boot. You’ve probably heard sandbox mode, maybe in SIMS or every version of Roller Coaster Tycoon. An open ticket to mess around and run amuck. But how does that apply to a website? Sandboxing allows you to section off part of a system to mimic the actual site to basically test fire malicious code and all sorts of creepy crawlies to see how it reacts — without compromising the real thing.

This is extremely useful because you can see firsthand what’ll happen to your product. It might defeat the threat, it might fail, but you’ll know why and won’t be risking the live version in the process. Workshopping this on a dummy version is beneficial because with some things you just can’t afford to have even the test go badly. It could mean catastrophic results. Imagine something going wrong while testing the software for a large dam that protects a town downstream from devastating flooding.

How to protect a website from hackers and malicious code with sandboxing

Advanced malware detection is a simple yet effective way to keep things running smoothly. There are apps and cloud-based services such as Forcepoint that offer these tools. It’s a full-service option and well worth the money. There are other options, and of course, it depends on the scale and needs of your site.

4. Security software with backup plans

Like a vulnerability scanner, software services like Sucuri can monitor and mitigate attacks and resolve problems quickly and efficiently. They take it a step further by adding solutions for sites that have already been hacked and need help getting things back together.

How to secure your site’s data using software as a backup plan

Sucuri offers immediate assistance in situations that have already gone south. Setting up a service like this beforehand is always recommended and they have all the tools one could hope for, but their real party piece is getting sites out of hot water. So yes, this is a good option in the paid category for prevention but if you didn’t have it already, it’s a great backup plan.

5. Use a secure website builder

If you’re in the process of building a brand new site and are looking to bake in security features right off the bat, using a secure and trusted builder is the way to go. For instance, if you’re building a storefront and plan on having ecommerce functions, using a builder such as Shopify or Squarespace is a great way to beat the baddies to the punch. These services offer tools and built-in security from the moment you start, leaving absolutely no room for error or the chance of going live without a safety net or shield.

How to build a secure site with a website builder

Since every site is different in terms of functionality and scope of abilities, selecting a builder is really down to asking what your needs are. If you’re looking for options, we come bearing gifts; a handy list of website builders we like most and all the facts to choose what’s right for your project. Getting started is easy once you’ve decided what you need and many offer step-by-step assistance along the way. Security features are abundant in all tiers of service and even more specialized options can be added as needed.

How to get a secure website built for you

Building a secure web design can be a real pain, especially when you add in the security considerations that need to be made on top of the design, UX, content choices and beyond. Outsourcing to the pros allows you to focus on other aspects of your business — your actual bread and butter — while saving your sanity in the process. We’ve hand-selected a few web design agencies that we personally dig and who can handle projects of any size and scope:

Groundwrk

Located in the Mile High City of Denver, Colorado, Groundwrk specializes in bespoke, handmade websites for existing brands and startups alike. Additionally, they offer support services for when "stuff happens." A great option for businesses of any and all sizes.


Marstudio

Out of Rockville, Maryland, this marketing heavyweight comes equipped with an arsenal of options, including print, digital, and other visual media. Web design being one of their areas, they offer services for clients of any size, with lots of options as they grow.


Accomplish Agency

The fine folks at Accomplish Agency, hailing from Boston, Massachusetts, offer services in a wide range of modern options. Web design is just the tip of the iceberg. WordPress, Drupal, Apple Services, Salesforce, Mailchimp, Shopify — just to name a few.


Epicosity

Epicosity has a theory that doesn’t skip right to the end result. Instead, they follow what they call the five Ds. Discover, define, develop, do and deliver. They focus on brand strategy in an SEO-heavy world, straight out of Sioux Falls, South Dakota.


BIG (Brand Innovation Group)

Our friends from Fort Wayne, Indiana, at BIG, or Brand Innovation Group, are self-proclaimed brand nerds. Offering services in just about every flavor of internet; a list too long for this but seemingly capable of handling any project thrown their way.


Actualize Studio

Also out of Rockville, Maryland, Actualize Studio (AS Creative services) specializes in web services for small and medium-sized businesses, construction and real estate as well as non-profit organizations. Although focused mainly on design and development, they offer a wide range of services.


How to make sure a website is secure

Making sure your website is secure should be a top priority. While there are, in fact, many top priorities in website planning, security really does need a lot of attention. A website security review can be done manually or with the ocean of apps and services out there. The options are there and it can be done for a cost or for free, depending on your budget. So there’s really no excuse to let it slide. The damage that could happen isn’t worth saving a little money or time on skimping.

Take into account your needs, your site’s functionality, your clientele, whether it’s eComm or not, and any other factors that define your site, then match it up to what’s available. Take advantage of the resources.

Our conclusion on website protection methods

Site security is really easy to tackle if you know what needs to be tackled. We’ve gone over some free and paid options available, but there are plenty more where these came from. You’ll notice we mentioned having to match up your needs with what’s offered quite a few times. We played that on repeat because it’s essential. Using the wrong thing for the right reason won’t get the job done correctly, wasting time and money in the process.

Some options are too large for small business needs and, conversely, some options will be too small scale for larger operations. Take our word for it; the dangers are out there and going without proper security can quickly turn into a mess. Do yourself and your customers a favor and get it right the first time. Be prepared!

FAQs

  • What does a website need to be secure?

    What makes a website secure, at the very least, is using HTTPS (remember, the "S" here means secure) via SSL certification. This makes your site secure and shows your users their data is being cared for. Luckily for all, this level of security is obtainable for free.
  • How do you ensure a secure connection to a website?

    Making sure data transmissions are properly encrypted is the most direct way to ensure that connections to a website are secure. There are a few ways to handle that, both free and paid, and it's an easy way to provide peace of mind to users.
  • What is external website security?

    External website security is the steps taken to collectively secure your site from outside security risks. Everything to keep the outside on the outside. This is opposed to internal security issues. External can include SQL injection and phishing attacks. It's another name for the attacks we've discussed here.
Written by Sean LeSuer

Sean is a Slickplan customer support specialist, social media manager, newly minted blogger and part-time trouble-maker at Slickplan. He enjoys all things Apple, loud music and anything electronic. He also likes Piña coladas and getting caught in the rain.