LochStudios  /  Help Centre  /  Security  /  Keep your website secure (updates, backups, least privilege)

Keep your website secure (updates, backups, least privilege)

Essential practices to protect your website from attacks: keep software updated, maintain backups, and limit unnecessary access.


Website security isn't a one-time setup—it's an ongoing practice. The three pillars are keeping software updated, backing up regularly, and controlling who has access. Together, they protect you from most common attacks and ensure you can recover quickly if something does go wrong.

1. Keep software updated

Attackers look for known vulnerabilities in outdated software. Once a vendor publishes a fix, the vulnerability is public knowledge, and exploitation of installations that have not applied it often follows within days. Applying updates closes these holes before that happens.

What needs updating:

  • Your CMS or web application (WordPress, Drupal, custom code, etc.)
  • Plugins, themes and extensions – Prime targets: they are numerous, often overlooked, and any one of them with a known vulnerability exposes the whole site
  • Web server software (Apache, Nginx)
  • Server operating system (Linux, Windows)
  • Database software (MySQL, PostgreSQL)

How to stay on top of updates:

  • Enable automatic updates if your hosting provider offers them (especially for security patches)
  • Check for updates weekly if automatic updates aren't available
  • Test updates on a staging environment first if you run custom code
  • Subscribe to security mailing lists for your CMS or framework
  • Remove or update any unmaintained plugins – If the developer has abandoned a plugin, replace it or remove it

Red flag: An outdated WordPress installation is a common entry point for attackers. If you use WordPress, update it and all plugins as soon as security patches are released.
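The weekly check in the list above can be scripted. The following is an added example written for this article, not tooling from LochStudios or from WordPress: it reads the CSV that `wp plugin list --format=csv` (wp-cli) prints, with the assumed column order name,status,update,version, and reports the two things the section asks for, plugins with a pending update and inactive plugins that should be removed rather than left on disk. The CSV embedded in the script is constructed sample data; the web root path in run_weekly_check is also an assumption.

```shell
#!/bin/sh
# Added example (not LochStudios' or wp-cli's own code): weekly WordPress
# plugin audit over `wp plugin list --format=csv` output.
# Assumed columns: name,status,update,version. Sample data is constructed.
set -eu

SAMPLE_PLUGIN_CSV='name,status,update,version
akismet,active,none,5.3
contact-form,active,available,2.1.0
old-gallery,inactive,none,1.4.2
seo-helper,active,available,3.0.1
backup-tool,inactive,available,0.9'

# Plugins with an update available, one per line: "name current_version".
plugins_needing_update() {
  # tail -n +2 drops the CSV header; awk keeps rows whose update column says "available"
  tail -n +2 | awk -F, '$3 == "available" { print $1, $4 }'
}

# Inactive plugins. Deactivated code is still on disk and its files are still
# reachable by URL, so it is still attack surface: remove it or keep it current.
inactive_plugins() {
  tail -n +2 | awk -F, '$2 == "inactive" { print $1 }'
}

# Print both reports; exit 1 when anything needs attention so a cron job can alert.
report() {
  csv="$(cat)"
  updates="$(printf '%s\n' "$csv" | plugins_needing_update)"
  inactive="$(printf '%s\n' "$csv" | inactive_plugins)"
  status=0
  if [ -n "$updates" ]; then
    echo "Plugins with updates available (apply now):"
    printf '  %s\n' "$updates"
    status=1
  fi
  if [ -n "$inactive" ]; then
    echo "Inactive plugins (remove unless needed):"
    printf '  %s\n' "$inactive"
    status=1
  fi
  return $status
}

# What the weekly cron job would run on the server (path is an assumption).
# `wp core check-update` covers WordPress itself the same way.
run_weekly_check() {
  wp --path="${WP_PATH:-/var/www/public_html}" plugin list --format=csv | report
}

# Run against the constructed sample: ./plugin-audit.sh demo
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_PLUGIN_CSV" | report
fi
```

Schedule it weekly (or daily) from cron and send the output to whoever applies updates; a non-zero exit status is the signal that something is waiting.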

2. Maintain regular backups

A backup is your insurance policy. If you're hacked, infected with malware, or make a catastrophic mistake, a clean backup lets you restore your site quickly and minimize damage.

Backup best practices:

  • Back up daily (or at least weekly) – The more recent your backup, the less data you lose
  • Store backups off-site – Don't keep them only on your web server. An attacker who has taken over the server can delete or encrypt anything stored there, and can do the same to any remote store the server's own credentials are allowed to delete from; the off-site copy should be one the server can write to but not remove
  • Test restores – A backup is only useful if you know it works; test recovery quarterly by restoring into a staging copy, not just by checking that the backup files exist
  • Keep multiple versions – A compromise is often noticed weeks after it happened, so the newest backup may already contain the attacker's changes. Maintain at least the last 2 weeks of daily backups (and, if you can, a few older weekly copies) so you can roll back to a version from before the intrusion
  • Back up both files and database – Your content lives in the database; uploads, themes, plugins and configuration live in the files. A restore needs both, taken at the same time so they match
  • Automate backups – Manual backups are often forgotten; use your hosting provider's backup tools or a third-party service

Who handles this:

  • If your hosting provider offers managed backups, enable and test them
  • If you manage backups yourself, use backup plugins (for CMS platforms) or your control panel's backup feature
  • Consider cloud backup services that sync and store versions automatically
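For anyone running their own backups from the command line, the practices above come together in a job like the following. It is an added example for this article, not a LochStudios tool: it dumps the database and archives the site files, verifies both before trusting them, writes checksums, copies the set off-site, and prunes the local history to a fixed number of daily sets. The web root, database name, backup directory and off-site target are assumptions; change them for your host.

```shell
#!/bin/sh
# Added example (not LochStudios' tooling): nightly site backup implementing
# the practices in the article. All paths and names below are assumptions.
set -eu

SITE_DIR="${SITE_DIR:-/var/www/public_html}"     # assumed web root
DB_NAME="${DB_NAME:-site_db}"                     # assumed database name
BACKUP_DIR="${BACKUP_DIR:-/var/backups/site}"     # local staging directory
OFFSITE="${OFFSITE:-backup@offsite.example.com:/srv/backups/site/}"  # assumed remote
KEEP_DAILY="${KEEP_DAILY:-14}"                    # the article's two weeks of dailies

# Database dump. Credentials come from the backup user's ~/.my.cnf, not the
# command line, where they would be visible in `ps` output and shell history.
dump_database() {
  mysqldump --single-transaction --routines --triggers "$DB_NAME" | gzip -9 > "$1"
}

# Site files. Uploads are the part you cannot reinstall from a package.
archive_files() {
  tar -C "$(dirname "$SITE_DIR")" -czf "$1" "$(basename "$SITE_DIR")"
}

# Nightly sanity checks (the quarterly test is a full restore into staging):
# the archive must list cleanly, and the dump must decompress and end with
# mysqldump's "-- Dump completed" trailer, which a truncated dump lacks.
verify_archive() { tar -tzf "$1" > /dev/null; }
verify_dump() {
  gzip -t "$1" && gzip -dc "$1" | tail -n 1 | grep -q '^-- Dump completed'
}

# Keep the newest $2 sets in $1 and delete the rest. File names carry an ISO
# date (db-2024-05-01.sql.gz), so a plain reverse sort is newest-first.
prune_backups() {
  dir="$1"; keep="$2"
  for prefix in db files checksums; do
    find "$dir" -maxdepth 1 -name "$prefix-*" | sort -r | tail -n +"$((keep + 1))" |
      while IFS= read -r old; do rm -f "$old"; done
  done
}

run_backup() {
  stamp="$(date +%F)"
  mkdir -p "$BACKUP_DIR"
  db="$BACKUP_DIR/db-$stamp.sql.gz"
  files="$BACKUP_DIR/files-$stamp.tar.gz"
  dump_database "$db"
  archive_files "$files"
  verify_dump "$db"
  verify_archive "$files"
  # Checksums travel with the set so the off-site copy can be verified there
  # too (sha256sum -c checksums-DATE.sha256 on the receiving side).
  (cd "$BACKUP_DIR" && sha256sum "db-$stamp.sql.gz" "files-$stamp.tar.gz" > "checksums-$stamp.sha256")
  # Off-site copy. Use a dedicated SSH key that can only write into this
  # directory: if the web server is compromised, the attacker must not be able
  # to delete or overwrite the off-site history. Remote retention is managed on
  # the remote side, not by this script.
  rsync -a "$BACKUP_DIR"/ "$OFFSITE"
  prune_backups "$BACKUP_DIR" "$KEEP_DAILY"
}

# Run the full job: ./site-backup.sh run   (from cron, nightly)
if [ "${1:-}" = "run" ]; then run_backup; fi
```

Run it from cron under a dedicated backup user, and once a quarter restore the latest set into a staging copy of the site to confirm the files and the database still line up.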

3. Use least-privilege access control

The principle of least privilege means: give people only the access they need to do their job, and no more. This limits the damage if an account is compromised.

Practical steps:

  • Admin accounts – Only use the admin login when you truly need full access; use a regular account for day-to-day work
  • SSH/FTP credentials – Don't share your main hosting account; create separate, limited accounts for developers or contractors, and prefer SFTP or SSH over plain FTP, which sends passwords unencrypted
      - FTP account A for developers: restricted to /public_html only
      - FTP account B for the backup process: restricted to /backups only
      - Each account gets its own unique, strong password (or SSH key); never one shared among several people
  • Database access – Create separate database users for different purposes, each granted only the privileges its job needs, on the one database it uses
      - A read-only user for analytics or reports
      - A limited user for a specific plugin that doesn't need full database access
  • Third-party integrations – If a plugin needs API access, use API keys with minimal permissions (read-only, specific endpoints, IP allow-listing if supported)
  • Revoke access promptly – When a developer leaves, a contractor finishes, or a team member changes roles, disable or delete their access immediately
  • Audit access regularly – Monthly, review who has access to what and remove unnecessary accounts

Example: If you hire a developer to build a feature, create a temporary FTP account restricted to /public_html/new-feature only. Disable it the day the project ends—don't leave it active "just in case."
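The database bullets above and the monthly audit are the easiest part of this to make concrete. The script below is an added example written for this article, not LochStudios' tooling: least_privilege_sql prints the MySQL statements for a read-only reporting user, a plugin user confined to a single table, and an application user scoped to its own database only; audit_grants reads `SHOW GRANTS` output and flags any account with ALL PRIVILEGES, GRANT OPTION, global (*.*) scope, an any-host (%) login, or server-admin privileges. The database, table and account names are assumptions, and the SHOW GRANTS lines embedded in it are constructed sample data.

```shell
#!/bin/sh
# Added example (not LochStudios' tooling): database least privilege.
# Names (site_db, wp_app, reports, forms_plugin, wp_form_entries) are assumed;
# SAMPLE_GRANTS is constructed SHOW GRANTS output, not from a real server.
set -eu

DB="${DB:-site_db}"  # assumed database name

# Statements for the accounts described in the article. The application user
# gets DML plus the schema rights a CMS typically needs on its own database
# for updates (assumption; check your CMS docs), and nothing outside that
# database. Passwords are placeholders: generate a distinct one per account.
least_privilege_sql() {
  cat <<EOF
CREATE USER 'wp_app'@'localhost' IDENTIFIED BY '<generated-password-1>';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP ON \`$DB\`.* TO 'wp_app'@'localhost';

CREATE USER 'reports'@'localhost' IDENTIFIED BY '<generated-password-2>';
GRANT SELECT ON \`$DB\`.* TO 'reports'@'localhost';

CREATE USER 'forms_plugin'@'localhost' IDENTIFIED BY '<generated-password-3>';
GRANT SELECT, INSERT ON \`$DB\`.\`wp_form_entries\` TO 'forms_plugin'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Read SHOW GRANTS output (one GRANT statement per line) on stdin and print
# one FLAG line per over-privileged grant, listing the reasons. Exit 1 if
# anything was flagged so the monthly review can run from cron and alert.
audit_grants() {
  flagged=0
  while IFS= read -r line; do
    case "$line" in
      ""|*"GRANT USAGE ON"*) continue ;;   # USAGE means "no privileges": MySQL's placeholder row
    esac
    reasons=""
    case "$line" in *"ALL PRIVILEGES"*)    reasons="$reasons all-privileges" ;; esac
    case "$line" in *"WITH GRANT OPTION"*) reasons="$reasons grant-option" ;; esac
    case "$line" in *" ON *.* TO "*)       reasons="$reasons global-scope" ;; esac
    case "$line" in *"@'%'"*)              reasons="$reasons any-host" ;; esac
    case "$line" in *"SUPER"*|*"FILE"*|*"PROCESS"*|*"SHUTDOWN"*) reasons="$reasons admin-privilege" ;; esac
    if [ -n "$reasons" ]; then
      echo "FLAG[${reasons# }]: $line"
      flagged=1
    fi
  done
  return $flagged
}

# On a real server: enumerate accounts and feed every account's grants to the
# audit. QUOTE() makes MySQL emit 'user' and 'host' already quoted; -N drops
# column headers. Uses the admin's ~/.my.cnf for credentials.
audit_all_accounts() {
  mysql -N -e "SELECT CONCAT(QUOTE(user), '@', QUOTE(host)) FROM mysql.user" |
    while IFS= read -r acct; do mysql -N -e "SHOW GRANTS FOR $acct"; done | audit_grants
}

# Constructed sample: one over-privileged account among otherwise scoped ones.
SAMPLE_GRANTS="GRANT ALL PRIVILEGES ON *.* TO 'wp_app'@'%' WITH GRANT OPTION
GRANT USAGE ON *.* TO 'reports'@'localhost'
GRANT SELECT ON \`site_db\`.* TO 'reports'@'localhost'
GRANT SELECT, INSERT ON \`site_db\`.\`wp_form_entries\` TO 'forms_plugin'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP ON \`site_db\`.* TO 'wp_app'@'localhost'"

# Demo against the sample: ./db-privileges.sh demo
if [ "${1:-}" = "demo" ]; then
  least_privilege_sql
  printf '%s\n' "$SAMPLE_GRANTS" | audit_grants || echo "over-privileged accounts found"
fi
```

The same idea applies to the SFTP accounts in the list above: enumerate who can log in, compare against who should, and remove the difference, on a schedule rather than when you happen to remember.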

Putting it together

A secure website follows a cycle:

  1. Update all software weekly or when security patches are released
  2. Back up daily to an off-site location
  3. Audit access control monthly and revoke unnecessary permissions
  4. Monitor for suspicious activity (covered in separate articles on hacked websites and log monitoring)

These three practices stop most attacks before they start and ensure you can recover quickly if something does slip through. The time you invest now saves you days of cleanup and data loss later.

