Website security in plain language
What SSL, malware, WAF, DDoS really mean — and what you can do today to be safer.
SSL / HTTPS — the padlock
SSL encrypts traffic between browser and server. Without it, passwords, card data and form contents can be intercepted. Google ranks HTTPS sites higher and Chrome warns users on HTTP. A free Let's Encrypt certificate (included with us) is enough for 90% of sites. See our SSL page for when you need an upgrade.
Malware
Malicious code injected into your site, usually via outdated plugins or weak passwords. Symptoms: Google warns visitors, the site is slow, or pages redirect to strange places. Our Website Security scans daily and auto-cleans.
Web Application Firewall (WAF)
A filter between your site and the internet that blocks known attacks: SQL injection, XSS, CSRF, bot abuse. Works without you having to change your code.
DDoS attacks
A flood of junk traffic that overloads your server. Protection filters suspicious traffic at the network edge. Included by default on all our hosting plans.
Passwords
- Minimum 12 characters, unique per site (use a password manager: 1Password, Bitwarden)
- Two-factor everywhere (TOTP via Authy or Google Authenticator)
- Never reuse passwords — one leak = everything compromised
Backups
The 3-2-1 rule: three copies, on two different media, with one off-site. With us: daily server backups (off-site) + your own UpdraftPlus to cloud storage.
Updates
The #1 cause of hacked sites: outdated plugins. Turn on auto-updates. On Managed WordPress we do it for you, with rollback on failure.