You lock your front door when you leave the house. You do have a PIN on your phone. But what about your website?
For many of us, it’s the most valuable piece of digital real estate we own, yet we often leave the windows wide open without realizing it.
Hackers don’t care if you’re a giant corporation or a small bakery; they deploy bots that scan the internet looking for easy targets.
The good news? You don’t need a computer science degree or a massive budget to stop them. You just need a simple checklist.
Let’s walk through the basics of locking the door, setting the alarm, and keeping your corner of the internet safe in 2026 and beyond.
How to Use This Checklist
Think of this as a home security audit for your website.
We’ve broken it into four simple stages. Start at the top and work your way down; each step you tick off makes you a much harder target.
Stage 1: Lock the Doors (The Non-Negotiable Basics)
Start here. These are the website equivalent of having a front door that actually locks.
☑ 1) Install an SSL Certificate (That Little Padlock)
You know that padlock icon in the address bar? It’s not just decoration.
An SSL certificate encrypts the connection between your website and its visitors, so passwords, contact form entries, and credit card numbers can’t be snooped on.
Most good hosting providers offer these for free with one click. If your site still says “Not Secure,” drop everything and fix this first.
Don’t have an SSL? You can explore our affordable SSL plans here.
☑ 2) Enforce Strong Passwords and 2FA
"Password123" is an invitation.
Every single account linked to your website (your admin login, hosting panel, database) must have a long, unique password.
Better yet, use a password manager to generate and store them. Then, switch on Two-Factor Authentication (2FA).
It’s a second step after your password, usually a code from an app like Authy or Google Authenticator.
This way, even if a hacker guesses your password, they can’t get in without that code.
☑ 3) Manage User Accounts Like a Guest List
If you’ve ever given someone a “quick admin access” and never removed it, you’ve left a spare key under the mat.
We do this often:
- A web designer needs to update your site
- A developer needs to deploy something on the web server
- Digital marketers need to publish content, etc.
The rule is that only those actively working on your site need to have access.
Plan to audit your users regularly. Remove ex-employees, inactive freelancers, and that developer you hired three years ago.
Give every user the lowest level of access they actually need: author or editor, not administrator.
Introduce a lower role, e.g. assistant admin, if need be. I’ve done this often for authors who needed to edit and manage some aspects of SEO, but didn’t need to install plugins or themes.
Stage 2: Guard the Entry Points
Now, control how people (and data) get inside.
☑ 4) Put a Bouncer on the Door (A Web Application Firewall)
A Web Application Firewall (WAF) acts like a security guard who checks ID before anyone enters.
It filters out malicious traffic, blocking sketchy characters before they can even knock on your door.
Services like Cloudflare or Sucuri for WordPress offer easy setup and will stop common attacks like SQL injections in their tracks.
You set it once and it quietly works in the background.
Wordfence is another great option for WordPress users, though I found it too complex for simple use cases.
☑ 5) Change the Locks on Your Login Page
By default, WordPress admin pages are at /wp-admin, and many other platforms use predictable URLs like /admin.
Bots know this. That’s why you’re probably seeing several login attempts with your actual username.
Change that URL to something unique that bots can’t possibly guess.
In WordPress, plugins like WPS Hide Login make it trivial.
Also, limit the number of failed login attempts: after three wrong tries, that IP address gets locked out for a while.
This single step stops the vast majority of brute-force bot attacks.
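Here is what that "three wrong tries and you're out" rule looks like in code. This is an added example written for this article, not a WordPress plugin or any hosting provider's own code. It assumes your login handler calls attempt_login() for every attempt and that the clock can be swapped out (that only matters for testing); the lockout length of 15 minutes is a chosen value, not a standard.

```python
import time
from collections import defaultdict

# Added example: a minimal per-IP failed-login limiter (not part of the
# original checklist and not any CMS's own code). Assumption: the login
# handler calls attempt_login() once per attempt, before doing anything else.
MAX_FAILURES = 3           # the "three wrong tries" from the checklist
LOCKOUT_SECONDS = 15 * 60  # chosen for the demo; tune to taste


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable so tests can fake time
        self._failures = defaultdict(int)  # ip -> consecutive failures
        self._locked_until = {}            # ip -> unix time the lockout ends

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: wipe the state so the visitor gets a fresh start.
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Count one failed attempt; lock the IP once it hits the limit.
        Returns True if the IP is now locked."""
        if self.is_locked(ip):
            return True
        self._failures[ip] += 1
        if self._failures[ip] >= self.max_failures:
            self._locked_until[ip] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, ip):
        """A correct login clears the strike count for that IP."""
        self._failures.pop(ip, None)
        self._locked_until.pop(ip, None)


def attempt_login(limiter, ip, password_ok):
    """What the login handler does: refuse locked IPs before the password is
    even looked at, so a bot cannot keep guessing while locked out."""
    if limiter.is_locked(ip):
        return "locked"
    if password_ok:
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "failed"
```

Notice that a correct password is refused while the lockout is active. That is the point: once the bot has burned its three tries, guessing further is useless until the window expires.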
☑ 6) Never Trust What Visitors Hand You
Every contact form, search box, or file upload field is a potential entry point for malicious code that can take down your site.
If your website blindly trusts whatever is typed in, an attacker can slip hidden commands into your database.
“Input validation” sounds technical, but it just means your site checks that an email field actually contains an email, and a name field doesn’t contain malicious code. Most modern CMS platforms handle this well, but make sure you aren’t using ancient, abandoned form plugins.
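To make "never trust what visitors hand you" concrete, here is an added example (written for this article, not taken from any CMS or form plugin). It checks an email field and a name field the way the paragraph describes, and then shows the difference between pasting a visitor's text straight into a database query and passing it as a bound parameter, which is the fix for the SQL injection mentioned under the firewall step. The users table and its two rows are constructed for the demo.

```python
import re
import sqlite3

# Added example, not code from the checklist or from any CMS. Assumptions:
# a contact form with an email and a name field, and a small users table
# (constructed below) that the form handler looks up by email.

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Letters, spaces, apostrophes and hyphens only, up to 80 characters:
# tags, quotes and semicolons simply do not get through.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,79}$")


def validate_email(value):
    """The email field must actually look like an email address."""
    return bool(EMAIL_RE.match(value.strip()))


def validate_name(value):
    """The name field must look like a name, nothing else."""
    return bool(NAME_RE.match(value.strip()))


def demo_db():
    """Constructed in-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users (email, name) VALUES (?, ?)",
                     [("alice@example.com", "Alice"), ("bob@example.com", "Bob")])
    conn.commit()
    return conn


def find_user_unsafe(conn, email):
    """The mistake: the visitor's text becomes part of the SQL statement,
    so a quote character in the input changes what the query means."""
    sql = "SELECT name FROM users WHERE email = '" + email + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, email):
    """The fix: the value is bound as a parameter, so whatever it contains
    is only ever compared as data, never run as part of the query."""
    rows = conn.execute("SELECT name FROM users WHERE email = ? ORDER BY id", (email,))
    return [row[0] for row in rows]


def handle_form(conn, email, name):
    """A form handler done right: validate first, then query with bound parameters."""
    if not validate_email(email):
        return {"ok": False, "error": "invalid email"}
    if not validate_name(name):
        return {"ok": False, "error": "invalid name"}
    return {"ok": True, "matches": find_user_safe(conn, email)}
```

Validation and parameter binding are two separate layers: validation rejects input that has no business being there, and binding guarantees that whatever does get through cannot rewrite the query. Use both.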
Stage 3: Keep It Clean (Don’t Set It and Forget It)
Security isn’t a one-and-done project. These habits run on autopilot.
☑ 7) Update Everything, the Moment Updates Arrive
Out-of-date software is the number one way websites get hacked.
Those update notifications for your CMS, plugins, and themes are not nagging you; they’re patching known security holes.
Enable auto-updates for minor releases if you can, and schedule a short maintenance window monthly to apply the rest.
Also, delete any plugin or theme you aren’t using; even an inactive one can be an open window.
☑ 8) Run Automatic Backups (Your Big Undo Button)
If the unthinkable happens, a backup means you can restore your site to a clean state in minutes.
Follow the 3-2-1 rule: keep 3 copies of your data on 2 different types of storage, with 1 stored offsite (like in cloud storage).
Many backup plugins and hosting plans can do this automatically every day and send the file to Dropbox or Google Drive.
☑ 9) Let a Robot Watch for Malware
Antivirus isn’t just for your laptop.
You can use a security tool that actively scans your website files and database for suspicious code.
Wordfence, Sucuri, and MalCare all offer always-on monitoring. They’ll email you the moment something looks off, often before Google even notices.
☑ 10) Glance at Your Security Logs (Once a Week)
This sounds more tedious than it is.
And no, you don’t need to be an analyst—just look for spikes in failed login attempts or file changes at odd hours.
A sudden jump from 5 failed logins a day to 500 means a bot is trying to muscle its way in.
Knowing this lets you tighten your lockout rules before it gets lucky.
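The weekly glance at the logs can be automated. Below is an added example (not from the article or from any security plugin) that counts failed logins per day and flags a day that jumps far above the rest of the week, like the 5-to-500 jump described above, along with the IP addresses responsible. The log format and the week of sample entries are constructed for the demo; real servers and plugins each use their own format, so the regular expression is the part you would adapt.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Added example, not part of the original checklist. The log format below is
# constructed for the demo: "<date> <time> FAILED_LOGIN user=<u> ip=<ip>".
FAILED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} FAILED_LOGIN user=(\S+) ip=(\S+)$")


def make_demo_log():
    """Constructed sample: six quiet days with four failed logins each,
    then a seventh day where a bot hammers the login page."""
    lines = []
    for day in range(2, 8):  # 2026-03-02 .. 2026-03-07
        for i in range(4):
            lines.append(f"2026-03-{day:02d} 0{i + 1}:00:00 FAILED_LOGIN "
                         f"user=admin ip=198.51.100.{i + 1}")
        lines.append(f"2026-03-{day:02d} 09:00:00 LOGIN_OK user=editor ip=198.51.100.9")
    for i in range(120):     # 2026-03-08: 120 failures from two addresses
        ip = "203.0.113.5" if i % 3 else "203.0.113.9"
        lines.append(f"2026-03-08 {i % 24:02d}:{i % 60:02d}:00 FAILED_LOGIN "
                     f"user=admin ip={ip}")
    return lines


def failed_logins_per_day(lines):
    """Return (failures per day, failures per day broken down by IP)."""
    per_day = Counter()
    per_day_ips = defaultdict(Counter)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue            # successful logins and other events are ignored
        day, _user, ip = m.groups()
        per_day[day] += 1
        per_day_ips[day][ip] += 1
    return per_day, per_day_ips


def find_spikes(lines, factor=10, floor=20):
    """Flag days whose failed-login count is at least `floor` and more than
    `factor` times the median of the other days. The floor stops a quiet site
    from flagging 3 failures as a spike just because the other days had 0."""
    per_day, per_day_ips = failed_logins_per_day(lines)
    spikes = {}
    for day, count in per_day.items():
        others = [c for d, c in per_day.items() if d != day]
        baseline = median(others) if others else 0
        if count >= floor and count > factor * baseline:
            spikes[day] = {
                "count": count,
                "baseline": baseline,
                "top_ips": per_day_ips[day].most_common(3),
            }
    return spikes


if __name__ == "__main__":
    for day, info in find_spikes(make_demo_log()).items():
        print(f"{day}: {info['count']} failed logins (normal is about "
              f"{info['baseline']}); top sources: {info['top_ips']}")
```

The "top_ips" list is what turns a scary number into an action: if two addresses account for the whole spike, those are the ones your lockout rule or firewall should be tightened against.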
Stage 4: Add the Alarm System (Go the Extra Mile)
This is for when you’re ready to move from “hard target” to “fortress.”
☑ 11) Shield Yourself with a CDN
A Content Delivery Network (CDN) makes your site faster by spreading it across servers worldwide, but it also absorbs traffic before it hits your server.
That means a DDoS attack, where thousands of bots try to overwhelm your site, can be filtered out without your visitors ever noticing.
Cloudflare’s free tier is a popular choice and essentially acts like a bulletproof vest for your site.
☑ 12) Set the Correct File Permissions
On your web server, every file and folder has a permission level that says who can read, write, or execute it.
If you leave the permissions too loose, a hacker who sneaks in a malicious file can actually run it.
A general safe rule is folders set to 755 and files set to 644.
If that sounds alien, ask your hosting support or a developer to check; it’s a quick fix that closes a big vulnerability.
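For anyone who would rather check this themselves than ask support, here is an added example (written for this article, not a hosting panel's or any CMS's tool) that audits a site folder against the 755/644 rule and can apply it. It builds a tiny throwaway site in a temporary directory with deliberately loose permissions so you can see what the audit reports; point audit_permissions() at your real web root to check your own site, and run fix_permissions() only once you have a backup (step 8).

```python
import os
import stat
import tempfile

# Added example, not from the checklist or any hosting panel. It implements
# the "folders 755, files 644" rule. The demo tree is constructed below.
DIR_MODE = 0o755
FILE_MODE = 0o644


def _mode(path):
    """Permission bits only (owner/group/other), ignoring file type bits."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_permissions(root):
    """List (relative path, actual mode) for everything that breaks the rule.
    Symlinks are skipped so the audit never follows them out of the web root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if _mode(dirpath) != DIR_MODE:
            findings.append((os.path.relpath(dirpath, root), oct(_mode(dirpath))))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if _mode(path) != FILE_MODE:
                findings.append((os.path.relpath(path, root), oct(_mode(path))))
    return findings


def fix_permissions(root):
    """Apply 755 to every directory and 644 to every regular file under root.
    Returns how many entries were changed."""
    changed = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        if _mode(dirpath) != DIR_MODE:
            os.chmod(dirpath, DIR_MODE)
            changed += 1
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or _mode(path) == FILE_MODE:
                continue
            os.chmod(path, FILE_MODE)
            changed += 1
    return changed


def make_demo_site():
    """Constructed: a tiny site tree with three deliberately loose entries."""
    root = tempfile.mkdtemp(prefix="site-")
    os.chmod(root, DIR_MODE)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)                      # world-writable folder
    index = os.path.join(root, "index.php")
    with open(index, "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    os.chmod(index, FILE_MODE)                    # this one is already correct
    avatar = os.path.join(uploads, "avatar.png")
    with open(avatar, "wb") as f:
        f.write(b"\x89PNG")
    os.chmod(avatar, 0o666)                       # world-writable file
    old_plugin = os.path.join(root, "old-plugin.php")
    with open(old_plugin, "w") as f:
        f.write("<?php ?>\n")
    os.chmod(old_plugin, 0o755)                   # file marked executable
    return root


if __name__ == "__main__":
    site = make_demo_site()
    for rel, mode in audit_permissions(site):
        print(f"{rel}: {mode}")
    print(f"fixed {fix_permissions(site)} entries; remaining: {audit_permissions(site)}")
```

The world-writable uploads folder is the one to worry about most: it is exactly the place where a malicious file gets dropped and, if the file is also executable, run.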
☑ 13) Vet Your Third-Party Plugins and Code
Not all plugins from the official directory are safe, and that free “premium theme” you found on a shady forum almost certainly contains malware.
Treat anything you add to your site like a guest you’re inviting in.
Check the developer’s reputation, last update date, and reviews.
Keep a list of what’s installed, and if something hasn’t been updated by the author in two years, replace it whenever possible.
☑ 14) Keep an Eye on the Future (Post-Quantum)
This is an emerging concern, not today’s emergency.
In the coming years, powerful quantum computers may be able to break the encryption we currently use.
You don’t need to panic, but start asking your hosting provider or security team if they have a plan for “post-quantum cryptography.”
Being aware now puts you ahead of the curve.
Your First 3 Steps (Do These Today)
Seeing a list of 14 points can feel overwhelming, but you don’t have to do everything at once.
Start right now with these three action items:
- Turn on an SSL certificate (your host likely has a free one-click option).
- Enable Two-Factor Authentication on your main admin account.
- Hit “Update All” on your dashboard and delete any plugins you don’t use.
That’s it.
In under 15 minutes, you’ve moved from an open window to a locked door.
Security is a layering process, not a product you buy once. Check back on this list every few months, and you’ll sleep better knowing those automated bots are picking on someone else’s website tonight.
Which of these steps have you been neglecting? Let me know in the comments, or share this checklist with the person who manages your website.