Website security in 2026 is a stack of seven layers: HTTPS with valid certificates, a Web Application Firewall, hardened authentication, software update discipline, regular backups, security monitoring, and incident response. Most breaches do not come from sophisticated zero-day exploits. They come from outdated plugins, weak passwords, missing two-factor authentication, and exposed admin pages. The fixes are inexpensive. The cost of skipping them runs $50,000 to $500,000 per breach for a typical small business.
The Real Threat Model
Most website attacks are automated and indiscriminate. Botnets scan the entire internet for vulnerable WordPress installations, exposed admin panels, and known plugin exploits. The attackers do not target specific businesses; they target weaknesses at scale. Any site with a known vulnerability gets compromised within days of being scanned.
The common attack patterns:
- Credential stuffing: automated bots try thousands of stolen username/password combinations against login pages.
- Brute force on /wp-admin: repeated login attempts against WordPress admin pages.
- Plugin and theme vulnerabilities: known exploits in outdated plugins (especially form plugins, caching plugins, page builders).
- SQL injection: abuse of poorly validated form inputs.
- Cross-site scripting (XSS): injecting malicious JavaScript through comments, forms, or URL parameters.
- Supply chain attacks: compromised npm packages, plugin updates, or third-party scripts.
The fix for 90 percent of these is the same: keep software updated, use strong authentication, deploy a WAF, and monitor for unusual activity.
HTTPS and SSL Certificates
HTTPS is non-negotiable. Modern browsers warn visitors on any site without it. Google ranks HTTPS sites preferentially. Certificates themselves have been free since Let’s Encrypt launched in 2016.
Three options for SSL in 2026:
- Let’s Encrypt: free, automated, 90-day renewal. The default for most managed hosts and CDNs.
- Cloudflare Universal SSL: free, automatic when the domain is on Cloudflare.
- Paid certificates (DigiCert, Sectigo): $50 to $300 per year. Required only for Extended Validation green-bar certificates, which are rarely needed.
Configure HSTS (HTTP Strict Transport Security) once SSL is working:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
HSTS forces browsers to use HTTPS even if a visitor types http:// or clicks an old http link. Submit the domain to the HSTS preload list (hstspreload.org) for maximum protection.
Web Application Firewall (WAF)
A WAF sits in front of the website and blocks malicious requests before they reach the origin. It catches SQL injection attempts, XSS payloads, brute-force login attempts, and known exploit patterns.
Three options that work well in 2026:
- Cloudflare WAF (free or $20/month for Pro): the most-deployed WAF on the internet. Free tier blocks the most common attacks. Pro adds custom rules and image proxying.
- Sucuri WAF ($20-$100/month): WordPress-focused, strong against plugin exploits. Includes malware scanning and cleanup if compromised.
- AWS WAF or Azure Front Door: for sites already on those platforms, integrates cleanly with the broader infrastructure.
The WAF is the highest-leverage security investment a small business can make. A $20-per-month Cloudflare Pro subscription stops 95 percent of automated attacks before they reach the origin.
Authentication and Access Control
Most breaches start with compromised credentials. Three rules drastically reduce risk.
Strong, unique passwords for every admin account. Use a password manager (1Password, Bitwarden) to generate and store 20+ character passwords. Never reuse passwords across services. Never share admin accounts.
Two-factor authentication (2FA) on every admin account. Use an authenticator app (Authy, 1Password, Google Authenticator) or hardware key (YubiKey). SMS 2FA is better than nothing but vulnerable to SIM swapping.
Limit login attempts and rate-limit the admin URL. WordPress sites should install Limit Login Attempts Reloaded or use Wordfence. Cloudflare Pro includes rate-limiting rules. Move /wp-admin to a custom URL on WordPress to reduce automated attacks.
For WordPress specifically, also disable XML-RPC unless required for a specific integration. XML-RPC is a common attack vector that most sites do not need.
Software Updates: The Most-Skipped Discipline
The single biggest cause of WordPress breaches is outdated plugins. The attack pattern is: a security researcher discloses a vulnerability in a popular plugin. Within 24 to 72 hours, exploit code is in the wild. Within a week, automated scanners are hitting every site running that plugin.
Rules for software updates:
- Enable automatic updates for security releases on WordPress core (default since WP 5.6)
- Enable automatic updates for security releases on every plugin
- Manually review and apply major version updates within 30 days of release
- Audit plugins quarterly: remove unused, replace deprecated, evaluate alternatives for any plugin not updated in 12 months
- Keep PHP versions current (PHP 8.2+ as of 2026)
Hosted platforms (Framer, Webflow, Squarespace) handle the underlying software updates automatically. WordPress requires active management. The maintenance gap is the largest hidden security cost in the platform decision. The Framer vs WordPress comparison covers this in detail.
Security Headers
Six HTTP headers harden the site against common attacks. Add them at the server, CDN, or framework level.
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:;
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Test header configuration with securityheaders.com (free) or Mozilla Observatory. Aim for an A or A-plus grade. The Content-Security-Policy header is the most powerful and the most likely to break things; deploy it carefully and test thoroughly.
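A local version of that check, as an added example that is not part of the original article or of any scanner: it audits a captured set of response headers against the six headers above and parses the CSP to flag weak script sources. The header sets are constructed from the article's own values, and the one-year HSTS threshold is the article's.

```python
import re

# Response headers exactly as the section above recommends them (constructed, not captured).
ARTICLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:;",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
# A weaker, constructed set: one-hour HSTS lifetime, no CSP, no Referrer/Permissions-Policy.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
}

# Header name -> token its value must contain (None: presence is enough).
REQUIRED = {
    "strict-transport-security": "max-age",
    "content-security-policy": "default-src",
    "x-content-type-options": "nosniff",
    "x-frame-options": None,
    "referrer-policy": None,
    "permissions-policy": None,
}
ONE_YEAR = 31536000

def parse_csp(value: str) -> dict:
    """Split a CSP string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers: dict) -> list:
    """Return findings as strings; an empty list means all six checks pass."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, token in REQUIRED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif token and token not in h[name].lower():
            findings.append(f"{name} lacks {token}")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append("hsts max-age below one year")
    if "content-security-policy" in h:
        csp = parse_csp(h["content-security-policy"])
        # script-src falls back to default-src when absent, as browsers do.
        scripts = csp.get("script-src", csp.get("default-src", []))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if weak in scripts:
                findings.append(f"csp script-src allows {weak}")
    return findings
```

Run against the article's own header set it reports one finding: the 'unsafe-inline' that the example policy grants to script-src for Google Tag Manager, which is the trade-off the paragraph above warns about.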
Backups: The Last Line of Defense
Backups need to satisfy three rules: automated, offsite, and tested. Automated means scheduled, not manual. Offsite means stored on different infrastructure than the live site. Tested means actually restored on a regular cadence to verify the backup works.
Backup tools that work:
- WordPress: BlogVault, Solid Backups, UpdraftPlus. $90 to $300 per year for offsite backups with one-click restore.
- Framer, Webflow, Squarespace: the platform stores version history and revisions. Export periodic backups manually.
- Self-hosted Next.js, custom apps: database snapshots through the cloud provider, code in version control, file storage in S3 with versioning enabled.
Restore drills happen quarterly. A backup that has never been restored is a backup that probably does not work. Document the restore procedure so anyone on the team can execute it under pressure.
Monitoring and Detection
The faster a breach is detected, the smaller the impact. Three monitoring layers catch most issues.
Uptime monitoring: UptimeRobot, Better Uptime, or Pingdom. Pings the site every 1 to 5 minutes from multiple regions. Alerts via email, Slack, or SMS when down.
Malware and integrity monitoring: Sucuri, Wordfence, or MalCare scan files for known malware signatures and detect unauthorized changes to core files.
Log monitoring: review server logs and CDN logs weekly for unusual patterns such as spikes in 4xx errors, unusual user agents, and requests to /wp-admin or other sensitive paths from unfamiliar IPs.
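The weekly log review above, turned into a script as an added example (not from the article or any of the products it names): it parses combined-format access log lines and reports, per client IP, the three patterns the paragraph lists. The log lines, the known-admin IP allowlist and the 4xx threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Combined log format as nginx and Apache write it by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample (documentation IP ranges): one browser visit, one scripted
# login/XML-RPC probe, and one admin visit from the team's own address.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:09:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/124.0"
198.51.100.9 - - [10/Mar/2026:09:01:05 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:09:01:06 +0000] "POST /wp-login.php HTTP/1.1" 401 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2026:09:01:07 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2026:09:02:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
"""

SENSITIVE = ("/wp-admin", "/wp-login.php", "/xmlrpc.php")
KNOWN_ADMIN_IPS = {"192.0.2.44"}       # assumption: the team's office egress address
SCRIPTED_UA = ("python-requests", "curl/", "go-http-client", "-")
ERROR_THRESHOLD = 2                    # assumption: 2+ 4xx from one IP is worth a look

def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text: str) -> dict:
    """Return {ip: sorted reasons} for every IP that trips at least one pattern."""
    errors = Counter()
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue                   # skip lines in another format
        ip = rec["ip"]
        if rec["status"].startswith("4"):
            errors[ip] += 1
        if rec["path"].startswith(SENSITIVE) and ip not in KNOWN_ADMIN_IPS:
            reasons[ip].add("sensitive path from unfamiliar ip")
        if rec["ua"].lower().startswith(SCRIPTED_UA):
            reasons[ip].add("scripted user agent")
    for ip, n in errors.items():
        if n >= ERROR_THRESHOLD:
            reasons[ip].add(f"{n} 4xx responses")
    return {ip: sorted(r) for ip, r in reasons.items()}
```

The browser visitor and the allowlisted admin produce nothing; the probing IP is reported on all three counts, which is the shape of a credential-stuffing or XML-RPC sweep described in the threat model above.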
For sites with revenue tied to uptime, also deploy synthetic monitoring (Checkly, Better Stack) that runs scripted user journeys (load homepage, submit form, log in) every 5 to 15 minutes from multiple regions.
Incident Response
If a breach happens, the response sequence matters. Document this before it is needed.
- Take the site offline (or put up a maintenance page) to stop ongoing damage
- Take a forensic snapshot of the compromised state for investigation
- Restore from the most recent clean backup
- Identify the attack vector and close it
- Rotate every credential: admin passwords, API keys, database passwords, SMTP credentials
- Notify affected users if personal data was exposed (legally required under GDPR, CCPA, state breach laws)
- Document the incident and update security controls
Most small businesses do not have the in-house capability to investigate a breach. Sucuri, Wordfence, and a handful of specialized firms provide breach cleanup services for $200 to $1,500 per incident.
Compliance Considerations
Several regulatory frameworks affect website security. The most common:
- GDPR (EU): requires breach notification within 72 hours, applies to any site collecting EU visitor data
- CCPA (California): similar to GDPR for California residents
- HIPAA (US healthcare): requires encryption at rest and in transit, audit logs, business associate agreements with vendors
- PCI DSS (payment cards): applies to any site processing credit cards, requires annual self-assessment or audit
- SOC 2 (B2B SaaS): not legally required but increasingly required by enterprise customers
Compliance is not the same as security but is a useful framework for prioritizing security investments. The website accessibility guide covers the related ADA compliance landscape.
Common Security Mistakes
Six mistakes show up in nearly every audit:
- Running outdated WordPress core or plugins
- Sharing admin accounts across team members
- Skipping 2FA
- Storing credentials in plain text in code or config files
- Hosting on a shared host with no WAF
- Not having a backup that has been tested in the last 90 days
Each is a 30-minute fix. The hardest part is making time for the audit.
The 30-Day Hardening Sprint
Most marketing sites can implement reasonable security in 30 days.
Week 1: deploy Cloudflare in front of the site. Enable Universal SSL. Configure security headers. Move /wp-admin to a custom URL on WordPress.
Week 2: rotate all admin credentials. Enable 2FA on every admin account. Audit user accounts and remove anyone who no longer needs access. Deploy a password manager team plan.
Week 3: audit plugins and themes. Remove unused. Update everything to latest versions. Configure automatic updates for security releases.
Week 4: set up automated offsite backups. Run a restore drill. Document the incident response plan.
For Framer-built sites that ship with platform-managed security (HTTPS, DDoS protection, no plugin attack surface), see our pricing.
Frequently Asked Questions
Do I really need a Web Application Firewall?
Yes, especially on WordPress. A WAF blocks 90+ percent of automated attacks before they reach the origin. Cloudflare’s free tier provides meaningful protection; Pro at $20 per month adds custom rules and stronger defenses. The investment is small compared to a single breach.
How often should I update my website software?
Security patches within 7 days of release. Major version updates within 30 days. Plugin and theme audits quarterly. PHP version upgrades annually. Skip a year of updates and the site is essentially unprotected against known exploits.
Are managed WordPress hosts more secure than shared hosts?
Yes, significantly. Managed hosts (WP Engine, Kinsta, Cloudways) include WAFs, automatic security updates, malware scanning, and faster server-level patching. Shared hosts ($5/month) offer none of this. The price difference is justified by security alone.
What should I do if my website gets hacked?
Take the site offline. Take a forensic snapshot. Restore from a clean backup. Identify the attack vector and close it. Rotate every credential. Notify affected users if data was exposed. Specialized cleanup services (Sucuri, Wordfence) handle the technical work for $200 to $1,500.
Is Framer or Webflow more secure than WordPress?
For the same level of effort, yes. Hosted platforms handle infrastructure security, software updates, DDoS protection, and SSL automatically. WordPress can be made just as secure but requires active maintenance. The platform choice is also a security choice.
If you want a Framer build that ships with platform-managed security (HTTPS, DDoS protection, no plugin attack surface), talk to our team.
