
A Must-Have Website Security Checklist

By design, our servers are secure. However, the security level of your site depends on the code that is uploaded to Bluehost's servers.

The following checklist is a good collection of security tips offered for review to ensure your website is as secure as possible.

Remove malicious files and/or folders you're not familiar with

While many PHP applications generate files you may not be familiar with, it's important to watch for files or directories that may sound suspicious such as 'wellsfargo' or 'abbybank.'

Update all scripts/applications to the newest versions available

New software versions fix known security holes, so update to the newest versions available to ensure you're running the most secure option. If you installed these applications using MOJO Marketplace, automatic updates are available by clicking the Upgrade button. For installations done with Fantastico, the main Fantastico screen will show a link on the right-hand side of the screen with the available versions you can upgrade to. In addition, go to the script's official site and subscribe to their updates list or security announcements list/feed.

Update all plugins to the newest versions available

Just because your applications have been updated doesn't mean the plugins you use have also been. Popular plugins for WordPress, Joomla, Drupal, and more are created for specific application versions. When updating your applications, make sure the plugins you're using are also certified to work with the newest version of your software. In addition, go to each plugin's official site and subscribe to their updates list or security announcements list/feed.

Change passwords on accounts or delete unused ones

In case a hacker got one of your passwords, change them all.

  • In your cPanel, click Update Password to change your cPanel password.
  • Update the password(s) for your FTP Accounts. In FTP Accounts, click Change Password if you still use the account or Delete if the account is no longer being used.
  • If your website has an administrative section or pages, change its password(s) also.

Delete any databases/applications from your account that are no longer in use

Each database/application you have installed on your account is another possible point of entry for attackers. By removing applications/databases that are no longer used, you'll be eliminating the potential for those outdated scripts to be exploited.

Fix dangerously writeable permissions

Most website files should be set at 644, and folders should be set to 755. This can be adjusted in an FTP client or by manually changing it in the control panel file manager by selecting the file and clicking on the icon at the top of the screen that says, Change Permissions.
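The same check can be run from a shell session instead of the file manager. This is an added example, not Bluehost's own tooling; the function names, the script name `perms.sh` and the sample tree are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: find and tighten group/world-writable entries under a web root.

# audit_writable ROOT: print every file or directory under ROOT that group or
# others can write to, i.e. anything looser than 644 / 755 in the write bits.
audit_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) -print | sort
}

# tighten_writable ROOT: remove only the group/other write bits, so 666 becomes
# 644 and 777 becomes 755 while execute bits on scripts are left alone.
tighten_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -020 -o -perm -002 \) \
        -exec chmod go-w {} +
}

# make_sample DIR: build a constructed tree (not a real site) with one
# world-writable directory and one world-writable file for a dry run.
make_sample() {
    mkdir -p "$1/uploads" "$1/inc"
    : > "$1/index.php"
    : > "$1/uploads/a.txt"
    chmod 755 "$1" "$1/inc"
    chmod 644 "$1/index.php"
    chmod 777 "$1/uploads"
    chmod 666 "$1/uploads/a.txt"
}

# Usage: sh perms.sh ~/public_html        (audit only)
#        sh perms.sh ~/public_html fix    (audit, then tighten)
if [ -n "${1:-}" ]; then
    audit_writable "$1"
    if [ "${2:-}" = fix ]; then tighten_writable "$1"; fi
fi
```

Run the audit first and review the list before using `fix`, since some applications expect specific directories to stay writable by the web server.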

Hide your configuration files

Moving your config.php and other files containing passwords to a secure directory outside of the public_html folder will make them inaccessible to general web surfing.

Tweak your php.ini file

The php.ini file on your account is a file that adjusts how PHP behaves on your account. By adjusting the properties of this file, you can greatly increase aspects of your security. This file is generally located in your public_html directory. If you're unable to see this file, you may need to generate one manually. You can manually generate one by logging into your control panel and clicking the PHP Config icon located in the section called Software/Services. You'd then click the button that says Install Master PHP.ini File. This will install a file in your public_html directory called php.ini.default. To make this file active, you will then need to rename it to php.ini.

  • Tweak 1 - Set register_globals to Off.
  • Tweak 2 - Set display_errors to Off.
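
To confirm that the active php.ini really carries both tweaks, the file can be checked from a shell. This is an added example, not part of the original article or of Bluehost's tooling; the function names, the script name `check_ini.sh` and the sample file are assumptions. It uses PHP's directive name `display_errors` and treats an unset `display_errors` as enabled, because PHP's built-in default for it is on.

```sh
#!/bin/sh
# Added example: report whether a php.ini turns off the two directives above.

# ini_value FILE KEY: print the last uncommented value of KEY in lower case,
# or "unset" when the file never sets it.
ini_value() {
    awk -v key="$2" '
        BEGIN { val = "unset" }
        /^[ \t]*;/ { next }                    # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (tolower(k) != key) next
            v = substr($0, eq + 1)
            sub(/;.*/, "", v); gsub(/[ \t\r"]/, "", v)   # drop trailing comment and quotes
            val = tolower(v)
        }
        END { print val }
    ' "$1"
}

# check_php_ini FILE: print one line per directive; return 1 if either is enabled.
check_php_ini() {
    rc=0
    for key in register_globals display_errors; do
        val=$(ini_value "$1" "$key")
        # Unset display_errors falls back to on; unset register_globals is off.
        if [ "$val" = unset ]; then
            [ "$key" = display_errors ] && val=1 || val=off
        fi
        case "$val" in
            off|0|false|no|none|"") echo "OK    $key is off" ;;
            *) echo "FAIL  $key = $val (expected Off)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# sample_ini: print a constructed php.ini fragment (not a real site's file).
sample_ini() {
    printf '%s\n' '; constructed sample' 'register_globals = Off' \
        'display_errors = On ; debugging leftover'
}

# Usage: sh check_ini.sh ~/public_html/php.ini
if [ -n "${1:-}" ]; then check_php_ini "$1"; fi
```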

Connect to your account using a secure network

If you're connecting to the internet using a wireless connection, make sure the wireless network uses a security method such as WPA or WEP encryption.

Make sure your local computer is secure

One of the biggest security holes in internet site security is accessing your site from an insecure computer. Viruses, malware, and key loggers can be installed on your computer covertly and can be used to obtain your username/password credentials or to infect your website files themselves. Practice good at-home computer security by regularly running a reliable anti-virus/spyware scanner.

Connect to your email securely

If you use an email application, like Outlook or Mac Mail, be sure to use SSL when connecting to the email server. This will help prevent the theft of sensitive information from your email as it travels from your computer to the email server. In addition, you should be able to view and adjust the connection settings inside your email application.

Anti-virus applications

Here are a few high-quality, free applications that can help you maintain a safe, healthy computer.



Linux Based




Our article presents you with a comprehensive website security checklist aimed at ensuring the highest level of protection for your website hosted on secure servers like Bluehost. We emphasize the importance of regular maintenance tasks such as removing unfamiliar or malicious files, updating scripts, applications, and plugins to their latest versions, and more. Additionally, we advise you to fix dangerously writable permissions, hide configuration files, tweak the php.ini file for enhanced security, use secure networks and email connections, and maintain local computer security through anti-virus applications. This checklist serves as a crucial resource for website owners like you to safeguard your website against digital threats and vulnerabilities.

If you need further assistance, feel free to contact us via Chat or Phone:

  • Chat Support - While on our website, you should see a CHAT bubble in the bottom right-hand corner of the page. Click anywhere on the bubble to begin a chat session.
  • Phone Support -
    • US: 888-401-4678
    • International: +1 801-765-9400

You may also refer to our Knowledge Base articles to help answer common questions and guide you through various setup, configuration, and troubleshooting steps.
