Plaximo

Why an SSL Certificate Is Only the First Step Toward Web Security

SSL is the baseline today, yet it covers only part of the picture. We outline seven measures that genuinely secure a website, from HTTP headers to a tested backup strategy.

3 min read

SSL Is a Door Lock, Not Complete Protection

Ever since Chrome began flagging every HTTP page as "Not secure," SSL has become the standard. That is the right development. Anyone who assumes a green padlock secures a website, however, is underestimating the situation.

SSL encrypts the transfer between browser and server. The server itself stays untouched, as do the form data, the credentials and the plugins in use. That is exactly where the real work begins.

The Seven Pillars of Web Security

1. SSL/TLS as the Foundation

SSL does three things. It encrypts data during transfer, prevents man-in-the-middle attacks, and is a prerequisite for a strong Google ranking.

What SSL does not do matters just as much. It does not protect the database, it does not make weak passwords safer, and it does not detect malware on the server.

In practice, the minimum should be TLS 1.2, ideally TLS 1.3. Older versions are considered insecure.

2. HTTP Security Headers

These headers work quietly in the background and belong in every clean configuration.

  • Content-Security-Policy (CSP) defines which resources may load
  • Strict-Transport-Security (HSTS) enforces HTTPS
  • X-Content-Type-Options prevents MIME sniffing
  • X-Frame-Options guards against clickjacking
  • Referrer-Policy controls which data is passed on
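One way to verify that these five headers are actually present and not weakly set, as an added example that is not part of the original article or Plaximo's tooling: the function below audits a response-header dictionary against the list above. The recommended values (a one-year HSTS max-age, no `'unsafe-inline'` in the CSP, a non-leaking Referrer-Policy) are this example's own assumptions, and the sample responses are constructed, not captured from a real site.

```python
"""Audit the five security headers from section 2 (added example, not Plaximo's code)."""
from __future__ import annotations
import re

# Expected values and the one-year HSTS floor are assumptions of this example,
# not recommendations taken from the article; tune the CSP to the site.
ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def audit_security_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return {header: finding} for each header that is missing or weakly set.
    An empty dict means all five checks passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings: dict[str, str] = {}

    csp = h.get("content-security-policy")
    if csp is None:
        findings["Content-Security-Policy"] = "missing"
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings["Content-Security-Policy"] = "allows unsafe-inline or unsafe-eval"

    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts) if hsts else None
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    elif not m or int(m.group(1)) < ONE_YEAR:
        findings["Strict-Transport-Security"] = "max-age below one year"

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings["X-Content-Type-Options"] = "missing or not 'nosniff'"
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "missing or not DENY/SAMEORIGIN"
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings["Referrer-Policy"] = "missing or may leak full URLs cross-origin"
    return findings

# Constructed sample responses for the demo (not captured from a real site)
WEAK = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL",
        "Strict-Transport-Security": "max-age=86400"}
HARDENED = {"Content-Security-Policy": "default-src 'self'",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
            "Referrer-Policy": "strict-origin-when-cross-origin"}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_security_headers(hdrs) or "all five checks passed")
```

To audit a live site, pass in the headers from a real HTTPS response (for example `dict(urllib.request.urlopen(url).headers)`); the check is deliberately offline so it runs without network access.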

3. Regular Updates

A large share of successful attacks on WordPress sites use outdated plugins as the entry point. Updates are not optional, they are mandatory.

  • Update the CMS core immediately
  • Check plugins and extensions weekly
  • Review server software monthly
  • Keep the PHP and Node.js version current

4. Strong Access Control

  • Unique passwords for every account (at least 16 characters)
  • Two-factor authentication for admin access
  • No "admin" as a username
  • An IP allowlist for the backend
  • Brute-force protection through limited login attempts

5. Backup Strategy

Without a backup, a compromised site has no second life. A solid strategy covers four elements.

  • Daily automated backups of the database
  • Weekly full backups of files and database
  • Offsite storage, not on the same server
  • Regular restore tests, because a backup that cannot be restored is no backup at all

6. Form and Input Security

Contact forms are a popular target for attacks.

  • CSRF tokens for every form
  • Server-side input validation, not only in the browser
  • Rate limiting against spam bots
  • Honeypot fields as invisible spam protection
  • Captcha only as a last resort, since it burdens the user experience

7. Monitoring and Incident Response

Security does not end with setup. It calls for ongoing operation.

  • Uptime monitoring with instant notification on outages
  • Automated security scans, run monthly
  • Log analysis to trace who accesses what
  • An incident response plan for the event of a hack

GDPR and Security Belong Together

The GDPR requires technical and organisational measures to protect personal data. In concrete terms, that means:

  • encryption via SSL/TLS
  • access control with clear permission levels
  • pseudonymisation where possible
  • documented security measures
  • an obligation to report data breaches within 72 hours

The Security Quick Check

These free tools provide a first assessment.

Tool                       Checks
securityheaders.com        HTTP headers
ssllabs.com/ssltest        SSL configuration
observatory.mozilla.org    Overall rating
Google Search Console      Security warnings

Security Is a Process, Not a State

Web security is not a project with an end date. It is a continuous process of prevention, monitoring and rapid response. SSL marks the beginning, not the end. That outlook reflects our commitment to go one step further, looking past the one-time setup to keep operations secure over the long term.

How secure a website really is can be measured. We run the security check and show where action is needed. More about our stance is available on the Mission page.
