CRAFT CMS DEVELOPER

7 Expert Tips to Keep Your Craft CMS Website Secure

Published on May 28, 2025

Secure craft

Keeping your Craft CMS website secure is essential for protecting sensitive user data, maintaining business continuity, and preserving your brand reputation. While Craft CMS is built with security in mind, your implementation and server practices play a critical role in hardening your site against potential threats.

This guide highlights 7 expert tips to help you keep your Craft CMS website secure and compliant with modern web standards.

 

 

1. Keep Craft CMS and Plugins Updated

 

Running outdated versions of Craft CMS or its plugins increases the risk of vulnerabilities. The development team regularly releases updates that include security patches, performance improvements, and new features.

Best Practice:

Enable update notifications within the control panel

Regularly schedule updates in your development workflow

Review the Craft CMS changelog for known vulnerabilities

Tip: Always back up your site before applying any updates.

 

 

2. Use Secure Hosting and HTTPS

 

Choose a hosting provider that prioritizes security and performance. Look for features like firewalls, DDoS protection, daily backups, and server-level scanning.

In addition, enable HTTPS with an SSL certificate to encrypt all data between the browser and server. Craft CMS fully supports HTTPS, and using it also improves SEO rankings.

External Resource:
HTTPS: Enabling Secure Web – U.S. General Services Administration

 

 

3. Implement Strong Passwords and User Permissions

 

Weak passwords are one of the most common attack vectors. Enforce strong password policies across all user accounts and use two-factor authentication (2FA) where possible.

For user permissions:

Use Craft's user groups and permissions to restrict access.

Avoid giving admin rights to all users—assign roles based on need.

External Resource:
NIST Guidelines on Password Security

 

 

4. Use a Web Application Firewall (WAF)

 

A WAF helps protect your site against common attacks like SQL injection, cross-site scripting (XSS), and brute-force attempts. This is especially helpful if your site handles form inputs or user data.

You can use tools like:

Cloudflare WAF

Sucuri

ModSecurity (for Apache servers)

WAFs filter malicious traffic before it hits your Craft CMS application.

 

 

5. Disable Dev Mode on Production

 

Craft CMS offers a developer mode that provides detailed error messages and debugging information. While helpful during development, it should never be enabled on a live site.

Why?

Dev mode can expose sensitive paths, database info, and stack traces to attackers.

How to check:
Ensure your .env file includes:

ini

  • CRAFT_ENVIRONMENT=production   DEV_MODE=false 



6. Set File and Folder Permissions Properly

 

Incorrect file permissions can leave your website open to tampering or deletion.

Recommended settings:

Files: 644

Folders: 755

Configuration files (e.g., .env): 600

Avoid setting anything to 777, as it grants full access to all users and processes.

Pro tip: Limit write access to folders like storage/ and web/uploads/.

 

7. Monitor Logs and Enable Security Alerts

 

Craft CMS generates logs for various activities, including errors, updates, and user actions. Regularly reviewing these logs can help detect suspicious behavior.

Also:

Enable server-side monitoring tools (e.g., fail2ban, auditd)

Subscribe to security bulletins from Craft and plugin developers

Set up email alerts for login attempts or permission changes

 

 

Bonus: Regular Backups and Disaster Recovery Plan

 

Even with the best precautions, things can go wrong. Make sure you maintain:

Daily automated backups of files and database

Offsite storage (e.g., AWS S3, Google Cloud)

A documented recovery procedure

Test your backups periodically to ensure they're reliable and restorable.

 

 

Conclusion

 

Proactively managing your site’s security is a responsibility, not an option. Whether you're a developer, agency, or business owner, these 7 expert tips will help you keep your Craft CMS website secure and resilient against threats.

Craft CMS provides the tools—you provide the vigilance. With consistent updates, secure hosting, and smart user management, your site can remain both powerful and protected.