If you have a website that you need to protect-perhaps you even want to be sure that no one other than the hand picked people you choose can see it, what measures would you take to protect it?

Also, how would you personally log visitors to see whether there were any unauthorised visits?

Well I am not sure if you are looking for this but you can use password protection for your website. In cpanel there is 'Password Protect Directories' feature, you may use it.

Personally I would use a pretty basic splash page that simply provides a login, something similar to the wordpress admin login would suffice, then proceed with possible security techniques such as:

• IP logging | Record the time, date, visit count and IP of all incoming connections to the page, use the IP address as the unique ID in the database meaning the simple PHP logging the IP's will retrieve an error when adding duplicates which you handle by +1 to the existing records visit count. Run a script on cron to remove all 1/2 visit records after 1 month, 3/4 an additional month and so on dependant on what number of visits you deem a threat, ensure that you exclude the IP of your users.
  
• Login | Use their IP, a Hidden field (CSS), username, password and potentially 3 drop downs containing chars A-Z and numbers 0-9 of which they will be asked to enter selected characters from a set length (often 12) secret answer (no question for the required answer). Often the username and password are asked on step 1 of login, step 2 for the drop downs.
  
• Using the hidden field (css) to detect bots by ensuring you have duplicate username or password field to validate for blank entry.
  
• Brute force, Cross site scripting, SQL injection, Cross-site request forgeries (CSRF) | All of these are exceedingly important threats and though the use of careful "escaping" of the data accepting and ensuring that only a reasonable number of attempts are given you should ensure you avoid many of these issues, though other techniques are available.
• The last part really ties into the login and there are a number of ways to proceed in terms of cookies, session variables etc, personally I would use session variables and include a file in the top of every page to check said session variable for every administrative action or click.

Ensuring that sessions expire and are ended correctly to avoid the above threats is also important, and simply redirecting the user to the login page on failure, possibly use. htaccess to redirect all request s to the site to the login and then navigate from there also.

Hope some of that helps, it's pretty much what most web developers or programmers consider when creating logins in its most basic form.

Along with the above options, when we have exploits on a site and we need the developer to modify content but not let anyone else have access to the site, a simple DENY statement in an .htaccess file will block everyone from seeing the website. Then an ALLOW statement with just their IP number allows them to continue to test and work on things until everything is resolved and we then remove the DENY statement.

So depending on the content, a login like the above suggestions could be used, or a simple IP DENY statement would work too.

Thank you for the replies, and handson, that's perfect. I need a high level of security for a very small site, with access to only a very few people, and that would be a nice and secure way around it (combined with the password protection we already have).

.htaccess password protect, firewall, and denyhosts

Indeed, the IP logging/allowing is a good choise.