Web Hosting Security: The Complete Checklist

Every security measure your hosting setup needs — from account creation to ongoing maintenance

~3,800 words | Security & protection | Updated 2026

Website security is one of those topics that most site owners don’t think about until something goes wrong — until they log in one morning to find their site replaced with spam, or receive an email from their host saying the account has been suspended for sending malicious traffic, or discover their visitors are being redirected to a phishing page.

The frustrating truth is that most of these incidents are preventable. The attacks that compromise the vast majority of small and medium websites aren’t sophisticated, targeted operations — they’re automated scans that probe millions of sites simultaneously for known vulnerabilities. A site with basic security hygiene simply isn’t worth the effort and gets passed over in favour of easier targets.

This guide covers every meaningful security measure for a hosted website — what it is, why it matters, and exactly how to implement it. Work through the checklist at the end and you’ll have a hosting setup that’s significantly more secure than the majority of sites on the internet.

1. The Threat Landscape

Understanding what you’re defending against makes every security decision more coherent. Website attacks fall into a handful of categories, each with different mechanics and different defences.

  • Automated Vulnerability Scanning (Highest Risk): Bots continuously scan the internet for outdated software, known CVEs, and weak credentials. The majority of site compromises start here.
  • Brute Force & Credential Stuffing (Highest Risk): Automated tools attempt thousands of username/password combinations against login pages, using leaked credential databases.
  • SQL Injection & XSS (Medium Risk): Malicious code injected via forms, URLs, or input fields to access databases or execute scripts in visitors’ browsers.
  • DDoS Attacks (Medium Risk): Floods of traffic designed to overwhelm the server and take the site offline. Typically mitigated at the CDN/firewall level.
  • Phishing & Social Engineering (Medium Risk): Fraudulent emails impersonating your host or registrar to steal login credentials or payment details.
  • Targeted Attacks (Lower Risk): Deliberate, manual attacks against a specific site or organisation. Rare for most websites but critical to defend against for high-value targets.

The practical implication of this threat landscape is that most of your security effort should be directed at the highest-risk categories — keeping software updated, using strong credentials, and enabling a firewall. These measures eliminate the vast majority of real-world attack vectors for a typical website.

2. Account and Login Security

Your hosting account, domain registrar account, and CMS login are the three most valuable targets an attacker can go after. Compromising any one of them gives access to everything. This is where security investment has the highest return.

Strong, Unique Passwords

The single most impactful security measure you can take. A strong password for your hosting account should be at least 16 characters, randomly generated, and used nowhere else. This is non-negotiable. Use a password manager — 1Password, Bitwarden, or similar — to generate and store credentials. Never reuse passwords across hosting, registrar, and CMS accounts.

Credential Stuffing Is Automated

When a major service gets breached and email/password combinations leak online, automated tools immediately test those credentials against thousands of other services — including hosting control panels, registrar accounts, and WordPress logins. If you reuse passwords, a breach at an unrelated service can compromise your hosting. Unique passwords per service is the only defence.

Two-Factor Authentication (2FA)

Enable 2FA on every account involved in your hosting setup — your domain registrar, your hosting provider, and your CMS. 2FA means a stolen password alone isn’t enough to access the account. An attacker also needs physical access to your authentication device. Most hosting providers and registrars offer TOTP-based 2FA via apps like Google Authenticator or Authy.

Priority order for enabling 2FA:

  1. Domain registrar — losing control of your domain is the worst possible scenario; it takes everything with it
  2. Hosting control panel (cPanel, hPanel, custom dashboard)
  3. WordPress / CMS admin
  4. Email account associated with all of the above

Protecting WordPress Login

The WordPress login page at /wp-login.php and /wp-admin/ is the most heavily brute-forced URL on the internet. Every public WordPress site receives automated login attempts continuously. Defences:

  • Limit login attempts — plugins like Limit Login Attempts Reloaded lock out IPs after a configurable number of failed attempts
  • Change the login URL — plugins like WPS Hide Login move the login page to a custom URL, eliminating the default target entirely
  • Block xmlrpc.php — WordPress’s XML-RPC endpoint is frequently exploited for brute force attacks; disable it unless you specifically need it
  • Use application passwords — if you need API access to WordPress, use WordPress’s built-in application passwords rather than your main admin credentials

3. SSL and HTTPS

SSL/HTTPS is the security baseline for any public website. Without it, data transmitted between visitors and your server travels in plain text — readable by anyone positioned between the two endpoints. With it, all communication is encrypted.

Getting SSL Right

  • Activate your free SSL certificate — virtually every reputable hosting provider now includes free Let’s Encrypt SSL. Activate it immediately when setting up your account.
  • Force HTTPS site-wide — redirect all HTTP requests to HTTPS. In WordPress, the Really Simple SSL plugin handles this automatically. On Apache, add a redirect rule in .htaccess.
  • Verify auto-renewal is active — Let’s Encrypt certificates expire every 90 days. Confirm your host auto-renews them. Check your SSL expiry date periodically — an expired certificate displays browser warnings to every visitor.
  • Fix mixed content — even after enabling HTTPS, hardcoded HTTP links to images, scripts, or stylesheets trigger browser warnings. Use a plugin or Cloudflare’s Automatic HTTPS Rewrites to catch these.

HSTS — HTTP Strict Transport Security

HSTS is a response header that tells browsers to always use HTTPS for your domain — never HTTP — for a specified period. Once a browser has seen the HSTS header, it will refuse to connect via HTTP even if a user manually types http://. This prevents downgrade attacks where a man-in-the-middle intercepts an HTTP connection before the redirect to HTTPS occurs.

Enable HSTS only after you’re certain HTTPS is fully working on your site — if something goes wrong, HSTS can make it temporarily inaccessible. Cloudflare makes HSTS easy to enable and disable from the dashboard.

Test Your SSL Configuration

After enabling SSL, run your site through SSL Labs (ssllabs.com/ssltest). It grades your configuration from A+ to F, checking certificate validity, protocol versions (TLS 1.2 and 1.3 should be enabled; TLS 1.0 and 1.1 should be disabled), and cipher suite security. An A or A+ rating means your SSL is properly configured.
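The three checks in this section (the HTTP to HTTPS redirect, the HSTS header, and certificate expiry) can be scripted so they run on a schedule instead of being remembered. The script below is an added example, not code from the page's author or from any host or plugin. The header-parsing functions work on captured response headers, so they can be exercised without network access; `check_site` performs the live checks and assumes `curl` and `openssl` are installed and that `example.com` is replaced with your own domain.

```bash
#!/usr/bin/env bash
# Audit the HTTPS pieces from this section: redirect, HSTS, certificate expiry.
# Added example; the domain in the usage line at the bottom is a placeholder.
set -u

# has_https_redirect HEADERS -> 0 if the plain-HTTP response is a 301/302/307/308
# whose Location header points at an https:// URL
has_https_redirect() {
  local headers="$1"
  printf '%s\n' "$headers" | grep -Eiq '^HTTP/[0-9.]+ +30[1278]' \
    && printf '%s\n' "$headers" | grep -Eiq '^location: *https://'
}

# hsts_max_age HEADERS -> prints the max-age value from Strict-Transport-Security,
# or 0 when the header is absent or has no max-age
hsts_max_age() {
  local age
  age=$(printf '%s\n' "$1" | grep -i '^strict-transport-security:' | head -n 1 \
        | grep -oiE 'max-age=[0-9]+' | grep -oE '[0-9]+' || true)
  echo "${age:-0}"
}

# hsts_ok HEADERS -> 0 if max-age is at least one year (31536000 s), the minimum
# the browser preload list requires and a sensible floor for any site
hsts_ok() { [ "$(hsts_max_age "$1")" -ge 31536000 ]; }

# cert_days_left HOST -> prints the number of days until the served certificate
# expires (live check; needs openssl and network access)
cert_days_left() {
  local host="$1" end
  end=$(openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# check_site HOST -> runs all three checks against a live site and prints a summary.
# curl -I does not follow redirects, so the first response is what gets inspected.
check_site() {
  local host="$1" h
  h=$(curl -sI --max-time 10 "http://$host/")
  if has_https_redirect "$h"; then echo "redirect to https: ok"; else echo "redirect to https: MISSING"; fi
  h=$(curl -sI --max-time 10 "https://$host/")
  if hsts_ok "$h"; then echo "hsts: ok (max-age=$(hsts_max_age "$h"))"; else echo "hsts: missing or max-age too short"; fi
  echo "certificate days left: $(cert_days_left "$host")"
}

# Usage (placeholder domain): check_site example.com
```

Run `check_site` from cron a few times a week and alert when the certificate has fewer than, say, 14 days left: a Let's Encrypt certificate that auto-renewal has silently stopped renewing will still show 30 days remaining when the renewal first fails, which is the window in which to notice. The script also reports a missing HSTS header, which matches the advice above to enable HSTS only once the redirect and certificate checks pass.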

4. Backups: Your Last Line of Defence

A good backup strategy doesn’t prevent attacks — but it determines whether a successful attack is a recoverable incident or a catastrophic loss. Every other security measure can fail. Backups are what you fall back on when they do.

The 3-2-1 Backup Rule

  • 3 copies of your data
  • 2 different storage media or locations
  • 1 offsite copy

For a website: your hosting account has the live site, your host’s automated backup system has a copy, and you have a separate copy stored offsite — in cloud storage like Dropbox, Google Drive, or Amazon S3. The offsite copy is critical: if your hosting account is compromised and the attacker deletes your files and backups, you need a copy that wasn’t touched.

What to Back Up

  • All website files — the full contents of your public_html directory or equivalent
  • The database — for WordPress and most CMS platforms, the database contains all your content, settings, and user data. The files without the database are incomplete.
  • Email — if you host email on the same account, email data should be backed up separately
  • DNS records — export a copy of your full DNS zone; if something goes wrong during a migration, having the exact records saves significant time

Backup Frequency and Retention

Site Type                         Recommended Frequency    Retention Period
Blog / informational site         Daily                    30 days
Business site with contact forms  Daily                    30 days
eCommerce (orders, customers)     Daily or real-time       90 days
Membership / subscription site    Daily                    60 days
High-frequency content updates    Multiple times daily     14 days minimum
Test Your Backups

An untested backup is not a backup — it’s a hope. Restore from backup to a staging environment at least once to confirm the backup is complete and the restoration process works. Many people discover their backups are broken or incomplete only when they desperately need them. Test before you need to rely on it.
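The pieces above (files plus database, an offsite copy, a retention period, and a restore that is actually exercised) fit in one nightly script. The following is an added example written for this article, not a host's backup system or UpdraftPlus; the site path, local backup directory, database name, and the `rclone` remote name `offsite:` are assumptions to replace with your own. Database credentials are read from `~/.my.cnf` so they never appear on the command line.

```bash
#!/usr/bin/env bash
# Nightly 3-2-1 backup: archive the site files, dump the database, verify the
# archive, copy both offsite, and prune copies older than the retention period.
# Added example; paths, database name and rclone remote are placeholders.
set -eu

# backup_files SRC_DIR DEST_DIR STAMP -> writes DEST_DIR/files-STAMP.tar.gz, prints its path
backup_files() {
  local src="$1" dest="$2" stamp="$3" out
  out="$dest/files-$stamp.tar.gz"
  mkdir -p "$dest"
  # -C so the archive stores paths relative to the site root, which makes restoring
  # to a staging directory straightforward
  tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")"
  echo "$out"
}

# backup_db DB_NAME DEST_DIR STAMP -> dumps the database with mysqldump, prints the path.
# --single-transaction gives a consistent snapshot of InnoDB tables without locking the site.
backup_db() {
  local db="$1" dest="$2" stamp="$3" out
  out="$dest/db-$stamp.sql.gz"
  mkdir -p "$dest"
  mysqldump --single-transaction "$db" | gzip > "$out"
  echo "$out"
}

# verify_archive FILE -> 0 if the tarball lists cleanly (catches truncated or corrupt files)
verify_archive() { tar -tzf "$1" >/dev/null 2>&1; }

# prune_backups DEST_DIR DAYS -> deletes backup archives older than DAYS, prints how many
prune_backups() {
  local dest="$1" days="$2" n
  n=$(find "$dest" -maxdepth 1 -type f \( -name 'files-*.tar.gz' -o -name 'db-*.sql.gz' \) \
        -mtime +"$days" | wc -l)
  find "$dest" -maxdepth 1 -type f \( -name 'files-*.tar.gz' -o -name 'db-*.sql.gz' \) \
        -mtime +"$days" -delete
  echo "$n"
}

# run_nightly -> the cron entry point. Live site + local archive + offsite copy gives
# three copies, two locations, one offsite. Retention of 30 days matches the table above.
run_nightly() {
  local site=/var/www/example.com/public_html   # assumed site root
  local dest=/var/backups/site                  # assumed local backup directory
  local remote=offsite:site-backups             # assumed rclone remote (e.g. an S3 bucket)
  local retention=30
  local stamp f d
  stamp=$(date +%Y%m%d-%H%M)
  f=$(backup_files "$site" "$dest" "$stamp")
  d=$(backup_db wordpress "$dest" "$stamp")
  verify_archive "$f"                     # a broken archive fails the run instead of being uploaded
  rclone copy "$f" "$remote"
  rclone copy "$d" "$remote"
  rclone delete --min-age "${retention}d" "$remote"   # apply the same retention offsite
  prune_backups "$dest" "$retention"
}

# cron: 0 3 * * * /usr/local/bin/site-backup.sh   (then: run_nightly)
```

Give the `rclone` remote write-only or bucket-scoped credentials so that an attacker who takes over the hosting account cannot list and delete the offsite copies; that is the property the offsite copy exists to provide. Restoring is the reverse (`tar -xzf` into a staging directory and `gunzip -c db-*.sql.gz | mysql staging_db`), and doing it once a quarter is the "test your backups" step above.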

5. Malware and Intrusion Protection

Even with strong credentials and updated software, malware can enter through compromised plugins, themes, or supply chain attacks. Detection and containment are as important as prevention.

Web Application Firewall (WAF)

A WAF sits between the internet and your web server, inspecting incoming requests and blocking traffic that matches known attack patterns — SQL injection attempts, XSS payloads, bad bots, and more — before it ever reaches your application. It’s one of the highest-value security additions for any website.

Options by cost and complexity:

  • Cloudflare Free — basic WAF rules included with the free plan; blocks the most common attack patterns with zero configuration
  • Cloudflare Pro ($20/mo) — full OWASP Core Rule Set, advanced bot management, rate limiting
  • Wordfence (WordPress) — free plugin that adds a WAF at the application level; excellent for WordPress specifically
  • Sucuri — dedicated security service with WAF, malware scanning, and incident response

Malware Scanning

Regular malware scanning detects infections that have already occurred — changed files, injected code, suspicious outbound connections. Many sites run with malware for weeks or months before the owner notices. Options:

  • Host-provided scanning — many hosts (SiteGround, FastComet, HostArmada) include malware scanning in their plans
  • Wordfence — free tier scans WordPress core, plugins, and themes against known malware signatures
  • Sucuri SiteCheck — free remote scan that checks for blacklisting, malware, and injected content visible in page source
  • Imunify360 — server-level protection included with many cPanel hosts; scans all files continuously

File Integrity Monitoring

File integrity monitoring tracks changes to your website’s files and alerts you when unexpected modifications occur. A WordPress core file that’s been modified, a new PHP file in an unusual location, or a changed configuration file — these are the fingerprints of a compromise. Wordfence includes file integrity monitoring in its free tier.

6. WordPress-Specific Security

WordPress powers over 43% of all websites, which makes it the most targeted CMS by a wide margin. Most WordPress security issues stem from three sources: outdated software, nulled (pirated) themes and plugins, and poor credential management. All three are entirely preventable.

Keep Everything Updated

The majority of WordPress compromises exploit known vulnerabilities in outdated plugins, themes, or the WordPress core itself. When a vulnerability is publicly disclosed and a patch is released, automated scanners immediately begin probing sites for the unpatched version. The window between disclosure and exploitation is often hours, not days.

  • Enable automatic updates for WordPress core (minor/security releases at minimum)
  • Update plugins within 24 hours of a security release being available
  • Remove plugins and themes you aren’t actively using — inactive code can still be exploited
  • Delete inactive themes except the default WordPress theme (required as a fallback)

Never Use Nulled Themes or Plugins

Nulled software — pirated premium themes and plugins distributed for free — is one of the most common vectors for WordPress infections. These packages frequently contain backdoors, malware injectors, or hidden spam links inserted by the distributor. The “free” theme costs far more in cleanup and downtime than the legitimate license would have. Only ever install plugins and themes from the official WordPress repository or from the legitimate developer’s website.

Harden the WordPress Configuration

  • Disable file editing — add define('DISALLOW_FILE_EDIT', true); to wp-config.php to prevent editing themes and plugins from the WordPress admin dashboard (removes an attack vector if admin is compromised)
  • Protect wp-config.php — move it one directory above the web root if your host supports it, or add server rules to block direct access
  • Set correct file permissions — directories should be 755, files should be 644, wp-config.php should be 600
  • Disable directory listing — add Options -Indexes to your .htaccess to prevent visitors from browsing directory contents
  • Change the default admin username — never use “admin” as a WordPress username; it’s the first credential brute-force tools try
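The file-level items in the list above (permissions, DISALLOW_FILE_EDIT, directory listing) are easy to get right once and easy to lose again after a migration or a plugin that resets permissions, so they are worth auditing from a script. The script below is an added example, not WordPress's or any security plugin's code. It assumes a standard install with wp-config.php in the site root and Apache reading .htaccess; it also flags PHP files under wp-content/uploads, the "new PHP file in an unusual location" that the file integrity section describes as a compromise fingerprint.

```bash
#!/usr/bin/env bash
# Audit and fix the WordPress hardening items from the list above.
# Added example; assumes wp-config.php lives in the site root.
set -u

# wp_audit ROOT -> prints one finding per line, returns the number of findings (0 = clean)
wp_audit() {
  local root="$1" findings=0 cfg="$1/wp-config.php" mode bad_dirs bad_files stray

  # 1. wp-config.php must exist and be readable only by its owner (600)
  if [ ! -f "$cfg" ]; then
    echo "MISSING: $cfg"; findings=$((findings+1))
  else
    mode=$(stat -c '%a' "$cfg")
    [ "$mode" = "600" ] || { echo "PERM: wp-config.php is $mode, expected 600"; findings=$((findings+1)); }
    # 2. theme/plugin editing from the dashboard must be disabled
    grep -Eq "define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)" "$cfg" \
      || { echo "CONFIG: DISALLOW_FILE_EDIT not set to true in wp-config.php"; findings=$((findings+1)); }
  fi

  # 3. directories 755, regular files 644 (wp-config.php is handled above)
  bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l)
  bad_files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l)
  [ "$bad_dirs" -eq 0 ]  || { echo "PERM: $bad_dirs directories are not 755"; findings=$((findings+1)); }
  [ "$bad_files" -eq 0 ] || { echo "PERM: $bad_files files are not 644"; findings=$((findings+1)); }

  # 4. directory listing disabled in .htaccess (-s: a missing file is simply a miss)
  grep -qs '^Options.*-Indexes' "$root/.htaccess" \
    || { echo "CONFIG: 'Options -Indexes' missing from .htaccess"; findings=$((findings+1)); }

  # 5. PHP files in the uploads directory should never exist; they are a classic sign
  #    that a file upload path has been abused
  stray=$(find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null | wc -l)
  [ "$stray" -eq 0 ] || { echo "SUSPICIOUS: $stray PHP file(s) under wp-content/uploads"; findings=$((findings+1)); }

  return "$findings"
}

# wp_fix_perms ROOT -> applies the 755 / 644 / 600 scheme from the list above
wp_fix_perms() {
  local root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
  return 0
}

# Usage on the server:  wp_audit /var/www/html; echo "findings: $?"
#                       wp_fix_perms /var/www/html
```

`wp_fix_perms` only corrects permissions; the two configuration findings are left for you to fix by hand, since appending to wp-config.php or .htaccess automatically is how a typo takes a site down. On shared hosts where PHP runs as your own user, 600 on wp-config.php is correct; where PHP runs as a separate web user, your host's documented value applies instead.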
Recommended Security Plugin Stack

For most WordPress sites, this combination covers the essentials: Wordfence (WAF, malware scanning, login protection, file integrity monitoring) + UpdraftPlus (automated backups to offsite storage) + Really Simple SSL (HTTPS enforcement). Three plugins, all free at the tier most sites need, covering the three most critical security areas.

7. DNS and Domain Security

Your domain is the gateway to everything — hosting, email, and your online identity. Losing control of your domain is arguably worse than losing control of your hosting account, because an attacker who controls your domain can redirect all traffic, intercept email, and impersonate your site to any visitor.

Domain Locking

Enable domain locking at your registrar. This setting prevents any transfer of your domain to another registrar without first explicitly unlocking it — a step that requires authentication. Keep it locked at all times; only unlock briefly when initiating a genuine transfer.

Registrar Account Security

Apply the same credential standards to your registrar account as to your hosting account — unique strong password, 2FA enabled. Registrar accounts are targeted specifically because domain theft is highly lucrative. Use a registrar with a strong security reputation (Cloudflare Registrar, Namecheap, or Porkbun are solid choices).

DNSSEC

DNSSEC adds cryptographic signatures to your DNS records, allowing resolvers to verify that the records they receive are authentic and haven’t been tampered with. It specifically prevents DNS cache poisoning attacks that could redirect your visitors to attacker-controlled servers. Enable it at both your registrar and your DNS provider — Cloudflare offers free DNSSEC with a single toggle.

Monitor for Unexpected DNS Changes

Set up monitoring to alert you if your DNS records change unexpectedly. Tools like UptimeRobot’s monitoring or a dedicated DNS monitoring service can alert you within minutes of a change. An unexpected A record change is a serious warning sign — it may indicate your registrar or DNS account has been compromised.
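A monitoring service is the easy route, but the check itself is small enough to run from cron on any machine with `dig`. The script below is an added example, not UptimeRobot's or any vendor's code. It snapshots the record types that matter most for a takeover (A/AAAA for traffic, MX for email, NS for delegation, TXT for SPF/DMARC and verification tokens), stores a baseline, and exits non-zero with a diff when anything changes; the resolver `1.1.1.1`, the baseline path, and the cron interval are assumptions.

```bash
#!/usr/bin/env bash
# Alert on unexpected DNS changes by comparing a fresh snapshot to a saved baseline.
# Added example; resolver, baseline path and domain are placeholders.
set -u

# dns_snapshot DOMAIN -> prints sorted "TYPE value" lines for the records that matter
dns_snapshot() {
  local domain="$1" t
  for t in A AAAA MX NS TXT; do
    dig +short "$domain" "$t" @1.1.1.1 | sed "s/^/$t /"
  done | sort
}

# dns_diff BASELINE CURRENT -> prints removed lines as "- ..." and added lines as "+ ...";
# returns 0 when the two snapshots hold the same records (order does not matter), else 1
dns_diff() {
  local base="$1" cur="$2" b c changed tab
  tab=$(printf '\t')
  b=$(mktemp); c=$(mktemp)
  printf '%s\n' "$base" | sort > "$b"
  printf '%s\n' "$cur"  | sort > "$c"
  # comm -3 drops lines present in both; lines only in CURRENT come back tab-indented
  changed=$(comm -3 "$b" "$c" | sed -e "s/^$tab/+ /" -e 't' -e 's/^/- /')
  rm -f "$b" "$c"
  [ -z "$changed" ] && return 0
  printf '%s\n' "$changed"
  return 1
}

# dns_monitor DOMAIN BASELINE_FILE -> first run saves the baseline; later runs report drift.
# Exit status 1 on change so cron (or a wrapper) can send the alert.
dns_monitor() {
  local domain="$1" file="$2" now
  now=$(dns_snapshot "$domain")
  if [ ! -f "$file" ]; then
    printf '%s\n' "$now" > "$file"
    echo "baseline saved to $file"
    return 0
  fi
  if dns_diff "$(cat "$file")" "$now"; then
    echo "no change for $domain"
  else
    echo "DNS CHANGED for $domain (see lines above); verify at the registrar before updating the baseline"
    return 1
  fi
}

# cron every 5 minutes (placeholders):
#   */5 * * * * /usr/local/bin/dns-monitor.sh example.com /var/lib/dns-baseline.txt
# dns_monitor "$@"
```

When you make a deliberate DNS change, delete the baseline file so the next run re-saves it; otherwise every run keeps alerting, which trains you to ignore the one alert that matters. Querying a public resolver rather than your own authoritative server means the check sees what your visitors see, including a poisoned or hijacked answer.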

8. Server-Level Security

For shared hosting users, most server-level security is managed by your host. For VPS and cloud hosting users, server security becomes your responsibility — or your managed hosting provider’s. Here’s what matters at the server level.

Keep Server Software Updated

On a managed host, the hosting provider handles OS and server software updates. On an unmanaged VPS, you are responsible for running updates — apt upgrade on Debian/Ubuntu, yum update on CentOS/RHEL — and doing so promptly when security patches are released. A VPS running an unpatched OS is an extremely high-value target.

SSH Hardening (VPS Users)

  • Disable root login — add PermitRootLogin no to /etc/ssh/sshd_config and use a non-root user with sudo privileges instead
  • Use SSH key authentication — disable password-based SSH login (PasswordAuthentication no) and authenticate only with SSH keys
  • Change the default SSH port — moving SSH from port 22 to a non-standard port dramatically reduces automated scan noise
  • Use fail2ban — automatically blocks IP addresses with multiple failed SSH login attempts

Firewall Configuration

A server firewall (UFW on Ubuntu, firewalld on CentOS) should be configured to allow only the specific ports your services need — typically 80 (HTTP), 443 (HTTPS), and your SSH port. Block everything else by default. Many attacks probe unusual ports looking for exposed services that were never meant to be public-facing.
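The SSH list and the firewall paragraph above are the usual first half-hour on a fresh Debian/Ubuntu VPS. The script below is an added example, not from the page's author or any hosting provider; it assumes OpenSSH's /etc/ssh/sshd_config, UFW, and that your own public key is already in the non-root user's ~/.ssh/authorized_keys (disabling password authentication before that is how people lock themselves out). The port is left at 22 here; the port change is optional noise reduction rather than a control, and `ufw limit` covers the rate-limiting the list assigns to fail2ban.

```bash
#!/usr/bin/env bash
# Harden sshd and configure UFW per the two lists above. Added example; must run as root
# on the VPS. Assumes OpenSSH and UFW on Debian/Ubuntu.
set -eu

# set_sshd_option FILE KEY VALUE -> writes "KEY VALUE", replacing every existing line for
# KEY (commented or not). sshd uses the FIRST value it reads for a keyword, so leaving a
# stray earlier line in place would silently win over anything appended later.
set_sshd_option() {
  local file="$1" key="$2" value="$3"
  if grep -Eq "^[#[:space:]]*$key[[:space:]]" "$file"; then
    sed -i -E "s|^[#[:space:]]*$key[[:space:]].*|$key $value|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# sshd_effective FILE KEY -> prints the first uncommented value of KEY (first match wins
# in sshd_config), or nothing if the keyword is not set
sshd_effective() {
  grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}'
}

# harden_sshd [FILE] -> applies the settings from the SSH list and validates the result
harden_sshd() {
  local cfg="${1:-/etc/ssh/sshd_config}"
  cp -p "$cfg" "$cfg.bak"                      # keep the previous config for rollback
  set_sshd_option "$cfg" PermitRootLogin no
  set_sshd_option "$cfg" PasswordAuthentication no
  set_sshd_option "$cfg" PubkeyAuthentication yes
  set_sshd_option "$cfg" MaxAuthTries 3
  # sshd -t validates the file; an invalid config would otherwise leave sshd unable to
  # restart, and the error surfaces here rather than on the next reboot
  if command -v sshd >/dev/null 2>&1; then sshd -t -f "$cfg"; fi
}

# configure_firewall [SSH_PORT] -> allow only SSH, HTTP and HTTPS inbound; deny the rest
configure_firewall() {
  local ssh_port="${1:-22}"
  ufw default deny incoming
  ufw default allow outgoing
  ufw limit "$ssh_port/tcp"     # allow, but rate-limit repeated connection attempts
  ufw allow 80/tcp
  ufw allow 443/tcp
  ufw --force enable
}

# Run order matters: open the firewall for SSH before restarting sshd, and keep your
# current session open until a second login with the key succeeds.
# configure_firewall 22 && harden_sshd && systemctl restart ssh
```

On Ubuntu 22.04 and later, /etc/ssh/sshd_config starts with an `Include /etc/ssh/sshd_config.d/*.conf` line, and because sshd takes the first value it sees, a drop-in there (cloud images often ship one that re-enables password authentication) overrides this file. `sshd -T | grep -i passwordauthentication` shows the value sshd will actually use; check it after the restart rather than trusting the file you edited.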

PHP Configuration

Several PHP configuration settings meaningfully affect security. In your php.ini or hosting control panel:

  • Disable allow_url_fopen and allow_url_include if not needed (prevents remote file inclusion attacks)
  • Keep PHP updated to a supported version — unsupported PHP versions receive no security patches
  • Set display_errors = Off in production (error messages can expose sensitive server information to attackers)
  • Set appropriate open_basedir restrictions to confine PHP to its allowed directories

9. What Your Host Should Provide

Security is a shared responsibility between you and your hosting provider. Understanding what your host should be providing — and what you need to verify — helps you evaluate providers and identify gaps.

Security Feature            Should Be Included By                     What to Check
Free SSL certificate        All reputable hosts                       Auto-renewal is active; covers root and www
Automated daily backups     Most quality shared hosts                 Retention period; restoration is possible
DDoS protection             Most hosts (basic level)                  What threshold triggers mitigation
Malware scanning            Premium shared hosts, managed WordPress   Frequency; what happens on detection
Firewall (WAF)              Premium hosts, managed WordPress          Rule set in use; bypass options
Two-factor authentication   All reputable hosts                       Enforce it on your account immediately
Network monitoring          All reputable hosts                       Uptime SLA; incident notification process
Isolated accounts           Quality shared hosts                      One compromised account can’t affect others
Ask Your Host Directly

Before signing up, ask your prospective host: What happens if malware is detected on my account? What is your incident response process? Do you proactively notify customers of security events? A host that can answer these questions clearly and specifically is one that takes security seriously. Vague answers are a red flag.

10. The Master Security Checklist

Work through this checklist when setting up a new hosting account, auditing an existing site, or after any security incident.

Account Security

  • Strong unique password set on hosting control panel (16+ characters, password manager generated)
  • Strong unique password set on domain registrar account
  • Strong unique password set on WordPress / CMS admin
  • 2FA enabled on hosting control panel
  • 2FA enabled on domain registrar
  • 2FA enabled on WordPress admin (via plugin or built-in)
  • 2FA enabled on email account associated with all of the above

SSL and HTTPS

  • SSL certificate active and valid for root domain and www
  • All HTTP traffic forced to redirect to HTTPS
  • Auto-renewal confirmed active in hosting dashboard
  • No mixed content warnings in browser console
  • SSL Labs test returns A or A+ rating

Backups

  • Automated daily backups enabled (files and database)
  • Backups stored offsite — not only on the same hosting account
  • Backup restoration tested at least once
  • Retention period covers at least 30 days

WordPress Security

  • WordPress core updated to latest version
  • All plugins updated; unused plugins deleted
  • All themes updated; unused themes deleted (keep one default)
  • Admin username is not “admin”
  • Login attempts limited via plugin
  • xmlrpc.php disabled unless actively needed
  • Security plugin active (Wordfence or equivalent)
  • File permissions set correctly (755 directories, 644 files, 600 wp-config.php)
  • DISALLOW_FILE_EDIT set in wp-config.php

DNS and Domain

  • Domain lock enabled at registrar
  • DNSSEC enabled if registrar and DNS provider support it
  • DNS records monitored for unexpected changes
  • SPF, DKIM, and DMARC records configured if sending email from the domain

Firewall and Monitoring

  • Cloudflare or equivalent CDN/WAF active in front of origin server
  • Uptime monitoring configured (UptimeRobot or equivalent)
  • Malware scanning scheduled or continuous
  • Alert notifications configured for security events

Security Is Maintenance, Not a One-Time Setup.

Most website security failures aren’t the result of sophisticated attacks or zero-day exploits. They’re the result of outdated software, weak passwords, and missing backups — all preventable with straightforward, consistent habits. The checklist above covers everything that matters for the vast majority of hosted websites.

The key mindset shift is treating security as ongoing maintenance rather than a box to tick at launch. Update software promptly. Review your backup restoration quarterly. Rotate credentials after any suspected compromise. Check your SSL expiry. None of these tasks take long — but skipping them consistently is how sites get compromised. Security doesn’t need to be complicated — it needs to be done.

A secure site is a maintained site.
Start the checklist today.