Security hardening checklist for shared hosting.

Eight practical security improvements you can apply in 30 minutes — none requiring root access.


You don't need a sysadmin background to harden a hosted site. Eight checks, 30 minutes, dramatically smaller attack surface.

1. Strong, unique passwords everywhere

  • cPanel password: 16+ characters, generated by a password manager
  • WordPress admin: same
  • MySQL: same
  • FTP/SFTP: same

If you reuse passwords across services, one breach compromises all of them. Use Bitwarden, 1Password, or KeePass. Free options work.

2. Enable 2FA on the panel

Already covered: Enabling 2FA. Do it now.

3. Force HTTPS

In public_html/.htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Visitors hitting http:// get auto-redirected to https://. Necessary for SEO and modern browser trust.

4. Disable directory browsing

Add to public_html/.htaccess:

Options -Indexes

Without this, visiting yourdomain.com/uploads/ shows a file listing — attackers love this for finding sensitive files.

5. Hide WordPress admin URL

WordPress's /wp-admin/ and /wp-login.php are the most-attacked URLs on the internet. Move them.

Plugin: WPS Hide Login. Pick a custom URL like /secret-portal-43. Now /wp-login.php returns 404 to bots.

This breaks 99% of brute-force attempts immediately. It stops the automated scanners that hammer the default paths; it is not a substitute for steps 2 and 6, which still protect the new URL once someone finds it.

6. Limit login attempts

WordPress plugin: Limit Login Attempts Reloaded (free). Block IPs after 4 failed attempts for 20 minutes.

7. Update everything weekly

Most hacks happen via known vulnerabilities in outdated plugins/themes/core. Update weekly:

  • WordPress core
  • All plugins
  • Themes (active and inactive — yes, even inactive ones have files an attacker can exploit)
  • PHP version (in cPanel MultiPHP Manager)

8. Remove unused themes, plugins, files

Unused = unmaintained = a vulnerability waiting to happen. Delete:

  • Inactive themes (keep one default as fallback)
  • Inactive plugins
  • Old backup files in public_html/ (move them off the server)
  • Old install folders (/old, /staging-2024, etc.)

Bonus: file change monitoring

Want to know if files change unexpectedly (sign of compromise)?

Plugin: Wordfence (free tier sufficient). Monitors core file integrity, alerts via email if any core or plugin file is modified.
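The monitoring the plugin does boils down to a hash baseline and a periodic comparison. The script below is an added example, not part of this article and not Wordfence's code: it records a SHA-256 hash of every file under a directory once, after a clean update, and on later runs reports anything modified, added or removed. Paths in the usage comment are placeholders, and the column offset in the comparison assumes the standard sha256sum/shasum output format.

```shell
# Added example (not the article's or Wordfence's code): file-integrity baseline
# for a hosted site. Record hashes after a clean update, re-check from cron, and
# treat any difference you did not make yourself as a sign of compromise.

# Hash every regular file under $1, one "hash  ./path" line each, sorted.
# Uses sha256sum where available and falls back to shasum on macOS/BSD.
hash_tree() {
    if command -v sha256sum >/dev/null 2>&1; then h=sha256sum; else h='shasum -a 256'; fi
    ( cd "$1" && find . -type f -exec $h {} + | LC_ALL=C sort )
}

# Compare the current state of $1 against baseline file $2.
# Prints MODIFIED/ADDED/REMOVED lines; exit status 0 only when nothing changed.
check_integrity() {
    dir="$1"; base="$2"; now="$base.now"; changes=0
    hash_tree "$dir" > "$now"
    # Every current line must appear verbatim in the baseline.
    # Assumes the 64-hex-char hash plus two spaces, so the path starts at column 67.
    while read -r hash path; do
        if ! grep -qFx "$hash  $path" "$base"; then
            if cut -c67- "$base" | grep -qFx "$path"; then
                echo "MODIFIED: $path"
            else
                echo "ADDED: $path"
            fi
            changes=$((changes + 1))
        fi
    done < "$now"
    # Baseline paths that no longer exist on disk.
    while read -r hash path; do
        [ -e "$dir/$path" ] || { echo "REMOVED: $path"; changes=$((changes + 1)); }
    done < "$base"
    rm -f "$now"
    echo "changes: $changes"
    [ "$changes" -eq 0 ]
}

# Usage (paths are placeholders):
#   sh integrity.sh baseline ~/public_html > ~/baseline.sha256   # once, after a clean update
#   sh integrity.sh check ~/public_html ~/baseline.sha256        # from cron; mail the output on failure
case "$1" in
    baseline) hash_tree "$2" ;;
    check)    check_integrity "$2" "$3" ;;
esac
```

Keep the baseline file outside public_html so a web-root compromise cannot rewrite it, and regenerate it right after each update in step 7, otherwise every legitimate update reads as a change.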

Permissions

Sensitive files should not be world-readable:

# Via SSH:
chmod 600 wp-config.php   # WordPress config — only owner can read
chmod 644 .htaccess       # readable by the web server, writable only by the owner
chmod 755 wp-content/     # standard directory perms
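Steps 3, 4 and 8 and the permission rules above can all be verified from the shell without touching the site. The script below is an added example, not part of this article: it audits a public_html tree for the HTTPS redirect rule, the Options -Indexes line, a world-readable wp-config.php, anything world-writable, and stale archives in the web root. The sample trees it builds are constructed for demonstration and assume the usual WordPress layout; the usage path is a placeholder.

```shell
# Added example (not from the article): offline audit of a shared-hosting web root
# for the .htaccess, permission and leftover-file checks in this guide.

# Build a small WordPress-like tree in $1; $2 is "good" (hardened) or "bad".
# Constructed sample data only.
make_sample_site() {
    dir="$1"; state="$2"
    mkdir -p "$dir/wp-content/uploads"
    chmod 755 "$dir" "$dir/wp-content" "$dir/wp-content/uploads"
    printf 'DB_PASSWORD=constructed-sample\n' > "$dir/wp-config.php"
    if [ "$state" = "good" ]; then
        printf 'Options -Indexes\nRewriteEngine On\nRewriteCond %%{HTTPS} off\nRewriteRule ^(.*)$ https://%%{HTTP_HOST}%%{REQUEST_URI} [L,R=301]\n' > "$dir/.htaccess"
        chmod 600 "$dir/wp-config.php"
    else
        printf 'RewriteEngine On\n' > "$dir/.htaccess"   # no redirect, no -Indexes
        chmod 644 "$dir/wp-config.php"                    # world-readable DB credentials
        chmod 777 "$dir/wp-content/uploads"               # world-writable upload dir
        : > "$dir/backup-2024.zip"                        # stale backup in the web root
    fi
    chmod 644 "$dir/.htaccess"
}

# Print one line per finding; exit status 0 means the tree passed every check.
audit_site() {
    dir="$1"; ht="$dir/.htaccess"; issues=0
    # Step 3: HTTP -> HTTPS redirect rule present
    if ! grep -qsF 'RewriteCond %{HTTPS} off' "$ht"; then
        echo "MISSING: HTTPS redirect rule in .htaccess"; issues=$((issues + 1))
    fi
    # Step 4: directory listing disabled
    if ! grep -qs '^Options.*-Indexes' "$ht"; then
        echo "MISSING: 'Options -Indexes' in .htaccess"; issues=$((issues + 1))
    fi
    # Permissions: wp-config.php holds DB credentials and must be exactly 600
    if [ -f "$dir/wp-config.php" ] && [ -z "$(find "$dir/wp-config.php" -perm 600)" ]; then
        echo "PERMS: wp-config.php is not mode 600"; issues=$((issues + 1))
    fi
    # Nothing under the web root should be world-writable (-perm -002)
    ww=$(find "$dir" -perm -002 | wc -l | tr -d ' ')
    if [ "$ww" -gt 0 ]; then
        echo "PERMS: $ww world-writable path(s) under $dir"; issues=$((issues + 1))
    fi
    # Step 8: archives and dumps left in the web root are downloadable by anyone
    stale=$(find "$dir" -maxdepth 1 \( -name '*.zip' -o -name '*.sql' -o -name '*.bak' -o -name '*.tar.gz' \) | wc -l | tr -d ' ')
    if [ "$stale" -gt 0 ]; then
        echo "STALE: $stale backup/archive file(s) in web root; move them off the server"; issues=$((issues + 1))
    fi
    echo "issues found: $issues"
    [ "$issues" -eq 0 ]
}

# Usage: sh audit.sh /home/user/public_html   (path is a placeholder)
if [ -n "$1" ]; then audit_site "$1"; fi
```

Run it once after applying the checklist and again after any plugin or theme installs, since installers sometimes loosen permissions on the directories they write.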

What about WAF?

We run ModSecurity at the server level — automatic protection against SQL injection, XSS, common exploits. No setup on your side.

For an extra layer, Cloudflare WAF (free tier) sits in front of your site and filters requests before they reach the server.

After all this

Run a security scan to verify:

  • Wordfence scans WordPress core/plugin/theme files for known issues
  • Sucuri SiteCheck (free, online): paste URL → external scan
  • Mozilla Observatory (observatory.mozilla.org): security headers grade

You're aiming for green/A grades. Anything red is a real issue; fix it.
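The header grade from Observatory and the redirect from step 3 can both be checked from a captured response, offline. The script below is an added example, not part of this article and not Observatory's code: it reports which of five common security headers a response lacks, flags an HSTS max-age shorter than a year, and confirms that a plain http:// response is a 301 to an https:// URL. The responses it uses are constructed samples; the hostname in the comments is a placeholder.

```shell
# Added example (not from the article): grade captured HTTP responses for the
# security headers scanners look for, and verify the HTTP -> HTTPS redirect.
# For a live site: curl -sI https://yourdomain.example > headers.txt  (placeholder host)

# Print a constructed response; $1 is "good", "bad" or "redirect".
sample_response() {
    if [ "$1" = "good" ]; then
        printf '%s\r\n' 'HTTP/1.1 200 OK' \
            'Strict-Transport-Security: max-age=31536000; includeSubDomains' \
            "Content-Security-Policy: default-src 'self'" \
            'X-Content-Type-Options: nosniff' \
            'X-Frame-Options: SAMEORIGIN' \
            'Referrer-Policy: strict-origin-when-cross-origin' ''
    elif [ "$1" = "redirect" ]; then
        printf '%s\r\n' 'HTTP/1.1 301 Moved Permanently' \
            'Location: https://yourdomain.example/' ''
    else
        printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' 'X-Frame-Options: SAMEORIGIN' ''
    fi
}

# Report each missing or weak header in file $1; exit 0 only when all pass.
check_headers() {
    file="$1"; missing=0
    for h in Strict-Transport-Security Content-Security-Policy \
             X-Content-Type-Options X-Frame-Options Referrer-Policy; do
        if ! grep -qi "^$h:" "$file"; then
            echo "MISSING: $h"; missing=$((missing + 1))
        fi
    done
    # HSTS only helps with a long max-age; under one year (31536000 s) is flagged
    age=$(grep -i '^Strict-Transport-Security:' "$file" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ -n "$age" ] && [ "$age" -lt 31536000 ]; then
        echo "WEAK: HSTS max-age=$age is below one year"; missing=$((missing + 1))
    fi
    echo "header problems: $missing"
    [ "$missing" -eq 0 ]
}

# For the http:// response from step 3: must be a 301 whose Location is https://
check_redirect() {
    file="$1"
    grep -q '^HTTP/[0-9.]* 301' "$file" && grep -qi '^Location: https://' "$file"
}

# Usage (placeholder paths): sh headers.sh https.txt http.txt
if [ -n "$1" ]; then
    check_headers "$1"
    [ -n "$2" ] && check_redirect "$2" && echo "redirect: OK"
fi
```

On shared hosting the missing headers are usually added in public_html/.htaccess with mod_headers, for example Header always set X-Content-Type-Options "nosniff"; whether mod_headers is enabled depends on the host, so check with the panel documentation first.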

When to stop hardening

These 8 steps cover 95% of small-business risk. Beyond this is diminishing returns unless you have specific threats (high-profile target, regulatory requirements). Pareto principle applies — 20% of the effort for 80% of the protection.
