
Basic security checklist for DirectAdmin

Harden your DirectAdmin hosting account: use strong passwords, correct file permissions, HTTPS, and protect admin login areas.


A compromised hosting account can affect every website, email account, and database under it. These steps cover the most impactful things you can do to protect your DirectAdmin account without needing server-level access.

Strong passwords

  • Use a password of at least 12 characters with uppercase, lowercase, numbers, and symbols
  • Do not reuse passwords across DirectAdmin, email accounts, WordPress, and CustomerPanel
  • Change the DirectAdmin password immediately if you believe it has been compromised
  • Change email account passwords separately; they are not linked to your DirectAdmin password, so changing one does not change the other
  • Use a password manager to generate and store strong, unique passwords

HTTPS and SSL

  • Issue a free Let's Encrypt SSL certificate for every domain on your account; see Free SSL in DirectAdmin
  • Force HTTPS in .htaccess so visitors who arrive over plain HTTP are redirected and all traffic is encrypted
  • Verify that no pages or resources load over HTTP (check for mixed content warnings)

File permissions

Overly loose file permissions are one of the most common ways an account gets compromised or a compromise spreads: a world-writable file or directory can be modified by anything else running on the server. Use these as a baseline:

Type                        Permission
Directories                 755
PHP and HTML files          644
WordPress wp-config.php     600 or 640
.htaccess                   644

Avoid setting any file or directory to 777 (world-writable). If an application only works with 777 permissions, the problem is in the application, not in your permissions; fix or replace it rather than loosening the directory.
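The following shell script is an added example, not part of the UnderHost article or of DirectAdmin itself. It applies the baseline from the table above to a web root (755 directories, 644 files, 600 for wp-config.php) and then lists anything that is still world-writable. It assumes you have SSH access to your hosting account; the web root path is passed as an argument, and the sample tree it runs on is constructed in a temporary directory to stand in for public_html.

```shell
#!/bin/sh
# Added example (not from the UnderHost article): apply the article's permission
# baseline to a DirectAdmin web root and report anything still world-writable.
# Assumes a shell in the hosting account; the web root is passed as an argument.

# Apply the baseline: 755 for directories, 644 for files, 600 for wp-config.php.
set_baseline_perms() {
    docroot="$1"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    # wp-config.php holds the database password; only the owner needs to read it.
    find "$docroot" -type f -name wp-config.php -exec chmod 600 {} +
}

# Print every file or directory that other users on the server could write to
# (777, 666 and any other mode with the "other write" bit set).
find_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Number of world-writable entries; 0 means the audit is clean.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for public_html (not a real account).
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/uploads"
    printf '<?php // config\n' > "$root/wp-config.php"
    printf 'RewriteEngine On\n' > "$root/.htaccess"
    printf '<?php phpinfo();\n' > "$root/index.php"
    chmod 755 "$root/wp-content"
    chmod 644 "$root/.htaccess" "$root/index.php"
    chmod 777 "$root/wp-content/uploads"   # the mistake the article warns about
    chmod 666 "$root/wp-config.php"        # secrets readable and writable by everyone
    printf '%s\n' "$root"
}

demo="$(make_sample_tree)"
echo "Before: $(count_world_writable "$demo") world-writable entries"
set_baseline_perms "$demo"
echo "After:  $(count_world_writable "$demo") world-writable entries"
find_world_writable "$demo"
rm -rf "$demo"
```

Run it against your real web root as `set_baseline_perms ~/domains/example.com/public_html` and then `find_world_writable` on the same path; the second command should print nothing. 600 on wp-config.php works when PHP runs as your own account user, which is the usual DirectAdmin setup; if the site errors after tightening, 640 is the fallback the table allows.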

WordPress-specific security

  • Do not use admin as your WordPress username; brute-force tools try this username first
  • Keep WordPress, themes, and plugins updated to the latest versions
  • Remove inactive themes and plugins; even a disabled plugin is a security risk if its files are outdated and still on disk
  • Install a WordPress security plugin such as Wordfence or Sucuri
  • Add password protection or IP restriction to /wp-admin/ via .htaccess if only you access it
  • Set up a regular backup schedule; see Creating backups in DirectAdmin
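The script below is an added example, not code from the UnderHost article or from DirectAdmin. It generates the two .htaccess files that the HTTPS section and the /wp-admin/ item above call for: a root .htaccess that redirects plain HTTP to HTTPS, and a wp-admin/.htaccess that allows only your IP address. It goes a little beyond the text in two ways a practitioner would want: it also restricts wp-login.php, because the login form lives in the web root rather than under /wp-admin/, and it leaves admin-ajax.php reachable, because themes and plugins call it for anonymous visitors. It assumes the account is served by Apache 2.4 (which honours .htaccess and the Require syntax) with mod_rewrite enabled; the IP addresses used are from documentation ranges and stand in for your own.

```shell
#!/bin/sh
# Added example (not from the UnderHost article): generate the .htaccess files
# described in the article for an Apache-served DirectAdmin web root.
# Assumes Apache 2.4 (Require syntax) with mod_rewrite; the IP is a placeholder.

# Root .htaccess: send every plain-HTTP request to the same URL over HTTPS,
# and limit wp-login.php to the allowed address (the login form is here,
# not under /wp-admin/, so restricting /wp-admin/ alone leaves it open).
write_root_htaccess() {
    docroot="$1"; allowed_ip="$2"
    cat > "$docroot/.htaccess" <<EOF
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

<Files wp-login.php>
    Require ip $allowed_ip
</Files>
EOF
}

# wp-admin/.htaccess: same IP restriction for the dashboard, but keep
# admin-ajax.php open because front-end themes and plugins call it for
# anonymous visitors too.
write_wpadmin_htaccess() {
    docroot="$1"; allowed_ip="$2"
    mkdir -p "$docroot/wp-admin"
    cat > "$docroot/wp-admin/.htaccess" <<EOF
Require ip $allowed_ip

<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Check that a generated file contains a given directive (exit 0 if it does).
htaccess_has() {
    grep -Fq -- "$2" "$1"
}

# Demo against a constructed temporary web root (not a real account);
# 203.0.113.0/24 is a documentation range standing in for your address.
demo_root="$(mktemp -d)"
write_root_htaccess "$demo_root" "203.0.113.7"
write_wpadmin_htaccess "$demo_root" "203.0.113.7"
cat "$demo_root/.htaccess" "$demo_root/wp-admin/.htaccess"
rm -rf "$demo_root"
```

`Require ip` accepts several addresses or CIDR ranges on one line, so list every address you log in from; if your address changes you will lock yourself out of the login page until you edit the file again through File Manager or FTP. If the site sits behind a CDN or proxy that terminates TLS, `%{HTTPS}` may read as off and the redirect will loop; in that case check the forwarded-protocol header the proxy sets instead. Accounts served by nginx rather than Apache ignore .htaccess entirely.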

Monitor and review

  • Check the error log periodically for bursts of 404 errors for files you never had (a sign that someone is scanning for known vulnerable software) and for PHP errors coming from files you do not recognise
  • Review FTP accounts; remove any FTP accounts created for contractors or developers that are no longer needed
  • Watch for unexpected files in public_html/; malware often drops hidden PHP files with random names, or PHP files inside upload directories that should only hold media
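The script below is an added example, not part of the UnderHost article. It automates two of the checks in the list above: it counts "File does not exist" entries in an Apache error log per client address, so a single address probing many paths stands out, and it lists PHP files that should not normally exist in a WordPress web root (dot-prefixed hidden names anywhere, and any PHP under wp-content/uploads). The log lines and the web root it runs on are constructed for the demonstration; the paths, filenames and addresses (203.0.113.x and 198.51.100.x are documentation ranges) are illustrative.

```shell
#!/bin/sh
# Added example (not from the UnderHost article): two of the checks the list
# above describes, run over a constructed Apache error log and a constructed
# web root. Paths, filenames and IPs are illustrative.

# Clients ranked by "File does not exist" (404) entries: one address probing
# many non-existent paths is the scanning pattern the article mentions.
top_404_clients() {
    grep 'File does not exist' "$1" \
      | sed -n 's/.*\[client \([0-9.]*\)[:0-9]*\].*/\1/p' \
      | sort | uniq -c | sort -rn
}

# The address with the most 404 probes (second column of top_404_clients).
worst_404_client() {
    top_404_clients "$1" | head -n 1 | awk '{print $2}'
}

# PHP files that should not normally exist: dot-prefixed (hidden) names
# anywhere, and any PHP under wp-content/uploads, which should hold media only.
find_suspicious_php() {
    docroot="$1"
    { find "$docroot" -type f -name '.*.php'
      find "$docroot/wp-content/uploads" -type f -name '*.php' 2>/dev/null; } | sort -u
}

# Constructed log lines in the Apache 2.4 error_log format.
make_sample_log() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
[Mon Jan 08 10:12:01.104211 2024] [core:error] [pid 2211] [client 203.0.113.5:44321] AH00128: File does not exist: /home/user/domains/example.com/public_html/xmlrpc.php
[Mon Jan 08 10:12:02.220415 2024] [core:error] [pid 2211] [client 203.0.113.5:44322] AH00128: File does not exist: /home/user/domains/example.com/public_html/wp-content/plugins/revslider
[Mon Jan 08 10:12:02.398771 2024] [core:error] [pid 2214] [client 203.0.113.5:44323] AH00128: File does not exist: /home/user/domains/example.com/public_html/.env
[Mon Jan 08 10:12:03.012009 2024] [core:error] [pid 2214] [client 203.0.113.5:44324] AH00128: File does not exist: /home/user/domains/example.com/public_html/phpmyadmin
[Mon Jan 08 10:15:40.551200 2024] [core:error] [pid 2220] [client 198.51.100.9:51000] AH00128: File does not exist: /home/user/domains/example.com/public_html/favicon.ico
[Mon Jan 08 10:16:02.700318 2024] [php:warn] [pid 2220] [client 198.51.100.9:51001] PHP Warning:  Undefined variable $x in /home/user/domains/example.com/public_html/wp-content/themes/foo/functions.php on line 12
EOF
    printf '%s\n' "$f"
}

# Constructed web root with one planted hidden file and one PHP file in uploads.
make_sample_root() {
    d="$(mktemp -d)"
    mkdir -p "$d/wp-content/uploads/2024"
    : > "$d/index.php"
    : > "$d/.x7q2k.php"
    : > "$d/wp-content/uploads/2024/shell.php"
    printf '%s\n' "$d"
}

demo_log="$(make_sample_log)"; demo_root="$(make_sample_root)"
echo "404 probes by client:"; top_404_clients "$demo_log"
echo "Suspicious PHP files:"; find_suspicious_php "$demo_root"
rm -rf "$demo_log" "$demo_root"
```

On a real account, point `top_404_clients` at the error log DirectAdmin exposes for the domain and `find_suspicious_php` at the domain's public_html. A hit from `find_suspicious_php` is not proof of compromise on its own, but a PHP file you did not upload under wp-content/uploads almost always is, and it should be inspected and removed together with a password change.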

Quick security checklist

  • ☐ Strong, unique DirectAdmin password
  • ☐ SSL certificate issued and HTTPS forced for all domains
  • ☐ File permissions set correctly (755 dirs, 644 files)
  • ☐ wp-config.php set to 600 or 640
  • ☐ No unused FTP accounts
  • ☐ WordPress admin username is not "admin"
  • ☐ WordPress, themes, and plugins are up to date
  • ☐ Backups created and stored off-server
  • ☐ Error logs reviewed for unexpected activity

Related: DirectAdmin SSL | Change DirectAdmin password | Secure your website | Create secure passwords
