UnderHost
Knowledgebase Docs

How to secure your website

Practical website hardening: enable SSL, use a web application firewall, set strong passwords, keep software updated, run regular backups.

Website security isn't a single setting; it's a stack of layers. Each layer you add makes it harder for attackers to cause damage. This guide covers the most impactful steps for shared hosting and VPS environments.

Enable SSL on all pages

HTTPS encrypts data between your visitors and your server. Without it, passwords, form submissions, and session cookies are visible to anyone on the same network.

  • In cPanel, go to Security → SSL/TLS Status and run AutoSSL to issue a free Let's Encrypt certificate.
  • Add an HTTPS redirect in .htaccess to force all traffic to HTTPS.
  • Set your WordPress site address to https:// in Settings → General.

See Fix SSL not working if you run into issues.
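The second step above (the .htaccess redirect) is easy to get wrong by pasting the rules twice or into the wrong file. The script below is an added example, not UnderHost's own tooling: it installs the redirect block into a document root's .htaccess exactly once and lets you check that it is there. It assumes Apache with mod_rewrite (the usual cPanel setup); the document root path in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not UnderHost's own tooling: installs the HTTP-to-HTTPS
# redirect into a site's .htaccess exactly once. Assumes Apache with
# mod_rewrite (the normal cPanel setup); the docroot path is a placeholder.

# The marker lets the script recognise its own block on later runs.
MARKER='# force-https redirect (added by hardening script)'

# ensure_https_redirect <docroot>: appends the redirect block if absent.
ensure_https_redirect() {
    docroot="$1"
    htaccess="$docroot/.htaccess"
    [ -d "$docroot" ] || { echo "no such directory: $docroot" >&2; return 1; }
    # Idempotent: never append a second copy of the rules.
    if [ -f "$htaccess" ] && grep -qF "$MARKER" "$htaccess"; then
        return 0
    fi
    {
        echo "$MARKER"
        cat <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
# Only plain-HTTP requests match; HTTPS traffic passes through untouched.
RewriteCond %{HTTPS} off
# 301 (permanent) so browsers and search engines remember the HTTPS address.
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
EOF
    } >> "$htaccess"
    # .htaccess is read by the web server, never written by it: 644 is enough.
    chmod 644 "$htaccess"
}

# has_https_redirect <docroot>: returns 0 if the redirect condition is present.
has_https_redirect() {
    grep -qF 'RewriteCond %{HTTPS} off' "$1/.htaccess" 2>/dev/null
}

# Stand-alone use: sh force-https.sh /home/youruser/public_html
if [ "$#" -eq 1 ]; then
    ensure_https_redirect "$1" && echo "HTTPS redirect present in $1/.htaccess"
fi
```

One caveat if you later put the site behind Cloudflare (see the firewall section): when Cloudflare terminates TLS and connects to your server over plain HTTP, every request arrives with HTTPS off and this rule redirects forever. Use Cloudflare's "Full (strict)" SSL mode so the origin itself sees HTTPS, or condition on the X-Forwarded-Proto header instead of %{HTTPS}.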

Strong passwords everywhere

Weak passwords are the single biggest cause of account compromises. Follow these rules:

  • Use a password manager (Bitwarden, 1Password) to generate and store unique passwords.
  • Never reuse a password across multiple accounts.
  • Use at least 16 characters with a mix of upper/lowercase, numbers, and symbols.
  • Change passwords immediately if a service you use reports a breach.

Default usernames are targets

The WordPress username admin is the first thing attackers try. If you're using it, create a new admin account with a different username and delete the admin account. The same applies to database and FTP users.

Keep software updated

Outdated software is the leading entry point for attackers. Update regularly:

  • WordPress core: Enable automatic updates in Settings → Updates, or update manually from the Dashboard.
  • Plugins and themes: Check for updates weekly. Remove plugins and themes you don't actively use.
  • PHP: Update to a supported PHP version (8.1+). Old PHP versions don't receive security patches.
  • Server packages: On a VPS, run apt update && apt upgrade -y (or dnf update -y) regularly.

File permissions

Incorrect file permissions are a common vulnerability. Use these as a baseline for web files:

Type                 Permission                         Numeric
Directories          Owner: read/write/execute          755
Files                Owner: read/write, others: read    644
wp-config.php        Owner: read/write only             600
Executable scripts   Owner: read/write/execute          755

Never set 777 permissions

A permission of 777 means anyone can write to that file, including malicious scripts. If a plugin or tutorial tells you to set 777 to fix an upload issue, that's a security vulnerability. Investigate the correct fix instead.
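The baseline table and the 777 warning above, as a runnable audit. This is an added example, not an UnderHost tool: it lists world-writable entries, reports anything that deviates from 755/644/600, and can apply the baseline. Run it as the account owner; the public_html path in the usage line is a constructed placeholder. Executable scripts (for example in cgi-bin) get 644 from apply_baseline like every other file, so restore 755 on those afterwards.

```shell
#!/bin/sh
# Added example, not UnderHost's own tooling. Audits a web root against the
# baseline (directories 755, files 644, wp-config.php 600) and can apply it.
# Symlinks are skipped because they always report mode 777.

# find_world_writable <root>: every file or directory anyone can write to.
# -perm -002 is the portable spelling of "others have write".
find_world_writable() {
    find "$1" ! -type l -perm -002
}

# audit_permissions <root>: prints one "kind path" line per deviation.
# Empty output means the tree matches the baseline.
audit_permissions() {
    root="$1"
    find "$root" -type d ! -perm 755 -exec printf 'dir  %s\n' {} \;
    find "$root" -type f ! -name wp-config.php ! -perm 644 -exec printf 'file %s\n' {} \;
    find "$root" -type f -name wp-config.php ! -perm 600 -exec printf 'cfg  %s\n' {} \;
}

# apply_baseline <root>: directories first, then files, then wp-config.php,
# so the most restrictive mode is the last one written.
apply_baseline() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 600 {} +
}

# Stand-alone use: sh perms.sh audit|fix /home/youruser/public_html
case "$1" in
    audit) echo "world-writable:"; find_world_writable "$2"
           echo "deviations:";     audit_permissions "$2" ;;
    fix)   apply_baseline "$2"; audit_permissions "$2" ;;
esac
```

Run the audit first and read the list before fixing: a world-writable uploads directory usually points at a plugin or PHP handler running as the wrong user, which is the real problem the 777 "fix" was hiding.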

Web application firewall

A WAF filters malicious requests before they reach your application. Options available to UnderHost customers:

  • Cloudflare (free tier): Point your domain through Cloudflare to enable their WAF, DDoS protection, and bot filtering.
  • Wordfence (WordPress plugin): Adds a WAF layer directly inside WordPress with malware scanning and brute force protection.
  • ModSecurity: Available on cPanel hosting via Security → ModSecurity. Enable it for your domain to filter common attack patterns.

Regular backups

Backups are your last line of defence. A backup can restore your site after a compromise, accidental deletion, or server failure.

  • cPanel backups: Use Backup Wizard to create full or partial backups and download them.
  • Automated backups: UnderHost offers periodic server-level backups on some plans. Check your plan details in CustomerPanel.
  • Off-site backups: Store a copy outside your hosting account, on your local machine or a service like UnderHost Backup.

Test your backups

A backup you've never restored from is unproven. Periodically restore to a staging environment to verify the backup is complete and usable.
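The restore test above, automated. This is an added example and not part of UnderHost's backup service: it archives a site directory, then proves the archive is usable by unpacking it into a scratch staging directory and comparing every file against the original. Both paths in the usage line are constructed placeholders; on a real account, copy the verified archive off the server afterwards.

```shell
#!/bin/sh
# Added example, not UnderHost's own tooling. Creates a compressed archive of
# a site directory and verifies it by restoring into a scratch "staging"
# directory and diffing the result against the original, file by file.

# backup_site <site_dir> <backup_dir>: writes the archive, prints its path.
backup_site() {
    site="$1"; dest="$2"
    mkdir -p "$dest"
    archive="$dest/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C makes the archive hold relative paths, so it restores anywhere.
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
    echo "$archive"
}

# verify_backup <archive> <site_dir>: 0 if a restore reproduces site_dir
# exactly, 1 if the archive is unreadable or any file differs.
verify_backup() {
    archive="$1"; site="$2"
    staging=$(mktemp -d)
    if ! tar -xzf "$archive" -C "$staging"; then
        rm -rf "$staging"; return 1
    fi
    restored="$staging/$(basename "$site")"
    # diff -r exits non-zero on any missing, extra or changed file.
    if diff -r "$site" "$restored" >/dev/null; then
        rm -rf "$staging"; return 0
    fi
    rm -rf "$staging"; return 1
}

# Stand-alone use: sh backup-verify.sh /home/youruser/public_html /home/youruser/backups
if [ "$#" -eq 2 ]; then
    archive=$(backup_site "$1" "$2")
    if verify_backup "$archive" "$1"; then
        echo "verified: $archive"
    else
        echo "RESTORE CHECK FAILED: $archive" >&2; exit 1
    fi
fi
```

The verification only proves the archive matches the site as it is now; it does not include the database. Dump the database separately and include the dump in what you verify and copy off-site.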

Malware monitoring

Attackers often inject malware silently: your site may look normal while serving malicious content to visitors. Signs of compromise:

  • Unexpected redirects to spam sites
  • New files in public_html you didn't create
  • cPanel reports sending a high volume of email
  • Google Search Console flags your site for malware
  • Your IP appears on spam blacklists

Tools to scan: Wordfence (WordPress), or the malware scanner included with your UnderHost plan (often Imunify 360 on shared hosting). On VPS or dedicated servers, you can also scan via the command line: clamscan -r /home/youruser/public_html.
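The "new files in public_html you didn't create" sign above can be checked mechanically rather than by eye. The script below is an added example, not part of any UnderHost scanner: it records a SHA-256 manifest of the web root and later reports files that are new, modified or missing since the baseline. Paths in the usage line are constructed placeholders; it assumes file names without spaces and GNU coreutils (sha256sum, comm), as found on Linux hosting.

```shell
#!/bin/sh
# Added example, not UnderHost's own tooling. Builds a SHA-256 manifest of a
# web root and reports NEW / MODIFIED / MISSING files against it.
# Fixed collation so sort and comm agree between runs.
export LC_ALL=C

# make_baseline <webroot> <manifest>: one "hash  ./path" line per file.
make_baseline() {
    root="$1"; manifest="$2"
    # Relative paths, so the manifest stays valid if the root moves.
    (cd "$root" && find . -type f -exec sha256sum {} + | sort) > "$manifest"
}

# check_baseline <webroot> <manifest>: prints one line per deviation,
# returns 0 when the tree still matches the manifest, 1 otherwise.
check_baseline() {
    root="$1"; manifest="$2"
    work=$(mktemp -d)
    (cd "$root" && find . -type f -exec sha256sum {} + | sort) > "$work/new"
    sort "$manifest" > "$work/old"
    awk '{print $2}' "$work/old" | sort > "$work/old_paths"
    awk '{print $2}' "$work/new" | sort > "$work/new_paths"
    report="$work/report"
    # Paths only in the current tree: dropped files (web shells, droppers).
    comm -13 "$work/old_paths" "$work/new_paths" | sed 's/^/NEW      /'  > "$report"
    # Paths only in the manifest: deleted or renamed.
    comm -23 "$work/old_paths" "$work/new_paths" | sed 's/^/MISSING  /' >> "$report"
    # A hash+path line that is new while the path already existed: content changed
    # (typical of injected code in index.php, wp-config.php or theme files).
    comm -13 "$work/old" "$work/new" | awk '{print $2}' | sort \
        | comm -12 - "$work/old_paths" | sed 's/^/MODIFIED /' >> "$report"
    cat "$report"
    count=$(wc -l < "$report" | tr -d ' ')
    rm -rf "$work"
    [ "$count" -eq 0 ]
}

# Stand-alone use:
#   sh integrity.sh baseline /home/youruser/public_html /home/youruser/site.sha256
#   sh integrity.sh check    /home/youruser/public_html /home/youruser/site.sha256
case "$1" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

Keep the manifest outside public_html and re-create it only after a deliberate change such as an update, so that a legitimate plugin update does not drown out the one file you did not touch. Expect noise from cache and upload directories; exclude those paths in the find call if they change constantly.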

Two-factor authentication

Two-factor authentication (2FA) adds a second login step: a time-based code generated by an app on your phone. Even if your password is stolen, the attacker can't log in without your physical device.

  • CustomerPanel: Enable 2FA in Account → Security Settings using an authenticator app (Google Authenticator, Authy, etc.).
  • WordPress: Use a plugin like Two Factor Authentication or Wordfence to add 2FA to the WordPress admin login.
  • cPanel: Some cPanel versions support 2FA via Security → Two-Factor Authentication.