UnderHost
Knowledgebase Docs

Securing your WordPress website

Harden your WordPress installation against hacks, brute force, and malware. Covers login security, file permissions, security plugins, updates, and backups.


WordPress powers over 40% of the web, which makes it a constant target for automated attacks. The good news: most successful WordPress hacks exploit known vulnerabilities in outdated plugins or weak passwords, both easily preventable.

Keep everything updated

Outdated WordPress core, plugins, and themes are the leading cause of successful hacks. Enable automatic updates:

  • WordPress core: In Dashboard → Updates, enable automatic minor version updates
  • Plugins: In Plugins → Installed Plugins, enable auto-updates for trusted plugins
  • Themes: Enable auto-updates for your active theme
  • PHP: Use PHP 8.1 or newer in cPanel → MultiPHP Manager (see Changing PHP version)

Secure the login page

  • Change the default login URL: Use a plugin like WPS Hide Login to move /wp-admin to a non-standard URL
  • Limit login attempts: Wordfence or Login LockDown block brute force attacks
  • Enable 2-factor authentication: Wordfence supports 2FA for admin accounts
  • Never use "admin" as a username: Create a new admin account with a different username, then delete the "admin" account

Strong admin passwords

All WordPress admin accounts should have strong, unique passwords (16+ characters, random). Use a password manager to generate and store them. See Creating secure passwords.

File permissions

Set correct file permissions to prevent unauthorized write access:

Correct WordPress permissions
# Directories
find /home/username/public_html -type d -exec chmod 755 {} \;

# Files
find /home/username/public_html -type f -exec chmod 644 {} \;

# wp-config.php (most sensitive file)
chmod 600 /home/username/public_html/wp-config.php
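
To check a site against these modes without changing anything, the following read-only audit lists every path that deviates from them. It is an added example, not part of the original article or an UnderHost tool; the function names are illustrative and it assumes GNU find (for -printf), as found on Linux hosts.

```bash
#!/bin/sh
# Added example: read-only audit of a WordPress tree against the modes above.
# Assumes GNU find. Function names are illustrative, not from the article.
# Output: one line per deviation, "<actual mode> <expected mode> <path>".

audit_wp_perms() (
    cd "$1" || exit 2
    # Directories: expected 755
    find . -type d ! -perm 755 -printf '%m 755 %p\n'
    # Regular files except the top-level wp-config.php: expected 644
    find . -type f ! -path ./wp-config.php ! -perm 644 -printf '%m 644 %p\n'
    # wp-config.php in the site root: expected 600
    find . -maxdepth 1 -type f -name wp-config.php ! -perm 600 -printf '%m 600 %p\n'
)

# Number of deviations (0 means the tree matches the recommended modes).
count_wp_perm_issues() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# The subset to fix first: anything writable by group or others.
list_group_other_writable() (
    cd "$1" || exit 2
    find . \( -type d -o -type f \) -perm /022 -printf '%m %p\n'
)

# Usage: sh audit-wp-perms.sh /home/username/public_html
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
    echo "deviations: $(count_wp_perm_issues "$1")"
fi
```

Run it before and after the chmod commands above; a count of 0 means every directory is 755, every file is 644, and wp-config.php is 600.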

Security plugins

A security plugin provides multiple protections in one package:

  • Wordfence Security: Firewall, malware scanner, login security, 2FA, real-time threat blocking
  • iThemes Security: File change detection, brute force protection, strong password enforcement
  • Sucuri Security: Security hardening, malware scanner, audit log

UnderHost includes malware scanning

UnderHost shared hosting includes Imunify 360, which scans for malware across your account. On VPS and dedicated servers, similar malware scanners are available as add-ons or with managed security plans. Access the scanner from cPanel if it is included on your plan.

Backups

Backups are your recovery plan when something goes wrong. UnderHost shared hosting includes daily automated backups; other plans may use separate backup services or add-ons. Supplement with:

  • A WordPress backup plugin (UpdraftPlus, BackWPup) that stores copies in remote storage
  • Manual cPanel backups before any major changes (plugin update, theme switch, )

Remove unused themes and plugins

Unused themes and plugins still pose a security risk if they contain vulnerabilities. In WordPress → Plugins, deactivate and delete any plugin you don't use. In Appearance → Themes, delete all themes except your active one and one default theme as a fallback.
