Need help?

Our experts will login to your server within 30 minutes to fix urgent issues.

We will keep your servers stable, secure and fast at all times for one fixed price per month.

A definitive checklist to ensure a secure WordPress hosting for your customers

A definitive checklist to ensure a secure WordPress hosting for your customers

WordPress takes security very seriously. WordPress releases “minor” revisions regularly to address even vulnerabilities reported just hours before. Latest WordPress websites have automatic background updates to prevent any possible exploits.

Even with such a proactive approach towards security, news vines are flush with reports of WordPress sites affected with one vulnerability or another. So, what’s the deal here? How can you ensure a secure WordPress hosting for your customers?

In our role as Outsourced hosting support specialists for web hosts, our key priority is to help them provide a secure hosting environment for WordPress sites, which enables them to retain their customers better.

See how we help WordPress hosting companies

Checklist for a secure WordPress hosting

Listed here are the common ways in which WordPress sites are hacked.

    • Exploiting unpatched WordPress vulnerabilities
    • Exploiting unaddressed vulnerabilities in themes and plugins
    • Exploiting undetected vulnerabilities in hosting environment
    • Using stolen login credentials

Now let’s address each of these issues one by one and look at the solutions available to mitigate them. I’m going to lay off using plugins as much as possible because even security plugins are known to have vulnerabilities.

We’ll employ defense in depth (or multi-layered defense), security by obscurity (denying target information), access restriction and penetration testing in this checklist.

1. Securing WordPress core

As mentioned earlier, WordPress is serious about security, and come bundled with a lot of security options that works out of the box. Along with it, we’ll add a few hosting level security to make your WordPress extra secure.

Use non-standard table prefix

By default WordPress uses “wp_” as a prefix for all tables. Mass SQL injection exploits depend on this prefix to work. So, we change this at installation time to something else, like “mysite_”, as a good hedge against undisclosed exploits.

Put wp-config.php outside document root

Due to vulnerabilities in hosting environment, hackers might be able to download wp-config.php, thereby disclosing the database login details. WordPress by default looks at the parent directory for wp-config.php. So, we move it out of there, for an additional layer of security.

Remove “admin” user

Most brute force attacks just focus on getting the password of “admin” user. We work around this angle of attack by creating another user with administrative privilege and re-assigning all posts of “admin” to the new user and deleting the “admin” user.

[ You don’t have to lose your sleep over hosting security. Our expert hosting support specialists are online 24/7/365 to help you provide secure services. ]

Password protect “wp-admin” directory

Most brute force attacks depend on “wp-admin” folder being readily accessible. We password protect the “wp-admin” directory using .htaccess file, to blunt those attacks and thus provide a two-layer security to the admin interface.

Lock down files and directories

We conduct a detailed inspection in the server for insecure files and folders. Permissions of all files and directories are limited to 644 and 755 respectively. This helps us to shunt many malware upload attempts.

Replace default WordPress security keys

WordPress uses password “salts” to improve encryption in visitor’s cookies. It’s trivial for hackers to determine the default keys shipped with each version. So, we get a different set of keys and replace the old ones in the wp-config.php, as a security measure.

Wordpress secret key in wp-config.php

WordPress secret key


Update WordPress on the release date

Do not wait till later. We upgrade the WordPress as soon as we see the message “WordPress XX.YY is available! Please update now” in the admin panel. Custom themes and plugins in some sites can get messed up with auto-update settings. To ensure zero downtime upgrades, we first test the upgrade in our staging server, before rolling it out into the live.


Never again lose customers to server errors! Sign Up once. Enjoy Peace Of Mind For Ever!


Server Management


  1. If we go for Cloudways Platform, these Security are already assembled in it. Bob try Cloudways Platform.

    • Thanks for the heads up Fahad. Do you have specific information on file upload monitoring?


Submit a Comment

Your email address will not be published. Required fields are marked *