Website security is critical for protecting your data, preventing hacks, and ensuring your site runs smoothly. While your hosting provider has CSF Firewall to protect the server from external threats, securing your WordPress or Laravel site is your responsibility.

Many hacks happen because of poor security practices—such as outdated plugins, weak passwords, and misconfigured files. In this guide, we’ll walk through essential security measures and how to use the .htaccess file to protect your site.


1. Understanding the .htaccess File and Its Role in Security

What is the .htaccess File?

  • The .htaccess file (Hypertext Access) is a hidden configuration file used by Apache servers.
  • It controls security settings, redirects, access restrictions, and caching.
  • By default, it is hidden in the File Manager.

How to View the .htaccess File in cPanel

  1. Log in to cPanel and open the File Manager.
  2. Navigate to your website’s root directory (public_html for WordPress, public/ for Laravel).
  3. Click the Settings button in the top-right corner.
  4. Check the box “Show Hidden Files (dotfiles)”.
  5. Click Save—now you will see the .htaccess file.

How .htaccess Helps Secure Your Website

With .htaccess, you can:

  • Block access to sensitive files (e.g., wp-config.php, .env).
  • Disable directory browsing to prevent hackers from seeing your files.
  • Prevent PHP execution in vulnerable folders.
  • Restrict bot spam and brute-force attacks.

Let’s explore how to use .htaccess for better security.


2. Securing WordPress with .htaccess

Hackers target WordPress because of its popularity. With a few simple .htaccess tweaks, you can make your site significantly more secure.

A. Restrict Access to wp-config.php

The wp-config.php file contains database credentials and must be protected.

Solution: Add this to your .htaccess file in the root directory (public_html):

<Files wp-config.php>
Require all denied
</Files>

This prevents unauthorized access to the most sensitive file in WordPress.


B. Disable Directory Browsing

If a hacker visits a folder without an index.php file, they might see all the files inside.

Solution: Prevent this by adding:

Options All -Indexes

Now, if someone tries to access a directory, they will see a 403 Forbidden error instead.


C. Block XML-RPC to Prevent Brute-Force Attacks

WordPress XML-RPC allows remote connections, but hackers exploit it for brute-force attacks.

Solution: Disable it with:

<Files xmlrpc.php>
Require all denied
</Files>

If you don’t use Jetpack or external WordPress apps, this should be disabled.


D. Restrict Access to wp-includes

The wp-includes folder contains core WordPress files. Hackers try to inject malicious scripts here.

Solution: Block access by adding this to .htaccess in the root directory:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Refuse direct requests for PHP files inside wp-includes. Matching only *.php keeps
# the scripts and stylesheets that WordPress serves from wp-includes working.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

This prevents direct requests to PHP files in the wp-includes folder. Blocking the whole folder would also block the JavaScript and CSS that WordPress loads from it and break the site.

This rule belongs in the root .htaccess, not in one inside wp-includes/: in a per-directory .htaccess the matched path is relative to that directory, so ^wp-includes/ would never match there.


E. Prevent PHP Execution in wp-content/uploads

The wp-content/uploads/ folder stores images and files but should never execute PHP scripts.

If there is no .htaccess file in wp-content/uploads/, create one by:

  1. Opening cPanel File Manager.
  2. Navigating to /wp-content/uploads/.
  3. Creating a new file named .htaccess.
  4. Adding this code:
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|php8)$">
Require all denied
</FilesMatch>

This ensures only media files can be served from the uploads folder, so an uploaded PHP file cannot be executed.


F. Prevent PHP Execution in wp-content

Some plugins store files inside wp-content/. Hackers may try to run PHP scripts in these directories.

If there is no .htaccess file in wp-content/, create one and add:

<FilesMatch "\.(php|phtml|php3|php4|php5|php7|php8)$">
Require all denied
</FilesMatch>

This stops hackers from running unauthorized PHP scripts in wp-content/. Some plugins and themes legitimately serve PHP files from wp-content/ directly, so test the site after adding this rule.
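A quick way to confirm that the rules in sections A to F actually took effect is to request the protected paths from outside and compare the status codes. The script below is an added example, not part of the original guide; it assumes curl is installed, that the site's base URL is passed as the first argument, and that probe names such as probe-does-not-exist.php are constructed and do not exist on the site.

```shell
# Added example (not from the original guide): check from outside that the
# section 2 rules took effect. Assumes curl is installed and the site's base
# URL is passed as $1, e.g. https://example.com.

# HTTP status code for a URL; curl prints 000 if the connection failed.
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1"
}

# Constructed probe list, "path|acceptable statuses". 403 means Apache refused
# the request; the uploads .php probe is a made-up name, and Apache evaluates
# <FilesMatch> before looking for the file, so 403 is still the expected answer.
# A 200 on a directory probe means a listing or an index file was served.
WP_PROBES='
/wp-config.php|403
/xmlrpc.php|403
/wp-includes/version.php|403
/wp-content/uploads/|403/404
/wp-content/uploads/probe-does-not-exist.php|403
/wp-content/plugins/|403/404
'

# Print one PASS/FAIL line per probe; return 1 if anything is still exposed.
audit_wp() {
    base=${1%/}
    failures=0
    for entry in $WP_PROBES; do
        path=${entry%%|*}
        want=${entry#*|}
        got=$(http_status "$base$path" || true)
        case "/$want/" in
            */"$got"/*) printf 'PASS %-45s %s\n' "$path" "$got" ;;
            *) printf 'FAIL %-45s %s (expected %s)\n' "$path" "$got" "$want"
               failures=$((failures + 1)) ;;
        esac
    done
    return $((failures > 0))
}

if [ -n "${1:-}" ]; then
    audit_wp "$1"
fi
```

Run it as `sh audit-wp.sh https://yourdomain.com` after saving the .htaccess files; every line should read PASS.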


G. Set Up Browser Caching for Security & Performance

This prevents browsers from reloading unnecessary resources.

Solution: Add this to .htaccess in the root directory:

<IfModule mod_expires.c>
ExpiresActive on
ExpiresByType text/css "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/javascript "access plus 1 year"
</IfModule>

This improves performance and security.


3. Best Practices for WordPress Security

Always Update WordPress, Plugins, and Themes

  • Why? Outdated software is the #1 cause of hacks.
  • How? Go to Dashboard > Updates and update everything regularly.
  • Enable automatic updates for security patches.

Delete Unused Plugins and Themes

  • Inactive themes and plugins can still be exploited: their files remain on the server and stay reachable.
  • They consume server resources and increase security risks.
  • Go to Appearance > Themes and Plugins > Installed Plugins to delete unused ones.

Use a Security Plugin

  • Wordfence, iThemes Security, or Sucuri Security can:
    • Monitor login attempts and block suspicious activity.
    • Scan for malware.
    • Enable two-factor authentication (2FA).

4. Regular Backups: Your Last Line of Defense

No matter how secure your site is, always have backups in case something goes wrong.

Recommended Backup Methods:

  • cPanel > Backup Wizard (Manual backups).
  • UpdraftPlus (WordPress Plugin) for automatic backups.

Final Thoughts For WordPress

Securing your WordPress website is not difficult, but it requires ongoing effort.

  • Protect .htaccess, wp-config.php, and .env
  • Disable unnecessary scripts (XML-RPC, directory browsing, PHP execution in storage)
  • Update regularly and delete unused themes/plugins
  • Use security plugins (Wordfence, iThemes Security, Laravel Rate Limiting)
  • Perform regular backups

Even though your hosting provider, Hosting Marketers, has CSF Firewall, website security is your responsibility. Follow these best practices, and your site will be far less vulnerable to attacks.



Securing Laravel Websites on Apache and Nginx Servers

Laravel is one of the most secure PHP frameworks, but misconfigured settings, exposed files, and weak authentication can still lead to vulnerabilities. Whether you’re running Apache or Nginx, you must take extra security measures to protect your application.

Your hosting server already has CSF Firewall, but you need to harden your Laravel application to prevent common attacks like SQL injection, file uploads, unauthorized access, and brute-force login attempts.


1. Protect the .env File

The .env file stores database credentials, API keys, and application settings. If exposed, attackers can steal sensitive data and take over your site.

For Apache (Add to .htaccess in Laravel Root)

If there is no .htaccess file in the Laravel root directory, create one and add:

<FilesMatch "^\.env$">
Require all denied
</FilesMatch>

For Nginx (Add to Server Block)

For Nginx users, edit your site’s configuration file (e.g., /etc/nginx/sites-available/yourdomain.com) and add:

location ~ /\.env {
deny all;
}

This ensures no one can access yourdomain.com/.env.


2. Prevent PHP Execution in Storage and Public Uploads

Laravel allows users to upload files, but hackers may try to upload malicious PHP scripts disguised as images.

For Apache (Add .htaccess to /storage/ and /public/uploads/)

If there is no .htaccess file in these directories, create one and add:

<FilesMatch "\.(php|phtml|php3|php4|php5|php7|php8)$">
Require all denied
</FilesMatch>

For Nginx (Add to Server Block)

For Nginx users, edit your site’s configuration file and add:

location /storage {
    # Nested location: any request for a .php file under /storage is refused.
    location ~* \.php$ {
        deny all;
    }
}

# When the document root is already the public/ folder (see section 5), uploads
# are reached as /uploads rather than /public/uploads; adjust the prefix to match.
location /public/uploads {
    location ~* \.php$ {
        deny all;
    }
}

This stops hackers from running unauthorized PHP files inside storage and uploads folders.


3. Disable Debug Mode in Production

By default, Laravel’s .env file contains:

APP_DEBUG=true

Leaving APP_DEBUG enabled in production can expose sensitive errors to hackers.

Change it to false in .env:

APP_DEBUG=false

This hides error messages that attackers could use to find vulnerabilities.
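To check a Laravel checkout on the server against sections 1 to 3, the following added example (not code from the original guide or from Laravel itself) reads the project's .env and the .htaccess files in storage/ and public/uploads/. It assumes the project directory is passed as the first argument and that the Apache .htaccess approach is in use; Nginx users would verify their server block instead.

```shell
# Added example (not from the original guide): audit a Laravel project directory
# against sections 1-3. Assumes the project path is $1 and the Apache .htaccess
# approach for storage/ and public/uploads/ (Nginx users check their server block).

# Read KEY=value from a .env file: first match, surrounding double quotes stripped.
env_value() {
    grep "^$2=" "$1" | head -n 1 | sed -e 's/^[^=]*=//' -e 's/^"//' -e 's/"$//'
}

pass() { printf 'PASS %s\n' "$1"; }
fail() { printf 'FAIL %s\n' "$1"; failures=$((failures + 1)); }

# Print one PASS/FAIL line per check; return 1 if any check failed.
audit_laravel() {
    root=${1%/}
    env_file=$root/.env
    failures=0
    # Section 1: .env must exist and must not be readable by other accounts.
    if [ -f "$env_file" ] && [ -z "$(find "$env_file" -perm -004)" ]; then
        pass ".env exists and is not world-readable"
    else
        fail ".env missing or readable by other accounts on the server"
    fi
    # Section 3: no debug output, and the app should know it runs in production.
    if [ "$(env_value "$env_file" APP_DEBUG)" = "false" ]; then
        pass "APP_DEBUG=false"
    else
        fail "APP_DEBUG is not false (stack traces would be shown to visitors)"
    fi
    if [ "$(env_value "$env_file" APP_ENV)" = "production" ]; then
        pass "APP_ENV=production"
    else
        fail "APP_ENV is not production"
    fi
    # Section 2: upload directories must carry the 'Require all denied' block.
    for dir in storage public/uploads; do
        if grep -qs 'Require all denied' "$root/$dir/.htaccess"; then
            pass "$dir/.htaccess blocks PHP execution"
        else
            fail "$dir/.htaccess missing or lacks 'Require all denied'"
        fi
    done
    return $((failures > 0))
}

if [ -n "${1:-}" ]; then
    audit_laravel "$1"
fi
```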


4. Implement Rate Limiting to Prevent Brute-Force Attacks

Laravel has built-in rate limiting to prevent hackers from making multiple login attempts.

In routes/web.php, apply rate limiting to the login route. Laravel 8 and later expect the controller as a [Class::class, 'method'] array rather than the older 'Controller@method' string; the import below assumes the controller lives in App\Http\Controllers\Auth, so adjust it to your application:

use App\Http\Controllers\Auth\LoginController;

// At most 5 attempts per minute per client; further requests receive HTTP 429.
Route::middleware('throttle:5,1')->post('/login', [LoginController::class, 'login']);

This limits login attempts to 5 per minute (keyed by IP address for guests), reducing brute-force risks.

For Nginx: Limit Requests at the Server Level

To further enhance security, add rate-limiting to your Nginx configuration:

# In the http { } context: one bucket per client IP, allowing 5 requests per minute.
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;

server {
    # ... existing server settings ...
    location /login {
        # Allow a burst of 10 at once; requests beyond the rate get 503 by default.
        limit_req zone=login burst=10 nodelay;
        # Without this, the prefix location would look for a static /login file
        # (404) instead of handing the request to Laravel's front controller.
        try_files $uri /index.php?$query_string;
    }
}

This prevents bots from hammering your login page with repeated requests.


5. Restrict Public Access to Laravel Folders

By default, only the /public/ folder should be accessible to visitors. Exposing other folders like app/, storage/, and vendor/ can lead to serious security risks.

For Apache Users

If Laravel is installed directly in public_html/, move everything except the contents of the /public/ folder to a sibling directory, such as:

/home/youruser/laravel_project/ (app/, bootstrap/, config/, storage/, vendor/, .env, ...)
/home/youruser/public_html/ (only what was inside Laravel's /public folder)

Then edit index.php, now inside public_html/, so that its two require lines point at the moved project. Current Laravel versions load vendor/autoload.php directly (bootstrap/autoload.php only exists in Laravel 5.4 and earlier):

require __DIR__.'/../laravel_project/vendor/autoload.php';
$app = require_once __DIR__.'/../laravel_project/bootstrap/app.php';

Laravel 8 and later also reference storage/framework/maintenance.php near the top of index.php; point that path at laravel_project/storage/ in the same way.

This ensures only the public files are accessible, keeping your Laravel core files safe.

For Nginx Users

Edit your Nginx configuration and point the document root to the /public/ folder only:

server {
    listen 80;
    server_name yourdomain.com;
    # Only this folder is served; app/, storage/, vendor/ and .env stay outside it.
    root /home/youruser/laravel_project/public;

    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Keep your existing "location ~ \.php$" block that passes requests to PHP-FPM
    # here; without it Nginx would send index.php back as a plain file.
}

Now, only files inside /public/ are accessible, preventing unauthorized access to Laravel’s core files.


6. Force HTTPS for Secure Connections

Always enforce HTTPS to prevent data interception.

For Laravel (Edit app/Providers/AppServiceProvider.php)

public function boot()
{
    // Only force https in production, so local development (php artisan serve) keeps working.
    if (config('app.env') === 'production') {
        \URL::forceScheme('https');
    }
}

For Nginx (Force Redirect to HTTPS)

Edit your Nginx configuration file and add:

server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$host$request_uri;
}

Now, all traffic is automatically redirected to HTTPS.


7. Remove Unused Packages & Keep Laravel Updated

Unused packages increase security risks.

Check for Unused Packages

List the packages currently installed (composer show --all would instead list every package available from your configured repositories):

composer show

Review the list against what your application actually uses. To remove a package you no longer need:

composer remove package-name

Regular updates fix security vulnerabilities, so always run:

composer update

Keeping Laravel updated ensures your site stays protected against new threats. Composer 2.4 and later also provide a composer audit command that reports installed packages with published security advisories, which is a quick way to see whether an update is overdue.


Final Thoughts

Laravel is a secure framework, but misconfigured settings can expose your application to attacks.

Summary of Key Security Steps:

  • Protect .env with .htaccess (Apache) or Nginx rules
  • Disable PHP execution in storage/ and public/uploads/
  • Turn off APP_DEBUG in production
  • Enable rate limiting for login and API routes
  • Restrict access to core Laravel folders (Apache & Nginx)
  • Force HTTPS for secure connections
  • Regularly update Laravel and remove unused packages

By implementing these steps, your Laravel application will be far more secure against attacks!