Protect your WordPress site from hackers with this complete security guide. Learn how to harden your site using cPanel, PHP updates, file permissions, .htaccess rules, and best practices.

WordPress powers over 40% of all websites — which makes it a prime target for hackers. If you’re hosting with cPanel and using WordPress, security should be your top priority.

At Hosting Marketers, we give you the tools (LiteSpeed, CloudLinux, CPGuard, Cloudflare) — but here’s what you need to do inside your site to keep everything locked tight.


1. Use a Secure PHP Version

Older PHP versions are slow, vulnerable, and unsupported.

Recommended:

  • PHP 8.1 (Fully supported)
  • PHP 8.2 (Preferred)
  • PHP 8.3 / 8.4 / 8.5 (Test before use)

How to Check:

  • Go to cPanel
  • Open PHP Selector
  • Check the version next to your domain
  • Set PHP to 8.1+

2. Lock Down wp-config.php

This file contains your database access and encryption keys.

Set the file permission in File Manager:

wp-config.php: 400

Use cPanel File Manager or SSH. This setting allows only the file owner (you) to read it — nobody else.


3. Harden .htaccess File

If you’re using Apache or LiteSpeed, your .htaccess file lets you block requests to sensitive files before they ever reach WordPress.

Add these rules to the .htaccess file in your site root:

# Block access to wp-config.php
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>

# Block access to .htaccess itself
<Files .htaccess>
    order allow,deny
    deny from all
</Files>

# Prevent directory browsing
Options -Indexes

# Block PHP execution in the uploads folder.
# <Directory> is not allowed inside .htaccess, so save this block
# in a separate file: wp-content/uploads/.htaccess
<FilesMatch "\.(php|php5|php7|php8)$">
    Order deny,allow
    Deny from all
</FilesMatch>

# Disable XML-RPC (unless you use Jetpack)
<Files xmlrpc.php>
    Order allow,deny
    Deny from all
</Files>

4. Keep WordPress Core, Themes, and Plugins Updated

This is the most critical step. Over 70% of hacked WordPress sites were running outdated code.

Update Guide:

  • Always update WordPress to the latest stable version
  • Only use themes and plugins from trusted sources
  • Delete any unused plugins/themes (don’t just deactivate them)
  • Enable automatic updates for minor versions and security patches

5. Use Correct File Permissions

Permissions that are too loose can allow attackers to upload or edit files.

File/Folder           Recommended Permission
wp-config.php         400
All folders           755
All files             644
wp-content/uploads    755

Use File Manager or SSH to apply permissions.
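
One way to check a site against the table above over SSH, as an added example that is not part of the original guide. The helper names wp_perm_audit and make_demo_tree are hypothetical and the demo tree is constructed sample data; the audit reports a wp-config.php that is not exactly 400 and any file or folder writable by group or others.

```bash
#!/usr/bin/env bash
# Added example: audit a WordPress tree against the permission table.
# Output: one line per finding, "<recommended mode><TAB><path>".
# wp_perm_audit and make_demo_tree are hypothetical helper names.

wp_perm_audit() (
    root="${1:-.}"; root="${root%/}"
    # wp-config.php: anything other than exactly 400 is a finding.
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 400 -exec printf '400\t%s\n' {} \;
    fi
    # Folders writable by group or others are looser than 755.
    find "$root" -type d \( -perm -020 -o -perm -002 \) \
        -exec printf '755\t%s\n' {} \;
    # Files writable by group or others are looser than 644.
    find "$root" -type f ! -path "$root/wp-config.php" \
        \( -perm -020 -o -perm -002 \) -exec printf '644\t%s\n' {} \;
)

# Build a small constructed tree (sample data, not a real site).
make_demo_tree() (
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/wp-content/uploads" "$t/wp-includes"
    : > "$t/wp-config.php"
    : > "$t/index.php"
    : > "$t/wp-content/uploads/logo.png"
    chmod 755 "$t" "$t/wp-content" "$t/wp-includes"
    chmod 644 "$t/index.php"
    chmod 777 "$t/wp-content/uploads"           # finding: world-writable
    chmod 644 "$t/wp-config.php"                # finding: should be 400
    chmod 666 "$t/wp-content/uploads/logo.png"  # finding: world-writable
    printf '%s\n' "$t"
)

demo=$(make_demo_tree)
wp_perm_audit "$demo"
rm -rf "$demo"
```

On a real account, call wp_perm_audit with the WordPress folder as its argument; an empty result means nothing is looser than the table allows.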


6. Scan for Malware (Available via cPanel)

With Hosting Marketers, you have CPGuard and ClamAV available via cPanel.

  • Go to cPanel > CPGuard Malware Scanner
  • Or use ClamAV Antivirus
  • Scan your files and quarantine anything suspicious

7. Add Security Headers (Optional via .htaccess)

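These headers add protection against XSS, clickjacking, and data leaks. Test them on a staging copy first: a strict Content-Security-Policy such as default-src 'self' blocks inline scripts and third-party assets that many themes and plugins load.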

Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "no-referrer-when-downgrade"
Header set Content-Security-Policy "default-src 'self'"

8. Backup Frequently (And Keep Copies Off-Site)

Even with Hosting Marketers’ secondary drive backups, it’s smart to:

  • Use UpdraftPlus or JetBackup (if available)
  • Schedule weekly backups
  • Store backups in Dropbox, Google Drive, or locally

9. Disable File Editing in WP Admin

Hackers often exploit the Theme Editor to inject code.

Add this to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

10. Use a Security Plugin (Optional but Helpful)

We already protect your server with LiteSpeed, CloudLinux, CPGuard, and Cloudflare — but on your site, you can also install:

  • Wordfence Security – full firewall + login protection
  • iThemes Security – brute-force protection
  • WPFail2Ban – logs suspicious login attempts

Only use one security plugin at a time to avoid conflicts.


Final Tips from Hosting Marketers

  • Don’t reuse passwords between websites
  • Use 2FA on your WordPress login
  • Change your login URL from /wp-login.php to something custom (via plugin)
  • Always log out from public Wi-Fi or shared devices

Conclusion

Securing your WordPress site is not just about installing a plugin. It’s about maintaining updates, locking down sensitive files, using correct permissions, and staying vigilant.

At Hosting Marketers, we’ve already done the heavy lifting server-side. Now, make sure your WordPress is just as strong on the inside.


By Admin
