Web Hosting Security Checklist: 12 Things to Do Right Now
Why Hosting Security Gets Ignored
Most site owners set up hosting once and never think about security again. The attacks that cause breaches are rarely sophisticated. They exploit basic, well-known weaknesses that a checklist like this prevents.
Account Security
1. Use a Strong, Unique Hosting Account Password
Use a password manager to generate a 20+ character random password. Enable two-factor authentication (2FA) if your host supports it.
2. Secure Your Domain Registrar Separately
Enable 2FA and domain lock to prevent unauthorised transfers.
3. Use SSH Keys, Not Passwords
SSH key pairs are exponentially harder to brute-force than any password.
SSL and Encryption
4. Verify Your SSL Certificate Is Valid and Auto-Renewing
Check your certificate at ssllabs.com. Aim for an A or A+ rating.
5. Force HTTPS Everywhere
Redirect all HTTP traffic to HTTPS at the server level.
WordPress Security
6. Keep WordPress Themes and Plugins Updated
90% of WordPress hacks exploit known vulnerabilities in outdated plugins.
7. Limit Login Attempts
After 5 failed attempts, lock the IP for 20 minutes.
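The lockout rule in item 7 as an added example (not code from this page or from any WordPress plugin). The 5-attempt threshold and 20-minute lock come from the checklist; the 20-minute counting window, the reset on a successful login, and the names LoginLimiter and replay are assumptions made for illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5          # from the checklist: lock after 5 failed attempts
LOCK_SECONDS = 20 * 60    # from the checklist: lock the IP for 20 minutes
WINDOW_SECONDS = 20 * 60  # assumption: only failures in the last 20 minutes count

class LoginLimiter:
    """Tracks failed logins per source IP and enforces a temporary lock."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time (seconds) the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return True
        self.locked_until.pop(ip, None)     # lock expired (or never set)
        return False

    def record(self, ip, success, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            return "locked"                 # reject without checking the password
        if success:
            self.failures.pop(ip, None)     # assumption: a good login clears the count
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCK_SECONDS
            del self.failures[ip]
        return "failed"

def replay(events):
    """Run (seconds, ip, success) events through a fresh limiter."""
    limiter = LoginLimiter()
    return [limiter.record(ip, ok, t) for t, ip, ok in events]

# Constructed sample: 203.0.113.7 guesses repeatedly, 198.51.100.4 is a normal user.
SAMPLE = [(i * 10, "203.0.113.7", False) for i in range(5)] + [
    (60, "203.0.113.7", True),                 # correct password, but IP is locked
    (61, "198.51.100.4", True),                # other clients are unaffected
    (40 + LOCK_SECONDS, "203.0.113.7", True),  # lock has expired
]
```

Once an IP is locked, even a correct password is rejected until the lock expires, so a guess that lands during the lock does not get through.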
Backups
8. Set Up Automated Off-Site Backups
Your host backup is not enough. Back up to Google Drive or S3 daily and keep 30 days of history.