Ultra Web Hosting Docs

Security Hardening Checklist

Good security is a handful of small habits done consistently. Work through this checklist to lock down your hosting account and website. Each item links to a fuller guide when you want the step-by-step detail.

Tip You don't have to do everything at once. Start at the top — strong passwords, 2FA, and HTTPS — and work down. Even the first few items dramatically reduce your risk.

1. Use Strong, Unique Passwords and 2FA

Give every account — cPanel, email, FTP, and database — a long, unique password, and store them in a password manager. Then turn on two-factor authentication so a stolen password alone can't get anyone in. See Password Security and Two-Factor Authentication.

2. Keep Your CMS, Plugins, and Themes Updated

Outdated software is the number one way sites get hacked. Update WordPress (or your CMS) core, plugins, and themes promptly, and remove anything you no longer use. Enable automatic updates where you can.

3. Always Use HTTPS

Serve every page over an encrypted connection. Free AutoSSL issues and renews certificates for you; make sure it's active and that your site redirects HTTP to HTTPS. See SSL Certificates.

4. Keep Backups

A current backup turns a disaster into an inconvenience. Take regular backups and keep at least one copy off the server. See Backups.

5. Let Imunify Scan for Malware

Imunify continuously scans your account for malware and known threats. Leave it enabled and read its notifications rather than dismissing them. See Imunify Malware Protection.

6. Use Least-Privilege FTP and Database Users

Create separate FTP and database accounts scoped to only what each task needs, instead of handing out the main cPanel credentials. If one is compromised, the damage is contained. Delete accounts you no longer use.

7. Limit Login Attempts and Protect Admin Areas

Password-protect sensitive folders such as staging or admin directories, and guard those logins against shared-password abuse. See Directory Privacy and Leech Protection.

8. Remove Unused Apps and Files

Every leftover install, test script, or forgotten subdomain is another door an attacker can try. Delete old applications, demo data, and stray files you no longer need.

9. Set Correct File Permissions

Use 644 for files and 755 for directories in most cases. Never set anything to 777 — world-writable permissions let anyone who reaches the server modify your files.

Warning If a guide or forum post tells you to chmod 777 to fix a permissions problem, don't. It almost always masks the real issue and leaves a serious hole. Ask us via a support ticket instead.

10. Disable Directory Listing

Without an index file, some servers show a browsable list of a folder's contents. Prevent this by adding Options -Indexes to your .htaccess, or by placing an index.html in the folder, so visitors can't snoop through your files.

11. Keep ModSecurity Enabled

ModSecurity is the web application firewall running in front of your site. It blocks many common attacks before they ever reach your code. Leave it on; if a legitimate request is ever blocked, open a support ticket and we'll tune the rule rather than disabling protection wholesale.

Note Security is ongoing, not one-and-done. Revisit this checklist every few months, especially after adding a new application or granting someone access.