
Hardening Your WordPress Site on iWebVault Hosting

A practical 15-step WordPress hardening checklist for iWebVault hosting — covering authentication, file permissions, plugins, and what to do if your site is already compromised.


WordPress runs roughly 43% of the internet — which makes it the most attacked CMS in existence. Every WordPress site on the open web sees brute-force login attempts within hours of going live, regardless of how small or unknown it is.

The good news: most attacks rely on the same handful of default weaknesses. Close those, and you’ve eliminated 99% of the attack surface. This is the working checklist we recommend for every WordPress install on iWebVault hosting. It takes about 90 minutes to work through completely. Do it once, and you’re done.

The hardening checklist

1. Use strong, unique credentials

Your WordPress admin password should be at least 16 characters, generated by a password manager (Bitwarden, 1Password, KeePass), and used nowhere else. Same applies to your cPanel password, FTP password, and database password. Password reuse is how site compromises become catastrophic — one leaked credential opens everything.

2. Never use “admin” as a username

Brute-force bots try the username admin first on every WordPress site they find. If your admin user is called admin, the attacker has already done half the work. Create a new admin user with a unique username, log in as them, then delete the admin account (reassigning their posts to the new user).

3. Enable two-factor authentication

Two-factor authentication is the single biggest security upgrade you can make. Even if your password is leaked or guessed, the attacker still needs your phone.

Most security plugins include 2FA, but if you only want this one feature, install the lightweight Two Factor plugin (by WordPress contributors). Activate it, go to Users → Your Profile, and enable Time-Based One-Time Password. Scan the QR with Google Authenticator, Authy, or your password manager. Done.

4. Limit login attempts

Out of the box, WordPress lets attackers try infinite passwords. Install Limit Login Attempts Reloaded (free, 2 million+ active installs). Default settings are fine. After 4 failed attempts, the attacker’s IP is locked out for 20 minutes; repeat offenders get longer bans.

5. Move or hide /wp-login.php

Standard WordPress login lives at /wp-login.php and /wp-admin/. Bots scan for these URLs constantly. The WPS Hide Login plugin (free) lets you change the URL to anything you want — /staff/, /portal/, anything memorable but non-obvious. Suddenly most bots can’t even find your login form.

6. Force HTTPS site-wide

Every iWebVault hosting plan includes free Let’s Encrypt SSL. Activate it in cPanel under Security → SSL/TLS Status → Run AutoSSL. Then in WordPress, install Really Simple SSL (or set the Site URL to https:// manually). Force HTTPS at the server level via .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

7. Disable file editing in the dashboard

WordPress lets admins edit theme and plugin files directly from the dashboard. If an attacker gets in, that’s how they inject malicious code. Disable it by adding one line to wp-config.php (above the /* That's all, stop editing! */ line):

define( 'DISALLOW_FILE_EDIT', true );

8. Disable XML-RPC

XML-RPC is a legacy WordPress feature used by some mobile apps and Jetpack. It’s also a favourite target for amplified brute-force attacks. Unless you’re actively using a service that requires it, turn it off. Add to .htaccess in your WordPress root:

<Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
</Files>
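Steps 4, 5 and 8 all target the same traffic: POSTs to /wp-login.php and /xmlrpc.php. The script below is an added example, not part of this article or of any plugin, that pulls that traffic out of an Apache combined-format access log (the format of cPanel's raw access logs) so you can see who is hammering the login before and after you apply those steps. The sample log lines are constructed, and wp_auth_flood and its threshold argument are this example's own names.

```shell
#!/bin/sh
# Spot password guessing against wp-login.php and xmlrpc.php in an Apache
# combined-format access log.  A POST to wp-login.php that returns 200 is a
# failed login (WordPress re-renders the form); a 302 is a successful one.
# Many 200s from one client followed by a 302 is the pattern worth acting on.

# wp_auth_flood THRESHOLD  < access_log
# Prints "IP FAILED SUCCEEDED" for every client with more than THRESHOLD
# failed POSTs to wp-login.php or xmlrpc.php, busiest first.
wp_auth_flood() {
    limit=${1:-10}
    awk -v limit="$limit" '
        $6 == "\"POST" {
            sub(/\?.*$/, "", $7)                # drop any query string
            if ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") {
                if ($9 == "302") ok[$1]++; else fail[$1]++
            }
        }
        END {
            for (ip in fail)
                if (fail[ip] > limit)
                    printf "%s %d %d\n", ip, fail[ip], ok[ip] + 0
        }' | sort -k2,2nr
}

# Constructed sample log lines (not real traffic) for a stand-alone run.
WP_SAMPLE_LOG='203.0.113.7 - - [10/Mar/2025:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:02:20:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:02:20:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.3 - - [10/Mar/2025:02:25:00 +0000] "GET /?p=12 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"'

# Stand-alone demo: report any client with more than 3 failed attempts.
printf '%s\n' "$WP_SAMPLE_LOG" | wp_auth_flood 3
```

Once WPS Hide Login is in place, a POST to the old /wp-login.php path that still shows up here is by definition a bot, which makes this report a useful before/after check for step 5.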

9. Protect wp-config.php

This file contains your database password. It should be readable by PHP but invisible to the outside world. Add to .htaccess:

<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>

Also set its file permissions to 600 via File Manager → right-click → Change Permissions.

10. Set proper file permissions

The WordPress-recommended permissions are:

  • Folders: 755
  • Files: 644
  • wp-config.php: 600

If permissions have drifted (you’ll see this if files aren’t editable from the dashboard, or PHP errors mention “Permission denied”), reset them via SSH:

find /home/user/public_html -type d -exec chmod 755 {} \;
find /home/user/public_html -type f -exec chmod 644 {} \;
chmod 600 /home/user/public_html/wp-config.php
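As an added example (not part of this article or of iWebVault's tooling), here is the reset above wrapped in an audit-first script, so you can see exactly what drifted before you chmod a whole tree. It assumes GNU find (what you get over SSH on a cPanel host), that DOCROOT is the directory holding wp-config.php, and the function names wp_perm_audit, wp_perm_drift and wp_perm_fix are this example's own.

```shell
#!/bin/sh
# Audit a WordPress tree against the recommended modes (755 dirs, 644 files,
# 600 wp-config.php) before touching anything, then apply the reset.
# Assumes GNU find; DOCROOT is the directory that holds wp-config.php.

# wp_perm_audit DOCROOT
# Prints one "KIND MODE PATH" line per item that deviates from the
# recommended mode; prints nothing when the tree is clean.
wp_perm_audit() {
    docroot=${1:?usage: wp_perm_audit DOCROOT}
    # "-perm 755" with no leading - or / matches only that exact mode,
    # so setuid/setgid/sticky bits are reported as drift too.
    find "$docroot" -type d ! -perm 755 -printf 'DIR  %m %p\n'
    find "$docroot" -type f ! -name wp-config.php ! -perm 644 -printf 'FILE %m %p\n'
    find "$docroot" -type f -name wp-config.php ! -perm 600 -printf 'CONF %m %p\n'
}

# wp_perm_drift DOCROOT: number of drifted items (0 means clean).
wp_perm_drift() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# wp_perm_fix DOCROOT: the reset from step 10, using "{} +" so chmod runs
# once per batch of paths instead of once per file.
wp_perm_fix() {
    docroot=${1:?usage: wp_perm_fix DOCROOT}
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    if [ -f "$docroot/wp-config.php" ]; then
        chmod 600 "$docroot/wp-config.php"
    fi
}

# Stand-alone use (DOCROOT is a placeholder for your own account):
#   wp_perm_audit /home/user/public_html   # look first
#   wp_perm_fix   /home/user/public_html   # then reset
```

A non-empty audit on a site you have not touched is itself a signal worth noting during an incident: world-writable files or directories are a common leftover of a compromise.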

11. Use a custom database table prefix

WordPress defaults to wp_ as the table prefix (so tables become wp_posts, wp_users, etc.). Bots writing SQL injection attacks assume this default. Setting a custom prefix during installation (e.g. iwv_) blocks an entire class of attacks. If you missed it during install, plugins like Brozzme DB Prefix Change can change it after the fact — back up first.

12. Keep WordPress, themes, and plugins updated

Most compromises happen through unpatched plugins. Enable automatic updates for minor WordPress releases (default on) and check your dashboard weekly for plugin updates. If a plugin hasn’t been updated in 2+ years, replace it — abandoned plugins are a liability regardless of how well they worked at launch.

13. Remove unused themes and plugins

Inactive plugins still get scanned by attackers and exploited if vulnerable. Same for themes — even if not “Active,” they’re on disk. Delete (don’t just deactivate) anything you’re not using. Especially the default Twenty Twenty-Three / Twenty Twenty-Two themes if you’re using a custom theme.

14. Install a security plugin (one, not three)

Pick one security plugin and use it well — multiple plugins fighting over the same hooks cause conflicts. The leading free options:

  • Wordfence Security — full-featured, with an application firewall, malware scanner, and live traffic view. Best for sites with regular admin attention.
  • Solid Security (formerly iThemes Security) — heavier on automated hardening, lighter on day-to-day monitoring. Good for “set and forget” sites.
  • WPS Cerber — lightweight, strong anti-spam, less UI bloat. Good if Wordfence feels overwhelming.

All three include 2FA, login limiting, and malware scanning — so if you install one, you can skip plugins for those features individually.

15. Set up automated backups

The single best recovery tool is a recent, clean backup. iWebVault provides JetBackup on most plans (cPanel → JetBackup section). Set up automatic daily backups, with at least 7 days of retention, stored either remotely or as a separate plan from your hosting.

The classic 3-2-1 backup rule applies: 3 copies of your data, on 2 different media types, with 1 stored offsite. UpdraftPlus (free WordPress plugin) handles remote backups to Google Drive, Dropbox, or S3 — pair it with JetBackup and you’re well-protected.

What iWebVault handles for you

Some hardening happens automatically on iWebVault hosting and doesn’t require any action from you:

  • ModSecurity — a web application firewall running at the server level, blocking common attack patterns (SQL injection, XSS, common exploit signatures) before they reach WordPress.
  • CSF firewall — IP-level firewall with automatic brute-force detection across all accounts on the server.
  • PHP open_basedir restrictions — even if PHP is compromised, it can’t access other accounts on the same server.
  • CageFS (CloudLinux) — your account runs in an isolated virtual filesystem; a breach on a neighboring account can’t affect yours.
  • Daily malware scans at the server level via Imunify360 (on most plans), with automatic quarantine of detected malicious files.

These are belt-and-braces additions to the in-WordPress hardening above, not replacements for it. Both layers are needed.

If you suspect compromise

Warning signs: unfamiliar admin users appearing, search results showing your site full of unfamiliar content (pharma, gambling, foreign language), browsers flagging your domain as “deceptive”, or sudden spikes in outbound email traffic.

The first move is not to panic-delete things — preserve evidence and restore from a clean backup. The recovery sequence:

  1. Change every password — WordPress admin, cPanel, FTP, database — using a clean device.
  2. Take the site offline via .htaccess (block all traffic except your IP).
  3. Run a malware scan with your security plugin and with cPanel’s Imunify360.
  4. Restore from the most recent known-clean backup. If you don’t have one, see step 5.
  5. Open a support ticket with all details. iWebVault’s team can assist with malware cleanup and have experience identifying the entry point.
  6. Once clean, work through this entire hardening checklist before bringing the site back online. Compromises usually recur within days if you fix only the symptom.
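Step 2 of the recovery sequence, as an added example that is not from the article: a small script that takes the site offline for everyone except one admin address while keeping the existing .htaccess intact as evidence, and lifts the block again once you are done. The Apache 2.4 Require syntax, the marker comments and the function names are this example's own assumptions, and 203.0.113.5 stands in for your own IP.

```shell
#!/bin/sh
# Take a compromised WordPress site offline for everyone except one admin
# IP without destroying the existing .htaccess (it is evidence, and it
# carries the HTTPS, XML-RPC and wp-config rules from the checklist).
# Apache 2.4 syntax: access control ("Require") is evaluated before the
# per-directory RewriteRules in the same file, so the HTTPS redirect keeps
# working for the admin and everyone else gets a 403.

# wp_lockdown DOCROOT ADMIN_IP
# Saves a timestamped copy of .htaccess, then prepends the lockdown block.
wp_lockdown() {
    docroot=${1:?usage: wp_lockdown DOCROOT ADMIN_IP}
    admin_ip=${2:?usage: wp_lockdown DOCROOT ADMIN_IP}
    ht="$docroot/.htaccess"
    [ -f "$ht" ] || : > "$ht"
    cp -p "$ht" "$ht.pre-lockdown.$(date +%Y%m%d%H%M%S)"   # -p keeps mtime
    tmp=$(mktemp)
    {
        printf '# BEGIN iwv-lockdown\n'
        printf 'Require ip %s\n' "$admin_ip"
        printf '# END iwv-lockdown\n'
        cat "$ht"
    } > "$tmp"
    cat "$tmp" > "$ht" && rm -f "$tmp"     # cat > keeps the file's owner/mode
}

# wp_unlock DOCROOT: remove only the lockdown block, leaving the rest intact.
wp_unlock() {
    ht="${1:?usage: wp_unlock DOCROOT}/.htaccess"
    tmp=$(mktemp)
    sed '/^# BEGIN iwv-lockdown$/,/^# END iwv-lockdown$/d' "$ht" > "$tmp"
    cat "$tmp" > "$ht" && rm -f "$tmp"
}

# wp_lockdown_active DOCROOT: exit 0 if the block is currently in place.
wp_lockdown_active() {
    grep -q '^# BEGIN iwv-lockdown$' "${1:?usage: wp_lockdown_active DOCROOT}/.htaccess"
}

# Stand-alone use (placeholder paths and address):
#   wp_lockdown /home/user/public_html 203.0.113.5
#   wp_unlock   /home/user/public_html
```

If the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than yours unless the server is configured to trust the forwarded client IP, so confirm the lockdown from a second connection before relying on it.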

What’s next

  • Worried about email being a weak link? Read our deliverability guide — properly authenticated email also reduces the risk of your domain being spoofed.
  • Running multiple WordPress sites? Consider a centralised management tool like ManageWP or MainWP to apply updates and security policies across all of them at once.
  • Need to recover from a compromise? Open a ticket with as much detail as you can — what you noticed, when, and what you’ve done so far.

WordPress security is a continuous discipline, not a one-time project. Re-run this checklist any time you take over a site from someone else, after recovering from a compromise, or once a year as a routine audit.
