How secure is WordPress on cPanel hosting?

WordPress is the most widely used platform for building websites, and that popularity alone makes every WordPress site part of a very large attack surface. Companies that provide WordPress hosting usually take some precautions to secure it.

But WordPress itself is not insecure. It is under constant attack mainly because it is the gateway to millions of websites: WordPress currently powers over 43% of all websites.[1]

Many WordPress websites start receiving brute-force login attempts and spam form submissions as soon as they are brought online.

Because every installation shares the same core code, and many share the same popular plugins and themes, a weakness an attacker finds on one WordPress site can usually be exploited on thousands of others with the same automated tooling.

Eltris cPanel web hosting includes WordPress Toolkit, a cPanel utility with many features for protecting your WordPress website. It makes running WordPress on cPanel considerably more secure.

Common WordPress Attack Vectors

Every attack is unique in its own way; however, most attacks on WordPress fall into one of the categories below.

Brute-Force attacks
In this attack type, the attacker tries to log in to your WordPress website with many username/password combinations until one works. The guesses can be sent to the wp-login.php page, to XML-RPC (xmlrpc.php, whose system.multicall method lets a single HTTP request carry hundreds of guesses), or combined with the REST API, which by default lists author accounts at /wp-json/wp/v2/users and so hands the attacker valid usernames to try.

Brute-force attacks are not hard to defend against: most security plugins can limit login attempts, require two-factor authentication, or move the wp-admin login page to a non-standard path. WordPress Toolkit, available on cPanel hosting, also includes functionality to secure your website against this attack type. Rate limiting at the web-server level (a WAF or mod_security rule) is more robust than a plugin, because a plugin only runs after PHP has already handled the request.
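Whether or not a plugin blocks the guesses, the attack is visible in the cPanel domlogs (Apache combined format). The script below is an added example, not part of the original article or of WordPress Toolkit: it parses access-log lines, flags any IP that sends more than a threshold of POSTs to wp-login.php or xmlrpc.php within a sliding window, and separately counts username-enumeration requests (/?author=N and /wp-json/wp/v2/users). The log lines, IPs and threshold values are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format, as written to cPanel domlogs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoints that accept credentials, and patterns that leak usernames.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")
ENUM_RE = re.compile(r"/wp-json/wp/v2/users|[?&]author=\d+")


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, window_seconds=60, threshold=10):
    """Return (flagged, enum_hits).

    flagged   : {ip: peak number of login POSTs seen inside one window}
                for IPs exceeding `threshold` POSTs within `window_seconds`.
    enum_hits : {ip: count of username-enumeration requests}.
    """
    windows = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = {}
    enum_hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if ENUM_RE.search(rec["path"]):
            enum_hits[rec["ip"]] += 1
        path = rec["path"].split("?", 1)[0]
        if rec["method"] != "POST" or path not in LOGIN_PATHS:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Drop events that fell out of the sliding window.
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged, dict(enum_hits)


# Constructed sample log: one IP enumerates the first author, then hammers
# wp-login.php and xmlrpc.php within 15 seconds; another IP logs in once.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2024:10:00:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [12/Mar/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"'
    for s in range(1, 12)
] + [
    f'203.0.113.5 - - [12/Mar/2024:10:00:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
    for s in range(12, 16)
] + [
    '198.51.100.7 - - [12/Mar/2024:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    flagged, enum_hits = find_bruteforce(SAMPLE_LOG)
    for ip, n in flagged.items():
        print(f"brute force: {ip} ({n} login POSTs in one window)")
    for ip, n in enum_hits.items():
        print(f"enumeration: {ip} ({n} requests)")
```

On a real account, feed it `~/access-logs/<domain>` (or `logs/` under the domlogs path your host uses) and lower the threshold for xmlrpc.php, since one multicall request can hold many guesses that the access log cannot see.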

DDoS (Distributed Denial of Service) attacks
Bombarding your site with so much traffic that it slows to a halt or starts returning errors. A DDoS attack does not by itself compromise data or take control of the site; its aim is to take your website offline, although the downtime can still be costly.

In the worst case you have to wait for the attack to stop. The practical defence is to choose WordPress hosting that includes DDoS protection, such as Eltris.

Plugin and Theme Vulnerabilities
Unfortunately, plugins and themes are perhaps the biggest attack vector for WordPress. At the time of writing, an add-on for WPBakery (one of the most popular page builders) is being actively exploited: the vulnerability was disclosed publicly while a patch had not yet been applied.

This is one of the reasons why you should only use themes and plugins from reputable vendors, remove the ones you do not use, and keep everything up to date so that known vulnerabilities are patched. But even with reputable vendors there is always a chance that this will happen.

WordPress Toolkit includes a feature that detects known vulnerabilities in installed themes and plugins, and an auto-update feature with a smart backup option so that a failed update can be rolled back.

Securing WordPress on cPanel

We have already said that WordPress by itself is not insecure: the code base is open source, which means thousands of developers can review it, report issues, and propose fixes.

However, you can still take plenty of actions to secure WordPress.

WordPress Toolkit is a cPanel utility that provides a complete and intuitive management solution for your WordPress websites. Its functions fall into these areas:

  • Installation and Maintenance
  • Security and Updates
  • Plugin and Theme Management
  • Development (Staging, Cloning, and more)
  • Backup and Restore

Important security options to consider

You do not necessarily need or want to apply every security measure. Here are the ones we recommend you always apply.

Block directory browsing
With directory listing enabled, anyone can browse folders that have no index file and see which plugins and themes you run, often including their version numbers (a plugin's readme.txt, for example). That tells an attacker exactly which known vulnerabilities to try against you.

Change the default administrator’s username
The default "admin" username is the first guess in most brute-force attacks, so renaming it defeats the laziest ones. Do not rely on it alone: WordPress exposes usernames through author archives (/?author=1 redirects to the author's slug) and the REST API (/wp-json/wp/v2/users), so combine the rename with strong passwords, login rate limiting, and ideally two-factor authentication.

Turn off Pingbacks
While pingbacks can be useful, the XML-RPC interface that carries them is a frequent source of trouble: it allows amplified password guessing through system.multicall, and it has been abused to turn WordPress sites into reflectors for DDoS attacks against third parties. This option turns off XML-RPC for the whole website. If you rely on something that needs XML-RPC (the WordPress mobile app or Jetpack, for example), leave it on and block only the pingback methods instead.

Enable bot protection
Bots can be useful (search engines are bots), but rogue bots scanning your website are how attackers find vulnerable plugins at scale. This option blocks known bad bots, typically by their User-Agent and similar request signatures. It raises the cost for mass scanners; a targeted attacker can simply change their User-Agent, so treat it as one layer among several.

Forbid execution of PHP Scripts
PHP scripts should never execute from the wp-includes or wp-content/uploads folders; uploads in particular is where a file-upload vulnerability in a plugin or theme would drop a web shell. These rules (web-server rules, applied for those two folders) refuse to execute PHP files there, so even a successfully uploaded shell cannot run.

How to secure WordPress on cPanel

Securing WordPress on cPanel only takes a minute or two and can save you from a compromised site.

While logged in to cPanel, click the search field, type "WordPress Toolkit", and open the result. Under "Status" you will see the Security line; click the link next to it and a panel opens on the side.

There are various security settings you can toggle individually, but if you want to secure your website quickly without going through each one, select the checkbox at the top left to select all the security measures.

Then click the "Secure" button and all the selected measures will be applied. Afterwards, re-test anything that relied on XML-RPC or the REST API, since those toggles can break integrations.
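If you have SSH access to the account, you can verify two of the options above ("Block directory browsing" and "Forbid execution of PHP scripts") directly on the filesystem after clicking "Secure", and look for the one thing no toggle fixes: PHP files that are already sitting in the uploads folder. The script below is an added example, not code from the original article or from WordPress Toolkit. It audits a WordPress document root, reports the gaps, and can write the standard Apache directives itself. The directives (`Options -Indexes` and a `<FilesMatch>` block with `Require all denied`) are the conventional rules for these two protections and are an assumption here; the exact rules WordPress Toolkit writes are not stated on this page. The docroot it builds for the demo, including the planted `photo.php.jpg`, is constructed.

```python
import os
import re
import tempfile

UPLOADS = os.path.join("wp-content", "uploads")
INCLUDES = "wp-includes"

# Reference directives (assumed standard Apache rules, not copied from WordPress Toolkit).
NO_INDEXES = "Options -Indexes\n"
DENY_PHP = (
    '<FilesMatch "\\.(php|phtml|phar|php[0-9])$">\n'
    "    Require all denied\n"
    "</FilesMatch>\n"
)

# Matches .php/.phtml/.phar/.php5 anywhere in the name, so that a double
# extension like photo.php.jpg (executable under some AddHandler setups) is caught.
PHP_NAME_RE = re.compile(r"\.ph(p\d?|tml|ar)(\.|$)", re.I)
NO_INDEXES_RE = re.compile(r"^\s*Options\b.*-Indexes", re.M | re.I)


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    except FileNotFoundError:
        return ""


def _denies_php(htaccess_text):
    """True if the .htaccess text blocks PHP-like files with a deny directive."""
    has_match = re.search(r"<FilesMatch[^>]*ph", htaccess_text, re.I)
    has_deny = re.search(r"Require all denied|Deny from all", htaccess_text, re.I)
    return bool(has_match and has_deny)


def audit_docroot(docroot):
    """Report directory listing, PHP-executable folders, and PHP files under uploads."""
    findings = {
        "directory_listing": not NO_INDEXES_RE.search(_read(os.path.join(docroot, ".htaccess"))),
        "php_executable_dirs": [],
        "php_files_in_uploads": [],
    }
    for sub in (UPLOADS, INCLUDES):
        if not _denies_php(_read(os.path.join(docroot, sub, ".htaccess"))):
            findings["php_executable_dirs"].append(sub)
    for dirpath, _, files in os.walk(os.path.join(docroot, UPLOADS)):
        for name in files:
            if PHP_NAME_RE.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                findings["php_files_in_uploads"].append(rel)
    findings["php_files_in_uploads"].sort()
    return findings


def harden_docroot(docroot):
    """Append the two rule sets where missing (idempotent). Files found in
    uploads are left alone: deciding whether they are malicious is a human job."""
    root_ht = os.path.join(docroot, ".htaccess")
    if not NO_INDEXES_RE.search(_read(root_ht)):
        with open(root_ht, "a", encoding="utf-8") as f:
            f.write(NO_INDEXES)
    for sub in (UPLOADS, INCLUDES):
        path = os.path.join(docroot, sub, ".htaccess")
        if not _denies_php(_read(path)):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "a", encoding="utf-8") as f:
                f.write(DENY_PHP)


def demo():
    """Build a constructed docroot with a planted upload; return (before, after) audits."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, UPLOADS, "2024", "03"))
    os.makedirs(os.path.join(root, INCLUDES))
    with open(os.path.join(root, UPLOADS, "2024", "03", "photo.php.jpg"), "w") as f:
        f.write("<?php system($_GET['c']); ?>")  # constructed web-shell stand-in
    before = audit_docroot(root)
    harden_docroot(root)
    after = audit_docroot(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run `audit_docroot` against `~/public_html` (or the addon domain's docroot) after applying the toggles; `directory_listing` should be `False` and `php_executable_dirs` empty. Anything left in `php_files_in_uploads` deserves a look, because WordPress itself never stores PHP there. Note that these checks assume Apache honours .htaccess for the account, which is the normal cPanel setup.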

Ending thoughts

A successful attack on any given site is far from certain, but it is always better to secure your website so that attackers are blocked before they can compromise it or even slow it down.

Eltris web hosting provides all the tools you need to secure your WordPress website, so you can have more peace of mind and focus on your business instead of on your website.


Sources:
[1] https://w3techs.com/