May 20, 2026

How to Secure WordPress Using cPanel

WordPress powers millions of websites, making it one of the most common targets for hackers, malware, and brute-force attacks. The good news is that if your hosting includes cPanel, you already have powerful tools available to secure your website.

In this guide, you’ll learn how to secure your WordPress website using cPanel step by step — even if you’re a beginner.

Why WordPress Security Matters

A compromised WordPress website can lead to:

  • Website downtime
  • Lost customer trust
  • Stolen data
  • Blacklisting by Google
  • Spam or malware injections
  • SEO ranking drops

Most WordPress hacks happen because of:

  • weak passwords
  • outdated plugins/themes
  • insecure hosting settings
  • poor file permissions
  • missing backups

Fortunately, cPanel makes it easy to improve security without advanced technical skills.

1. Enable SSL (HTTPS) in cPanel

SSL encrypts your website traffic and protects visitor data.

How to Enable SSL
  1. Log into cPanel
  2. Open SSL/TLS Status
  3. Select your domain
  4. Click Run AutoSSL

Most hosting providers offer free SSL certificates through Let’s Encrypt or AutoSSL.

After SSL is installed:

  1. Log into WordPress
  2. Go to:
    Settings → General
  3. Change:
    • WordPress Address (URL)
    • Site Address (URL)

Use:

https://yourdomain.com

2. Keep WordPress Updated

Outdated WordPress installations are one of the biggest security risks.

Update:

  • WordPress core
  • Plugins
  • Themes

How to Update WordPress
  1. Log into WordPress admin
  2. Go to:
    Dashboard → Updates
  3. Install all available updates

Delete unused plugins and themes to reduce vulnerabilities.

3. Use Strong Passwords Everywhere

Weak passwords are one of the easiest ways attackers gain access.

Important Accounts to Secure
  • WordPress admin
  • cPanel account
  • FTP accounts
  • Email accounts
  • Database users

Best Practices
  • Use at least 12 characters
  • Include symbols and numbers
  • Avoid dictionary words
  • Use a password manager

4. Enable Two-Factor Authentication (2FA)

Two-factor authentication adds an extra layer of security.

Enable 2FA in cPanel
  1. Log into cPanel
  2. Open Two-Factor Authentication
  3. Click Set Up Two-Factor Authentication
  4. Scan the QR code using:
    • Google Authenticator
    • Authy
    • Microsoft Authenticator

You should also enable 2FA in WordPress using plugins like:

  • Wordfence
  • WP 2FA
  • miniOrange

5. Secure wp-admin and Login Pages

Hackers often target the WordPress login page using brute-force attacks.

Recommended Security Plugins

Install one of these plugins:

  • Wordfence
  • Solid Security (formerly iThemes Security)
  • Limit Login Attempts Reloaded

These plugins can:

  • limit failed login attempts
  • block malicious IPs
  • add CAPTCHA protection
  • enable firewall protection

6. Change File Permissions in cPanel

Incorrect file permissions can expose your website to attacks.

Recommended Permissions

File Type        Permission
Folders          755
Files            644
wp-config.php    400 or 440

How to Change Permissions
  1. Open File Manager in cPanel
  2. Right-click files/folders
  3. Select Permissions
  4. Apply correct values

Avoid setting permissions to 777.
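
An added example (not part of the original guide): a shell function for the cPanel Terminal or SSH that audits a WordPress tree against the table above and flags anything world-writable. It assumes GNU find and stat, as found on Linux cPanel servers; the function name and WP_ROOT are illustrative.

```shell
#!/bin/sh
# Added example: report entries that deviate from the permissions table
# (folders 755, files 644, wp-config.php 400 or 440) or are world-writable.
# Assumes GNU stat (stat -c). Paths containing "|" or newlines are not handled.

audit_wp_perms() {  # usage: audit_wp_perms /home/USER/public_html
    find "$1" \( -type d -o -type f \) -exec stat -c '%F|%a|%n' {} + |
    while IFS='|' read -r kind mode path; do
        # Last octal digit 2, 3, 6 or 7 means "other" can write (777 included).
        case "$mode" in
            *[2367]) echo "WORLD-WRITABLE $mode $path"; continue ;;
        esac
        if [ "$kind" = "directory" ]; then
            [ "$mode" = 755 ] || echo "DIR $mode $path (want 755)"
        elif [ "${path##*/}" = "wp-config.php" ]; then
            case "$mode" in
                400|440) ;;
                *) echo "WP-CONFIG $mode $path (want 400 or 440)" ;;
            esac
        else
            [ "$mode" = 644 ] || echo "FILE $mode $path (want 644)"
        fi
    done
}

# Run only when WP_ROOT is set, e.g.  WP_ROOT=$HOME/public_html sh audit.sh
if [ -n "${WP_ROOT:-}" ]; then
    audit_wp_perms "$WP_ROOT"
fi
```

No output means every folder and file matches the table.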

7. Protect the wp-config.php File

The wp-config.php file contains your database credentials and sensitive settings.

Move wp-config.php Above public_html

In many hosting environments, WordPress will still function if the file is moved one directory above public_html.

This prevents direct public access.

You can also add this rule in .htaccess, which makes the web server refuse requests for the file:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

8. Disable PHP Execution in Uploads Folder

Hackers often upload malicious PHP files through vulnerable plugins.

How to Disable PHP Execution
  1. Open File Manager
  2. Navigate to:
    /public_html/wp-content/uploads/
  3. Create a new .htaccess file
  4. Add:

<Files *.php>
deny from all
</Files>

This denies web requests for .php files inside uploads, so an uploaded script cannot be run by requesting its URL.

9. Use Automated Backups

Backups are your last line of defense.

Backup Options in cPanel

Use:

  • Backup Wizard
  • JetBackup (if available)
  • Full Account Backups

Best Practice
  • Daily backups
  • Store copies offsite
  • Test restores regularly

You can also use WordPress backup plugins like:

  • UpdraftPlus
  • BlogVault
  • Solid Backups

10. Install a Web Application Firewall (WAF)

A firewall blocks malicious traffic before it reaches WordPress.

Recommended Options
  • Wordfence Firewall
  • Cloudflare WAF
  • Sucuri Firewall
  • Imunify360 (hosting-level protection)

Cloudflare is especially useful for:

  • DDoS protection
  • bot blocking
  • CDN performance improvements

11. Secure Your Database

Attackers often target default database configurations.

Security Tips
  • Change the default wp_ table prefix
  • Use strong database passwords
  • Remove unused databases
  • Restrict remote MySQL access

You can manage databases in:

cPanel → MySQL Databases

12. Disable Directory Browsing

Directory browsing can expose sensitive files.

How to Disable Directory Listing

Add this to .htaccess:

Options -Indexes

This prevents visitors from viewing folder contents.
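
An added example (not from the original guide) covering the .htaccess rules from steps 7, 8 and 12: a shell function that reports which of them are missing and lists PHP files already sitting in uploads. It assumes the step 7 and 12 rules live in the site-root .htaccess and that the deny rules are wrapped in Files or FilesMatch blocks; the function names and WP_ROOT are illustrative.

```shell
#!/bin/sh
# Added example: static check of the .htaccess hardening rules from this guide.

# Succeeds if FILE has a <Files>/<FilesMatch> block whose pattern contains
# NEEDLE (lowercase) and whose body denies all access. Both the Apache 2.2
# form (deny from all) and the 2.4 form (Require all denied) are accepted.
denies_files() {  # usage: denies_files FILE NEEDLE
    [ -f "$1" ] || return 1
    awk -v needle="$2" '
        { line = tolower($0) }
        line ~ /^[ \t]*#/ { next }    # ignore comment lines
        line ~ /^[ \t]*<files(match)?[ \t]/ { inblk = (index(line, needle) > 0); next }
        line ~ /^[ \t]*<\/files(match)?>/   { inblk = 0; next }
        inblk && line ~ /(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ { ok = 1 }
        END { exit !ok }
    ' "$1"
}

audit_htaccess() {  # usage: audit_htaccess /home/USER/public_html
    root=$1
    up="$root/wp-content/uploads"
    denies_files "$root/.htaccess" "wp-config.php" ||
        echo "MISSING wp-config.php deny rule in $root/.htaccess"
    # A bare "deny from all" outside a PHP-scoped block does not count.
    denies_files "$up/.htaccess" "php" ||
        echo "MISSING PHP deny rule in $up/.htaccess"
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess" 2>/dev/null ||
        echo "MISSING Options -Indexes in $root/.htaccess"
    # Uploads should hold media only; list script files for manual review.
    find "$up" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null |
        sed 's/^/PHP-IN-UPLOADS /'
    return 0
}

# Run only when WP_ROOT is set, e.g.  WP_ROOT=$HOME/public_html sh check.sh
if [ -n "${WP_ROOT:-}" ]; then
    audit_htaccess "$WP_ROOT"
fi
```

If wp-config.php has been moved above public_html, the first finding can be ignored.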

13. Scan for Malware Regularly

Regular malware scans help detect infections early.

Malware Scanning Tools
  • ImunifyAV
  • Wordfence
  • Sucuri Scanner
  • VirusTotal

Some hosting providers include server-level malware scanning inside cPanel.

14. Use Cloudflare for Extra Protection

Cloudflare improves both security and speed.

Benefits
  • DDoS mitigation
  • bot protection
  • SSL management
  • caching
  • firewall rules

Basic Setup
  1. Create a Cloudflare account
  2. Add your domain
  3. Change nameservers
  4. Enable:
    • SSL
    • Bot Fight Mode
    • WAF rules

15. Disable Unused Services

Remove anything you don’t use.

Delete:
  • inactive plugins
  • unused themes
  • old staging sites
  • abandoned databases
  • old admin accounts

The smaller your website's attack surface, the safer it becomes.

Bonus Security Tips

Rename the Default Admin Username

Avoid using:

admin

Use Security Headers

Add headers like:

  • X-Frame-Options
  • X-XSS-Protection (legacy; current browsers ignore it)
  • Content-Security-Policy

Monitor File Changes

Security plugins can alert you if files are modified unexpectedly.

Final Word

Securing WordPress doesn’t have to be complicated. With cPanel and a few simple best practices, you can dramatically reduce the risk of hacks, malware, and downtime.

Start with:

  1. SSL
  2. Updates
  3. Strong passwords
  4. Backups
  5. Security plugins
  6. Cloudflare

Even implementing a few of these changes can significantly improve your website security.

Frequently Asked Questions

Is cPanel secure for WordPress?

Yes. cPanel includes built-in security tools like SSL management, backups, IP blocking, and file permissions that help secure WordPress websites.

What is the best WordPress security plugin?

Popular options include:

  • Wordfence
  • Solid Security
  • Sucuri Security

How often should I backup WordPress?

Daily backups are recommended for most websites.

Does Cloudflare improve WordPress security?

Yes. Cloudflare helps block malicious traffic, bots, and DDoS attacks while improving website performance.

Can shared hosting be secure?

Yes, as long as you follow security best practices and keep your website updated.