
How We Protect Your Website (And What You Can Do to Help)

Kualo runs multiple layers of security to protect your site, but the strongest defence combines what we do with what you do.

19 min read Updated 4 Jun 2026

Most people think of website security like locking their front door. You have a strong password, maybe even a security plugin, and you figure that is enough to keep the bad guys out.

But hackers do not use the front door.

They do not politely jiggle the doorknob and sigh in disappointment when it does not open. They scour every inch of your house, looking for an unlocked window, a cracked basement hatch, or a hidden spare key you forgot under the doormat. They do not care if you have a high-tech alarm system - if there is an opening, they will find it.

Now, imagine the internet is not just a row of houses - it is millions of houses, all lined up in a giant digital neighbourhood. Hackers are not picking one house at a time - they are running massive, automated scans, testing millions of sites every single day for weak passwords, outdated software, or any tiny vulnerability they can use to gain access undetected.

And the second they find one? They are in.

That is why real security is about layered defences that anticipate weak spots before they are exploited.

At Kualo, we have built a strong, multi-layered security system designed to detect, block, and neutralise threats before they reach your site. But security is not just about what we do - it is also about what you do.

We can build the fortress, staff the guard towers, and install the alarms, but if there is an unguarded back door - an exposed password, an unpatched plugin, or a missing security update - an attacker only needs that one gap to get through.

Here is what we do to keep you safe, and what you also need to do to keep your site locked down.


Firewalls: the smart bouncers at the door

Imagine the internet as a massive, lawless nightclub. Some guests are regulars, here to enjoy the music (or, you know, browse your website). Others are looking to cause trouble.

Some of these troublemakers charge straight at the door over and over again, hoping to force their way in. Others blend into the crowd, testing locks, seeing what they can get away with before anyone notices.

Your website needs security at the door - a bouncer who can spot fake IDs, throw out the rowdy ones, and challenge anyone being sneaky before they cause chaos.

But here is the catch: hackers do not all play by the same rules.

Two main hacker strategies (and why regular firewalls struggle)

The sledgehammer approach (flood attacks)

Some hackers try to smash their way in by throwing enormous amounts of traffic at a site, hoping to overload the server and knock it offline (DDoS attacks), or by brute-forcing passwords with thousands of login attempts per second.

This is where traditional firewalls are useful - they can spot a single source flooding traffic and block it.

The pickpocket approach (distributed attacks)

Other hackers play the long game, using botnets - armies of compromised devices spread across the world.

  • Instead of hammering the same website repeatedly, they probe thousands of sites one request at a time, from different IP addresses and locations.
  • They learn from what gets blocked and tweak their attack patterns in real time.
  • They look for unpatched software, vulnerable plugins, or weak passwords, exploiting the smallest openings.

This is where traditional firewalls start to fail - because if an attack is coming from thousands of different locations, how do you spot the pattern?

A firewall that thinks like a hacker (and then outsmarts them)

Instead of just standing at the door reacting to trouble, our firewall is part of a global intelligence network - watching threats unfold across thousands of servers at the same time.

  • It learns from attack patterns happening elsewhere, meaning that if a hacker tries a trick on another website, your site is already protected before they even get to you.
  • It spots botnet behaviour and can block networks even if each bot is making just one request per site before moving on.
  • It adapts in real time, so even if an attack evolves, our defences shift to counter it.

In practice, that means:

  • Network firewalls block known malicious sources before they even reach your site.
  • Machine-learning WAFs detect and adapt to new threats, even if they change tactics.
  • Rate-limiting and brute-force protection stops a wide range of automated login attempts before they become a problem.
  • Real-time attack intelligence from thousands of servers means the majority of threats are neutralised before they reach you.

Hackers evolve. So do we.


Caged file system: your own private security bubble

At many hosts, hosting your website is like renting an apartment in a large building. Your website is one apartment within a bigger structure (the server), and other tenants (other websites) live in the same space.

Now, imagine if your neighbour accidentally sets fire to their kitchen. In a typical apartment block, that fire could spread to your home. That is what happens on a traditional shared hosting server - if one website gets hacked, others could be at risk too.

Our hosting does not work like that.

We use CageFS, which acts as a fireproof wall around your hosting account, isolating your files, data, and resources from everyone else on the server.

  • Each account runs in its own secure "cage" - other users cannot see or access your files.
  • Processes and resources are locked down, so if another site on the server is compromised, it cannot affect you.
  • It stops attackers from jumping between accounts, eliminating one of the biggest risks of traditional shared hosting.

It is like living in a detached house instead of an apartment block - your space is completely your own.

What about multiple websites in one account?

If you host multiple websites or applications in a single hosting account, they are isolated from other customers but not from each other - they share the same space. So if one site gets compromised, it could affect the others.

If you are hosting multiple websites, it is crucial to keep every single one updated and secure. Otherwise, a vulnerable site could become a gateway for attackers to access everything else in the account.

If you want absolute separation between your websites, the best approach is to host them in separate cPanel accounts. See our article on when addon domains are a good idea (and when you should rethink them) for more detail.


Backups and self-restoration via JetBackup: your safety net

Even with all the security in the world, sometimes things still go wrong - which is why backups are critical.

  • We take regular backups using JetBackup, so you can restore your files or database at any time.
  • Backups are taken daily, with higher-frequency backups available on our premium plans.
  • You can restore files directly from cPanel, without needing to contact support (though we are happy to help if you need us).

It is like having a reset button - if something goes wrong, you can roll back to a clean version of your site in minutes.


Real-time malware protection and proactive defence

Hackers do not always barge through the front door - sometimes they are sneaking in through a tiny, overlooked window. And once inside, they do not just sit around - they plant backdoors, hide malicious scripts, and wait for the perfect moment to strike.

That is where our security systems do more than just react - they prevent.

Step one: stopping known threats in their tracks

Our real-time malware scanner works like a 24/7 security guard, scanning every file the moment it is uploaded:

  • It automatically detects and cleans a wide range of malware before it has a chance to cause harm.
  • For WordPress and Magento, it even scans the database, because malware is not just about files - it can hide in your content too.
  • It continuously updates with new threat signatures, ensuring that even the latest known malware does not stand a chance.

It is like having a bouncer who instantly removes anyone on a watchlist - the moment they step inside, they are gone.

Step two: catching sneaky attacks in real time

But what about threats that have not been discovered yet?

Most security software works by matching threats to a known list of malware signatures. That is useful - but it does not stop brand-new attacks that have not been identified yet.

That is where Proactive Defence steps in.

  • It watches scripts in real time, blocking anything suspicious before it can execute.
  • It does not rely on known signatures - it can stop malware even if it is brand new.
  • It is especially useful against stealthy, memory-based malware that does not leave files behind but instead runs in memory to avoid detection.

Imagine a bouncer who does not just check IDs at the door - they watch for suspicious behaviour inside the club. If someone is acting suspiciously, they are stopped before they cause trouble.


Automated patching and security updates

Firewalls, malware scanners, and real-time exploit protection do an incredible job - they block millions of attacks every single day. But no security system is 100% infallible.

Why? Because security is an arms race.

Hackers do not need to break down the front door if they can find a window left unlocked.

  • A botnet with brand-new, unseen IPs can slip past firewalls before they are flagged as malicious.
  • A never-before-seen attack technique can bypass traditional malware detection.
  • A new vulnerability in a popular plugin can open the door for attackers before anyone knows it exists.

We defend against the vast majority of attacks - but in security, it only takes one success. That is why patching vulnerabilities before hackers can exploit them is absolutely critical.

Most hosting providers leave security updates in your hands - if you do not update your software, you are vulnerable. We take a different approach.

We use Patchman, a system that automatically detects and patches vulnerabilities in:

  • WordPress
  • Joomla
  • Drupal
  • Other common CMS platforms

The best part? Patchman applies security fixes without forcing you to update everything immediately.

With most software, you either update and risk breaking things, or hold off and stay vulnerable. Patchman removes that dilemma by backporting security patches, meaning your site stays protected without the risk of compatibility issues.

Think of it like a vaccine - it protects you before you get infected.

But not everything can be patched automatically

Patchman is one of the strongest proactive security measures available, but like any tool, it has limits.

  • It focuses mainly on core CMS vulnerabilities - it cannot patch every app, every plugin, or every theme.
  • It covers some widely-used plugins like WooCommerce, but not all third-party plugins and themes, and it cannot patch your custom code.

That is why some vulnerabilities still require you to keep your code up to date.


General security practices: how we protect your account

Keeping your website safe is not just about stopping hackers - it is about making sure only you have access to your account. Here is how we protect your data at every level:

  • Strong password enforcement for MyKualo and cPanel - no weak, short, or common passwords allowed.
  • Compromised password detection - MyKualo automatically checks against known breaches and blocks leaked passwords.
  • Email verification for unusual logins - if we detect an unusual login to MyKualo and 2FA is not enabled, you will need to verify via email.
  • CMS weak password protection - our firewalls block WordPress and other supported CMS platforms from accepting login attempts with known weak credentials.
  • Caller and support verification - when you call in, we will verify your identity before discussing or making any account changes.
  • Physical security - our data centres are restricted-access facilities with 24/7 monitoring, physical security, and redundant power and networking.

From login security to physical access, every layer of protection is covered.

But security works best when we work together - so let us look at what you can do.


Your role in security: what you need to do

We have covered everything we do to keep your site safe - firewalls, malware scanning, automated patching, strong password enforcement, and more.

But security is not just about what happens on our end - it is also about what happens on yours.

A well-secured hosting environment can stop attacks, detect threats, and protect against known vulnerabilities - but if your own software is outdated, passwords are weak, or 2FA is not enabled, the risk increases dramatically.

1. Keep your software updated (and regularly audit for vulnerabilities)

  • Update your CMS (WordPress, Joomla, Magento, etc.) regularly.
  • Update plugins and themes - especially those flagged as vulnerable.
  • Remove unused or abandoned plugins and themes.

Most website hacks happen because of outdated software. While Patchman automatically patches many vulnerabilities, it cannot patch everything. That is why manual updates are still critical. You should build in a regular process to verify your software is up to date, and that you are only using plugins or extensions that are actively developed and maintained.

How to stay updated (without the hassle)

We know updates can feel like a chore, but we have built-in tools that make it easier:

Just because there is no update available, it does not mean a plugin or theme is safe. A plugin could have been removed from the WordPress repository or silently abandoned by its developer, meaning it is no longer maintained - even if no official update is showing. For WordPress, WP Toolkit's vulnerability scanning helps catch this. For other applications, you need to keep on top of security updates manually.

If you are running outdated or unsupported software, it is not a question of if an exploit will happen - it is a question of when.

2. Use strong, unique passwords everywhere

A password is like the lock on your front door. A good one keeps intruders out. A bad one - like "password123" - is the equivalent of leaving your key under the doormat with a note that says "Please do not break in."

If your password is weak, reused, or already leaked in a data breach, attackers do not even have to try. They just walk right in.

  • Never reuse the same password across multiple sites.
  • Use a password manager to store and generate secure passwords.
  • Make sure passwords are at least 12 characters long, using a mix of letters, numbers, and symbols.

All of this makes hacking much harder - but not impossible. Because if an attacker does get your password, the best protection comes when it is combined with the next step.

3. Enable two-factor authentication (2FA) everywhere you can

If your password is the key to your house, 2FA is the deadbolt. Even if someone steals your key, they still cannot get in without you.

  • 2FA adds an extra verification step, so even if a hacker has your password, they are still locked out.
  • You can enable it for cPanel and MyKualo, adding an extra layer of security to your hosting account.
  • Many web applications, including WordPress, support 2FA via plugins, giving you additional protection at the application level for your critical admin users.

It is like having a keycard and a retina scanner - just because someone stole your key does not mean they get to walk straight in.

Between strong passwords, automatic breach detection, and 2FA, we make sure your accounts are locked down - but it is up to you to enable 2FA for the best protection. If you have not done so yet, do it now.

4. Audit and clean up unused software

  • Remove any old or unused CMS installations (WordPress, Joomla, Magento, etc.).
  • Delete staging sites or test installations if they are no longer needed.
  • Uninstall plugins and themes that are not actively used.

One of the biggest security risks is not just outdated software - it is forgotten software.

  • You install a CMS to test it, then never use it.
  • You create a staging site but forget to update it.
  • You install a plugin "just to try it" and leave it there indefinitely.

Even if your main site is up to date, an abandoned CMS or plugin sitting in your account can still be exploited and impact your live website.
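One way to find forgotten installations from an SSH session, as an added example (not Kualo's own tooling). It covers WordPress only, reads the version from the standard `wp-includes/version.php` file, and treats an install as stale when that file has not changed in 180 days; the threshold, the function names and the sample versions are assumptions.

```shell
#!/bin/sh
# Added example: inventory WordPress installs under a directory and flag the
# ones whose core has not been updated recently. Read-only.

# list_wp_installs ROOT [DAYS] -> "<STALE|RECENT><TAB><version><TAB><install dir>"
list_wp_installs() {
    root=${1:-$HOME}
    days=${2:-180}   # assumption: no core update for this long deserves a look
    find "$root" -type f -path '*/wp-includes/version.php' | sort |
    while IFS= read -r f; do
        dir=${f%/wp-includes/version.php}
        # version.php carries a line of the form: $wp_version = 'X.Y.Z';
        ver=$(sed -n "s/^[$]wp_version = '\([^']*\)';.*/\1/p" "$f" | head -n 1)
        # A core update rewrites version.php, so an old mtime means no update since.
        if [ -n "$(find "$f" -mtime +"$days")" ]; then
            state=STALE
        else
            state=RECENT
        fi
        printf '%s\t%s\t%s\n' "$state" "${ver:-unknown}" "$dir"
    done
}

# Constructed sample account (not a real site): a live install plus a test copy
# left behind in a subdirectory. Version numbers are made up for the example.
make_sample_account() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/public_html/wp-includes" "$d/public_html/old-test/wp-includes"
    printf "<?php\n\$wp_version = '6.5.2';\n" \
        > "$d/public_html/wp-includes/version.php"
    printf "<?php\n\$wp_version = '5.8.1';\n" \
        > "$d/public_html/old-test/wp-includes/version.php"
    touch -t 202201010000 "$d/public_html/old-test/wp-includes/version.php"
    printf '%s\n' "$d"
}

# Usage: sh list_wp_installs.sh "$HOME" 180   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    list_wp_installs "$@"
fi
```

Anything reported as STALE, or any install directory you do not recognise, is a candidate for updating or deleting.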

5. Control who has access (and lock out old users)

  • Remove old user accounts for former employees, developers, or freelancers.
  • Limit admin access - only give permissions to those who truly need them.
  • Use unique logins rather than sharing credentials.
  • Use non-standard usernames instead of defaults such as "admin".

One of the most overlooked security risks is people who no longer work with you still having access. Maybe a developer set up your website three years ago but their admin account is still active. Maybe a former employee's email login still works. Maybe you shared a password with a freelancer once and never changed it afterward.

Every unused account is a potential weak link.

  • Regularly review who has access to your hosting, CMS, and other critical tools.
  • Limit admin privileges - most users do not need full control.
  • Use role-based permissions (for example, Editors instead of Admins in WordPress).
  • If someone leaves, remove their access immediately.

Do not share passwords between team members. Do not use one admin account for everyone. Do not keep old, unused accounts active "just in case".

How we help with this

  • MyKualo allows you to manage sub-accounts with controlled access.
  • cPanel lets you create separate FTP, email, and database users - no shared logins needed.
  • WordPress and other CMS platforms allow easy user management and role assignments.

Fewer accounts means fewer risks. Tight control over user access is one of the simplest, most effective ways to keep your site secure.

6. Back up your site (even though we do)

Our backup system is incredibly robust, but no backup system is 100% infallible.

  • Corrupt files, large database issues, or external failures can sometimes affect backup reliability.
  • If a problem (such as a compromise) is not caught quickly, older clean backups may cycle out before the issue is noticed.

That is why we strongly recommend keeping your own backups too.

  • For WordPress users, backup plugins like UpdraftPlus can create off-site copies.
  • For any site, tools like DropMySite add extra protection.
  • If you make site updates, manual snapshots using JetBackup are a useful safeguard before you make changes.

The first rule of backups: you can never have too many. Our automated backups provide an easy recovery option, but having an additional safety net is always a smart move.

7. Scan your computer for malware (because keyloggers are a thing)

Your website security is only as strong as the device you log in from. If your computer is compromised, attackers can steal your credentials the moment you type them - even the strongest password will not protect you from a keylogger.

  • Run a full system scan with a reputable antivirus and anti-malware tool.
  • Keep your operating system, browsers, and software updated - outdated software is a hacker's playground.
  • Avoid downloading "cracked" software - these often come bundled with malware.

Mac users, this applies to you too. There is a myth that macOS does not get malware, but that is far from true. Mac-targeted keyloggers and trojans exist, and security threats do not discriminate based on operating system.

8. Check and fix file permissions (do not give hackers free rein)

On a Linux file system, file permissions control who can read, write, or execute files on your account. If permissions are too loose, attackers can modify files, upload malicious scripts, or even delete everything.

By default, file permissions in your hosting account are designed to be secure, but it is possible for you or your developer to set custom permissions that introduce risk.

  • Files should be set to 644 (only your user can modify them).
  • Directories should be 755 (so they can be opened and listed, but not modified by others).
  • Never set permissions to 777 - this is like leaving your front door wide open.
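To check an existing site against these values, here is an added example (not Kualo's own tooling) that reports anything looser than 644 or 755 and can strip the extra write bits. It assumes a Linux shell with `stat -c`; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a document root against the 644 (files) / 755
# (directories) guidance. Read-only unless you call tighten_perms.

# audit_perms DIR -> one line per finding: "<FINDING> <octal mode> <path>"
audit_perms() {
    root=${1:-.}
    # Writable by "other" (666, 777, ...): the case that must never be allowed.
    find "$root" \( -type f -o -type d \) -perm -0002 \
        -exec stat -c 'WORLD_WRITABLE %a %n' {} +
    # Files looser than 644 in other ways: group-write or any execute bit.
    find "$root" -type f ! -perm -0002 \
        \( -perm -0020 -o -perm -0100 -o -perm -0010 -o -perm -0001 \) \
        -exec stat -c 'LOOSER_THAN_644 %a %n' {} +
    # Directories looser than 755 in other ways: group-write (775, 770, ...).
    find "$root" -type d ! -perm -0002 -perm -0020 \
        -exec stat -c 'LOOSER_THAN_755 %a %n' {} +
}

# tighten_perms DIR -> removes group/other write bits only (777 -> 755,
# 666 -> 644). It never adds a permission, and it leaves execute bits on files
# for manual review because a CGI or cron script may legitimately need them.
tighten_perms() {
    root=${1:-.}
    find "$root" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) \
        -exec chmod go-w {} +
}

# Constructed sample tree (not a real site) for trying the functions safely.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/uploads" "$d/cache"
    : > "$d/index.php"; : > "$d/wp-config.php"; : > "$d/cron.php"
    chmod 755 "$d" "$d/cron.php"
    chmod 777 "$d/uploads"
    chmod 775 "$d/cache"
    chmod 644 "$d/index.php"
    chmod 666 "$d/wp-config.php"
    printf '%s\n' "$d"
}

# Usage: sh audit_perms.sh /path/to/public_html   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

Stricter modes such as 600 on a configuration file are not reported, since they grant less access than the recommended values.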

For WordPress users: WP Toolkit's Security Measures can automatically correct file permissions, along with other security hardening steps. If you have not enabled security measures in WP Toolkit, head over to our companion article.

9. Isolate websites (especially if you are not on top of updates)

Running multiple websites or applications from a single hosting account is fine - as long as you are disciplined about keeping them updated.

If you have 20 WordPress installations, each packed with plugins, and even a handful of them are outdated or vulnerable, you are sitting on a ticking time bomb. The risk is not just multiplied - it is exponential.

  • Every outdated CMS, plugin, or theme is another unlocked door for hackers.
  • If one site gets compromised, all sites within the same account are at risk.
  • Hackers do not care which door they get through - once inside, they will explore everything.

If you are super disciplined about updates and these are all your own sites, this might be a manageable risk. But if staying on top of updates is not your strong suit, do not take the risk.

Instead:

  • Host each website in its own cPanel account for isolation.
  • Never host websites for third parties in your own account - if their site is vulnerable, it could take yours down too.
  • If you must keep multiple sites in one account, make sure every single one is updated, secure, and unnecessary apps or test installations are deleted.

Not sure when hosting multiple sites in one account is a good or bad idea? Check out our guide on when addon domains are a good idea (and when you should rethink them).


Final thoughts: security works best when we work together

We have built the firewalls, the malware scanners, the automated patching, and the real-time exploit blocking - but security is not just about having the best defences.

It is about making sure there are no weak points left open.

We stop the vast majority of attacks - but it only takes one weak link to let an attacker in.

Follow the steps above and you will make that one weak link almost impossible to find.
