Securing your WordPress installation

Keeping WordPress secure is an ongoing task. This guide explains what we already do at the server level and what practical steps you can take on top of that to reduce your risk further.

5 min read Updated 8 Jun 2026

Keeping WordPress secure is an ongoing task, not a one-off job. The good news is that we already do a great deal to protect your site at the server level - this guide explains what that covers and what you can do on top of it to reduce your risk further.

What we already do to protect your site

Before you change a single setting, it is worth knowing that your Kualo hosting already includes multiple layers of security. We run Imunify360 for real-time threat detection and Patchman to automatically patch known vulnerabilities in WordPress core and certain plugins. Imunify360 also includes a web application firewall (ModSecurity) that blocks common attack patterns at the server level, as well as brute force protection and weak password detection to help keep compromised credentials from being used against your site. Our full overview is in How we protect your website (and what you can do to help).

These server-level protections are a strong foundation, but they work best when combined with good practices on your side.

Why WordPress sites get targeted

WordPress powers a huge proportion of the web, which makes it an attractive target. Automated bots constantly scan for sites running outdated software, weak credentials, or poorly coded plugins. You do not need to be a high-profile target to be attacked - vulnerabilities in unpatched plugins or themes are exploited at scale, often with no human involvement at all.

Keep everything up to date

Outdated plugins, themes, and WordPress core are the most common entry point for attackers. Keeping them current is the single most effective thing you can do.

WP Toolkit in cPanel makes this straightforward. You can enable automatic updates for WordPress core, plugins, and themes, and use Smart Updates to test changes safely before they go live on your site.

Only install plugins that are actively maintained and well reviewed in the WordPress plugin directory. Remove any plugins or themes you are not using.

Use WP Toolkit security measures

WP Toolkit includes a dedicated Security Measures tab that lets you apply a range of hardening options to your WordPress installation in a few clicks. This covers many of the manual steps that older guides (including earlier versions of this article) walked you through by hand - things like protecting sensitive files, restricting directory access, and disabling features that are not needed.

We recommend working through the Security Measures tab before making any manual changes.

WP Toolkit can also change your database table prefix away from the default wp_, which breaks automated SQL injection payloads that hard-code the default table names (it does not remove an injection flaw itself, so keep plugins patched as well). You will find this option within the security measures.

Essential habits

  • Create a new administrator account with a unique username, then delete the default admin account. Many automated attacks target that username specifically.
  • Use a strong, unique password for your admin account and change it if you suspect it has been exposed.
  • Only install plugins that are actively maintained and well reviewed in the WordPress plugin directory.

Enable two-factor authentication on your WordPress admin

Adding two-factor authentication (2FA) to your WordPress login means that even if your password is compromised, an attacker still cannot get in without the second factor. Several security plugins (see below) include 2FA as part of their feature set, or you can use a dedicated plugin such as WP 2FA.

It is also worth enabling 2FA on your Kualo account itself - see Enabling two-factor authentication (2FA) in MyKualo.

Password-protect the wp-admin directory

Adding HTTP authentication in front of /wp-admin means an attacker must pass two separate login prompts before reaching the administration area. You can set this up using the Directory Privacy tool in cPanel. Bear in mind that the login form itself, wp-login.php, lives outside /wp-admin, and that plugins which call /wp-admin/admin-ajax.php from the public side of your site will need that file exempted from the password prompt.

Restrict bots via robots.txt

Search engine crawlers and other bots can inadvertently expose internal URLs. Note that robots.txt is advisory: well-behaved crawlers honour it, which keeps these paths out of search results, but it does not stop anyone from requesting them directly. Add or update your robots.txt file in the public_html folder with the following:

User-agent: *
Crawl-delay: 5
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-*

For more detail on robots.txt, see our guide to robots.txt: optimising web crawling.

Recommended security plugins

Security plugins add an extra layer of protection on top of what we provide at the server level and what WP Toolkit handles. You do not need to install all of them - pick the one that best fits your needs and avoid running overlapping plugins at the same time.

Some security plugins - particularly those with continuous scanning or firewall features - can consume significant CPU and memory on shared hosting. Check each plugin's settings and disable any scanning or monitoring features you do not need, or reduce their frequency. If you notice your site becoming slow after installing a security plugin, the plugin's resource usage is often the cause.

  • Wordfence Security: Firewall, malware scanning, and live traffic monitoring. On shared hosting, consider disabling the live traffic view and scheduling scans during off-peak hours rather than running them continuously. See our guide to configuring Wordfence.
  • Solid Security: Combines a wide range of hardening techniques in a single plugin, including 2FA, brute force protection, and file change detection. Disable the scheduled malware scanning if you find it causes resource spikes.
  • All-In-One Security (AIOS): A comprehensive, beginner-friendly plugin covering login protection, firewall rules, file integrity monitoring, and spam prevention. Most features are free and it is well suited to shared hosting. Avoid enabling the advanced firewall rules until you have tested them on a staging copy of your site, as overly aggressive rules can lock you out.
  • Sucuri Security: Provides security activity auditing, file integrity monitoring, remote malware scanning, and post-hack hardening tools. The free plugin does not include a firewall - that is a paid add-on - but the auditing and hardening features alone are useful.
  • Limit Login Attempts Reloaded: Blocks IP addresses after a set number of failed login attempts. Lightweight and well suited to shared hosting.
  • WPS Hide Login: Moves your login page to a custom URL that only you know. Simple and low-overhead. Note that this is security through obscurity and should be used alongside, not instead of, stronger measures such as 2FA.

If your site is compromised

If you suspect your WordPress site has already been hacked, do not just clean up the visible symptoms - follow our full recovery guide.

If you have any questions about any of these steps, our support team is available 24/7 and happy to help.
