WordPress security checklists on cPanel
I'm installing WordPress on shared cPanel hosting for blogging. I'm planning to install it in a folder under public_html, that is, public_html/myblog. I am using the WordPress application installer available in cPanel.
What are the common security risks, and what countermeasures should I take?
More posts by @Cugini213
2 Comments
Your installation is OK as per your given directory path. To secure a WordPress site/blog, you should follow these steps:
Make sure you are using the latest WordPress version; update it from time to time when a new version is available.
Check plugin details (number of downloads, rating, etc.) before you use any plugin. Also, always use the latest version of all plugins.
If you have not installed WordPress yet, then during installation, change the database table prefix from "WP" to any other string.
Do not create a user with the username "admin"; use some other username and a secure/strong password.
From cPanel, set permission 755 for all WordPress folders and 644 for all files.
Take regular backups of your theme files and database.
Disable all file and directory listing for public users. You can achieve this with the .htaccess file.
Change your cPanel, FTP and WordPress login passwords at some regular interval.
You can install a plugin that restricts failed login attempts, for example: block a user's IP if they try to log in to WordPress admin and enter the wrong credentials 3 times.
I hope the above steps will help you to get some more security for your WordPress blog.
I run a dedicated server with cPanel, and the web server that it integrates with is Apache, and I assume your account is in a similar setup.
What you want to do immediately is use whatever patience you have to periodically check the server logs, and look for entries of systems trying to access URLs that return a 404 error code. Then search for the files that return a 404 on Google, and you'll learn something new.
Now, what I did learn is that potential hackers use computers to try to access wp-admin.php along with a host of other junk that's not found on my server. wp-admin.php seems to be a WordPress component.
Having said all that, here's what I recommend. Check the WordPress manual, install WordPress if you like and back up all your data the moment you publish your website. Then remove all the WordPress components you don't need (especially the login page to the administration interface) or even rename them, since potential hackers search for only standard files.
If you do not remove unnecessary components, then the potential hacker will likely find the login interface and then begin flooding the fields with usernames and passwords in hopes that the correct one is discovered. They could use brute-force attacks and/or dictionary attacks or even anything to get their way in.
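The log review described in the answer above, as an added example that is not part of the original post: a Python script that summarizes 404 responses per requested path and lists clients that asked for several different missing paths. It assumes Apache's "combined" access log format; the function name `summarize_404s`, the `min_distinct` threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:04:11:02 +0000] "GET /wp-admin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:04:11:03 +0000] "GET /old/wp-admin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:04:11:03 +0000] "GET /blog/wp-admin.php?x=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:30:44 +0000] "GET /myblog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:30:45 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:11:02:10 +0000] "GET /wp-admin.php HTTP/1.1" 404 196 "-" "curl/8.0"
this line is malformed and must be skipped
"""

def summarize_404s(lines, min_distinct=3):
    """Return (hits per missing path, clients that requested >= min_distinct missing paths)."""
    by_path = Counter()
    paths_by_ip = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # skip unparsable lines and anything that is not a 404
        path = m.group("path").split("?", 1)[0]  # group without the query string
        by_path[path] += 1
        paths_by_ip[m.group("ip")].add(path)
    probers = {ip: sorted(p) for ip, p in paths_by_ip.items() if len(p) >= min_distinct}
    return by_path, probers

if __name__ == "__main__":
    by_path, probers = summarize_404s(SAMPLE_LOG.splitlines())
    for path, count in by_path.most_common():
        print(f"{count:4d}  {path}")
    for ip, paths in probers.items():
        print(f"{ip} requested {len(paths)} distinct missing paths: {', '.join(paths)}")
```

To run it against a real log, pass an open file object to `summarize_404s` instead of the sample lines; a single stray 404 such as a missing favicon stays below the threshold and is not listed as probing.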