Because WordPress is the most popular CMS in the world, it is a constant target for automated bots and hackers. Use this checklist to ensure your site stays secure and avoids being flagged by malware scanners like ImunifyAV.
1. Keep Everything Updated (The Golden Rule)
The vast majority of WordPress hacks occur through vulnerabilities in outdated software. You must regularly update:
- WordPress Core: Enable automatic minor updates in your dashboard.
- Plugins: Delete any plugins you are not actively using.
- Themes: Even inactive themes can harbor vulnerabilities. Keep only your active theme and one default "fallback" (like Twenty Twenty-Four).
2. Harden your Login Security
Brute-force attacks (bots trying thousands of passwords) are the most common entry method.
- Enable 2FA: Use a plugin like Wordfence or WP 2FA to require a code from your phone to log in.
- Use Strong Passwords: Avoid "admin" as a username and use a password manager to generate unique passwords.
- Limit Login Attempts: Use a security plugin to block IPs after 3-5 failed login attempts.
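To see which addresses a "3-5 failed attempts" rule would catch, the script below counts failed logins per IP in a web access log. It is an added example, not code from MyHost or from any security plugin, and it assumes the Apache "combined" log format, that a default WordPress login answers a wrong password with status 200 and a successful one with a 302 redirect, and a 10-minute counting window; the function names and the sample log are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_logins(lines):
    """Yield (ip, time) for each POST to wp-login.php answered with 200.

    Assumption: WordPress re-shows the form (200) on a bad password
    and redirects (302) on success, so 302 lines are not counted.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def ips_to_block(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return sorted IPs with at least max_failures failures inside one window."""
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        # Sliding window: compare each failure with the one max_failures-1 earlier.
        for i in range(max_failures - 1, len(times)):
            if times[i] - times[i - max_failures + 1] <= window:
                flagged.add(ip)
                break
    return sorted(flagged)

def _line(ip, hhmmss, method, status):
    return (f'{ip} - - [12/Jan/2025:{hhmmss} +1300] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4521 "-" "Mozilla/5.0"')

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = (
    [_line("203.0.113.7", f"02:14:{s:02d}", "POST", 200) for s in range(0, 50, 10)]
    + [_line("198.51.100.20", "09:00:05", "POST", 200),   # one typo...
       _line("198.51.100.20", "09:00:40", "POST", 302)]   # ...then a good login
    + [_line("192.0.2.44", f"{h:02d}:30:00", "POST", 200) for h in range(10, 15)]
    + [_line("203.0.113.9", "11:00:00", "GET", 200)] * 6  # page views only
)

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG))
```

Only the address with five failures inside the window is flagged; the user who mistyped once, the address whose five failures are spread over hours, and plain page views are left alone.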
3. Leverage Hosting Security Tools
MyHost provides built-in tools to help protect your site at the server level:
- ImunifyAV: We scan your files daily. If you receive a report, act on it immediately.
Guide: Understanding Malware Reports
- Force HTTPS: Ensure all traffic is encrypted so passwords cannot be intercepted.
Guide: How to fix "Insecure Connection"
4. Use a Professional "From" Address
By default, many WordPress sites send system emails (like password resets or contact form notifications) from an address like username@server.myhost.nz. These are often blocked as spam.
- Ensure your contact form plugins (like Contact Form 7 or WPForms) are set to send From a real email address on your domain (e.g., noreply@yourdomain.co.nz).
- We highly recommend using an SMTP Plugin (such as WP Mail SMTP) to authenticate your emails. This ensures they are sent via your actual mail account rather than the server's local "mail" function.
5. Protect Crucial Files
You can add an extra layer of protection by editing your .htaccess file via the cPanel File Manager (after logging into cPanel) to prevent access to sensitive areas:
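# Block access to wp-config.php
<Files wp-config.php>
  # Apache 2.4 and later
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 (older syntax)
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
# Disable Directory Browsing
Options -Indexes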
6. Performance and Best Practices
Security and performance go hand-in-hand. For a comprehensive guide on making your site faster and more efficient, see our blog post: WordPress Speed Optimisation Tips 2025.
7. Regular Backups
If the worst happens, a clean backup is your only guarantee of recovery. Ensure you know how to use JetBackup 5 to roll back your site to a point before the infection occurred.