Where the hacks actually come from
We handle a fair number of site recovery requests through Hostao support. When we look at what caused the compromise, it's almost never sophisticated. It's the same four or five entry points, over and over.
Outdated plugins with known vulnerabilities. Weak admin passwords. Login pages with no brute-force protection. Upload directories that will execute PHP. Old WordPress installations abandoned by their owners but still live on the server.
The attacks aren't targeted. They're automated scans running against thousands of sites at once, looking for the easy entries. If your site doesn't have the basics in place it will eventually get hit, not because anyone specifically wants your site, but because it was the path of least resistance.
The good news: fixing the basics is not complicated. It takes an afternoon and some ongoing hygiene. Here's what we recommend to every Hostao customer.
Update everything. Seriously, everything.
This sounds obvious. It's also the most commonly skipped step.
WordPress core, themes, and plugins all receive security patches on a rolling basis. When a vulnerability is patched it is also disclosed publicly, which means attackers know exactly what to look for in unpatched sites. The window between "patch released" and "active exploitation" keeps shrinking; in some cases it's hours.
On Softaculous, which is included on all Hostao plans, you can turn on auto-updates for WordPress core (WordPress itself already applies minor and security releases automatically by default; the Softaculous setting extends that to major versions). For plugins and themes, the WordPress dashboard has a per-item auto-update toggle. An inactive theme is still code on disk that a scanner can reach, so delete themes you aren't using instead of leaving them to age, and review whatever remains monthly.
The one caveat: before enabling auto-updates, make sure a backup strategy is in place. An update that breaks something on a backed-up site is a quick restore. On a site without backups it can be a significant problem.
The admin account that shouldn't exist
Older WordPress installers, and many one-click installers to this day, name the first account "admin". This is public knowledge, so brute-force bots try "admin" as the username first and cycle through password lists against it.
If your administrator account is still named "admin", you've handed attackers half of the credentials they need. Create a new administrator account with a different username, log in as that user, then delete "admin". When WordPress asks what to do with the old account's content, attribute it to the new user rather than deleting it, or every post and page "admin" authored disappears with the account. One caveat: WordPress still reveals usernames through author archives (/?author=1) and the REST API (/wp-json/wp/v2/users), so the rename removes a free guess rather than creating a secret; the strong password is what actually stops the attack.
While you're there, make sure the admin password is actually strong. Not "Password123!" strong: 20 or more characters, randomly generated. A password manager handles this. There's no reason to know your WordPress admin password from memory.
Also worth reviewing: which accounts exist on the site at all. Over time, sites accumulate user accounts: former contributors, test accounts, one-off logins for developers. Any account with administrator access that isn't actively in use is an unnecessary exposure. Remove it (again attributing its content to a current user) or at least downgrade it to a lower role.
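The same cleanup done with WP-CLI, which most cPanel hosts ship, as an added example rather than Hostao's or WordPress's own tooling. It assumes `wp` is on the PATH and runs from the WordPress root; the new login name and e-mail address in the usage line are placeholders:

```shell
#!/bin/sh
# Added example, not Hostao's or WordPress's own tooling. Replaces the default
# "admin" account with WP-CLI. Assumes `wp` is on PATH and the script runs from
# the WordPress root (or --path points at it).

# Random alphanumeric password from /dev/urandom, default 24 characters.
# Store it in a password manager; nobody needs to remember it.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-24}"
}

# List every administrator so stale accounts can be spotted and removed.
list_admins() {
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
}

# Create a replacement administrator, hand "admin"'s content to it, delete "admin".
# --reassign is the important flag: deleting a user without it also deletes every
# post and page that user authored.
replace_default_admin() {
    new_login="$1"   # hypothetical placeholder, e.g. "site-owner-x7"
    new_email="$2"
    new_pass=$(random_password 24)
    wp user create "$new_login" "$new_email" \
        --role=administrator --user_pass="$new_pass" || return 1
    new_id=$(wp user get "$new_login" --field=ID) || return 1
    wp user delete admin --reassign="$new_id" --yes || return 1
    echo "created administrator '$new_login' (ID $new_id); password: $new_pass"
}

# Usage with placeholder values, then review what is left:
#   replace_default_admin "site-owner-x7" "owner@example.com"
#   list_admins
```

Run it once, paste the printed password straight into a password manager, and then go through the `list_admins` output for anything that doesn't belong.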
Brute-force protection on the login page
The WordPress login page at /wp-login.php is publicly reachable by default and accepts unlimited login attempts. Automated bots hammer it with thousands of username/password combinations until something works or they move on.
Two things help here.
First, a plugin that limits login attempts and blocks an IP after a set number of failures. Limit Login Attempts Reloaded is free and does this well: after three or five failed attempts the IP is locked out for a configurable period. Check that whatever you install also covers xmlrpc.php, which accepts the same credentials and, through system.multicall, lets a bot test many passwords in a single request; if nothing on the site uses XML-RPC (Jetpack and some publishing apps do), disable it.
Second, if you want stronger protection, change the login URL from /wp-login.php to something non-standard. WPS Hide Login does this without any code changes. It won't stop a targeted attack, but it eliminates automated scans looking for the default URL.
Two-factor authentication is worth adding for any account with admin access. WordPress doesn't ship it, but the Two Factor plugin on WordPress.org or the login-security module in Wordfence adds it in a few minutes, paired with a TOTP app such as Google Authenticator. With it in place, a leaked or guessed password is no longer enough on its own.
The backup question
We tell every customer the same thing: your hosting provider's backup is not your backup.
Hostao takes backups, and those backups have recovered customer sites. But they're not a substitute for a dedicated backup plugin that puts copies somewhere the hosting provider doesn't control.
UpdraftPlus is the standard recommendation. Its free tier can send backups to Google Drive, Dropbox, or Amazon S3. Back up weekly at minimum, daily if the site changes frequently. Keep in mind that the plugin's cloud credentials live in the site's database, so an attacker who owns the site can usually reach those backups too; a versioned bucket or a write-only upload credential limits the damage. Test the restoration process at least once: a backup you've never restored is a backup you don't actually have.
The combination of on-hosting backups and off-site plugin backups means that a server-level problem doesn't also mean a data-loss problem.
Upload directories that must not execute PHP
This one is more technical but worth knowing. WordPress needs write access to certain directories, wp-content/uploads for media, for example. But nothing in that tree should ever be run as PHP.
If a vulnerable plugin lets an attacker upload a PHP file into wp-content/uploads, and the web server will run PHP from that directory, the attacker has remote code execution on the server. This is how many compromises go from "uploaded one file" to "full site control".
The fix is a short .htaccess file in wp-content/uploads that tells the web server to refuse requests for PHP files anywhere under it. This only works on servers that honour .htaccess (Apache and LiteSpeed, which is what cPanel hosting normally runs); on nginx the equivalent deny rule goes in the server configuration.
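An added example, not code from the page or from Hostao: a small POSIX shell script that writes the deny rule into wp-content/uploads and, before that, lists any PHP files already sitting there (finding one usually means the upload path has already been abused). It assumes an Apache or LiteSpeed host that honours .htaccess with the usual cPanel AllowOverride settings; the directives are standard Apache syntax, the script and its function names are mine:

```shell
#!/bin/sh
# Added example (not Hostao's or WordPress's own tooling): harden wp-content/uploads
# on an Apache/LiteSpeed host that honours .htaccess. Assumes AllowOverride permits
# FilesMatch/Require directives, which is the usual cPanel default.

# Print any PHP-like files already sitting in uploads. A clean site has none;
# finding one usually means a plugin upload flaw has already been used.
find_php_in_uploads() {
    uploads_dir="$1"
    find "$uploads_dir" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php[0-9]' \) \
        -print
}

# Write an .htaccess that refuses to serve PHP-like files from the directory tree.
# Both the Apache 2.4 (mod_authz_core) and 2.2 syntax are included so the same
# file works on either version without a 500 from an unknown directive.
write_no_php_htaccess() {
    uploads_dir="$1"
    cat > "$uploads_dir/.htaccess" <<'EOF'
# Block execution of PHP-like files in this directory (added by hardening script)
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
    chmod 644 "$uploads_dir/.htaccess"
}

# Run both steps against a WordPress root. Returns 1 if stray PHP files were
# found (so a cron job or deploy hook can fail loudly) and 2 if the directory
# layout is not what a WordPress install looks like.
harden_uploads() {
    wp_root="$1"
    uploads_dir="$wp_root/wp-content/uploads"
    [ -d "$uploads_dir" ] || { echo "no uploads dir at $uploads_dir" >&2; return 2; }
    write_no_php_htaccess "$uploads_dir"
    stray=$(find_php_in_uploads "$uploads_dir")
    if [ -n "$stray" ]; then
        echo "PHP files present in uploads (investigate before trusting this site):" >&2
        echo "$stray" >&2
        return 1
    fi
    return 0
}

# Usage: harden_uploads /home/youruser/public_html   (path is a placeholder)
```

Two points on the design. The .htaccess stops the web server from serving or executing the file on a direct request; a file that another script includes by path is unaffected, which is why the scan matters as much as the rule. `php_flag engine off` is sometimes suggested instead, but on hosts that run PHP as CGI or FPM an unknown `php_flag` directive produces a 500 for the whole directory, so the example sticks to access control.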
Softaculous installations on Hostao can apply this automatically during setup. If your site predates this, it's worth adding manually or through a security plugin like Wordfence, which handles this as part of its basic configuration.
SSL is required, not optional
All Hostao plans include free SSL. If your site is still serving over HTTP, fix that today. Not because of SEO (though yes, HTTPS is a ranking factor), but because HTTP transmits login credentials in plain text. Anyone on the same network as a visitor logging into your site can see the username and password.
In cPanel the free certificate is one click through Let's Encrypt and renews itself. Once it's installed, switch WordPress to HTTPS under Settings > General by changing both URL fields to https://. Then add an HTTP-to-HTTPS redirect at the server level in the site root's .htaccess so no HTTP request reaches WordPress at all. Put the redirect rules above the "# BEGIN WordPress" block: WordPress's own rewrite sends every request to index.php, so rules placed after it never run.
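An added example, not from the page or from Hostao: a shell function that prepends the redirect to the site root's .htaccess without disturbing the WordPress block, plus a check that the order is right. It assumes mod_rewrite on an .htaccess-honouring Apache/LiteSpeed host and that TLS terminates on the web server itself; behind a proxy such as Cloudflare the condition has to look at X-Forwarded-Proto instead, as noted in the comments. The rule text is standard Apache syntax; the function names are mine:

```shell
#!/bin/sh
# Added example (not Hostao's or WordPress's own code): enforce HTTPS at the server
# level for a WordPress site on Apache/LiteSpeed. Assumes mod_rewrite is enabled and
# .htaccess is honoured (the usual cPanel default).

# If TLS terminates on a proxy in front of the server (Cloudflare "flexible" SSL,
# a load balancer), %{HTTPS} is never "on" and this loops; use
#   RewriteCond %{HTTP:X-Forwarded-Proto} !https
# in that case instead.
HTTPS_RULES='# BEGIN force-https (added by hardening script)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
# END force-https'

# Prepend the redirect to the site root .htaccess. It must sit ABOVE the
# "# BEGIN WordPress" block: WordPress's own RewriteRule sends every request to
# index.php with [L], so anything placed after it never executes. Idempotent, so
# a cron job or deploy hook can call it repeatedly.
install_https_redirect() {
    htaccess="$1/.htaccess"
    if [ -f "$htaccess" ] && grep -q '^# BEGIN force-https' "$htaccess"; then
        return 0   # already installed
    fi
    existing=""
    [ -f "$htaccess" ] && existing=$(cat "$htaccess")
    printf '%s\n\n%s\n' "$HTTPS_RULES" "$existing" > "$htaccess"
}

# Succeeds only if the force-https block appears before the WordPress block,
# i.e. the redirect will actually be evaluated.
rules_before_wordpress() {
    f="$1"
    https_line=$(grep -n '^# BEGIN force-https' "$f" | head -1 | cut -d: -f1)
    wp_line=$(grep -n '^# BEGIN WordPress' "$f" | head -1 | cut -d: -f1)
    [ -n "$https_line" ] && [ -n "$wp_line" ] && [ "$https_line" -lt "$wp_line" ]
}

# Usage: install_https_redirect /home/youruser/public_html   (path is a placeholder)
#        rules_before_wordpress /home/youruser/public_html/.htaccess && echo ok
```

After installing, confirm from outside with `curl -sI http://your-domain/` (placeholder hostname) and check for a 301 whose Location header starts with https://; if the site redirects in a loop, it is the proxy case described in the comments.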
A realistic security posture for most WordPress sites
The goal isn't to make your site impossible to attack. That's not achievable. The goal is to make your site harder to attack than the 10 million other WordPress sites out there, so that automated scans move on to easier targets.
The steps above accomplish that:
- Updated core, plugins, and themes
- No default "admin" username, strong passwords
- Login attempt limits and optional 2FA
- Regular off-site backups with tested restoration
- PHP execution blocked in upload directories
- HTTPS enforced across the entire site
This configuration, consistently maintained, will handle the overwhelming majority of WordPress threats. It's not glamorous work. It also works.
For businesses managing customer communications alongside the website, there's a compounding effect: reputation damage from a compromised site is hard to recover from. The review management approach at RatingE makes this clear: negative mentions from a security incident, or spam sent from a hacked site, can affect local search rankings and review sentiment for months. The security investment protects more than just the site.
Image suggestion: a simple checklist visual showing the 6 security steps with checkboxes โ styled like a task list, not a wall of text.
