Practical steps to secure your hosting account, including passwords, two-factor authentication, file permissions, backups and access control.
Your hosting account is the control centre for your website, files, databases, email, DNS and backups. Keeping it secure helps protect your website, visitors and business.
A secure hosting account starts with strong logins, limited access, regular updates, backups and careful account management.
To secure a hosting account, use strong unique passwords, enable two-factor authentication, limit user access, remove unused accounts, use SFTP instead of plain FTP where possible, keep website software updated, protect databases, monitor files, maintain backups and review DNS, email and SSL settings regularly.
Good hosting security is not one single setting. It is a collection of habits that reduce the chance of compromise and make recovery easier if something goes wrong.
Protect control panel, admin and email logins.
Give people only the access they actually need.
Keep recoverable copies of files and databases.
Watch for suspicious activity and unusual changes.
A hosting account can contain everything needed to run your website. If someone gets access, they may be able to change files, create email accounts, access databases, redirect domains, delete backups or add malicious code.
For a small business, a compromised hosting account can lead to downtime, lost enquiries, spam emails, malware warnings, damaged reputation and customer trust problems.
The goal of hosting security is to reduce risk and make sure you can recover quickly if something unexpected happens.
Treat your hosting account like business-critical access. If someone can access hosting, they may be able to affect your website, email, files, DNS and customer enquiries.
Password security is one of the most important parts of securing a hosting account. Every important login should use a strong password that is not reused anywhere else.
This includes your hosting control panel, billing account, website admin area, FTP or SFTP accounts, database users, email accounts and domain registrar login.
Reused passwords are risky because if one service is breached, attackers may try the same password elsewhere. Use a password manager if needed so each account can have a strong unique password.
Two-factor authentication, often called 2FA, adds an extra step when logging in. Instead of relying only on a password, you also need a code or approval from another device or app.
2FA is especially useful for hosting accounts, domain registrar accounts, website admin areas and email accounts because these systems can be very damaging if compromised.
If your hosting control panel, billing account or website admin system supports 2FA, enable it for all important users.
Store recovery codes safely. If you lose access to your 2FA device and have no recovery method, you may lock yourself out of important business systems.
Not everyone needs full access to your hosting account. Developers, staff, designers and support users should only have the level of access needed for their task.
If someone only needs to edit website content, they should not usually need full hosting, database, DNS or billing access. If someone only needs email access, they should not need control panel administrator permissions.
Review user accounts regularly and remove access for people who no longer need it.
FTP, SFTP and SSH accounts can provide direct access to website files. If old accounts are left active, they can become a security risk.
Review file access accounts and remove anything you no longer use. If a developer, designer or agency previously had access, confirm whether that access is still required.
Where possible, use SFTP or SSH instead of plain FTP because they provide encrypted connections. Avoid sending login details through insecure channels.
| Access type | What it does | Security note |
|---|---|---|
| FTP | Transfers files to and from hosting. | Plain FTP is less secure than encrypted alternatives. |
| SFTP | Transfers files over an encrypted connection. | Prefer this where available. |
| SSH | Provides command-line server access. | Powerful access that should be limited to trusted users. |
| File manager | Allows file editing inside the hosting control panel. | Protect the control panel login carefully. |
Many hosting account compromises start through outdated website software. WordPress, plugins, themes, ecommerce extensions and custom scripts can all become vulnerable if they are not maintained.
Updates should be handled carefully. Take a backup first, update one step at a time where possible, and test the website afterwards.
If you run WordPress, remove unused plugins and themes. Even inactive or abandoned software can create risk if it remains installed.
Outdated website software is one of the easiest security risks to reduce.
The website admin area is often separate from the hosting control panel, but it is still part of your overall hosting security. If attackers access the website admin, they may be able to upload files, install plugins, change content or create new users.
Use strong passwords, limit admin users, remove unused accounts and enable two-factor authentication if available.
For WordPress websites, also review plugin access, user roles and login security. If your website is built on WordPress, consider WordPress Hosting that supports your site properly.
File permissions control who can read, write or execute files on your hosting account. Incorrect permissions can create security risks, especially if files or folders are writable when they should not be.
Most website owners do not need to adjust file permissions often, but they should avoid making broad unsafe changes just to fix an upload or plugin issue.
If a tutorial tells you to set permissions very openly, be careful. It may solve one problem but create a bigger security risk.
Avoid setting files or folders to overly open permissions unless you fully understand the risk. If a plugin or script needs unsafe permissions to work, investigate the cause instead of leaving the site exposed.
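As an added example (not part of the original guide), the script below walks a site directory and lists entries whose permissions are open enough to deserve a second look. The function name, the sample tree and the choice to report group-writable entries as well as world-writable ones are assumptions of this example.

```python
import os
import stat
import tempfile

def audit_permissions(root):
    """Return sorted (relative_path, octal_mode, reason) tuples for risky entries."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat so symlinks are not followed
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                # Any account on the same server can change this entry.
                findings.append((rel, format(mode, "03o"), f"world-writable {kind}"))
            elif mode & stat.S_IWGRP:
                # Lower priority: writable by every member of the owning group.
                findings.append((rel, format(mode, "03o"), f"group-writable {kind}"))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed sample tree standing in for a web root.
    with tempfile.TemporaryDirectory() as web_root:
        uploads = os.path.join(web_root, "uploads")
        os.mkdir(uploads)
        os.chmod(uploads, 0o777)
        for name, mode in (("index.php", 0o644), ("settings.php", 0o666)):
            path = os.path.join(web_root, name)
            open(path, "w").close()
            os.chmod(path, mode)
        for rel, mode, reason in audit_permissions(web_root):
            print(f"{mode}  {rel}  ({reason})")
```

The script only reports. Decide per entry whether the open permission is really needed before changing it.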
Databases often store important website content, settings, users, orders, form entries and customer data. Protecting database access is essential.
Use strong database passwords, avoid sharing database credentials unnecessarily, and remove old database users that are no longer needed.
If you run WordPress, the database contains posts, pages, users, settings and plugin data. A database backup is just as important as a file backup.
Remove unused database users and protect credentials.
Use strong passwords for database access.
Make sure backups include both files and databases.
Backups are one of the most important parts of hosting security. If your website is hacked, deleted, broken by an update or affected by human error, backups can help you recover.
A good backup should include website files and databases. For ecommerce or membership sites, backup timing matters because orders, accounts and form submissions can change frequently.
Do not simply assume backups exist. Check where they are stored, how often they run and how you would restore them.
Monitoring helps you catch problems early. Watch for unexpected file changes, unknown users, unusual login attempts, sudden traffic spikes, email sending problems, malware warnings and website downtime.
If your website suddenly slows down, sends spam, redirects visitors or shows strange pages in search results, investigate quickly.
Use our Website Status Checker, Website Page Speed and SSL Checker tools to help check website health.
| What to monitor | Warning sign | Possible issue |
|---|---|---|
| Website availability | Website is offline or intermittent. | Server issue, DNS issue, broken update or attack traffic. |
| Website speed | Sudden performance drop. | Resource usage, plugin issue, malware or traffic spike. |
| File changes | Unknown files or modified scripts. | Possible compromise or unsafe update. |
| Email sending | Unexpected high email volume. | Compromised form, mailbox or script. |
| Admin users | Unknown new user appears. | Unauthorised access. |
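One way to watch for the "unknown files or modified scripts" warning sign in the table above is to record a hash of every file and compare later. This is an added example, not part of the original guide; the function names and the sample site are assumptions.

```python
import hashlib
import json
import os
import tempfile

def snapshot(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            sha = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    sha.update(chunk)
            digests[os.path.relpath(path, root)] = sha.hexdigest()
    return digests

def compare(baseline, current):
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as web_root:  # constructed sample site
        def write(rel, text):
            with open(os.path.join(web_root, rel), "w") as handle:
                handle.write(text)
        write("index.php", "<?php echo 'home';")
        write("contact.php", "<?php echo 'contact';")
        # Keep the saved baseline off the hosting account so an intruder who
        # can change site files cannot also rewrite the record of them.
        baseline = json.loads(json.dumps(snapshot(web_root)))
        write("index.php", "<?php echo 'home'; // edited")
        write("cache.php", "<?php // file nobody remembers adding")
        os.remove(os.path.join(web_root, "contact.php"))
        print(json.dumps(compare(baseline, snapshot(web_root)), indent=2))
```

Take a fresh baseline after each planned update, otherwise every legitimate change shows up as a difference.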
Email accounts are often connected to hosting accounts and domains. A compromised mailbox can be used to send spam, reset passwords, impersonate your business or access other services.
Use strong mailbox passwords, avoid sharing email logins, enable two-factor authentication where available, and remove old mailboxes that are no longer needed.
If you use domain-based email, make sure DNS records such as MX, SPF, DKIM and DMARC are correctly configured. See our Business Email Hosting page if you need professional mailboxes.
Your domain and DNS settings control where your website and email go. If someone gains access to your domain registrar or DNS provider, they may be able to redirect your website, intercept email or disrupt services.
Protect domain registrar accounts with strong passwords and two-factor authentication. Keep contact details up to date so you can recover the domain if needed.
Before changing nameservers or DNS records, copy existing records and check website, email, SSL and verification records afterwards.
Domain and DNS access should be protected as carefully as hosting access. DNS changes can affect your website, email, SSL, forms and connected services.
SSL helps protect data between visitors and your website by enabling HTTPS. It is essential for modern websites, especially if you use forms, logins, checkout or customer accounts.
SSL does not replace hosting security, but it is an important part of the overall setup. A website can have SSL and still be infected with malware, so SSL should be used alongside scanning, updates and backups.
Use our SSL Checker to check your certificate and confirm your website loads securely.
Malware scanning helps detect suspicious files, injected code, spam pages, malicious redirects, backdoors and other signs of compromise.
Scanning is especially important for WordPress websites, ecommerce sites and websites with frequent updates or third-party plugins.
If malware is found, cleanup should include removing the infection, checking for backdoors, updating software, changing passwords and fixing the weakness that allowed the infection.
A Web Application Firewall, or WAF, helps filter suspicious traffic before it reaches your website. It can help block common attacks, bad bots, malicious requests and repeated exploit attempts.
A WAF is useful for WordPress sites, WooCommerce shops, contact forms, login areas, customer portals and custom web applications.
A WAF should be used alongside secure hosting, software updates, strong passwords, backups and malware scanning. It is a security layer, not a complete replacement for maintenance.
Some hosting accounts use scheduled tasks or cron jobs to run scripts automatically. These can be useful for backups, maintenance, imports, emails and application tasks.
However, unknown or outdated scheduled tasks can become a security concern. Review them occasionally and remove anything that is no longer needed.
If you find a suspicious scheduled task, investigate before deleting it, especially on complex websites or ecommerce stores.
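The review described above can be done against a written inventory of the jobs you expect. This added example (not part of the original guide) parses `crontab -l` style text and flags jobs that are unknown or that point at files which no longer exist; the function names, the inventory format and the sample crontab are assumptions.

```python
import os
import re
import shlex
import tempfile

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")

def parse_crontab(text):
    """Return (schedule, command) pairs from `crontab -l` style text."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue  # blank line, comment, or setting such as MAILTO=...
        fields = 1 if line.startswith("@") else 5  # @daily etc. use one field
        parts = line.split(None, fields)
        if len(parts) == fields + 1:
            jobs.append((" ".join(parts[:fields]), parts[fields]))
    return jobs

def review_jobs(text, expected_commands):
    """Flag jobs missing from the owner's inventory or pointing at absent files."""
    report = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if command not in expected_commands:
            reasons.append("unknown: not in the expected job list")
        try:
            tokens = shlex.split(command)
        except ValueError:  # unbalanced quotes: fall back to plain splitting
            tokens = command.split()
        missing = [t for t in tokens if t.startswith("/") and not os.path.exists(t)]
        if missing:
            reasons.append("outdated: missing " + ", ".join(missing))
        if reasons:
            report.append((schedule, command, reasons))
    return report

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:  # constructed sample account
        backup = os.path.join(home, "backup.sh")
        open(backup, "w").close()
        old = os.path.join(home, "old-import.php")  # deliberately never created
        crontab = f"MAILTO=owner@example.com\n30 2 * * * {backup}\n@daily php {old}\n"
        for schedule, command, reasons in review_jobs(crontab, {backup}):
            print(schedule, "|", command, "|", "; ".join(reasons))
```

The script changes nothing, which leaves room to investigate a flagged job before removing it.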
If you host multiple websites in one account, one compromised site may affect others depending on the hosting setup. Keeping important websites separate can reduce risk.
For business-critical websites, ecommerce stores or client projects, consider whether separate hosting accounts, stronger plans or VPS/VDS hosting would be more suitable.
Compare UK Web Hosting, Business Hosting, VPS Hosting UK and VDS Hosting UK depending on the workload.
Security is not only about prevention. It is also about knowing what to do if something goes wrong.
A recovery plan should include hosting login access, domain registrar access, backup locations, support contacts, recent clean backups, DNS records and a process for changing passwords quickly.
If your website is important to your business, do not wait until an emergency to find out where backups are stored or who has access.
Securing a hosting account is easier when you work through it step by step. Start with login protection, then review users, file access, software, backups, email and monitoring.
The checklist below is a practical starting point for small business websites, WordPress websites and ecommerce stores.
One common mistake is sharing one login between multiple people. This makes it harder to know who made changes and increases the chance of password leaks.
Another mistake is leaving old access active. Developers, staff members, old FTP accounts and unused website admin accounts should be removed when no longer needed.
It is also common to forget backups until something goes wrong. Backups should be checked before emergencies, not after them.
Use strong unique passwords, enable two-factor authentication, limit access, remove unused accounts, keep software updated, use backups, monitor activity, secure email and protect DNS access.
No. Your hosting account manages server-side services such as files, databases, email and DNS. Website admin access manages the website software, such as WordPress pages, plugins and users.
Yes, where available. Two-factor authentication adds an extra layer of protection for hosting, domain, email and website admin accounts.
Old FTP, SFTP or SSH accounts can provide direct access to website files. If they are no longer needed, removing them reduces risk.
Backups do not prevent attacks, but they help recovery if files are deleted, malware is added, updates break the site or mistakes are made.
No. SSL protects the connection between visitors and the website. Hosting security also needs strong logins, updates, backups, monitoring and access control.
A secure website starts with good hosting, strong account security and regular maintenance. Compare our UK Web Hosting, WordPress Hosting, Small Business Hosting and Business Hosting options.
Running an online shop or heavier website? See WooCommerce Hosting, VPS Hosting UK or VDS Hosting UK.
Need a domain or professional email too? Visit Domain Services, Business Email Hosting or Start Here.
Secure logins, users, files and databases.
Update software, monitor activity and scan for malware.
Keep backups and a recovery plan ready.
Securing a hosting account is about protecting the systems that keep your website, email, databases and domain services running. Strong passwords, two-factor authentication, limited access, updates and backups are the foundation.
From there, review FTP/SFTP accounts, website admin users, file permissions, databases, email accounts, DNS access, SSL, malware scanning and monitoring.
For small businesses, good hosting security helps protect enquiries, customer trust, website uptime and your online reputation.