Table of Contents
- Introduction
- Why hosting is crucial for security
- Security criteria to check
- Hosting types and security
- Questions to ask your host
- Technical checks
- Warning signs
- Recommended hosts
Introduction
Your WordPress hosting is the foundation of your online security. A poorly secured host is like building a house without a lock: no matter how good your alarms are, intruders will enter easily.
According to a WP Engine study, 41% of WordPress hacks exploit hosting-level vulnerabilities. Choosing your host isn't just about performance or price — it's a critical security decision.
In this article, we'll cover which security criteria to verify before choosing a host, and how to evaluate your current hosting's security.
Why hosting is crucial for security
The first line of defense
Your host is the first layer of protection for your site. It controls:
- Network access to your site
- Server configuration (PHP, Apache/Nginx)
- Automatic backups
- DDoS attack protection
- Isolation between shared sites
A weak host compromises everything
Even with a powerful security plugin, a complex password, and regular updates, a poorly configured host can compromise your entire site. Attackers can:
- Exploit server-level vulnerabilities
- Access other sites on the same server (lateral attack)
- Install backdoors at the system level
- Intercept data in transit
Security criteria to check
1. Account isolation
On shared hosting, each account must be isolated from others. Without isolation, compromising one site can affect all others. Check that the host uses:
- CageFS or equivalent for file isolation
- CloudLinux for resource limiting
- Separate PHP accounts (not shared)
2. Web Application Firewall (WAF)
A WAF filters malicious traffic before it reaches your site. It blocks SQL injection, XSS attacks, and other intrusion attempts. Check if the host offers:
- Built-in WAF (ModSecurity, NAXSI)
- DDoS protection
- Intrusion detection (IDS/IPS)
3. SSL/TLS and HTTPS
The SSL certificate is essential for securing data in transit. Check:
- Free Let's Encrypt certificate included
- TLS 1.2+ support
- Correct HTTPS configuration (HSTS)
4. Automatic backups
A good host performs daily automatic backups and allows one-click restoration. Check:
- Backup frequency (daily minimum)
- Retention period (30 days recommended)
- Ease of restoration
- Backup location (off-site)
5. Server updates
The host must keep up to date:
- PHP version (8.1+ recommended)
- Web server (Apache or Nginx)
- MySQL/MariaDB
- Security patches
Hosting types and security
| Type | Security | Isolation | Ideal for |
|---|---|---|---|
| Shared | Basic | Low | Personal sites |
| VPS | Good | High | Business sites |
| Dedicated | Very good | Total | Critical sites |
| Cloud/Managed WP | Excellent | Total | E-commerce, enterprise |
Questions to ask your host
- What is your backup policy? Frequency, retention, restoration
- Do you have a built-in WAF? ModSecurity, Cloudflare, etc.
- How do you handle security breaches? Response time, communication
- What PHP version is installed? Must be 8.1 or higher
- Do you offer account isolation? CageFS, CloudLinux
- Do you have DDoS protection? What level?
- How can I access logs? Error logs, access logs
Technical checks
Check PHP version
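Create a temporary info.php file containing <?php phpinfo(); ?>, or use a plugin like WP Server Health. The version must be 8.1 or higher. Delete info.php as soon as you have read it, because its output discloses your server configuration to anyone who requests the URL.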
Check permissions
Files should be 644 and folders 755. The wp-config.php file should be 600.
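One way to run this check over SSH, as an added example that is not part of the original article: the function below walks a WordPress directory and lists everything that deviates from the 644 / 755 / 600 scheme. The function name and output labels are illustrative.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the scheme stated above
# (files 644, folders 755, wp-config.php 600).
# Prints one line per deviation; returns 0 if clean, 1 if anything deviates.
audit_wp_perms() {
    root=${1:?usage: audit_wp_perms WORDPRESS_ROOT}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    findings=$(
        # Folders whose mode is not exactly 755
        find "$root" -type d ! -perm 755 | sed 's/^/DIR  want 755: /'
        # Regular files (wp-config.php is handled separately) not exactly 644
        find "$root" -type f ! -name wp-config.php ! -perm 644 |
            sed 's/^/FILE want 644: /'
        # wp-config.php holds the database credentials: owner-only access
        find "$root" -type f -name wp-config.php ! -perm 600 |
            sed 's/^/CONF want 600: /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```

Call it with the site's document root as the only argument. World-writable upload folders (777) and a group-readable wp-config.php are the deviations it most often surfaces.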
Check SSH access
If you have SSH access, verify that:
- Connections use SSH key authentication
- Root login is disabled
- A firewall is active
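The first two items can be verified from the server's sshd_config, shown here as an added example that is not from the original article. It assumes a single-file OpenSSH configuration (Include directives are not followed), maps "SSH key" to PasswordAuthentication no, and uses a constructed sample file; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report the effective global value of an sshd_config keyword.
# sshd keeps the FIRST value it reads for each keyword, so a later
# "PermitRootLogin no" does not override an earlier "yes".
sshd_effective() {   # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        { sub(/#.*/, ""); sub(/=/, " ") }   # drop comments, accept Key=value
        tolower($1) == "match" { exit }     # global section ends at first Match
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }       # keyword absent: OpenSSH default
    ' "$1"
}

# Returns 1 and prints a finding when root login or password login is possible.
audit_sshd() {       # usage: audit_sshd FILE
    rc=0
    root_login=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    pass_auth=$(sshd_effective "$1" PasswordAuthentication yes)
    if [ "$root_login" != no ]; then
        echo "PermitRootLogin is '$root_login' (want: no)"; rc=1
    fi
    if [ "$pass_auth" != no ]; then
        echo "PasswordAuthentication is '$pass_auth' (want: no)"; rc=1
    fi
    return $rc
}

# Constructed sample configuration, not taken from a real host.
sample_config() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no        # has no effect: the first occurrence wins
Match User deploy
    PasswordAuthentication yes
EOF
}
```

On a real server, point audit_sshd at /etc/ssh/sshd_config; the sample shows why reading only the last PermitRootLogin line gives the wrong answer.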
Warning signs
- Outdated PHP (7.x or lower) — known vulnerabilities
- No automatic backups — risk of total loss
- No WAF — insufficient protection
- Slow server — possible overload or malware
- No log access — inability to diagnose
- Slow support — in emergencies, every minute counts
Recommended hosts for WordPress
- WP Engine — Managed WordPress, built-in security, automatic backups
- SiteGround — Good value, built-in WAF
- Kinsta — Google Cloud infrastructure, performance and security
- OVH — French host, good for FR sites
- o2switch — French host, responsive support, good for WordPress
Shared vs VPS vs Dedicated Hosting Security Comparison
The type of hosting you choose has a direct impact on your WordPress site's security. Each solution has advantages and disadvantages that are essential to understand before making your choice.
| Criteria | Shared | VPS | Dedicated | Managed Cloud |
|---|---|---|---|---|
| Security Level | Basic | High | Very High | Excellent |
| Isolation | Low (other sites) | Good | Total | Total |
| Lateral Attack Risk | High | Low | None | None |
| Secure Configuration | By host | By you | By you | By host |
| Maintenance | Included | Partial | You manage all | Included |
| Monthly Price | $2-10 | $10-50 | $50-200+ | $20-100+ |
Shared Hosting: The Economical But Risky Choice
Shared hosting is the cheapest but least secure option. Several hundred sites can coexist on the same server. If one gets hacked, others can be compromised through lateral attacks. Reputable shared hosts use isolation technologies like CageFS or CloudLinux, but this doesn't guarantee absolute protection. This type of hosting is acceptable for a personal blog without sensitive data, but not for a professional or e-commerce site.
VPS: The Best Security-to-Price Ratio
A VPS (Virtual Private Server) gives you an isolated environment with dedicated resources. You're responsible for security configuration, which requires technical skills. The advantage is complete control over security settings: firewall, PHP versions, SSH access, etc. For professional sites, a VPS is often the best compromise between cost and security. Choose an unmanaged VPS if you have the skills, or a managed VPS if you prefer to delegate maintenance.
Dedicated and Managed Cloud: Top-Tier Security
Dedicated servers and managed cloud solutions (WP Engine, Kinsta) offer the highest level of security. No other site shares your server, and managed hosts apply strict security policies: enterprise WAF, automatic malware scanning, off-site backups, automatic updates, and 24/7 expert support. These solutions are recommended for e-commerce sites, high-traffic sites, and businesses that cannot afford any service interruption.
Red Flags to Avoid When Choosing a Host
Certain signs should immediately alert you when choosing a host. Here are the red flags not to ignore.
1. "Unlimited Hosting" Promises
"Unlimited" disk space and bandwidth is technically impossible. These offers often mean overcrowded servers, extremely shared resources, and poor performance. Reputable hosts set clear limits and guaranteed resources. Be wary of offers that seem too good to be true — because they probably are.
2. No Free SSL Certificate
In 2026, any self-respecting host must offer a free Let's Encrypt SSL certificate with one-click installation. If your host charges for SSL or doesn't offer it, it's a sign their security standards are outdated. HTTPS is no longer optional — it's a requirement for SEO, visitor trust, and data security.
3. Outdated PHP Version
If your host still offers PHP 7.4 or lower by default, run away. These versions no longer receive security updates and are easy targets for attackers. A good host must offer PHP 8.1, 8.2, or 8.3 with the ability to easily switch versions. Also check that the host applies major security patches quickly.
4. Slow or Non-Existent Customer Support
In a security emergency, every minute counts. If your host takes hours or days to respond to a support ticket, that's a major risk. Test support before subscribing: ask a technical question via chat or ticket and measure the response time. A good host responds within 30 minutes for urgent requests.
5. No Automatic Backups
A host that doesn't offer daily automatic backups with one-click restoration should be avoided. In case of hacking or failure, you'll lose all your data. Check backup frequency, retention period (30 days minimum), and whether backups are stored on a different server (off-site).
Questions to Ask Your Hosting Provider
Before choosing a host, ask these essential questions to evaluate their security level. The answers will let you objectively compare different offers.
Server Security
Ask: "What is your server hardening policy?" A serious host should be able to describe the measures taken: disabling unnecessary services, secure PHP configuration (disable_functions), protection against remote file inclusions, application firewall (ModSecurity), and intrusion detection. Also check whether they use a 24/7 monitoring solution to detect abnormal activity on their servers.
Incident Management
Ask: "How do you respond to a security incident on a shared server?" A good host should have a documented incident response plan: immediate isolation of the compromised site, forensic analysis, notification to affected clients, and server cleanup. Transparency is essential — if the host refuses to discuss their procedure, consider it a red flag.
Compliance and Certifications
Ask: "What security certifications do you hold?" Reputable hosts display their certifications: ISO 27001 (information security), SOC 2 (internal controls), PCI-DSS (payment data). These certifications are an independent guarantee of the host's security level. For an e-commerce site, a PCI-DSS certified host is essential.
Contract Terms
Ask: "What happens in case of failure or data loss?" Check the SLA (Service Level Agreement): guaranteed uptime (99.9% minimum), penalties for non-compliance, refund procedure. Ensure the contract clearly defines the host's responsibilities regarding security and backups, as well as your own.