Launching a website without verifying your security configuration is like moving into a new house and leaving all the doors unlocked. Many website owners focus entirely on design, content, and functionality during development, treating security as something to deal with "later." Later rarely comes — until a breach forces the issue.
This checklist covers 12 essential security measures to verify before your website goes live. Each item is actionable, specific, and applies whether you are launching a simple blog or a complex web application. Complete these checks and you will have a significantly harder target for attackers than the vast majority of websites on the internet.
1. SSL/TLS Certificate Is Installed and Forced
Every website needs HTTPS encryption. Before going live, verify:
- Your SSL/TLS certificate is installed and valid (check in cPanel > SSL/TLS Status)
- HTTPS is forced for all pages (enable "Force HTTPS Redirect" in cPanel > Domains)
- No mixed content warnings (all resources load over HTTPS)
- HSTS (HTTP Strict Transport Security) header is set
- The certificate covers all your domains and subdomains (including www and non-www)
Test with: https://www.ssllabs.com/ssltest/ — aim for an A or A+ rating.
2. All Software Is Updated to Latest Versions
Outdated software is the number one cause of website compromises. Before launch, update:
- CMS core — WordPress, Joomla, Drupal, or whatever platform you use
- All plugins and extensions — every single one, no exceptions
- Themes and templates — including inactive themes (or better yet, delete them)
- PHP version — use the latest supported version (PHP 8.2+ as of 2026). Check in cPanel > MultiPHP Manager.
- Any custom scripts or libraries — jQuery, Bootstrap, or other included libraries
Set up auto-updates where available. For WordPress, enable auto-updates for minor releases (security patches) by adding define('WP_AUTO_UPDATE_CORE', 'minor'); to wp-config.php.
3. Strong Passwords and Two-Factor Authentication
Weak passwords remain a leading attack vector. Verify:
- cPanel password — at least 16 characters, randomly generated. Use a password manager.
- CMS admin password — unique and strong, not reused from any other service
- Database passwords — randomly generated, at least 20 characters
- FTP/SFTP passwords — if you use FTP, ensure strong passwords. Better yet, use SFTP with key-based authentication.
- Email passwords — every email account should have a unique, strong password
Enable two-factor authentication on cPanel and your CMS admin. This single step prevents the majority of credential-based attacks.
4. File and Directory Permissions Are Correct
Incorrect permissions are a common vulnerability on shared hosting. Check:
- Directories: 755 (owner: rwx, group/others: rx)
- Files: 644 (owner: rw, group/others: r)
- wp-config.php (or equivalent): 400 or 440
- .htaccess: 444
- No files or directories set to 777
Run a quick check via SSH:
```shell
# Find any files or directories set to 777 (world-writable)
find ~/public_html -perm 777 -type f
find ~/public_html -perm 777 -type d
```
If anything returns results, fix the permissions immediately. For WordPress-specific guidance, see our WordPress hardening guide.
5. Web Application Firewall Is Active
A web application firewall (WAF) blocks the most common attacks — SQL injection, cross-site scripting, file inclusion, and more. Verify:
- ModSecurity is enabled on your hosting account (check in cPanel > ModSecurity or ask your host)
- The WAF is using an up-to-date rule set (OWASP CRS or Imunify360 rules)
- The WAF is in prevention mode, not just detection/logging mode
Test the WAF is active by sending a test request with a SQL injection pattern and confirming it is blocked (see our WAF guide for safe testing instructions).
6. Malware Scanning Is Configured
Ensure your hosting account has active malware protection:
- Imunify360 — if your host provides it, verify it is active and real-time scanning is enabled
- Application-level scanner — install a security plugin (Wordfence for WordPress) with scheduled scanning
- Run an initial scan — scan your entire site before launch to establish a clean baseline
For step-by-step scanning instructions, see our malware scanning and removal guide for cPanel.
7. Backups Are Automated and Tested
Backups are your last line of defense. Before going live:
- Configure automated backups with at least daily database and weekly full-site schedules
- Store backups offsite (cloud storage, not just the hosting server)
- Test a restore from backup to confirm backups are complete and functional
- Document your restore procedure so you can execute it quickly during an emergency
- Verify your hosting provider's backup policy and retention period
A backup you have never tested is a backup you cannot rely on. Test restoration at least once before launch and periodically thereafter.
8. Security Headers Are Set
HTTP security headers instruct browsers to enforce additional security policies. Add these to your .htaccess file:
```apache
# Prevent page from being framed (clickjacking protection)
Header always set X-Frame-Options "SAMEORIGIN"
# Prevent MIME type sniffing
Header always set X-Content-Type-Options "nosniff"
# Force HTTPS for one year
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Control referrer information
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Restrict browser features
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
```
Test your security headers with: https://securityheaders.com — aim for at least a B rating, ideally A.
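Besides the online scanner, you can verify the headers from your own shell, which also works for staging hosts the scanner cannot reach. The script below is an added example and not part of the original article: it reads raw response headers on stdin (for example from curl -sI https://yourdomain.com, where the hostname is a placeholder), lists which of the five headers from the .htaccess snippet are missing, and grades the HSTS header, since an HSTS header with a tiny max-age passes a naive presence check but gives almost no protection. The sample response it tests is constructed, not captured from any real site.

```shell
#!/bin/sh
# Added example: check the five checklist headers on a response.
# Usage:  curl -sI https://yourdomain.com | missing_headers   (hostname is a placeholder)
#         curl -sI https://yourdomain.com | hsts_status

REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options referrer-policy permissions-policy"

# Drop CRs and lower-case the block: HTTP header names are case-insensitive.
normalise_headers() {
    tr -d '\r' | tr 'A-Z' 'a-z'
}

# Print the name of every required header absent from the headers on stdin.
missing_headers() {
    hdrs=$(normalise_headers)
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || printf '%s\n' "$h"
    done
}

# Classify the HSTS header on stdin:
#   missing        no header at all
#   short          max-age below one year (31536000 seconds)
#   no-subdomains  long enough but includeSubDomains absent
#   ok             matches the checklist's recommended value
hsts_status() {
    line=$(normalise_headers | grep '^strict-transport-security:' | head -n 1)
    [ -n "$line" ] || { echo missing; return; }
    age=$(printf '%s\n' "$line" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge 31536000 ] || { echo short; return; }
    case "$line" in
        *includesubdomains*) echo ok ;;
        *) echo no-subdomains ;;
    esac
}

# Constructed sample response: one header missing, HSTS set for only five minutes.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=300
Server: Apache'

printf '%s\n' "$SAMPLE_RESPONSE" | missing_headers   # permissions-policy
printf '%s\n' "$SAMPLE_RESPONSE" | hsts_status       # short
```

Check the HTTPS URL, not the HTTP one: browsers ignore Strict-Transport-Security on plain-HTTP responses, so the header only counts where the redirect lands. If a header you set in .htaccess does not show up, confirm mod_headers is enabled on the account or ask your host.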
9. Account Isolation Is Active
On shared hosting, verify that your hosting provider implements account isolation to prevent noisy neighbor problems and cross-account attacks:
- CloudLinux CageFS — file system isolation between accounts
- LVE resource limits — CPU, RAM, and I/O boundaries per account
- PHP selector — ability to choose your PHP version independently of other accounts
If your hosting provider does not use CloudLinux with CageFS, consider migrating to one that does. MassiveGRID's high-availability cPanel hosting includes all of these isolation technologies on every server.
10. DNS Is Properly Configured
DNS misconfigurations can expose your site to attacks or cause availability issues. Check:
- SPF record — prevents email spoofing from your domain. Add a TXT record:
  v=spf1 +a +mx include:_spf.yourmailprovider.com -all
- DKIM — cryptographic email authentication. Enable in cPanel > Email Deliverability.
- DMARC — policy for handling failed SPF/DKIM checks. Add a TXT record:
  v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
- CAA record — specifies which Certificate Authorities can issue SSL certificates for your domain
- No unnecessary records — remove DNS records for services you no longer use
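Publishing the records is only half the job; a typo turns an SPF or DMARC record into silent no-ops. The script below is an added example, not part of the original article, that sanity-checks the two record templates from this section before (or after) you paste them into DNS: for SPF it requires a v=spf1 prefix, a terminal all mechanism that is not +all, and at most 10 DNS-lookup mechanisms (the limit in RFC 7208); for DMARC it requires a p= policy and warns on p=none or a missing rua= address. The records it tests are the article's own templates with their placeholder domains; nothing is queried over the network.

```shell
#!/bin/sh
# Added example: lint SPF and DMARC TXT record values. The records tested at
# the bottom are the checklist's templates with placeholder domains.

# Inspect one SPF record. Prints "ok lookups=N all=<q>all" or a fail reason.
# Mechanisms that trigger DNS lookups (a, mx, ptr, include, exists, redirect)
# are counted because RFC 7208 caps them at 10 per evaluation.
spf_check() {
    rec="$1"
    lookups=0
    terminal=""
    case "$rec" in v=spf1|"v=spf1 "*) ;; *) echo "fail:not-spf"; return ;; esac
    for term in $rec; do
        # Split off the qualifier: + pass (default), - fail, ~ softfail, ? neutral.
        case "$term" in
            '+'*|'-'*|'~'*|'?'*) q=$(printf '%s' "$term" | cut -c1); t=${term#?} ;;
            *) q='+'; t=$term ;;
        esac
        case "$t" in
            v=spf1) ;;
            all) terminal=$q ;;
            a|a:*|a/*|mx|mx:*|mx/*|ptr|ptr:*|include:*|exists:*|redirect=*) lookups=$((lookups + 1)) ;;
            ip4:*|ip6:*|exp=*) ;;
            *) echo "fail:unknown-term:$term"; return ;;
        esac
    done
    [ -n "$terminal" ] || { echo "fail:no-all"; return; }
    [ "$terminal" != '+' ] || { echo "fail:permissive-all"; return; }
    [ "$lookups" -le 10 ] || { echo "fail:too-many-lookups:$lookups"; return; }
    echo "ok lookups=$lookups all=${terminal}all"
}

# Inspect one DMARC record. Prints "ok p=<policy> rua=<addr>", a warning, or a fail reason.
dmarc_check() {
    rec="$1"
    policy=""
    rua=""
    # DMARC tags are separated by ';' with optional whitespace around them.
    oldifs=$IFS
    IFS=';'
    set -- $rec
    IFS=$oldifs
    [ "$(printf '%s' "$1" | tr -d ' ')" = "v=DMARC1" ] || { echo "fail:not-dmarc"; return; }
    for tag in "$@"; do
        tag=$(printf '%s' "$tag" | tr -d ' ')
        case "$tag" in
            p=none|p=quarantine|p=reject) policy=${tag#p=} ;;
            rua=mailto:*) rua=${tag#rua=} ;;
        esac
    done
    [ -n "$policy" ] || { echo "fail:no-policy"; return; }
    [ "$policy" != none ] || { echo "warn:p=none"; return; }
    [ -n "$rua" ] || { echo "warn:no-rua"; return; }
    echo "ok p=$policy rua=$rua"
}

# The checklist's two templates, plus two common mistakes.
spf_check 'v=spf1 +a +mx include:_spf.yourmailprovider.com -all'        # ok lookups=3 all=-all
spf_check 'v=spf1 include:_spf.yourmailprovider.com +all'               # fail:permissive-all
dmarc_check 'v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com'   # ok p=quarantine rua=mailto:dmarc@yourdomain.com
dmarc_check 'v=DMARC1; p=none'                                          # warn:p=none
```

To lint what is actually published, pull the live values with dig +short TXT yourdomain.com and dig +short TXT _dmarc.yourdomain.com (dig wraps each string in double quotes; strip them before passing the value in). p=none is a legitimate first step while you collect rua reports, but the checklist's target is quarantine or reject.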
11. Error Handling Does Not Expose Information
Default error pages and PHP error messages can reveal sensitive information to attackers. Verify:
- PHP display_errors is off — in production, PHP errors should be logged, not displayed. Check in cPanel > MultiPHP INI Editor: set display_errors = Off and log_errors = On.
- Custom error pages — configure custom 404 and 500 error pages that do not reveal server information
- WordPress debug mode is off — ensure wp-config.php has define('WP_DEBUG', false);
- Directory listing is disabled — add Options -Indexes to .htaccess to prevent visitors from browsing your directories
- Server signature is hidden — add ServerSignature Off to .htaccess
12. Contact Forms and User Inputs Are Protected
Every form on your website is a potential attack vector. Before launch:
- CAPTCHA or reCAPTCHA — add to contact forms, registration forms, and login forms to block automated submissions
- Input validation — ensure all form fields validate and sanitize user input (especially if using custom forms)
- Rate limiting — limit form submission frequency to prevent spam and abuse
- CSRF tokens — verify that forms include anti-CSRF tokens (WordPress and most frameworks include these by default)
- File upload restrictions — if your forms accept file uploads, restrict allowed file types and sizes, and scan uploads for malware
The Complete Pre-Launch Security Checklist
| # | Item | Status | Priority |
|---|---|---|---|
| 1 | SSL/TLS installed and HTTPS forced | ☐ | Critical |
| 2 | All software updated to latest versions | ☐ | Critical |
| 3 | Strong passwords + 2FA enabled | ☐ | Critical |
| 4 | File/directory permissions correct | ☐ | Critical |
| 5 | WAF is active and updated | ☐ | Critical |
| 6 | Malware scanning configured | ☐ | High |
| 7 | Backups automated and tested | ☐ | High |
| 8 | Security headers set | ☐ | High |
| 9 | Account isolation verified | ☐ | High |
| 10 | DNS properly configured (SPF, DKIM, DMARC) | ☐ | Medium |
| 11 | Error handling secure (no info disclosure) | ☐ | Medium |
| 12 | Forms and inputs protected | ☐ | Medium |
Choosing Hosting That Handles Security for You
Many items on this checklist are handled automatically by quality hosting providers. When you choose MassiveGRID's high-availability cPanel hosting, the following are pre-configured and managed for you:
- Free SSL certificates with automatic renewal (item 1)
- Imunify360 malware scanning and WAF protection (items 5 and 6)
- CloudLinux CageFS account isolation and resource limits (item 9)
- Automated server-level backups (item 7)
- High-availability infrastructure that eliminates single points of failure
- Hosting in Tier III+ data centers with enterprise DDoS protection
This means you can focus on application-level security (items 2, 3, 4, 8, 10, 11, 12) while the hosting infrastructure handles the server-level protections.
What to Do After Launch
Security is not a one-time task. After going live, maintain your security posture with these ongoing practices:
- Weekly: Check for and apply software updates. Review security plugin alerts.
- Monthly: Review user accounts and remove unnecessary access. Check backup integrity. Run a full malware scan.
- Quarterly: Test a backup restore. Review and update passwords. Check for unused plugins, themes, and DNS records.
- Annually: Audit your entire security configuration against this checklist. Review your hosting provider's security features and compare with current best practices.
Frequently Asked Questions
How long does it take to complete this security checklist?
For a standard WordPress site on cPanel hosting, most items can be completed in 1-2 hours. Items that your hosting provider handles (SSL, WAF, malware scanning, account isolation) require only verification, not configuration. The most time-consuming items are typically setting up backups with offsite storage and configuring security headers correctly.
Do I need to hire a security professional?
For most small to medium websites, this checklist covers the essential security measures and can be completed by the website owner. If your site handles sensitive data (financial, healthcare, personal information), processes payments, or is subject to regulatory compliance requirements, a professional security audit is a worthwhile investment. Your hosting provider's support team can also help with server-level configurations.
What if I cannot complete all 12 items before launch?
Prioritize by the "Priority" column in the checklist. The five Critical items (SSL, updates, passwords/2FA, permissions, WAF) should be non-negotiable before launch. The High items (malware scanning, backups, security headers, account isolation) should be completed within the first week after launch. The Medium items (DNS security, error handling, form protection) can be addressed within the first month.
Is this checklist enough for e-commerce sites?
This checklist provides a strong foundation, but e-commerce sites that process credit cards have additional requirements under PCI DSS. These include network segmentation, access logging, intrusion detection, regular vulnerability scanning by an Approved Scanning Vendor (ASV), and potentially a formal PCI assessment. If you process payments, consult the PCI DSS requirements or use a PCI-compliant payment processor (like Stripe or PayPal) that handles card data off your server.
How do I monitor my security after going live?
Set up monitoring on multiple levels: use your security plugin's alert system for application-level threats, monitor Google Search Console for security warnings, set up uptime monitoring (UptimeRobot, Pingdom) to detect unexpected downtime, and periodically check Sucuri SiteCheck or VirusTotal for external scanning. Imunify360 on your hosting server provides continuous server-level monitoring, and MassiveGRID's DDoS protection monitors for network-level threats.