
Security

The following was Moved from “Hosting” section – Can probably be consolidated into the overall Security bit here – I just ran the first general part through ChatGPT, not the bits under the different hosting types!

Security

Website security is paramount for protecting integrity, safeguarding user data, and preserving a site’s online reputation. In today’s landscape of ever-evolving cyber threats, even minor vulnerabilities can be exploited, leading to severe consequences — ranging from website defacement to the theft of sensitive information such as passwords and credit card details.

The fallout from a security breach can be devastating. Search engines like Google may blacklist compromised sites, causing traffic to plummet overnight. Visitors who encounter malware warnings or phishing attempts are unlikely to return, and for sites handling sensitive user data — particularly in sectors like e-commerce, finance, or healthcare — legal repercussions and hefty fines under regulations such as GDPR or CCPA are real risks.

Beyond the immediate technical and financial impacts, security breaches erode trust. A security lapse suggests negligence and can irreparably damage your credibility. Implementing robust defences such as firewalls, SSL encryption, malware scanning, and secure coding practices not only helps prevent attacks but also demonstrates your commitment to protecting your users.

Ultimately, website security is not optional — it is a fundamental pillar of maintaining a professional, trustworthy, and resilient online presence. Whether you manage a personal blog, a business site, or a complex web application, prioritizing security is essential for long-term success and sustainability.

Shared Hosting

With Shared Hosting, server-level security such as firewalls and brute-force protection is handled entirely by the host, which is convenient but not very flexible or robust. However, security for the site itself will be very limited. User isolation will be very weak; firewall customization very limited; brute-force protection basic; and malware scanning dependent on the provider.

At the very minimum, if you choose to use a Shared Hosting plan, we strongly advise that you use a WAF on your site. The WAF will protect your site by monitoring the traffic and scanning for and removing malware. It makes little sense to pay for a WAF with Shared Hosting as such plans can be quite expensive, but there are some very good free ones available which can easily be set up to protect your site.

VPS Hosting

With Unmanaged VPS Hosting, users are responsible for much of the security setup themselves. This should not be a problem as only people with excellent technical skills should consider such a plan. With a Managed VPS Hosting plan, the provider will generally look after the server-side security and work with users to set up security for the website itself. Security with VPS Hosting plans can be much better than with Shared Hosting plans, primarily because of greater control, isolation, and customization. User isolation is very strong; firewall setup customizable; brute-force protection advanced; and malware scanning is fully available.

With Shared Hosting, a compromised neighbour can pose a security risk to your site. With VPS Hosting, your environment is isolated using virtualization, so your resources and files are completely separate from others.

On Shared Hosting, firewall settings are controlled by the host, and apply to everyone on the server. Tools may be limited or unavailable, and you’re dependent on whatever the host enforces globally. With VPS Hosting there is much more flexibility.

If you are not very technically aware, make sure you choose a Managed plan, and then the provider will advise you what may be needed and will usually set it up for you.

Whatever security you decide to implement, we strongly advise users who choose VPS Hosting to also make sure their site is protected by a WAF. Some VPS Hosting providers offer WAFs as a standard feature in their VPS plans, while others offer them as an add-on or a premium service, so a WAF is not a standard feature. It’s crucial to check the VPS plan you are considering to determine if WAF protection is included. The WAF will protect your site by monitoring the traffic and scanning for and removing malware. Although there are some very good free WAFs, it might be worthwhile to consider a premium one as the extra features will improve the security.

Cloud Hosting

Cloud Hosting security is generally stronger and more flexible than traditional hosting environments like Shared or VPS hosting. The major advantage is that it’s built on modern infrastructure with advanced security features available at both the infrastructure and application levels.

Typical security features of Cloud Hosting are:

  • Data is stored across multiple servers or locations, reducing the risk of loss
  • Automated backups, snapshots, and point-in-time restores are standard
  • Configurable firewalls (e.g., AWS Security Groups, Cloudflare integration) are included
  • Built-in DDoS mitigation is often included, especially with enterprise-level services
  • Virtual Private Clouds (VPCs) create isolated environments, minimizing attack surfaces
  • You can segment services by region, access level, or internal network
  • Data encryption at rest and in transit is standard with most cloud providers (e.g., SSL/TLS, AES-256)
  • Many offer key management systems (KMS) for encrypted storage and services
  • Role-based access controls allow precise control over who can access what

Cloud Hosting introduces a shared responsibility concept between the cloud provider and the customer. The provider is fully responsible for the physical data centre and its security, and for the hardware and hypervisor. Responsibility for OS and application security lies with both the provider and the user. The website itself is the responsibility of the user, who can expect a lot of support from the provider with a Managed plan. So while cloud infrastructure is highly secure, users still need to configure their instances, databases, applications, and access controls responsibly, especially if they are on an Unmanaged plan.

A WAF is also essential for Cloud Hosting. However, it is usually included in most Managed Hosting plans and handled by the provider. So there really is nothing for users to do, and this is one of the many advantages of Managed Cloud Hosting plans.

Dedicated Hosting

Dedicated Hosting security is considered highly robust, but how secure it is depends on how well it’s configured and managed. Because a dedicated server is exclusively the property of the user, it avoids many risks inherent in shared environments, such as cross-site contamination. However, it also demands greater responsibility for setup and maintenance. Users are responsible for most, if not all, of the software security configuration.

For Unmanaged Dedicated Hosting, which is the norm, users must monitor and apply updates to the OS, CMS, and software. Automatic backups are not provided, so they must be configured manually or with paid add-ons. There is no built-in DDoS protection, so 3rd party services (e.g., Cloudflare, Sucuri) are required. IP restrictions, fail2ban, or other hardening tools need to be installed to deal with brute-force and bot attacks.

This is a short list of what a user with a Dedicated Hosting plan should consider adding to protect the site:

  • Imunify360 or Maldet for malware scanning
  • ModSecurity WAF or Cloudflare WAF
  • Fail2Ban for brute-force login protection
  • Two-factor authentication (2FA) for control panel and SSH
  • Encrypted backups (offsite or cloud-based)
  • Security patches and OS updates — regularly scheduled or automated

We would expect that anyone who has chosen Dedicated Hosting can handle such requirements; otherwise they don’t really have the technical skills for such a plan.

When you build your website you will need to implement numerous security measures to block malicious bots, hackers, malware, and spam attacks. Amongst many others you should:

  • Keep WordPress core updated
  • Have strong passwords
  • Regularly back up your site
  • Use two-factor authentication (2FA)
  • Only install from trusted sources (i.e. WordPress or reputable Developers)
  • Use only the best Plugins and Themes and keep them up to date
  • Use SSL to encrypt data between your site and your visitors
  • Hide your WordPress login page
  • Disable file editing in the WordPress dashboard
  • Use the “Principle of Least Privilege”
  • Choose an email protected by 2FA

Along with all those precautions, we strongly advise that you implement additional security measures to safeguard, monitor, and audit your website.

Web Application Firewall (WAF)

We highly recommend using a WAF to filter out malicious traffic and automatically block known threats before they ever reach your site. Your website needs to be protected by a WAF because although most hacks happen due to human error or neglect, not flaws in WordPress itself, attacks can still occur even if you’ve taken all the right precautions. A WAF will protect against:

  • Brute force login attempts
  • SQL injection
  • Cross-site scripting (XSS)
  • Plugin/theme vulnerabilities
  • Distributed Denial-of-Service (DDoS) attacks

There are two different approaches to implementing a WAF to protect your website, and you need to consider which one to take:

  • Host Based WAF – Installed directly on the server hosting your website
  • Cloud Based WAF – Cloud proxy which is part of the infrastructure of a security service provider

Each type of WAF comes with its own advantages and drawbacks, and, as with many aspects of website management, choosing and implementing the right WAF is a key factor when selecting a hosting provider. While some hosting plans include a built-in WAF, this is often limited to higher-tier offerings – budget-friendly options typically do not. In some cases, particularly with certain Shared Hosting plans, you may be restricted from installing a host-based WAF altogether, making a cloud-based solution your only viable option.

One of the most significant distinctions between the two lies in maintenance: a host-based WAF requires you to manage updates and configurations yourself, whereas a cloud-based WAF is maintained entirely by the provider. Given the potential cost and impact on security, it’s essential to carefully evaluate both the type of WAF and the specific service you intend to use.

Malware Scanner

Keeping your website secure involves more than just blocking threats; it also requires ongoing monitoring and prompt response to any issues that manage to get through. This is where malware scanners and related tools come into play.

A Malware Scanner regularly checks your website’s files, code, and database for any signs of malicious software. These scans can detect known malware signatures, suspicious file changes, or unauthorized code injections. Many security tools offer scheduled automatic scans as well as manual scanning options, allowing you to stay proactive in protecting your site.

Once malware is detected, the system typically logs the details, including what was found, where it was located, and when the activity occurred. This logging is crucial for tracing the source of an infection, understanding how it spread, and documenting incidents for future protection or compliance requirements.

The final and critical step is malware removal. Good security tools will not only detect threats but also offer options to quarantine or automatically remove malicious code. In some cases, removal may require manual intervention or the assistance of your hosting provider, especially if the infection is deep-rooted or sophisticated.
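The scan, log, and quarantine steps described above can be sketched as follows. This is an added example, not code from any scanner named on this page: the two signatures, the function names, and the sample site tree built by `demo()` are constructed for illustration.

```python
import hashlib, re, shutil, tempfile, time
from pathlib import Path

# Constructed signatures for illustration; real scanners ship large curated rule sets.
SIGNATURES = {
    "eval-of-decoded-input": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "eval-of-request-data": re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST)"),
}

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def scan(root, baseline):
    """Compare the tree to the baseline; return what/where/when records."""
    root, now = Path(root), time.strftime("%Y-%m-%dT%H:%M:%S")
    current, findings = snapshot(root), []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append({"what": "new file", "where": rel, "when": now})
        elif baseline[rel] != digest:
            findings.append({"what": "modified file", "where": rel, "when": now})
        data = (root / rel).read_bytes()
        for name, pattern in SIGNATURES.items():
            if pattern.search(data):
                findings.append({"what": "signature:" + name, "where": rel, "when": now})
    for rel in sorted(baseline.keys() - current.keys()):
        findings.append({"what": "deleted file", "where": rel, "when": now})
    return findings

def quarantine(root, rel, qdir):
    """Move a flagged file out of the web root so it can no longer be served."""
    Path(qdir).mkdir(parents=True, exist_ok=True)
    target = Path(qdir) / (rel.replace("/", "_") + ".quarantined")
    return shutil.move(str(Path(root) / rel), str(target))

def demo():
    """Constructed site: take a baseline, simulate tampering, scan, quarantine, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp, "site")
        (site / "wp-content").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>")
        baseline = snapshot(site)
        (site / "index.php").write_text("<?php echo 'hello'; /* edited */ ?>")
        (site / "wp-content" / "cache.php").write_text("<?php eval(base64_decode($x)); ?>")
        findings = scan(site, baseline)
        quarantine(site, "wp-content/cache.php", Path(tmp, "quarantine"))
        return findings, scan(site, baseline)
```

After quarantine, the rescan still reports the modified `index.php`: a changed legitimate file has to be restored from a clean backup, which is why the baseline should be taken from a known-good copy of the site.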

Ultimately, incorporating malware scanning and removal into your WordPress security strategy ensures your site remains safe, functional, and trustworthy to visitors. For comprehensive protection, it’s recommended to use a reputable security plugin or service that combines scanning, real-time monitoring, threat logging, and automated remediation. These solutions offer peace of mind by helping ensure that even if a vulnerability is exploited, it can be identified and neutralized quickly.

Wordfence is one of the leading Host Based WAF providers and their free version has a very good reputation. MalCare is another Host Based WAF alternative whose free version is a good option. However, if you feel you need more robust protection and features like advanced scanning, faster cleanups, and more comprehensive protection, then the prices can be quite high.

Sucuri is a very popular and well-regarded Cloud Based WAF. However, it does not have a free version and it costs even more than most Host Based WAFs. Furthermore, the setup is not at all easy for users who have limited technical capabilities. Having said that, Sucuri have excellent support who can guide you through the process. We have often used Sucuri and can recommend their solution as offering very good security protection. One big benefit of Sucuri compared to many of their rivals is that they include unlimited malware clean-ups & blacklist removal in their basic plan.

If you want a free Cloud Based WAF then Cloudflare is your best option as they have a wonderful reputation. They provide a free reverse proxy service which inspects, filters, and blocks malicious traffic before it hits your site. However, your traffic needs to flow through Cloudflare’s edge network to do this, which means you have to use their DNS. This means you have to point your domain Registrar’s nameservers (NSs) towards Cloudflare and set up the DNS records with them. This is not very difficult, but can be a bit challenging if you have little or no technical skills. If you are using Shared Hosting they might not provide much help as this is not a change that suits them.