Hostinger WordPress Security: 10 Steps to Lock Down Your Site

Hostinger includes several server-level security features by default:

• Web Application Firewall (WAF): Blocks SQL injection, XSS, and other common WordPress attack patterns at the network level before they reach your site
• Malware Scanner: hPanel → Security → Malware Scanner — scans files and database for known malware signatures
• DDoS Protection: Network-level DDoS mitigation on all hosting plans
• SSL Certificates: Free Let's Encrypt SSL on all plans, auto-renewed every 90 days
• Two-Factor Authentication: For hPanel login (protecting your hosting account, not just WordPress)

These server-level protections are active by default. You don't need to configure them, but you should supplement them with WordPress-level security measures.

Your WordPress admin login is the primary attack surface. Enable 2FA:

1. Install WP 2FA plugin (free, 80K+ installs)
2. Go to Users → Your Profile → Two Factor Authentication
3. Set up TOTP (Google Authenticator or Authy)
4. Optional: Require 2FA for all admin-role users

Also enable 2FA for your hPanel account: hPanel → Account → Security → Two-Step Authentication. This protects your hosting control panel from account takeover.

WordPress's /wp-login.php is brute-forced millions of times daily. Defense layers:

• Limit login attempts: Install Limit Login Attempts Reloaded — blocks IPs after 3-5 failed logins
• Change login URL: Use WPS Hide Login to change /wp-login.php to a custom URL. Bots targeting the default URL find nothing.
• Strong password: WordPress admin password should be 16+ characters. Use a password manager.
• Block XML-RPC: If you don't use XML-RPC, disable it via .htaccess or a security plugin to eliminate a common attack vector.

74% of WordPress hacks exploit known vulnerabilities in outdated plugins and themes (Wordfence 2025 data). Enable Hostinger's auto-updates for WordPress core, plugins, and themes in hPanel → WordPress → Auto Updates.

For plugins you can't auto-update (paid plugins requiring manual license activation), create a maintenance schedule to manually update them weekly. Check the plugin's changelog before updating to spot breaking changes.

Hostinger's built-in tools cover server-level security. Add a WordPress-level security plugin for application-layer protection:

• Wordfence Security (free): Firewall, malware scanner, live traffic monitoring. Most popular security plugin with 5M+ installs. The free version is sufficient for most sites.
• Solid Security (formerly iThemes Security): Excellent hardening features — file change detection, database backups, security grades. Better suited for non-technical users.
• Sucuri Security (free): Activity auditing, file integrity monitoring, and blacklist monitoring. Pairs well with Sucuri's WAF (paid) for maximum protection.

File Permissions: Correct permissions prevent attackers from modifying files even if they gain limited access:

• Folders: 755
• Files: 644
• wp-config.php: 600 (most sensitive file)
• Set via hPanel File Manager or FTP client

Backups: Enable daily backups in hPanel. Also install UpdraftPlus to send backups to Google Drive or Dropbox independently. Two backup destinations = no data loss.

SSL: Verify SSL is active (padlock in browser) and force HTTPS in WordPress Settings → General by setting both URLs to https://.