How We Protect Your Website (And What You Can Do to Help)

Knowledgebase Article

How We Protect Your Website (And What You Can Do to Help)

Most people think of website security like locking their front door. You’ve got a strong password, maybe even a security plugin, and you figure that’s enough to keep the bad guys out.

But here’s the thing—hackers don’t use the front door.

They don’t politely jiggle the doorknob and sigh in disappointment when it doesn’t open. They scour every inch of your house, looking for an unlocked window, a cracked basement hatch, or a hidden spare key you forgot under the doormat. They don’t care if you have a high-tech alarm system—if there’s an opening, they’ll find it.

Now, imagine the internet isn’t just a row of houses—it’s millions of houses, all lined up in a giant digital neighbourhood. Hackers aren’t picking one house at a time—they’re running massive, automated scans, testing millions of sites every single day for weak passwords, outdated software, or any tiny vulnerability they can use to gain access undetected.

And the second they find one? Boom. They’re in.

That’s why real security is about layered defences that anticipate weak spots before they’re exploited.

At Kualo, we’ve built an insanely strong, multi-layered security system designed to detect, block, and neutralise threats before they reach your site. But security isn’t just about what we do—it’s also about what you do.

We can build the fortress, staff the guard towers, and install the alarms, but if there’s an unguarded back door—an exposed password, an unpatched plugin, or a missing security update—an attacker only needs that one gap to get through.

So, let’s break it down:

Here’s what we do to keep you safe—and what you also need to do to keep your site locked down.

Navigation

🛡️ Firewalls: The (Smart) Bouncers at the Door

Imagine the internet as a massive, lawless nightclub. Some guests are regulars, here to enjoy the music (or, you know, browse your website). Others, though? They’re looking to cause trouble.

Some of these troublemakers charge straight at the door over and over again, hoping to force their way in. Others blend into the crowd, testing locks, seeing what they can get away with before anyone notices.

Your website needs security at the door—a bouncer who can spot fake IDs, throw out the rowdy ones, and challenge anyone being sneaky before they cause chaos.

But here’s the catch: hackers don’t all play by the same rules.

💥 Two Main Hacker Strategies (And Why Regular Firewalls Struggle)

1️⃣ The Sledgehammer Approach (Flood Attacks)
Some hackers try to smash their way in by throwing enormous amounts of traffic at a site, hoping to overload the server and knock it offline (DDoS attacks), or by brute-forcing passwords with thousands of login attempts per second.

📍 This is where traditional firewalls are useful—they can spot a single source flooding traffic and block it.

2️⃣ The Pickpocket Approach (Distributed Attacks)
Other hackers play the long game, using botnets—armies of compromised devices spread across the world.

✔ Instead of hammering the same website repeatedly, they probe thousands—one request at a time, from different IP addresses and locations.
✔ They learn from what gets blocked and tweak their attack patterns in real-time.
✔ They look for unpatched software, vulnerable plugins, or weak passwords—exploiting the smallest openings.

📍 This is where traditional firewalls start to fail—because if an attack is coming from thousands of different locations, how do you spot the pattern?

🤖 A Firewall That Thinks Like a Hacker (And Then Outsmarts Them)

Instead of just standing at the door reacting to trouble, our firewall is part of a global intelligence network—watching threats unfold across thousands of servers at the same time.

✔ It learns from attack patterns happening elsewhere, meaning that if a hacker tries a trick on another website, your site is already protected before they even get to you.
✔ It spots botnet behaviour, and can be successful at blocking networks even if each bot is making just one request per site before moving on.
✔ It adapts in real time, so even if an attack evolves, our defences shift to counter it.

What This Means for Your Website:

✔ Network firewalls block known malicious sources before they even reach your site.
✔ Machine-learning WAFs detect and adapt to new threats, even if they change tactics.
✔ Rate-limiting and brute-force protection stops a wide range of automated login attempts before they become a problem.
✔ Real-time attack intelligence from thousands of servers means the majority of threats are neutralised before they reach you.

In short? Hackers evolve. So do we.

🔒Caged File System: Your Own Private Security Bubble

At many hosts, hosting your website is like renting an apartment in a large building. Your website is one apartment within a bigger structure (the server), and other tenants (other websites) live in the same space.

Now, imagine if your neighbour accidentally sets fire to their kitchen. In a typical apartment block, that fire could spread to your home. That’s what happens on a traditional shared hosting server—if one website gets hacked, others could be at risk too.

But our hosting doesn’t work like that.

We use CageFS, which acts as a fireproof wall around your hosting account, isolating your files, data, and resources from everyone else on the server.

✔ Each account runs in its own secure “cage”—other users can’t see or access your files.
✔ Processes and resources are locked down, so if another site on the server is compromised, it can’t affect you.
✔ Stops attackers from jumping between accounts, eliminating one of the biggest risks of traditional shared hosting.

It’s like living in a detached house instead of an apartment block—your space is completely your own.

⚠️What About Multiple Websites in One Account?

If you host multiple websites or applications in a single hosting account, whilst they’re isolated from other customers, they aren’t isolated from each other—they share the same space. So, if one site gets compromised, it could affect the others.

👉 If you’re hosting multiple websites, this may be okay, but it’s crucial to keep every single one updated and secure. Otherwise, a vulnerable site could become a gateway for attackers to access everything else in the account.

If you want absolute separation between your websites, the best approach is to host them in separate cPanel accounts. Want more info? Read our article on when Addon Domains Are a Good Idea (And When You Should Re-Think Them).

💾 Backups & Self-Restoration via JetBackup: Your Safety Net

Even with all the security in the world, sometimes things still go wrong—which is why backups are critical.

✔ We take regular backups using JetBackup, so you can restore your files or database at any time.
✔ Backups are taken daily, with higher-frequency backups available on our premium plans.
✔ You can restore files directly from cPanel, without needing to contact support (though we’re happy to help if you need us).

It’s like having a reset button—if something goes wrong, you can roll back to a clean version of your site in minutes.

🦠 Real-Time Malware Protection & Proactive Defence

Hackers don’t always barge through the front door—sometimes, they’re sneaking in through a tiny, overlooked window. And once inside, they don’t just sit around—they plant backdoors, hide malicious scripts, and wait for the perfect moment to strike.

That’s where our security systems do more than just react—they prevent.

Step One: Stopping Known Threats in Their Tracks

Our real-time malware scanner works like a 24/7 security guard, scanning every file the moment it’s uploaded:

✔ It automatically detects and cleans a wide range of malware before it has a chance to cause harm.
✔ For WordPress and Magento, it even scans the database, because malware isn’t just about files—it can hide in your content, too.
✔ It continuously updates with new threat signatures, ensuring that even the latest known malware doesn’t stand a chance.

It’s like having a bouncer who instantly kicks out anyone on a watchlist—the moment they step inside, they’re gone.

Step Two: Catching Sneaky Attacks in Real Time

But what about threats that haven’t been discovered yet?

Most security software works by matching threats to a known list of malware signatures. That’s useful—but it doesn’t stop brand-new attacks that haven’t been identified yet.

That’s where Proactive Defence steps in.

✔ It watches scripts in real time, blocking anything suspicious before it can execute.
✔ It doesn’t rely on known signatures—it can stop malware even if it’s brand new.
✔ It’s especially useful against stealthy, memory-based malware that doesn’t leave files behind but instead runs in memory to avoid detection.

Imagine a bouncer who doesn’t just check IDs at the door—they watch for suspicious behaviour inside the club. If someone is acting sketchy, they’re stopped before they cause trouble.

🛠️ Automated Patching & Security Updates

Firewalls, malware scanners, and real-time exploit protection do an incredible job—they block millions of attacks every single day. But here’s the truth: no security system is 100% infallible.

Why? Because security is an arms race.

Hackers don’t need to break down the front door if they can find a window left unlocked.

✔ A botnet with brand-new, unseen IPs can slip past firewalls before they’re flagged as malicious.
✔ A never-before-seen attack technique can bypass traditional malware detection.
✔ A new vulnerability in a popular plugin can open the door for attackers before anyone knows it exists.

We defend against the vast majority of attacks—but in security, it only takes one success. That’s why patching vulnerabilities before hackers can exploit them is absolutely critical.

Most hosting providers leave security updates in your hands—if you don’t update your software, you’re vulnerable.

We take a different approach.

We use Patchman, a system that automatically detects and patches vulnerabilities in:

✔ WordPress
✔ Joomla
✔ Drupal
✔ Other common CMS platforms

The best part? Patchman applies security fixes without forcing you to update everything immediately.

With most software, you either:

1️⃣ Update and risk breaking things, or
2️⃣ Hold off and stay vulnerable.

Patchman removes that dilemma by backporting security patches, meaning your site stays protected without the risk of compatibility issues.

Think of it like a vaccine—it protects you before you get infected.

But Not Everything Can Be Patched Automatically:

Patchman is one of the strongest proactive security measures available, but like any tool, it has limits.

✔ It focuses mainly on core CMS vulnerabilities—it can’t patch every app, every plugin, or every theme.
✔ It covers some widely-used plugins like WooCommerce, but not all third-party plugins themes, and it can’t patch your custom code.

That’s why some vulnerabilities still require you to keep your code up-to-date.

🔑 General Security Practices: How We Protect Your Account

Keeping your website safe isn’t just about stopping hackers—it’s about making sure only you have access to your account. Here’s how we protect your data at every level:

✔ Strong password enforcement for MyKualo and cPanel—no weak, short, or common passwords allowed.
✔ Compromised password detection—MyKualo automatically checks against known breaches and blocks leaked passwords.
✔ Email verification for unusual logins—if we detect an unusual login to MyKualo and 2FA isn’t enabled, you’ll need to verify via email.
✔ CMS weak password protection—Our firewalls block WordPress and other supported CMS platforms block login attempts with known weak credentials.
✔ Caller & Support Verification – When you call in we’ll verify your identity before discussing or making any account changes.
✔ Physical Security – Our data centres are restricted-access facilities with 24/7 monitoring, physical security, and redundant power and networking.

From login security to physical access, every layer of protection is covered.

But security works best when we work together—so let’s look at what you can do.

📝 Your Role in Security: What You Need to Do

We’ve covered everything we do to keep your site safe—firewalls, malware scanning, automated patching, strong password enforcement, and more.

But security isn’t just about what happens on our end—it’s also about what happens on yours.

A well-secured hosting environment can stop attacks, detect threats, and protect against known vulnerabilities—but if your own software is outdated, passwords are weak, or 2FA isn’t enabled, the risk increases dramatically.

So, let’s talk about your part in keeping your site locked down.

1️⃣ Keep Your Software Updated (And Regularly Audit Vulnerabilities)

✔ Update your CMS (WordPress, Joomla, Magento, etc.) regularly.
✔ Update plugins and themes—especially those flagged as vulnerable.
✔ Remove unused or abandoned plugins and themes.

Most website hacks happen because of outdated software. While Patchman automatically patches many vulnerabilities, it can’t patch everything. That’s why manual updates are still critical. You should build in a regular process to verify your software is up-to-date, and that you’re only using plugins or extensions that are actively developed and maintained

How to Stay Updated (Without the Hassle):

We know updates can feel like a chore, but we have built-in tools that make it easier:

✔ WP Toolkit’s Vulnerability Scanner – Flags plugins and themes with known security risks.
✔ Smart Updates– Allows safe testing of WordPress updates before applying them live, which can even be set to run automatically.
✔ Softaculous Updates – Helps you update other software, in some cases automatically.

And remember:

Just because there’s no update, it doesn’t mean it's safe.

One of the biggest security misconceptions is: “If there’s no update available, my plugin/theme must be secure.”

A plugin could have been banned from the WordPress repository or silently abandoned by its developer, meaning it’s no longer maintained—even if there’s no official update showing as available.

For WordPress, this is where WP Toolkit’s vulnerability scanning comes in. For other applications, you need to keep on top of security updates manually.

If you’re running outdated or unsupported software, it’s not a question of if an exploit will happen—it’s a question of when.

Staying up to date is one of the easiest and most effective ways to secure your site. The tools are there—use them.

2️⃣ Use Strong, Unique Passwords Everywhere

A password is like the lock on your front door. A good one keeps intruders out. A bad one—like "password123" — is the equivalent of leaving your key under the doormat with a note that says "Please don’t break in."

If your password is weak, reused, or (worse) already leaked in a data breach, they don’t even have to try. They just walk right in.

✔ Never reuse the same password across multiple sites.
✔ Use a password manager to store and generate secure passwords.
✔ Make sure passwords are at least 12+ characters long, using a mix of letters, numbers, and symbols.

All of this makes hacking way harder—but not impossible. Because if an attacker does get your password, the best security comes when it’s combined with the next step…

3️⃣ Enable Two-Factor Authentication (2FA) Everywhere You Can

If your password is the key to your house, 2FA is the deadbolt. Even if someone steals your key, they still can’t get in without you. To protect yourself, you should:

✔ 2FA adds an extra verification step, so even if a hacker has your password, they’re still locked out.
✔ You can enable it for cPanel and MyKualo, adding an extra layer of security to your hosting account.
✔ Many web applications, including WordPress, allow 2FA via plugins, giving you additional protection at the application level for your critical admin users.

It’s like having a keycard AND a retina scanner—just because someone stole your key doesn’t mean they get to waltz in.

Between strong passwords, automatic breach detection, and 2FA, we make sure your accounts are locked down—but it’s up to you to enable 2FA for the best security (if you haven’t done so yet, do it now!).

4️⃣ Audit & Clean Up Unused Software

✔ Remove any old or unused CMS installations (WordPress, Joomla, Magento, etc.).
✔ Delete staging sites or test installations if they’re no longer needed.
✔ Uninstall plugins and themes that aren’t actively used.

One of the biggest security risks isn’t just outdated software—it’s forgotten software.

🔹 You install a CMS to test it, then never use it.
🔹 You create a staging site but forget to update it.
🔹 You install a plugin “just to try it” and leave it there indefinitely.

Even if your main site is up to date, an abandoned CMS or plugin sitting in your account can still be exploited and impact your production website.

5️⃣ Control Who Has Access (And Lock Out Old Users)

✔ Remove old user accounts for former employees, developers, or freelancers.
✔ Limit admin access—only give permissions to those who truly need them.
✔ Use unique logins instead of re-using the same passwords.
✔ Use non-standard usernames instead of defaults such as ‘admin’.

One of the most overlooked security risks? People who no longer work with you still having access.

Maybe a developer set up your website three years ago, but their admin account is still active. Maybe a former employee’s email login still works. Maybe you shared a password with a freelancer once and never changed it afterward.

Every unused account is a potential weak link.

✔ Regularly review who has access to your hosting, CMS, and other critical tools.
✔ Limit admin privileges—most users don’t need full control.
✔ Use role-based permissions (e.g., Editors instead of Admins in WordPress).
✔ If someone leaves, remove their access immediately.

And please, for the love of security:

🚫 Don’t share passwords between team members!
🚫 Don’t use one admin account for everyone!
🚫 Don’t keep old, unused accounts active ‘just in case’!

How We Help With This:

✔ MyKualo allows you to manage sub-accounts with controlled access.
✔ cPanel lets you create separate FTP, email, and database users—no shared logins needed.
✔ WordPress and other CMS allows easy user management and role assignments.

Fewer accounts = fewer risks. A tight control on user access is one of the simplest, most effective ways to keep your site secure.

6️⃣ Back Up Your Site (Even Though We Do!)

Our backup system is incredibly robust, but no backup system is 100% infallible.

✔ Corrupt files, large database issues, or external failures can sometimes impact backup reliability.
✔ If a problem (like a compromise) isn’t caught quickly, older ‘clean’ backups may cycle out before an issue is noticed.

That’s why we strongly recommend keeping your own backups, too.

👉 For WordPress users, backup plugins like UpdraftPlus can create off-site copies.
👉 For any site, third-party tools like CodeGuard or DropMySite add extra protection.
👉 If you make site updates, manual snapshots using JetBackup are an extra safeguard to provide an immediate backup before you make changes.

The first rule of backups? You can never have too many backups. Our automated backups provide an easy recovery option, but having an additional safety net is always a smart move.

7️⃣ Scan Your Computer for Malware (Because Keyloggers Are a Thing)

Your website security is only as strong as the device you log in from. If your computer is compromised, attackers can steal your credentials the moment you type them in—even the strongest password won’t protect you from a keylogger.

✔ Run a full system scan with a reputable antivirus and anti-malware tool.
✔ Keep your operating system, browsers, and software updated—outdated software is a hacker’s playground.
✔ Avoid downloading "cracked" software—these often come bundled with malware.

💡 Mac users, this applies to you too! There’s a myth that macOS doesn’t get malware, but that’s far from true. Mac-targeted keyloggers and trojans exist, and security threats don’t discriminate based on operating system.

8️⃣ Check & Fix File Permissions (Don't Give Hackers Free Reign)

On a Linux file system, file permissions control who can read, write, or execute files on your account. If permissions are too loose, attackers can modify files, upload malicious scripts, or even delete everything.

By default file permissions in your hosting account are designed to be secure, but its possible for you or your developer to set custom permissions.

✔ Files should be set to 644 (only your user can modify them).
✔ Directories should be 755 (so scripts can run but not be modified by others).
✔ Never set permissions to 777—this is like leaving your front door wide open.

🔹 For WordPress users: WP Toolkit’s Security Measures can help automatically correct file permissions, along with other security hardening steps. If you haven’t enabled security measures in WP Toolkit, head over to our companion article.

9️⃣ Isolate Websites (Especially If You’re Not on Top of Updates)

Running multiple websites or applications from a single hosting account? That’s fine—as long as you’re religious about keeping them updated.

If you have 20 WordPress installations, each packed with plugins, and even a handful of them are outdated or vulnerable, you’re sitting on a ticking time bomb. The risk isn’t just multiplied—it’s exponential.

✔ Every outdated CMS, plugin, or theme is another unlocked door for hackers.
✔ If one site gets compromised, all sites within the same account are at risk.
✔ Hackers don’t care which door they get through—once inside, they’ll explore everything.

If you’re super disciplined about updates, and these are all your own sites, this might be a manageable risk. But let’s be real—if you know deep down that staying on top of updates isn’t your strong suit, don’t take the risk.

Instead:

✔ Host each website in its own cPanel account for isolation.
✔ Never host websites for third parties in your own account—if their site is vulnerable, it could take yours down too.
✔ If you must keep multiple sites in one account, make sure every single one is updated, secure, and unnecessary apps or test installations are deleted.

👉 Not sure when hosting multiple sites in one account is a good or bad idea? Check out our guide: When Are Addon Domains a Good or Bad Idea?

🎯 Final Thoughts: Security Works Best When We Work Together

We’ve built the firewalls, the malware scanners, the automated patching, and the real-time exploit blocking—but security isn’t just about having the best defences.

It’s about making sure there aren’t any weak points left open.

✅ We stop the vast majority of attacks—but it only takes one weak link to let an attacker in.

Follow these steps and you’ll make that one weak link almost impossible to find.