Security on managed WordPress shouldn’t be a mystery or an upsell. Here’s the exact baseline we apply to every container before a site ever goes live — steal it for your own setup.
Isolation first
Every site runs in its own Docker container with its own filesystem, process space and resource limits. A compromise in one site can’t read or reach another — the single most important property a shared cPanel box can’t offer.
The firewall and WAF layer
ConfigServer Security & Firewall (CSF) sits at the host edge, and ModSecurity inspects HTTP traffic against a managed ruleset tuned for WordPress.
💡 Note
We keep WAF rules in “detect” mode for the first 48 hours on a new migration, then switch to “block” — so a plugin’s legitimate behaviour never gets caught as a false positive on day one.
Locking down WordPress itself
Disable file editing in the dashboard, enforce strong salts, and block PHP execution in uploads. The first takes one line in wp-config.php and closes the most common foothold:
define( 'DISALLOW_FILE_EDIT', true );
What you should check today
✓ Your 2-minute audit
- Is dashboard file editing disabled?
- Are backups stored off-site, not just on the same server?
- Is every admin account on a unique, strong password with 2FA?
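The three WordPress-level items from "Locking down WordPress itself" can be checked from a shell on the server. This script is an added example, not part of the original post or our tooling; the function names and the sample tree are made up for illustration, and it checks for PHP files present in uploads rather than the web server's execution rule. Backups and 2FA still need a manual look.

```shell
#!/bin/sh
# Added example (not from the original post). Limitation: matching is line-based,
# so a define() hidden inside a /* ... */ block comment is not detected.

# Succeeds if an uncommented define() sets DISALLOW_FILE_EDIT to true.
file_edit_disabled() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Prints each secret key/salt that is missing or still the stock placeholder.
weak_salts() {
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(grep -E "^[[:space:]]*define\([[:space:]]*['\"]$k['\"]" "$1" | head -n 1)
        case $line in
            ''|*'put your unique phrase here'*) echo "$k" ;;
        esac
    done
}

# Prints PHP-type files found under wp-content/uploads (there should be none).
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null
}

# Runs all three checks on the WordPress root in $1; exit status = failed checks.
audit_site() {
    fails=0
    file_edit_disabled "$1/wp-config.php" ||
        { echo "FAIL: dashboard file editing is not disabled"; fails=$((fails + 1)); }
    [ -z "$(weak_salts "$1/wp-config.php")" ] ||
        { echo "FAIL: missing or placeholder keys/salts"; fails=$((fails + 1)); }
    [ -z "$(php_in_uploads "$1")" ] ||
        { echo "FAIL: PHP files present in uploads"; fails=$((fails + 1)); }
    return "$fails"
}

# Demo on a constructed sample tree (not a real site): expects 2 failed checks.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads/2024"
printf '%s\n' "define( 'DISALLOW_FILE_EDIT', true );" \
    "define( 'AUTH_KEY', 'put your unique phrase here' );" > "$demo/wp-config.php"
: > "$demo/wp-content/uploads/2024/stray.php"
audit_site "$demo" || echo "$? check(s) failed"
rm -rf "$demo"
```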
