If your small business website is running on shared hosting, the security of that server is shared between you and every other website on that machine. That is not a reason to panic, but it is a reason to check your settings. Most security problems on shared hosting are preventable with a few deliberate checks, and knowing what to look for is often the difference between a site that stays up and one that becomes a liability.
What shared hosting actually means for your security
Shared hosting puts your website on a server alongside dozens or hundreds of other sites. You all share the same operating system, web server software, and in many cases the same PHP environment. The hosting provider manages the server infrastructure, but you are responsible for how your website and its files are configured.
This matters because vulnerabilities on one site can sometimes affect others on the same server, and poor configuration on your end can open doors that should stay closed. A basic set of shared hosting security checks takes most business owners an afternoon, and it catches the issues that are most commonly exploited.
Start with PHP version awareness
PHP is the language most shared hosting accounts run on, and outdated PHP versions are one of the most common security gaps on small business websites. When PHP versions reach end-of-life, they stop receiving security patches. Running an unsupported version means any vulnerability discovered in that version is unpatched on your server.
You can check which PHP version your hosting account uses through cPanel. Look for the MultiPHP Manager or PHP Version icon. If you are managing this yourself, the official supported PHP versions page shows which releases currently receive security updates.
For most small business sites running WordPress or a custom PHP application, PHP 8.2 or 8.3 is the practical minimum in 2026. Older branches such as PHP 7.4 and 8.0 are end-of-life. If your host is still defaulting to PHP 7.x, that is a direct security risk and a reason to ask your provider to upgrade or to consider moving to a host that keeps pace.
Before upgrading PHP, check that your plugins, theme, and custom code are compatible. A PHP version upgrade can break sites that have not been maintained, so test in a staging environment first if your host provides one.
File manager and filesystem risks inside cPanel
The cPanel file manager gives you a browser-based way to browse, edit, and upload files on your hosting account. It is convenient, but it also creates risk if permissions are set loosely or if you access it over an insecure connection.
The most common file manager security problems include setting file permissions to 777, which makes files readable and writable by anyone on the server, and leaving the file manager accessible without understanding who else might have account credentials. Exposed configuration files such as wp-config.php for WordPress or a custom config.php are high-value targets because they often contain database credentials.
A practical check: log into cPanel and navigate to the file manager. Right-click on your website root directory and select Permissions. Directories should typically be 755 and files should be 644. If you see 777 on anything in your public HTML folder, fix it immediately. Settings that open write access to the world are one of the first things automated attackers look for.
FTP, SFTP, and why the protocol choice matters
Many small business owners connect to their hosting via FTP to upload files, manage backups, or make quick edits. Standard FTP sends your username and password in plain text across the network. If you are on an untrusted network, such as a public WiFi hotspot, those credentials can be intercepted.
SFTP, which stands for SSH File Transfer Protocol, encrypts the entire connection. Your credentials and files are not visible to anyone watching the network traffic. Most modern hosting accounts support SFTP, and enabling it usually means just changing the port in your FTP client from 21 to 22 and selecting the SFTP protocol.
If your hosting provider only offers FTP with no SFTP option, that is worth noting as a security concern and a reason to ask why. In practice, most UK shared hosting providers do support SFTP, and enabling it takes minutes.
Another practical step is to avoid sharing FTP credentials across multiple people or services. If a contractor needs temporary access, create a separate account with limited permissions and remove it when the work is done.
Backups: what most people get wrong
Most shared hosting accounts come with some form of backup, but relying solely on the host's automated backup is a risk many small businesses do not realise they are taking. Host backups are typically retained for a limited window, often seven to thirty days, and they are designed for the host's recovery needs, not necessarily yours.
A practical backup strategy for a small business site on shared hosting includes at least one off-server copy. This means downloading a copy of your website files and database to a local machine, a cloud storage service, or a different hosting account. If your hosting account is compromised, a backup on the same server may not help you.
Within cPanel, look for the Backup Wizard or Backup icon to initiate manual backups of your home directory and databases. If you are running WordPress, plugins such as UpdraftPlus or ManageWP can automate this process and store copies in Google Drive, Dropbox, or an S3 bucket.
Testing a restore from backup is the step most people skip. Backups are only useful if they actually work when you need them. Every few months, try restoring a backup to a staging location to confirm the process is solid and the files are complete.
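One way to confirm a restored copy is complete, as an added example that is not part of the original article: this Python script hashes every file in the live site and in the staging restore, then reports what is missing or different. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            sha = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    sha.update(chunk)
            digests[os.path.relpath(path, root)] = sha.hexdigest()
    return digests

def compare_restore(live_root, restored_root):
    """Report how a restored copy differs from the live site it was taken from."""
    live, restored = manifest(live_root), manifest(restored_root)
    shared = live.keys() & restored.keys()
    return {
        "missing_from_restore": sorted(live.keys() - restored.keys()),
        "only_in_restore": sorted(restored.keys() - live.keys()),
        "content_differs": sorted(p for p in shared if live[p] != restored[p]),
    }

def write_tree(files):
    """Write a constructed {relative_path: bytes} sample into a temp directory."""
    root = tempfile.mkdtemp()
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

def sample_report():
    """Constructed case: the restore lost the uploads folder and truncated a file."""
    live = write_tree({"index.php": b"<?php echo 'home';",
                       "wp-config.php": b"<?php // settings",
                       "uploads/logo.png": b"\x89PNG constructed bytes"})
    restored = write_tree({"index.php": b"<?php echo 'home';",
                           "wp-config.php": b"<?php // sett"})
    return compare_restore(live, restored)

if __name__ == "__main__":
    for kind, paths in sample_report().items():
        print(kind, paths)
```

Files edited on the live site after the backup was taken also show up under `content_differs`, so the comparison is most useful when run shortly after a backup.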
Email accounts, DNS records, and the accounts that tie everything together
Shared hosting accounts typically include email hosting, and email accounts tied to your domain are often less protected than the main website. Weak email passwords, unencrypted IMAP or POP connections, and phishing targeting the hosting account login are all common attack vectors that lead to website compromise.
Check that your email accounts use strong, unique passwords and that your email client connects via IMAPS (port 993) for incoming mail and SMTPS (port 465) for outgoing mail rather than plain IMAP or SMTP. If your hosting provider offers two-factor authentication for cPanel, enable it. The cPanel account is the master key to your hosting, and protecting it protects everything below it.
DNS records are easy to overlook. If someone can access your DNS settings, they can redirect your domain to a different server, intercept your email, or issue SSL certificates in your name. Check that your hosting account uses a strong password and that any third-party DNS management tools are also secured. If your domain registrar and your hosting account use the same password or the same recovery email, a single breach can compromise both.
Malware scanning tools available on shared hosting
cPanel includes security tools that many small business owners never open. The Security Advisor in cPanel reviews your account settings against common misconfigurations and flags issues. According to the cPanel security advisor documentation, this tool checks for open ports, out-of-date software, weak passwords, and other configuration problems. Running a Security Advisor check and reviewing the results is one of the fastest ways to get an overview of your account's current security posture.
Beyond the built-in tools, consider running a malware scan on your website files. Many hosts provide ImunifyAV or ClamAV integrations within cPanel. These scan your files for known malicious patterns. If you manage a WordPress site, Wordfence or Sucuri offer file scanning plugins that compare your core files, plugins, and themes against known malware signatures.
Scanning is not the same as preventing. A malware scanner finds problems after they exist. The goal is to find them quickly and clean them before they cause lasting damage. Regular scans, combined with prompt updates, catch most compromises before they spread.
File permissions and directory browsing
File permissions control who can read, write, and execute files on your hosting account. The numeric system (such as 644 or 755) maps directly to permission sets for the file owner, the owner's group, and everyone else.
On shared hosting, loose permissions are a common entry point. A file set to 777 can be written to by any script running on the server, including malicious scripts planted by an attacker who found a different vulnerability. Fixing this means reviewing permissions on your web root, subdirectories, and individual files.
Directory browsing is another setting that is easy to overlook. When directory browsing is enabled, anyone can navigate to a folder on your server and see a list of files if there is no index file present. This does not give them the file contents directly, but it reveals your server's structure and can expose files you did not intend to make visible. In cPanel, look under Index Manager in the Advanced section to control this per-directory.
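The 755/644 check from the file manager section and the directory browsing check above, as an added example that is not part of the original article: this Python script walks a web root and lists anything world-writable, anything looser than the expected mode, and any folder with no index file. The index file names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

INDEX_NAMES = {"index.php", "index.html", "index.htm"}  # assumed index file names

def audit_tree(root):
    """Return sorted (relative_path, octal_mode, issue) findings under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Directories are expected to be 755, files 644 (the values given above).
        entries = [(dirpath, 0o755)]
        entries += [(os.path.join(dirpath, f), 0o644) for f in filenames]
        for path, expected in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "%o" % mode, "world-writable"))
            elif mode & ~expected:
                findings.append((rel, "%o" % mode, "looser than %o" % expected))
        # With no index file, the folder is listed if directory browsing is on.
        if not INDEX_NAMES.intersection(filenames):
            findings.append((os.path.relpath(dirpath, root), "-", "no index file"))
    return sorted(findings)

def build_sample_site():
    """Create a constructed web root in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="public_html_")
    layout = {  # relative path -> mode (constructed sample data)
        "index.php": 0o644,
        "wp-config.php": 0o666,
        "uploads/photo.jpg": 0o644,
        "cache/index.html": 0o664,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    os.chmod(os.path.join(root, "cache"), 0o755)
    return root

if __name__ == "__main__":
    for rel, mode, issue in audit_tree(build_sample_site()):
        print(f"{mode:>4}  {rel}  ({issue})")
```

Point `audit_tree` at a downloaded copy of the site or at the web root from a host terminal; modes stricter than 755/644, such as 600 on a config file, are not reported.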
Understanding what your hosting provider does and does not cover
Shared hosting support boundaries are not always clearly explained, and that confusion causes real problems. Most shared hosting providers will reset your account password, restart a service, or restore a backup they hold. They typically will not audit your code for vulnerabilities, clean malware off your site, or fix a compromised theme you installed.
When a shared hosting account is flagged for distributing malware, providers often suspend the site without detailed explanation. Understanding what your host covers and what falls on you means reading the acceptable use policy, knowing what their support team will actually do, and having a plan for the gaps.
For a small UK business, this means knowing whether your website maintenance is handled internally or by a contractor. If something goes wrong and the hosting provider suspends the account, can you respond quickly enough to minimise business disruption? This is where having a maintenance contact, whether that is N. Cristea or another technical resource, makes a practical difference.
Common mistakes that create avoidable risk
Some security issues appear repeatedly across shared hosting accounts. These are worth checking even if nothing appears to be wrong.
- Using the same password across multiple services: If your hosting account password is the same as your email password or your domain registrar password, a breach of one becomes a breach of all.
- Leaving staging environments accessible: Development or staging subdomains on the same account may not have the same security settings as the production site. Test environments often have weaker passwords and outdated software.
- Not updating CMS, plugins, and themes: Outdated WordPress, Joomla, or custom PHP applications are a leading cause of website compromises on shared hosting. If your hosting account does not offer automated updates, set a reminder to check manually.
- Ignoring SSL certificate warnings: An expired or misconfigured SSL certificate on shared hosting can sometimes indicate a deeper configuration problem. If visitors see certificate warnings on your site, investigate rather than dismissing them.
- Granting unnecessary admin access: Temporary accounts for developers or agencies should be removed when the work is complete. An account that remains active long after the project ended is an unmanaged risk.
When to run these checks yourself and when to ask for help
If you are comfortable navigating cPanel, checking PHP versions, reviewing file permissions, and verifying DNS settings are tasks most technically confident small business owners can handle. There are good references available, and the checks are systematic.
If you find something you are not sure how to interpret, if the Security Advisor flags serious issues, or if your site has already shown signs of compromise such as unexpected redirects, unknown files, or search console warnings, that is when professional help makes sense. Trying to clean a compromised site without understanding the full scope can leave residual access for an attacker.
If your business relies on your website for enquiries, bookings, or sales, a periodic security review is worth building into your maintenance routine. The checks described here take under an hour on a typical shared hosting account and catch the majority of issues that lead to problems.