Namecheap WordPress Security Guide 2026 — 8 Fixes with Exact cPanel Steps

Namecheap WordPress Security — Plans and Built-In Protections

Plan | Price (ex-VAT) | Imunify360 | AutoSSL | JetBackup
Stellar (Basic) | £1.83/mo (renews £7.88/mo) | ✅ Included | ✅ Free | ❌ Not included
Stellar Plus | £2.90/mo (renews £10.74/mo) | ✅ Included | ✅ Free | ✅ Included
Stellar Business | £4.48/mo (renews £19.16/mo) | ✅ Included | ✅ Free | ✅ Included

All prices ex-VAT. UK customers add 20% at checkout. CodeGuard backups available as add-on: £1.66/mo ex-VAT.

Verdict: Namecheap includes Imunify360 malware scanning and free AutoSSL on all plans. The 8 fixes below run on top of these built-in protections. Complete all 8 in under an hour — no plugins required for most steps.


Why WordPress Sites Get Hacked

In 2025, WPScan’s vulnerability database logged over 5,400 new WordPress vulnerabilities — the vast majority in plugins, not WordPress core. The most common attack vectors on shared hosting:

  • Outdated plugins: working exploits often appear within days of a disclosure, and scanners then hit every site still running the vulnerable version
  • Weak or reused admin passwords: brute-forced, or credential-stuffed from leaked password lists
  • Loose file permissions: world-writable files and directories let injected code persist and spread
  • XML-RPC exposed: system.multicall lets one request test hundreds of passwords, and pingback.ping can be abused for reflection attacks
  • wp-login.php and wp-admin reachable from any IP: WordPress has no login throttling by default

Each fix below closes one or more of these vectors.


Fix 1: Change the Default wp_ Table Prefix

Where: WordPress install screen (Softaculous) or wp-config.php
cPanel path: cPanel → Softaculous Apps Installer → WordPress → Advanced Options → Table Prefix

The default WordPress table prefix is wp_, so automated SQL injection payloads that hard-code table names such as wp_users or wp_options fail against a renamed schema. Treat this as cheap defence in depth rather than a real barrier: an injection that can read information_schema, or that produces a visible database error, learns the real prefix in one query, and any file-read bug that exposes wp-config.php leaks it too. Updates (Fix 7) are what actually remove the injection.

During a new install: In Softaculous → WordPress → Advanced Options, change the Table Prefix field from wp_ to a random string like nc7k2_. Use 4–6 characters followed by an underscore.

On an existing site: Use the Brozzme DB Prefix & Tools Changer plugin, which renames all tables in one click and also rewrites the two places where the prefix is stored as data: the wp_user_roles row in the options table and the wp_capabilities / wp_user_level keys in usermeta. Renaming the tables without fixing those rows locks every user out with "You do not have sufficient permissions to access this page". Always take a full database backup first (cPanel → Backup Wizard → Databases), and if you do the rename by hand remember to update $table_prefix in wp-config.php as well.

Impact: Blind injection attempts aimed at wp_users fail because the table is now nc7k2_users, which filters out the least sophisticated automated traffic. This fix takes 30 seconds during installation and about 5 minutes on an existing site.
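For readers doing the rename by hand in phpMyAdmin or the mysql client, the script below is an added example (it is not from the guide or from the Brozzme plugin) that prints the SQL the plugin runs behind the scenes. The table names are passed in as arguments (list them with SHOW TABLES LIKE 'wp\_%' first); the prefix nc7k2_ and the three-table list in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example (not from the guide or the Brozzme plugin): print the SQL
# that changes a WordPress table prefix on an existing site. Review it,
# run it in phpMyAdmin or the mysql client after a database backup, then
# set $table_prefix in wp-config.php to the new value.
#
# Usage: prefix_sql OLD NEW TABLE...   (TABLE names must carry the OLD prefix)

prefix_sql() {
  old=$1; new=$2; shift 2
  # In LIKE patterns '_' is a one-character wildcard, so escape it.
  old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
  # Position at which the part of a name after the prefix starts (1-based).
  cut_at=$(( ${#old} + 1 ))

  for t in "$@"; do
    case "$t" in
      "$old"*) ;;
      *) printf 'ERROR: %s does not start with %s\n' "$t" "$old" >&2; return 1 ;;
    esac
    printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}"
  done

  # The prefix is also stored as data in two places; renaming the tables
  # alone leaves every user without a role ("You do not have sufficient
  # permissions to access this page").
  printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
    "$new" "$new" "$cut_at" "$old_like"
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" "$cut_at" "$old_like"
}

# Stand-alone run with a constructed table list (a real site has a dozen core
# tables plus whatever plugins add; take the list from SHOW TABLES), e.g.
#   sh prefix.sh wp_ nc7k2_ wp_users wp_usermeta wp_options wp_posts > migrate.sql
if [ "$#" -gt 0 ]; then prefix_sql "$@"; fi
```

Run the generated file inside a transaction where your MySQL version allows it, and keep the backup until the dashboard loads and every user can still log in.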


Fix 2: Enable SSL and Force HTTPS

Where: cPanel → SSL/TLS → AutoSSL
cPanel path: cPanel → Security → SSL/TLS → Manage AutoSSL

AutoSSL is free and automatic on all Namecheap shared hosting plans: cPanel requests a domain-validated certificate for each hostname on the account and renews it before it expires. But having a certificate installed is not the same as forcing HTTPS. Until you add a redirect, http:// links still serve the site in the clear, so you must do both.

Step 1 — Verify AutoSSL is active:

  1. Log in to cPanel
  2. Go to Security → SSL/TLS → Manage AutoSSL
  3. Confirm your domain is listed with a valid certificate whose expiry date is in the future. A domain shown with an error usually means its DNS does not yet point at the Namecheap server, so domain validation fails.

Step 2 — Force HTTPS in WordPress:

  1. In WordPress admin, go to Settings → General
  2. Change WordPress Address (URL) and Site Address (URL) from http:// to https://
  3. Click Save Changes

Step 3 — Add HTTPS redirect in .htaccess:

  1. In cPanel, go to Files → File Manager
  2. Navigate to your WordPress root folder (usually public_html)
  3. Click Settings (top right) and tick Show Hidden Files (.dotfiles)
  4. Right-click .htaccess → Edit
  5. Add these lines at the very top, above the # BEGIN WordPress comment block, so that WordPress rewriting its own block never overwrites them:
# Send every plain-HTTP request to the same path on HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Save. Your site now answers every http:// request with a 301 to the same path on https://, which also takes care of old cached and externally linked URLs. One caveat: if the domain sits behind a proxy or CDN that terminates TLS for you (Cloudflare in "Flexible" mode, for example), the server only ever sees plain HTTP, %{HTTPS} is always off, and this rule loops forever. In that setup test the X-Forwarded-Proto request header instead, or turn on the proxy's own "Always use HTTPS" option and leave the rewrite out.

Impact: Prevents cookie theft and content tampering by anyone on the network path (man-in-the-middle attacks on public Wi-Fi, for example). Google has counted HTTPS as a ranking signal since 2014, and HTTPS sites see ~5% lower bounce rate on average (Google, 2023 study).


Fix 3: Set Correct File Permissions

Where: cPanel → File Manager
cPanel path: cPanel → Files → File Manager → [your WordPress folder]

On cPanel hosts such as Namecheap, PHP runs under your own account user, so the "owner" in the table below is both you (through File Manager or SFTP) and WordPress itself. The bits that matter are the ones for everyone else: no other account on the shared server should be able to write to your files, and nobody but you should be able to read wp-config.php. Do not tighten ordinary files below 644, though: static files and .htaccess are read by the web server process, which runs as a different user, and would fail with 403 without the read bit for others. The correct permissions:

File type | Correct permission | What this means
All WordPress files | 644 | Owner can read/write. Everyone else can only read.
All WordPress directories | 755 | Owner can read/write/enter. Everyone else can list and enter, but not create or delete files.
wp-config.php | 600 or 640 | Only the owner (and, with 640, the group) can read the database password and salts. No other account on the server can.
.htaccess | 644 | Normal file permissions; the web server must be able to read it.

How to set permissions in bulk via cPanel:

  1. In File Manager, click your WordPress root folder (e.g. public_html) to select it but do not open it
  2. Click Permissions in the top menu
  3. Tick Recurse into subdirectories
  4. Select Only apply to files, set to 644, click Change Permissions
  5. Repeat — this time select Only apply to directories, set to 755, click Change Permissions
  6. Manually set wp-config.php to 600: right-click it → Permissions → set to 600
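The same reset from a shell, as an added example that is not part of the guide, for accounts with SSH enabled. It assumes the WordPress root is passed as the argument (for example ~/public_html) and that wp-config.php lives directly in it. audit_perms is the check to run afterwards and, from cron, to notice when something drops a 777 directory into wp-content/uploads.

```shell
#!/bin/sh
# Added example (not from the guide): the same permission reset as the
# File Manager steps, for accounts with SSH access. ROOT is the WordPress
# root, e.g. ~/public_html; wp-config.php is assumed to live directly in it.

# harden_perms ROOT: directories 755, files 644, wp-config.php 600.
harden_perms() {
  root=$1
  [ -d "$root" ] || { printf 'not a directory: %s\n' "$root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# audit_perms ROOT: print every path whose mode differs from the target and
# return non-zero if there is any. Useful before hardening (to see what a
# previous compromise left behind) and afterwards from cron.
audit_perms() {
  root=$1
  bad=$(
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -perm 644 ! -name wp-config.php
    find "$root" -maxdepth 1 -name wp-config.php -type f ! -perm 600
  )
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    printf 'deviations: %s\n' "$(printf '%s\n' "$bad" | grep -c '')"
    return 1
  fi
  echo 'deviations: 0'
}

# Stand-alone run: audit, fix, audit again.
if [ "$#" -gt 0 ]; then
  audit_perms "$1" || true
  harden_perms "$1"
  audit_perms "$1"
fi
```

Because PHP runs as your user, 755 directories remain writable by WordPress, so uploads and plugin installs keep working; what disappears is the group and world write bit that lets a neighbouring account, or a script it runs, touch your files.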

Impact: World-writable (777) files and directories let any process on the server, not just yours, plant or modify code, and most cPanel servers refuse to execute PHP from world-writable locations anyway (you get a 500 error). Resetting to 644/755 is the standard first step after a WordPress clean-up and stops re-infection through leftover writable directories. It does not stop a compromised plugin running as your own user from writing files; to close the in-dashboard version of that path, set the DISALLOW_FILE_EDIT constant to true in wp-config.php, which removes the theme and plugin code editors.


Fix 4: Password-Protect the wp-admin Directory

Where: cPanel → Directory Privacy
cPanel path: cPanel → Files → Directory Privacy

This adds HTTP Basic Authentication in front of /wp-admin/: anyone requesting a dashboard URL is prompted for a second username and password before WordPress even loads. One thing the cPanel tool does not cover: the login form itself is /wp-login.php in the site root, outside wp-admin, and that is the URL brute-force bots POST to. To gate the login page as well, copy the AuthType, AuthName, AuthUserFile and Require valid-user lines that Directory Privacy writes into wp-admin/.htaccess into a <Files wp-login.php> block in the root .htaccess, so both use the same password file.

  1. In cPanel, go to Files → Directory Privacy
  2. Navigate to your domain's document root (public_html) and find the wp-admin folder
  3. Click the pencil/edit icon next to wp-admin
  4. Tick Password protect this directory
  5. Enter a name (shown to visitors, e.g. “Admin Area”)
  6. Click Save
  7. Scroll down to Create User — add a username and strong password
  8. Click Save

Important exception: the public front end calls /wp-admin/admin-ajax.php (and some plugin forms post to /wp-admin/admin-post.php). Password-protecting the entire directory makes those requests return 401 and breaks every feature built on them. Directory Privacy has already written its AuthType and Require lines into the .htaccess file inside wp-admin/; add this exception to that same file (and repeat the <Files> block for admin-post.php if your plugins use it):

# Serve the web server's own 401 page; a custom error page would itself need auth
ErrorDocument 401 default
# Let admin-ajax.php through without credentials; everything else in wp-admin still prompts
<Files "admin-ajax.php">
  Order allow,deny
  Allow from all
  Satisfy any
</Files>

Impact: Bots that walk /wp-admin/ get a 401 from the web server before WordPress runs: no PHP, no database query, no lockout plugin needed. The login form itself is /wp-login.php in the site root, outside the protected directory, so password guessing there continues unless you apply the same Basic Auth directives to it with a <Files wp-login.php> block in the root .htaccess; either way, pair this fix with 2FA (Fix 6).


Fix 5: Disable XML-RPC

Where: cPanel → File Manager → .htaccess
cPanel path: cPanel → Files → File Manager → public_html → .htaccess (Edit)

XML-RPC (xmlrpc.php) is a legacy WordPress remote API. Its system.multicall method lets a single HTTP request bundle hundreds of wp.getUsersBlogs calls, each with a different password, so an attacker tests a whole credential list while your logs show one request; its pingback.ping method can be abused to make your server fire requests at third parties. The things that still depend on it are Jetpack's connection to WordPress.com and the WordPress mobile app talking to a self-hosted site; if you use neither, block it outright.

Add this block to your root .htaccess file (inside public_html), before the WordPress comment block:

# Disable XML-RPC
<Files xmlrpc.php>
  Order allow,deny
  Deny from all
</Files>

Save the file. Test: visit https://yourdomain.com/xmlrpc.php in a browser. You should see a 403 Forbidden error, not the XML-RPC description page.

Impact: XML-RPC brute force can make 500+ password guesses per minute from a handful of requests, below the radar of rate limiters that count requests rather than credentials. Blocking the file at the web-server level removes that path entirely. If you rely on Jetpack or the mobile app, do not block it: both still talk to xmlrpc.php, so keep the file reachable and throttle login failures with a plugin instead.
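Once the .htaccess changes from Fixes 2, 4 and 5 are in place, this added smoke test (not part of the guide) checks all of them from a terminal with curl. It assumes your domain is passed as the argument and that the site is reachable. The expected codes are 301 for the HTTP-to-HTTPS redirect, 401 for /wp-admin/, 403 for xmlrpc.php, and 400 for admin-ajax.php called with no action parameter, which is WordPress's own reply and so proves the request got past Basic Auth and reached PHP. FETCH is a hook for substituting another probe command when testing the script itself.

```shell
#!/bin/sh
# Added example (not from the guide): smoke test for the .htaccess rules from
# Fixes 2, 4 and 5. Usage: sh check-site.sh yourdomain.com
# Expected replies once everything is in place:
#   http://host/                          301 -> https://host/  (Fix 2)
#   https://host/wp-admin/                401                   (Fix 4, Basic Auth)
#   https://host/wp-admin/admin-ajax.php  400                   (Fix 4 exception:
#       WordPress answers "0"/400 to a request with no action parameter,
#       so the request got past Basic Auth and reached PHP)
#   https://host/xmlrpc.php               403                   (Fix 5)
# FETCH names the probe command; the default uses curl without following
# redirects and prints "<status> <redirect-target>".

FETCH=${FETCH:-curl_probe}

curl_probe() {
  curl -s -o /dev/null -m 15 -w '%{http_code} %{redirect_url}' "$1"
}

# check NAME URL WANT_STATUS [WANT_REDIRECT_PREFIX]
check() {
  name=$1; url=$2; want=$3; want_loc=${4:-}
  result=$("$FETCH" "$url") || result='000 '
  got=${result%% *}
  loc=${result#* }
  if [ "$got" != "$want" ]; then
    printf 'FAIL  %-30s %s -> %s (want %s)\n' "$name" "$url" "$got" "$want"
    return 1
  fi
  case "$loc" in
    "$want_loc"*) ;;
    *) printf 'FAIL  %-30s %s -> redirects to %s (want %s...)\n' "$name" "$url" "$loc" "$want_loc"; return 1 ;;
  esac
  printf 'ok    %-30s %s -> %s\n' "$name" "$url" "$got"
}

# verify_site HOST: run all four checks, return 0 only if every one passes.
verify_site() {
  host=$1; fails=0
  check 'redirect http->https (Fix 2)' "http://$host/" 301 "https://$host/" || fails=$((fails + 1))
  check 'wp-admin Basic Auth (Fix 4)' "https://$host/wp-admin/" 401 || fails=$((fails + 1))
  check 'admin-ajax.php exempt (Fix 4)' "https://$host/wp-admin/admin-ajax.php" 400 || fails=$((fails + 1))
  check 'xmlrpc.php blocked (Fix 5)' "https://$host/xmlrpc.php" 403 || fails=$((fails + 1))
  [ "$fails" -eq 0 ]
}

if [ "$#" -gt 0 ]; then verify_site "$1"; fi
```

A 401 on the admin-ajax.php line means the exception block is missing or sits in the wrong .htaccess; a 200 on the xmlrpc.php line means the Files block was added below the WordPress rewrite rules or to the wrong file.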


Fix 6: Enable Two-Factor Authentication on Admin Accounts

Where: WordPress Admin → Users → Profile → Two-Factor Options
Plugin required: Two Factor (wordpress.org/plugins/two-factor) — free, maintained by core WordPress contributors

  1. In WordPress admin, go to Plugins → Add New
  2. Search for “Two Factor” (by WordPress Contributors)
  3. Install and activate
  4. Go to Users → Profile
  5. Scroll to Two-Factor Options
  6. Enable Time Based One-Time Password (TOTP) — works with Google Authenticator, Authy, 1Password
  7. Scan the QR code with your authenticator app
  8. Enter a code to confirm, click Submit
  9. Repeat for every Administrator-level user

Impact: Even with a valid password, an attacker cannot complete a login without the current TOTP code, which shuts down credential stuffing and password spraying, the most common account-takeover methods in 2025/2026, for every account that has it enabled. Store the backup codes the plugin offers somewhere safe, and note that 2FA only guards the login form: application passwords (Users → Profile) and xmlrpc.php (Fix 5) authenticate separately.


Fix 7: Keep WordPress, Themes, and Plugins Updated

Where: WordPress Admin → Dashboard → Updates
cPanel path for auto-updates: cPanel → Softaculous → WordPress → Edit Installation → Auto Upgrade

The WPScan database shows that 97% of WordPress vulnerabilities have a patch available within 24 hours of disclosure. The attack window is the time between disclosure and your update.

Check that automatic core updates are on in WordPress:

  1. In WordPress admin, go to Dashboard → Updates
  2. Minor and security releases (for example 6.7.1 → 6.7.2) install themselves by default on every WordPress install since 3.7, so there is nothing to switch on unless a plugin, or a WP_AUTO_UPDATE_CORE / AUTOMATIC_UPDATER_DISABLED line in wp-config.php, has turned them off; the screen says so if they are disabled
  3. The link Enable automatic updates for all new versions of WordPress additionally auto-installs major releases (6.7 → 6.8); enable it unless a theme or plugin you depend on is known to lag behind major releases

Enable automatic updates via Softaculous as well (it covers WordPress core, with separate checkboxes for plugins and themes):

  1. In cPanel, open Softaculous
  2. Click WordPress → Edit Installation (pencil icon next to your install)
  3. Set Auto Upgrade to Minor version upgrades only (or to the latest version if you also want major releases applied)
  4. Tick Auto Upgrade WordPress Plugins and Auto Upgrade WordPress Themes if you want Softaculous to handle those too
  5. Save changes

For plugins and themes from inside WordPress: go to Plugins → Installed Plugins and click Enable auto-updates in the Automatic Updates column for each plugin (for themes, Appearance → Themes → open the theme → Enable auto-updates). WordPress 5.5 and later do this with core's own updater; no extra plugin is needed.

Impact: The average time between a vulnerability disclosure and mass exploitation is 48–72 hours. Automatic minor updates close this window without manual effort. Only avoid auto-updates for plugins with known compatibility issues — check your plugin’s changelog first.


Fix 8: Set Up Automated Backups

Where: cPanel → JetBackup (Stellar Plus/Business) or cPanel → Backup Wizard (all plans)
cPanel path: cPanel → Files → JetBackup 5 (if available) OR cPanel → Files → Backup Wizard

Security fixes prevent attacks — backups are your recovery plan when something still goes wrong. Namecheap shared hosting includes:

Plan | Backup included | Retention | Self-restore
Stellar (Basic) | Weekly server snapshot | 1 week | Via support ticket
Stellar Plus | JetBackup daily | 30 days | ✅ Self-service in cPanel
Stellar Business | JetBackup daily | 30 days | ✅ Self-service in cPanel

Manual backup on any plan:

  1. In cPanel, go to Files → Backup Wizard
  2. Click Back Up
  3. Under Partial Backups, click Home Directory — downloads a .tar.gz of all your files
  4. Then click MySQL Databases and click each database name to download a .sql.gz
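For accounts with SSH or cron access, this added example (not from the guide) does the same two downloads from a shell: a tarball of the files and a gzipped mysqldump, with the database credentials read out of wp-config.php so the password is never typed on the command line. It assumes tar and the mysqldump client are on the PATH and that the destination directory is outside public_html; run it from cron and sync the directory somewhere else for a cheap off-site copy.

```shell
#!/bin/sh
# Added example (not from the guide): scripted version of the manual backup
# for accounts with SSH or cron access. Usage: sh wp-backup.sh ~/public_html ~/backups
# Assumes tar and the mysqldump client are on the PATH and DEST is outside
# the web root. Database credentials are read from wp-config.php; the
# password reaches mysqldump through MYSQL_PWD so it never shows in `ps`.

# wp_config_get FILE NAME: print the value from define('NAME', 'value');
# (either quote style, optional spaces inside the parentheses).
wp_config_get() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\(.*\)['\"][[:space:]]*)[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# backup_site ROOT DEST: write files-<stamp>.tar.gz and db-<stamp>.sql.gz
# into DEST and print both paths. Returns non-zero if either step fails.
backup_site() {
  root=$1; dest=$2; cfg=$root/wp-config.php
  [ -r "$cfg" ] || { printf 'no readable wp-config.php in %s\n' "$root" >&2; return 1; }
  mkdir -p "$dest" || return 1
  stamp=$(date +%Y%m%d-%H%M%S)

  db=$(wp_config_get "$cfg" DB_NAME)
  user=$(wp_config_get "$cfg" DB_USER)
  pass=$(wp_config_get "$cfg" DB_PASSWORD)
  host=$(wp_config_get "$cfg" DB_HOST)   # may be "host:port"; keep the host part

  # Dump to a plain file first so a mysqldump failure is not hidden by gzip.
  MYSQL_PWD=$pass mysqldump --single-transaction --quick \
    -h "${host%%:*}" -u "$user" "$db" > "$dest/db-$stamp.sql" || return 1
  gzip -f "$dest/db-$stamp.sql"

  # Skip regenerable cache; uploads, themes, plugins and wp-config.php go in.
  tar --exclude='./wp-content/cache' -czf "$dest/files-$stamp.tar.gz" -C "$root" . || return 1

  # The archives contain the database password and the salts: owner-only.
  chmod 600 "$dest/files-$stamp.tar.gz" "$dest/db-$stamp.sql.gz"
  printf '%s\n%s\n' "$dest/files-$stamp.tar.gz" "$dest/db-$stamp.sql.gz"
}

if [ "$#" -eq 2 ]; then backup_site "$1" "$2"; fi
```

Restoring is the reverse: unpack the tarball into an empty document root, import the .sql.gz with gunzip -c piped into mysql, then reapply Fix 3 because tar preserves whatever permissions the files had when they were archived.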

Restore via JetBackup (Stellar Plus/Business):

  1. In cPanel, go to JetBackup 5
  2. Select Files or Databases
  3. Choose a restore point from the last 30 days
  4. Click Restore — typically completes in under 2 minutes

Off-site backup recommendation: For critical sites, add CodeGuard (£1.66/mo ex-VAT) from the Namecheap dashboard — it creates daily off-site copies so you can restore even if the server itself fails.

Impact: Without a working backup, a compromised site can mean hours of data loss or a complete rebuild. JetBackup on Stellar Plus gives you point-in-time restores to any of the last 30 days, something other hosts typically charge £5–£10/mo extra for. Test a restore once before you need it: a backup that has never been restored is an assumption, not a plan.


Security Checklist Summary

Fix | Where | Time | Difficulty
1. Change table prefix | Softaculous or wp-config.php | 2 min | Easy
2. Enable SSL + force HTTPS | cPanel AutoSSL + .htaccess | 5 min | Easy
3. Set file permissions 644/755 | cPanel File Manager | 5 min | Easy
4. Password-protect wp-admin | cPanel Directory Privacy | 5 min | Easy
5. Disable XML-RPC | cPanel .htaccess | 2 min | Easy
6. Enable 2FA on admin accounts | WordPress admin + plugin | 10 min | Easy
7. Enable automatic updates | WordPress admin + Softaculous | 5 min | Easy
8. Set up automated backups | cPanel JetBackup or Backup Wizard | 10 min | Easy

Frequently Asked Questions

Does Namecheap include a WordPress security scanner?

Yes. All Namecheap shared hosting plans include Imunify360 at the server level. Imunify360 scans files for malware automatically and quarantines infected files. You can view scan results in cPanel → Imunify360. This runs independently of any WordPress security plugin — it operates at the server level, not the application level.

Do I need a WordPress security plugin if I follow these 8 fixes?

The 8 fixes above cover transport encryption, file permissions, authentication, updates and backups. A security plugin adds what they do not: login-attempt logging and throttling (important because Basic Auth on /wp-admin/ does not cover /wp-login.php), firewall rules that block known exploit payloads, and file-integrity monitoring that flags modified core files. Wordfence Free is the most widely used option. With all 8 fixes plus Wordfence Free you cover the major attack vectors on shared hosting without any paid tools.

Will password-protecting wp-admin break WooCommerce?

Partly. WooCommerce sends most storefront requests (add-to-cart, cart fragments, checkout) to its own ?wc-ajax= endpoint rather than admin-ajax.php, but many themes, payment gateways and other plugins still post to /wp-admin/admin-ajax.php, and anything that does gets a 401 instead of a response, which typically shows up as a cart that never updates or a checkout that hangs. Keep the admin-ajax.php exception from Fix 4 in the .htaccess file inside wp-admin/ and run a complete test purchase after enabling the protection.

How do I check if Namecheap’s server-level firewall is active?

In cPanel, scroll down to the Security section. If you see an Imunify360 icon, the server firewall is active. You can click it to view recent blocked IPs and scan logs. If you do not see Imunify360, contact Namecheap support — it should be active on all shared hosting accounts.

What should I do if my WordPress site is already hacked?

First, take the site offline while you work. Renaming index.php is not enough, because a backdoor dropped as its own PHP file is still requested directly; instead add a temporary Deny from all (or Require all denied) to the root .htaccess with an exception for your own IP, or rename public_html and put a placeholder in its place. Then run an Imunify360 scan in cPanel and use its report to see which files were modified and when. Restore from a JetBackup point taken before the first modification, not simply the latest one, and immediately apply all pending updates (Fix 7), because the restore brings back the vulnerable version that let the attacker in. Whether you restore or clean by hand, rotate everything the attacker could have read: every WordPress user password, the database password in wp-config.php, the salts in wp-config.php (which invalidates all existing sessions) and any FTP or API keys. If no clean backup exists, use a clean-up service such as MalCare or contact Namecheap support, who can point to the server-level quarantine logs.
