Security should be a top priority from the very first moment your hosting account is activated. Cyber threats target websites of all sizes, and businesses in Tanzania are not exempt. A compromised website can lead to data theft, loss of customer trust, search engine penalties, and significant business disruption. This guide outlines the essential security measures every SakuraHost customer should implement immediately after setting up their hosting account.

1. Secure Your SakuraHost Client Area Account

Enable Two-Factor Authentication (2FA)

Two-factor authentication adds a second layer of security beyond your password. Even if someone obtains your password, they cannot access your account without the second factor.

How to Enable 2FA:
  1. Log in to your SakuraHost client area.
  2. Click your name in the top-right corner and select Security Settings.
  3. Click Enable Two-Factor Authentication.
  4. Scan the QR code with an authenticator app such as Google Authenticator, Authy, or Microsoft Authenticator on your smartphone.
  5. Enter the 6-digit code from your app to verify and activate 2FA.

Use a Strong, Unique Password

Your client area password should be at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters. Do not reuse passwords from other websites. Use a password manager like Bitwarden to generate and store strong passwords securely.

2. Secure Your cPanel Account

Change the Default cPanel Password

If you received your cPanel password via email, change it immediately. Email is not a secure channel for storing sensitive credentials.

To change your cPanel password:
  1. Log in to cPanel (see How to Access cPanel for the First Time).
  2. Navigate to Preferences > Password & Security (or search for "password" in the cPanel search bar).
  3. Enter your current password and set a new, strong password.
  4. Click Change your password now.

Enable cPanel Two-Factor Authentication

cPanel also supports 2FA independently of your client area. Navigate to Security > Two-Factor Authentication in cPanel and follow the setup process. This protects direct cPanel logins (via port 2083).

3. Install and Verify SSL Certificates

SSL certificates encrypt data transmitted between your visitors' browsers and your server, protecting sensitive information like login credentials, personal data, and payment details. Google also uses HTTPS as a ranking signal, so SSL directly impacts your search visibility.

Verify AutoSSL is Active:
  1. In cPanel, navigate to Security > SSL/TLS Status.
  2. You should see green padlock icons next to your domain and subdomains.
  3. If any domain shows a red icon, click "Run AutoSSL" to trigger certificate provisioning.
  4. AutoSSL uses Let's Encrypt to provide free, automatically renewable SSL certificates.

Force HTTPS: After SSL is active, force all traffic to use HTTPS. In cPanel, go to Domains, find your domain, and toggle "Force HTTPS Redirect" to ON. For WordPress sites, also update Settings > General to use https:// in both the WordPress Address and Site Address fields.

4. WordPress-Specific Security Measures

If you installed WordPress (as recommended in Setting Up Your First Website on SakuraHost), these additional steps are critical:

Keep WordPress Core, Themes, and Plugins Updated

Outdated software is the number one cause of website hacking. In your WordPress admin dashboard:

  • Go to Dashboard > Updates regularly.
  • Enable automatic updates for minor WordPress releases.
  • Update all plugins and themes promptly when updates are available.
  • Remove any inactive themes and plugins — they can still be exploited even when deactivated.

Install a Security Plugin

Install one of these recommended security plugins:

  • Wordfence Security — Comprehensive firewall, malware scanner, and login security.
  • Sucuri Security — Website integrity monitoring, malware scanning, and hardening.
  • iThemes Security — Brute force protection, file change detection, and 2FA for WordPress.

Secure the WordPress Login Page

  • Change the admin username — If you used "admin" during installation, create a new administrator account with a unique username and delete the "admin" account.
  • Limit login attempts — Use your security plugin to limit failed login attempts and block brute force attacks.
  • Add 2FA to WordPress — Plugins like Wordfence include two-factor authentication for WordPress logins.

Disable XML-RPC (If Not Needed)

XML-RPC is a WordPress feature that can be exploited for brute force and DDoS attacks. If you do not use the WordPress mobile app or Jetpack, disable it by adding this to your .htaccess file:

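# Block XML-RPC (Require is the Apache 2.4 directive; Order/Deny covers Apache 2.2)
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</Files>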
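To confirm the rule is working and to see who is hammering the login endpoints, the access log can be summarised per client. The following is an added example, not SakuraHost or WordPress code; it assumes Apache's combined log format, and the function name summarize, the threshold and the sample lines are made up for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
WATCHED = ("/xmlrpc.php", "/wp-login.php")


def summarize(lines, threshold=3):
    """Return (noisy, xmlrpc_not_blocked) for an iterable of access-log lines.

    noisy: {ip: POST count} for clients with >= threshold POSTs to WATCHED paths.
    xmlrpc_not_blocked: xmlrpc.php requests answered with anything other than 403,
    i.e. requests the .htaccess rule did not stop.
    """
    posts = Counter()
    not_blocked = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]
        if not path.endswith(WATCHED):
            continue
        if m["method"] == "POST":
            posts[m["ip"]] += 1
        if path.endswith("/xmlrpc.php") and m["status"] != "403":
            not_blocked += 1
    noisy = {ip: n for ip, n in posts.items() if n >= threshold}
    return noisy, not_blocked


def _line(ip, method, path, status):
    # Build one constructed log line (documentation IP ranges, not real traffic).
    return f'{ip} - - [10/Mar/2025:10:00:00 +0300] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'


SAMPLE = (
    [_line("203.0.113.7", "POST", "/xmlrpc.php", 403)] * 3
    + [_line("198.51.100.20", "POST", "/xmlrpc.php", 200)]
    + [_line("198.51.100.9", "POST", "/wp-login.php", 200)]
    + [_line("192.0.2.5", "GET", "/index.php", 200)]
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A non-zero second value after the .htaccess change means some xmlrpc.php requests are still being served, for example because WordPress lives in a directory the rule does not cover.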

5. Set Up Regular Backups

Backups are your insurance policy against data loss, hacking, and accidental errors. SakuraHost provides backup tools in cPanel, but we recommend a multi-layered approach:

cPanel Backups

In cPanel, go to Files > Backup Wizard to create full or partial backups of your account. Download these to your local computer periodically.

WordPress Backup Plugins

Install UpdraftPlus to schedule automatic backups. Configure it to back up daily (files) and weekly (database), storing backups on a remote service like Google Drive or Dropbox. This ensures your backups are safe even if the server is compromised.

Critical Rule: Never store backups only on the same server as your website. If the server fails or is compromised, you lose both your website and your backups. Always maintain at least one off-server copy.

6. Secure Email Configuration

Email security protects your business communications and prevents your domain from being used for spam:

SPF Record

An SPF (Sender Policy Framework) record tells email servers which IPs are authorized to send email for your domain. In cPanel's Zone Editor, add a TXT record:

v=spf1 +a +mx +ip4:[your-server-ip] ~all

DKIM Signing

DomainKeys Identified Mail (DKIM) adds a digital signature to your outgoing emails. In cPanel, go to Email > Authentication and enable DKIM. The key will be generated automatically.

DMARC Policy

DMARC combines SPF and DKIM to prevent email spoofing. Add a TXT record for _dmarc.yourdomain.co.tz:

v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.co.tz

For a deeper understanding of email authentication, the Google Workspace email authentication guide explains SPF, DKIM, and DMARC in detail.
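Before saving the SPF and DMARC values in the Zone Editor, they can be checked for the mistakes that most often break them, such as leaving the [your-server-ip] placeholder in place. This is an added example, not cPanel or SakuraHost code; the function names lint_spf and lint_dmarc are made up for illustration and 192.0.2.10 is a documentation address standing in for your server IP.

```python
import ipaddress


def lint_spf(record):
    """Return a list of problems in one SPF TXT value (empty list = none found)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    problems = []
    for term in terms[1:]:
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.IPv4Network if name.lower() == "ip4" else ipaddress.IPv6Network
            try:
                net(value, strict=False)
            except ValueError:  # also catches an unfilled template placeholder
                problems.append(f"{name} value is not an address: {value!r}")
    last = terms[-1].lower()
    if last.lstrip("+-~?") != "all" and not last.startswith("redirect="):
        problems.append("record does not end with an 'all' mechanism")
    elif last[0] in "+?a":  # a bare "all" means "+all"
        problems.append("'all' does not fail or soft-fail unlisted senders")
    return problems


def lint_dmarc(record):
    """Return a list of problems in one DMARC TXT value (empty list = none found)."""
    pairs = [p.strip().split("=", 1) for p in record.split(";") if p.strip()]
    if not pairs or any(len(p) != 2 for p in pairs):
        return ["malformed record: expected tag=value pairs separated by ';'"]
    if pairs[0][0].strip().lower() != "v" or pairs[0][1].strip() != "DMARC1":
        return ["not a DMARC record: first tag must be v=DMARC1"]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    problems, policy = [], tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid p= policy")
    elif policy == "none":
        problems.append("p=none is monitoring only: no action is requested on failures")
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        problems.append("no rua= address: aggregate reports will not be sent")
    elif not all(u.lower().startswith("mailto:") for u in uris):
        problems.append("rua= entries should be mailto: URIs")
    return problems


# Constructed samples: the guide's templates, one with the placeholder filled in.
SPF_TEMPLATE = "v=spf1 +a +mx +ip4:[your-server-ip] ~all"
SPF_FILLED = "v=spf1 +a +mx +ip4:192.0.2.10 ~all"
DMARC_SAMPLE = "v=DMARC1; p=quarantine; rua=mailto:admin@yourdomain.co.tz"
```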

7. Additional Security Best Practices

  • Use strong passwords everywhere — cPanel, FTP accounts, database users, email accounts, and CMS admin accounts should all have unique, strong passwords.
  • Disable directory browsing — Add Options -Indexes to your .htaccess file to prevent visitors from listing directory contents.
  • Set correct file permissions — Directories should be 755, files should be 644. Configuration files (like wp-config.php) should be 600 or 640.
  • Monitor access logs — Check cPanel's Metrics > Visitors and Errors logs regularly for suspicious activity.
  • Remove unused accounts — Delete FTP accounts, email accounts, and database users that are no longer in use.
  • Keep PHP updated — Use the latest stable PHP version supported by your applications. In cPanel, go to MultiPHP Manager to change your PHP version.
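The file-permission rule above (755 for directories, 644 for files, 600 or 640 for wp-config.php) can be checked across a whole site in one pass. This is an added example, not a SakuraHost or cPanel tool; the function names are made up for illustration, and it assumes a POSIX file system and that the site lives under ~/public_html.

```python
import os
import stat


def expected_modes(path, is_dir):
    """Modes the guide recommends: 755 dirs, 644 files, 600/640 for wp-config.php."""
    if is_dir:
        return {0o755}
    if os.path.basename(path) == "wp-config.php":
        return {0o600, 0o640}
    return {0o644}


def audit_permissions(root):
    """Walk `root`; return sorted (relative_path, actual, expected, world_writable)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            allowed = expected_modes(full, stat.S_ISDIR(st.st_mode))
            if mode not in allowed:
                findings.append((
                    os.path.relpath(full, root),
                    oct(mode)[2:],
                    "/".join(sorted(oct(m)[2:] for m in allowed)),
                    bool(mode & 0o002),  # any other account on the server can write
                ))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_permissions(os.path.expanduser("~/public_html")):
        print(*finding)
```

Entries with the last field set to True are the ones to fix first, since on shared hosting a world-writable file or directory can be modified by other accounts on the same server.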

Security Monitoring and Response

Even with all precautions, no system is 100% immune to attack. If you notice any of the following signs, take immediate action:

  • Unexpected changes to your website content or appearance
  • Unknown files or directories in your public_html folder
  • Unusual spikes in bandwidth or resource usage
  • Google Search Console warnings about malware or hacking
  • Customer complaints about spam emails from your domain
  • Inability to log in to your accounts

If you suspect a security breach, immediately submit a high-priority support ticket to our technical team. Change all passwords, and restore from a known clean backup if available. Read SakuraHost Support: How to Get Help and Submit Tickets for guidance on reaching our team quickly.
