
Account Security Best Practices

Strong passwords, 2FA, software updates, limited access, regular backups, and a workable incident plan — the security checklist.

The vast majority of compromised hosting accounts come from a small number of preventable mistakes. Spend an hour going through this list once and you will be ahead of 95% of users.

1. Use strong, unique passwords everywhere

  • 16+ characters, generated by a password manager.
  • One password per account — never reuse.
  • Change any password that has been reused or leaked (check at haveibeenpwned.com).

2. Enable two-factor authentication

Turn it on for the Maxinames client area, cPanel, your email account, and your domain registrar if it is not Maxinames. See our Two-Factor Authentication article.

3. Keep software up to date

  • CMS, themes, plugins — set to auto-update where possible.
  • PHP version — use a currently supported version (8.2 or newer); switch via cPanel → Select PHP Version.
  • Server-side software — we handle the OS and web server updates on shared hosting; on a VPS it is your responsibility.

4. Limit access

  • Give each developer their own FTP user with restricted directory access.
  • Remove FTP/cPanel users when contractors finish their work.
  • Use sub-accounts (with limited roles) for accountants and team members rather than sharing the master login.

5. Back up regularly

  • Schedule at least one weekly backup (daily for active sites).
  • Store at least one copy off-site (S3, Backblaze, your own machine).
  • Test the restore process at least once — a backup you have never restored is not a backup.

6. Monitor for changes

  • Install a security plugin that alerts on file changes (Wordfence, iThemes Security).
  • Subscribe to your CMS security mailing list so you hear about critical updates fast.
  • Check Google Search Console weekly for security notices.
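
If you have shell access, the file-change alerting described above can also be done with a hash baseline. This is an added example, not a Maxinames tool; the script name and the paths passed to it are assumptions.

```python
import hashlib
import json
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        # Skip symlinks so a link pointing outside the web root is not followed.
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline, current):
    """Return files added, removed or modified since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def check(root, baseline_file):
    """Compare root against a saved baseline; create the baseline if missing."""
    # Keep baseline_file outside the web root (ideally off the server),
    # otherwise whoever can change your site can change the baseline too.
    baseline_file = Path(baseline_file)
    current = build_manifest(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2))
        return {"added": [], "removed": [], "modified": []}
    return diff_manifests(json.loads(baseline_file.read_text()), current)


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): python integrity_check.py <web root> <baseline.json>
    report = check(sys.argv[1], sys.argv[2])
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}: {p}")
    sys.exit(1 if any(report.values()) else 0)
```

Take the baseline right after a known-clean deploy or restore, and delete it to re-baseline after each legitimate update. Upload and cache directories change constantly, so point the script at code directories rather than the whole account.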

7. Reduce attack surface

  • Delete plugins and themes you no longer use — even inactive ones can be exploited.
  • Hide your CMS version number and admin URL where possible.
  • Restrict admin areas by IP if you always work from the same network.
  • Disable features you do not use (XML-RPC in WordPress, file editing from the dashboard).

8. Have an incident plan

Know what you would do if your site were compromised tomorrow:

  • Where is your most recent clean backup?
  • Who do you contact at your hosting provider?
  • How will you communicate with customers if email is affected?

Writing this down before an incident saves hours when an incident happens.
