How to Secure Your Website (Hosting Security, WordPress, 2FA & Backups)

Secure and Back Up Your Website (WordPress & Hosting)

A website is only as secure as the measures in place to protect it. Whether you are using shared hosting, a VPS, a dedicated server, managed WordPress hosting, or a self-hosted environment, the same core security principles still apply.

In this guide, we’ll focus on practical and widely applicable methods to improve WordPress security, while also covering hosting-level protection and backup strategies that work across almost any setup.

In our examples, we will use Virtualmin as the hosting control panel. Virtualmin is a free and open-source alternative to commercial systems like cPanel, making it a strong option for small websites, developers, and self-hosted environments.

The techniques covered here are not limited to Virtualmin — they apply broadly to most hosting platforms — but Virtualmin will be used where hosting-level examples are needed.

This guide also explains how to create reliable backups so your website can be restored quickly if anything goes wrong.

Stage 1 — Understanding Website Security

Website security should be approached in layers. No single plugin or service can provide complete protection.

A typical security setup may include:

• A hosting firewall or server firewall
• SSL certificates
• Strong passwords
• Two-Factor Authentication (2FA)
• Security monitoring
• Regular backups

Each layer helps reduce risk and improve recovery options if something goes wrong.

Stage 2 — Installing Wordfence

Wordfence is one of the most widely used WordPress security plugins. Unlike a traditional firewall that operates at the server or network level (typically filtering traffic before it reaches your website), Wordfence works at the application level inside WordPress itself. This means it provides Layer 7 protection, inspecting requests after they reach WordPress and analysing them for suspicious behaviour, such as:

• Brute-force login attempts
• Malicious requests targeting plugins or themes
• Known exploit patterns in WordPress core files
• Suspicious file changes or injections

Because it runs inside WordPress, Wordfence has visibility into the structure of the site itself — something a basic server firewall cannot see.

In practice, this creates a second layer of protection:

• Server firewall → blocks general network-level threats
• Wordfence → protects WordPress-specific behaviour and attacks

Using both together provides a more complete security setup than relying on either one alone.

Stage 3 — Enable Two-Factor Authentication (2FA)

2FA is strongly recommended not only for WordPress, but for any important online accounts where it is available — including email, hosting providers, banking, cloud storage, and social media. Enabling it across your key accounts significantly reduces the risk of account compromise from reused or leaked passwords.

Passwords can be guessed, leaked, or reused across multiple websites.

Two-Factor Authentication adds a second layer of protection by requiring a verification code from an authenticator app when logging in.

Even if someone obtains your password, they should not be able to access your account without the second authentication factor.

Setting up 2FA in Wordfence

To enable Two-Factor Authentication in Wordfence:

• Go to Wordfence → Login Security
• Scan the QR code using your authenticator app (such as Google Authenticator, Authy, or similar)
• Enter the generated code to confirm setup

Once activated, make sure you also:

• Download and securely store your recovery codes (for example in a secure folder or encrypted storage such as Dropbox)
• Go to All Options → Login Security Options
• Enable 30-day “Remember Me” for trusted devices
• Enable Force 2FA login to ensure all admin logins require authentication

Setting up 2FA in Webmin / Virtualmin

Webmin also supports Two-Factor Authentication for admin logins.

To enable it:

• Log in to Webmin as an administrator
• Go to Webmin Configuration → Two-Factor Authentication
• Enable Two-Factor Authentication
• Scan the QR code using your authenticator app
• Enter the verification code to confirm setup

Once enabled:

• Store your backup / recovery codes safely
• Test logging out and back in to confirm it works
• Ensure you still have console or physical access in case of lockout

Why you should do this

These settings ensure that even if login credentials are compromised, access to both your WordPress dashboard and your server control panel remains protected by a second authentication factor.

Stage 4 — Remember Trusted Devices

Quicker login access for 2FA

If you are the primary administrator of the website, Wordfence allows trusted devices to be remembered for up to 30 days.
This reduces the number of times you need to enter a verification code while still maintaining strong account security.

Stage 5 — Keep WordPress Updated

The fewer plugins you run, the better: there is less to keep updated and less to go wrong.

WordPress core, plugins, and themes should be updated regularly.

Many website compromises occur because outdated software contains known vulnerabilities that have already been fixed in newer versions.

Regular updates remain one of the most effective security measures available.

Stage 6 — Why Backups Matter

Security and backups work hand in hand.

Even a secure website can experience:

• Failed updates
• Human error
• Hosting issues
• Server failures
• Corrupted files
• Malware infections

Having a recent backup can dramatically reduce recovery time.

After finishing this post, I will be launching a new backup!

Stage 7 — Backing Up with Your Hosting Platform

Many hosting providers include backup tools.

Virtualmin users can create complete backups of:
• Website files
• Databases
• Email accounts
• Domain settings

Other hosting providers may offer similar backup systems through cPanel, Plesk, DirectAdmin, or their own custom control panels.

In Virtualmin, backups are handled directly through the control panel, making it a simple and reliable way to protect your entire hosting environment.

To create a manual backup, go to **Virtualmin → Backup & Restore → Backup Virtual Servers**.

If you are managing more than one domain, you can select the specific domain you want to back up.

For a full backup, select:
• All features to backup
• All global server settings

For the destination, choose **Download (via browser)** and start the backup process.

Once the file is generated, save it locally on your computer and then upload a copy to cloud storage such as Dropbox.

This creates multiple backup locations:
• Local copy on your PC
• Cloud copy stored off-site

In practice, the process only takes a few minutes, but it provides a complete snapshot of your website, including files, databases, email configuration, and server settings.

Having both local and cloud backups significantly improves recovery options if anything goes wrong.
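Two copies only help if both are intact. The script below is an added example, not part of Virtualmin: it records a SHA-256 hash when the backup is downloaded and later checks any copy against it. It assumes a gzip-compressed tar archive and GNU `sha256sum`; the file name `yourdomain.com.tar.gz` and the helper function names are placeholders.

```shell
#!/bin/sh
# Added example. Assumes GNU sha256sum (on macOS use `shasum -a 256`) and a
# gzip-compressed tar backup; the file name yourdomain.com.tar.gz is a placeholder.

# record_backup FILE: write FILE.sha256 beside the freshly downloaded backup.
record_backup() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# verify_copy COPY MANIFEST: succeed only if COPY has the recorded hash AND
# is a readable archive. The hash catches a copy damaged in upload or sync;
# the archive test catches a download that was already truncated when hashed.
verify_copy() {
    copy=$1
    manifest=$2
    want=$(cut -d' ' -f1 "$manifest")
    have=$(sha256sum "$copy" | cut -d' ' -f1)
    [ "$want" = "$have" ] || { echo "hash mismatch: $copy" >&2; return 1; }
    gzip -t "$copy" 2>/dev/null || { echo "corrupt gzip stream: $copy" >&2; return 1; }
    tar -tzf "$copy" >/dev/null 2>&1 || { echo "unreadable tar: $copy" >&2; return 1; }
}

# make_sample_backup DIR: build a small constructed archive to practise on.
make_sample_backup() {
    mkdir -p "$1/src"
    echo 'constructed sample file' > "$1/src/index.php"
    tar -czf "$1/yourdomain.com.tar.gz" -C "$1/src" .
}

# Demo: the local download and a simulated cloud-synced copy.
work=$(mktemp -d)
make_sample_backup "$work"
record_backup "$work/yourdomain.com.tar.gz"
cp "$work/yourdomain.com.tar.gz" "$work/cloud-copy.tar.gz"
verify_copy "$work/cloud-copy.tar.gz" "$work/yourdomain.com.tar.gz.sha256" \
    && echo "off-site copy matches the local backup"
rm -rf "$work"
```

Keep the `.sha256` file alongside every copy so the check can be repeated before any restore.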

Stage 8 — Store Backups Off-Site

Backups should not only exist on the server being protected.

Whenever possible, keep a copy somewhere else such as:
• Dropbox
• OneDrive
• Google Drive
• External storage
• NAS devices

If the server fails completely, an off-site backup may be the only available recovery option.

For many users, cloud storage services such as OneDrive, Google Drive, or Dropbox provide a simple and affordable solution. If you already subscribe to Microsoft 365, OneDrive storage is often included as part of your subscription and can be an excellent location for storing website backups.

In a future tutorial, I'll also be exploring how to build a low-cost self-hosted backup solution using Nextcloud. This can provide an alternative to commercial cloud storage services while giving you greater control over where your backup data is stored.

Stage 9 — Scheduled vs Manual Backups

If you manage multiple websites, automated backups are strongly recommended.

If you only manage a small number of websites, manual backups performed before major changes or updates may be sufficient.

The most important thing is ensuring backups are created regularly and can be accessed when needed.

Stage 10 — Test Your Backups

A backup is only useful if it can be restored successfully.

Knowing that a backup exists is reassuring, but knowing that you can reliably restore it under different conditions is far more important. Testing your recovery process regularly can save significant time and stress during a real incident.

A good practice is to periodically restore Virtualmin backups onto a separate test environment, such as a spare or slower server. This allows you to safely simulate a real recovery without affecting your live website.

During these test restores, you may encounter different outcomes. Sometimes the process is smooth and straightforward, while other times you may run into configuration issues, missing dependencies, or small environment differences. These experiences are valuable — they help you understand what can go wrong before it happens in a real emergency.

The goal is not just to restore a backup, but to become familiar with the process so you can act confidently when it matters.

Testing with a Safe “Dummy” Environment

One useful technique is to isolate your test restore so it is not publicly accessible. This allows you to experiment without risk.

You can do this by adjusting the system hosts file so that your domain points to a different IP address (for example, your test server).

On Linux / macOS:
• Edit /etc/hosts

On Windows:
• Edit C:\Windows\System32\drivers\etc\hosts

For example:

192.168.1.50 yourdomain.com

This forces your computer to load the test server instead of the live site, while everyone else continues to see the real website.

This method is extremely useful for:
• Testing restores safely
• Debugging configuration issues
• Verifying DNS or SSL behaviour
• Running controlled recovery drills

In practice, this turns backup testing into a safe rehearsal environment, allowing you to refine your process before you ever need it under pressure.
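During a drill it is easy to lose track of whether your browser is looking at the test restore or the live site. The script below is an added example, not from any tool mentioned above: it reads a hosts file and reports where a domain is pinned. The helper names, the sample hosts content, and every address other than the 192.168.1.50 example are constructed for illustration.

```shell
#!/bin/sh
# Added example. hosts_override and restore_target are hypothetical helpers.

# hosts_override DOMAIN [HOSTS_FILE]: print the IP DOMAIN is pinned to,
# or return 1 when no active entry exists. The first matching line wins.
hosts_override() {
    awk -v d="$1" '
        { sub(/[#].*/, "") }            # ignore comments and commented-out entries
        NF < 2 { next }
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(d)) { print $1; found = 1; exit } }
        END { exit (found ? 0 : 1) }
    ' "${2:-/etc/hosts}"
}

# restore_target DOMAIN TEST_IP [HOSTS_FILE] prints one of:
#   test  - this machine loads the test restore
#   live  - no override, this machine loads the public site
#   other - pinned to an unexpected address (stale or mistyped entry)
restore_target() {
    if pinned=$(hosts_override "$1" "${3:-/etc/hosts}"); then
        if [ "$pinned" = "$2" ]; then echo test; else echo other; fi
    else
        echo live
    fi
}

# Constructed sample hosts file (not your real /etc/hosts).
sample_hosts() {
    cat <<'EOF'
127.0.0.1      localhost
# 192.168.1.50 old.example
192.168.1.50   yourdomain.com        # restore drill
10.0.0.9       staging.example shop.example
EOF
}

# Demo: www.yourdomain.com is NOT covered by the yourdomain.com entry, so a
# redirect to the www name would silently land on the live site.
tmp=$(mktemp)
sample_hosts > "$tmp"
for name in yourdomain.com www.yourdomain.com; do
    echo "$name -> $(restore_target "$name" 192.168.1.50 "$tmp")"
done
rm -f "$tmp"
```

Run `restore_target` again after the drill: anything other than `live` means the override is still in place.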

Final Thoughts

Good website security is built on a combination of:

• Strong passwords
• Two-Factor Authentication
• Regular updates
• Security monitoring
• Reliable backups

No system can guarantee complete protection, but these simple measures can significantly reduce risk and make recovery much easier if problems occur.

Website Security, 2FA, and Backups FAQ

Find answers to common questions about securing your WordPress website, implementing two-factor authentication, and managing backups using Virtualmin.

How does Wordfence provide security for my WordPress site?

Wordfence operates at the application level within WordPress, inspecting requests for suspicious behavior like brute-force attacks or known exploit patterns. It provides Layer 7 protection, complementing server-level firewalls for a more comprehensive security setup.

What is Two-Factor Authentication (2FA) and why is it important?

2FA adds a second layer of protection to your login by requiring a verification code from an authenticator app. This significantly reduces the risk of account compromise, even if your password is leaked or guessed.

How do I set up 2FA using Wordfence?

To enable 2FA in Wordfence, navigate to 'Wordfence' > 'Login Security'. Scan the provided QR code with your authenticator app and enter the generated code to confirm the setup.

Can I trust my website backups stored only on the server?

No, backups should be stored off-site whenever possible. If the server fails completely, an off-site copy, such as on cloud storage like OneDrive or Google Drive, may be your only recovery option.

How can I create backups using Virtualmin?

In Virtualmin, you can create complete backups of your website files, databases, email accounts, and domain settings. Access this feature through 'Virtualmin' > 'Backup & Restore' > 'Backup Virtual Servers'.

How often should I test my website backups?

Testing your backups regularly is crucial. Periodically restore your Virtualmin backups to a separate test environment to ensure the recovery process is reliable and to identify any potential issues before a real incident occurs.
