You don’t want hackers sending spam from your business email to your entire contact list, do you?
Or to get hacked, lose all your customer data, and then have to explain to angry clients why their information is now floating around the dark web.
But if you lock down these 10 security holes, hackers move on to easier targets.
Here at Truehost, we’ve been securing servers and cleaning up after hacks for over 11 years.
If you don’t know much about passwords, updates, and open ports, you could be setting your server up for a hack from day one.
The damage ranges from sites showing poker ads overnight, to customer databases stolen and sold, to thousands spent on cleanup.
That’s enough mess on your plate already. Let’s fix it before it gets any worse.
In this article we’ll:
- Identify the 10 most common security mistakes that get servers hacked.
- Show you exactly how to fix each one before hackers find you.
These are the 10 security holes hackers exploit every single day.
1) Using admin as Your Username and Password
This is the #1 way servers get hacked. It’s that simple.
Hackers run programs that try admin/admin on thousands of servers every hour, sitting there trying the same obvious passwords over and over.
You install WordPress or cPanel and it gives you a default password. You think you’ll change it later when you have time. But later never comes.
Meanwhile, some hacker’s program finds your server, tries admin/admin and boom, they’re in. Your server is theirs now.
I remember one client who got hacked within 6 hours of setting up their server. They were planning to change the password the next morning. Hackers found it that same night.
It cost them $3,000 to clean up plus a week of downtime. This was all because they delayed changing one password.
How to fix it:
- Change every default password the second you install anything. Don’t wait for tomorrow or next week. Do it now.
- Make passwords at least 16 characters long, mixing letters, numbers, and symbols.
- Use different passwords for different things.
Can’t remember all these passwords? Use LastPass or 1Password to store them.
There are actually some providers that force you to change default passwords on first login. You can’t skip it.
2) Clicking Remind Me Later on Updates for Months
Software bugs get found every day and companies fix them. But the fixes only help if you install them.
That update notification, though? It’s easy to ignore when you’re busy running your business.
I remember when a client kept clicking remind me later on a WordPress update. For 3 weeks straight. Then they woke up to find their site hacked.
Turns out the update fixed the exact bug hackers used to break in. If they’d updated that first day, the hack couldn’t have happened.
What happens while you’re clicking remind me later:
Hackers find the bug, build tools to exploit it, and scan the internet for sites still running old versions. If your site shows up, they attack.
You could have been safe if you’d just clicked update instead of remind me later.
How to fix it:
- Turn on automatic updates for security patches, and check for other updates every week. When you see an update, install it right then.
- Schedule 10 minutes every Monday morning just for updates. Make it part of your weekly routine like checking email.
Luckily, some hosting companies patch your server software automatically within 24 hours of any security release. You handle WordPress and plugins, but the server itself is patched before hackers can use the bug.
3) Leaving All Your Doors and Windows Open
Just like your apartment has windows and doors, your server has doors too. On a server they’re called ports. Some need to be open, but most should stay locked.
It’s like your house. You open the front door when expecting guests. But why leave the back door, side door, garage, and all the windows open too?
That’s exactly what happens with servers. The default setup leaves a lot of ports open. Hackers scan for those open ports and try breaking in.
How to fix it:
- Close every port except what you actually use. If you are just running a website, open ports 80 and 443 only.
- If you need SSH, open port 22 but only let your office address connect, not the whole world.
- Lock everything else and check your open ports every month. If you don’t recognize a port, close it.
4) No Firewall Because It Sounds Hard
Firewalls decide who gets to knock on your doors.
Without one, your server answers every knock from everyone, including hackers. Most small website owners assume their hosting handles this. Surprisingly, many cheap hosts don’t set up any firewall at all.
Your server just sits there and every hacker in the world can try breaking in.
How to fix it:
Set up a firewall right away. Block everything first, then allow only what you need.
Not complicated, right?
It isn’t, because most control panels have simple firewall buttons. You click a few times and you’re done.
Truehost servers come with firewalls already working. We block known bad guys automatically. You can also add your own rules easily.
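Here is what the monthly port check from section 3 and the block-everything-first firewall from section 4 look like on a Linux server. This is an added example, not Truehost’s own tooling and not part of the original article. It assumes a server with ss and ufw installed; the ss output and the office address 203.0.113.10 are constructed so the script runs anywhere.

```sh
#!/bin/sh
# Added example (not Truehost's tooling): list the ports a server exposes to the
# internet that are not on your allowlist, and print the ufw rules that close
# everything else. Runs offline on constructed data.

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local:Port Peer:Port).
# On a real server you would use: SS_OUT=$(ss -Hltn)
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::]:21 [::]:*'

# unexpected_ports <ss output> "<allowed ports>"
# Prints each port that listens on a public address (not loopback) and is not
# on the allowlist. Exit 0 when nothing unexpected is listening, 1 otherwise.
unexpected_ports() {
    ss_out=$1
    allowed=" $2 "
    found=0
    for entry in $(printf '%s\n' "$ss_out" | awk '{ print $4 }'); do
        addr=${entry%:*}     # everything before the last ':'
        port=${entry##*:}    # everything after the last ':'
        case $addr in
            127.*|'[::1]') continue ;;   # loopback only: not reachable from outside
        esac
        case $allowed in
            *" $port "*) ;;               # expected
            *) echo "$port"; found=1 ;;
        esac
    done
    return $found
}

# firewall_rules <office IP or CIDR>
# Prints the ufw commands for a plain web server: deny all inbound traffic by
# default, allow HTTP/HTTPS from anywhere, allow SSH only from the office.
firewall_rules() {
    office=$1
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default allow outgoing" \
        "ufw allow 80/tcp" \
        "ufw allow 443/tcp" \
        "ufw allow from $office to any port 22 proto tcp" \
        "ufw --force enable"
}

echo "Public listeners not on the allowlist (80 443 22):"
unexpected_ports "$SAMPLE_SS" "80 443 22" \
    || echo "-> stop these services, bind them to 127.0.0.1, or block them in the firewall"
echo
echo "Rules for a web server whose office address is 203.0.113.10 (constructed):"
firewall_rules 203.0.113.10
```

In the sample, 3306 (the database) and 21 (FTP) are flagged while 6379 is not, because it only listens on 127.0.0.1. Apply the printed rules from a console session or a second SSH connection, since the default-deny rule takes effect before the SSH allow if you get the order wrong.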
5) Letting Hackers Try Passwords All Day Long
Take your house, for instance. Someone is at your front door trying different keys. The first key doesn’t work, so they try another, and another, for hours.
Eventually they find one that works and they’re all over your business.
A password-only login is the same. Hackers run programs that try thousands of combinations: admin123, admin1234, admin12345 and so on.
Your server logs show 5,000 failed login attempts in one day from the same hacker. They’re still trying, hoping to get lucky.
How to fix it:
Turn off password login and use SSH keys instead. SSH keys are like special keys that you are the only one with. Hackers can’t guess them and can’t try thousands of combinations. Either they have your exact key or they’re locked out.
It takes 10 minutes to set up. There are tons of guides online; do it once and stay safe for good.
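The part of that setup people get wrong is the sshd_config: turning keys on is not the same as turning passwords off. The script below is an added example (not Truehost’s tooling, not from the original article) that checks a config for the lines that actually disable password login. The two config texts are constructed; on a real server you would feed it /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example (not Truehost's tooling): check an sshd_config for the settings
# that actually turn password login off. Config text is constructed.

# Generate a key on your workstation and copy it to the server BEFORE turning
# passwords off (real OpenSSH commands):
#   ssh-keygen -t ed25519
#   ssh-copy-id you@your-server
# Then restart sshd and confirm you can still log in from a second terminal.

WEAK_SSHD='Port 22
PasswordAuthentication yes
PermitRootLogin yes
#PubkeyAuthentication yes'

HARDENED_SSHD='Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password'

# sshd_setting <config text> <keyword>: effective value of a keyword. sshd uses
# the FIRST uncommented occurrence and keywords are case-insensitive. Empty if unset.
sshd_setting() {
    printf '%s\n' "$1" | awk -v key="$2" \
        'tolower($1) == tolower(key) && !seen { v = $2; seen = 1 } END { print v }'
}

# audit_sshd <config text>: prints one line per failing check; exit 1 if any failed.
audit_sshd() {
    cfg=$1
    bad=0
    [ "$(sshd_setting "$cfg" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication must be no"; bad=1; }
    # Default is yes, so only an explicit "no" is a problem.
    [ "$(sshd_setting "$cfg" PubkeyAuthentication)" != "no" ] \
        || { echo "PubkeyAuthentication must not be no"; bad=1; }
    # With UsePAM, keyboard-interactive can still prompt for a password, so it
    # must be off too (older OpenSSH spells it ChallengeResponseAuthentication).
    kbd=$(sshd_setting "$cfg" KbdInteractiveAuthentication)
    crp=$(sshd_setting "$cfg" ChallengeResponseAuthentication)
    [ "$kbd" = "no" ] || [ "$crp" = "no" ] \
        || { echo "KbdInteractiveAuthentication must be no"; bad=1; }
    case $(sshd_setting "$cfg" PermitRootLogin) in
        no|prohibit-password) ;;
        *) echo "PermitRootLogin must be no or prohibit-password"; bad=1 ;;
    esac
    return $bad
}

echo "Weak config:"
audit_sshd "$WEAK_SSHD" || echo "-> fix the lines above, then run: sshd -t && systemctl restart ssh"
echo "Hardened config:"
audit_sshd "$HARDENED_SSHD" && echo "password login is off"
# On a real server: audit_sshd "$(cat /etc/ssh/sshd_config)"
# `sshd -T` prints the effective values, defaults included, if you want to
# double-check what the daemon actually loaded.
```

The weak config fails three checks (password login on, keyboard-interactive left at its default, root login by password allowed); the hardened one passes all of them.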
6) Setting Everything to 777 Because It Works
File permissions control who can read and change files on your server. 777 means everyone can do everything. It’s like posting your house keys on Facebook.
People use 777 because it’s easy. If something doesn’t work, Google says try 777, and it works.
Now your config files sit where everyone can read them. If hackers grab your database password from one of them, it’s game over.
How to fix it:
Use proper permissions: files 644, folders 755, and anything holding passwords 600.
Still don’t know what that means? Spend 30 minutes reading a guide from an authoritative blog. That’s better than spending $5,000 cleaning up a hack.
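To make those three numbers concrete, here is an added example (not Truehost’s tooling, not from the original article) that finds everything under a site with the wrong mode and fixes it. It builds its own throwaway directory in the 777 state so it can be run anywhere; the list of password-holding file names (.env, wp-config.php) is an assumption you would extend for your own application.

```sh
#!/bin/sh
# Added example (not Truehost's tooling): find files and folders with the wrong
# mode under a site and fix them. Builds a throwaway directory so it runs
# anywhere; point it at your real document root only after reading it.

# Files that hold passwords (constructed list; extend it for your own app).
SECRET_NAMES='-name .env -o -name wp-config.php'

# make_sample_site: a small site left in the "Google said try 777" state.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/public/uploads" "$root/config"
    echo '<?php echo "hello";' > "$root/public/index.php"
    echo 'DB_PASSWORD=constructed-example' > "$root/config/.env"
    echo '<?php $settings = array();' > "$root/config/settings.php"
    chmod -R 777 "$root"
    printf '%s' "$root"
}

# audit_perms <root>: prints "kind wanted-mode path" for every wrong item.
# Exit 0 when everything is right, 1 when something needs fixing.
audit_perms() {
    root=$1
    if {
        find "$root" -type d ! -perm 755 -exec echo folder 755 {} \;
        find "$root" -type f \( $SECRET_NAMES \) ! -perm 600 -exec echo secret 600 {} \;
        find "$root" -type f ! \( $SECRET_NAMES \) ! -perm 644 -exec echo file 644 {} \;
    } | grep .; then
        return 1
    fi
    return 0
}

# fix_perms <root>: folders 755, files 644, password files 600.
fix_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f \( $SECRET_NAMES \) -exec chmod 600 {} +
}

SITE=$(make_sample_site)
echo "Before:"
audit_perms "$SITE" || true
fix_perms "$SITE"
echo "After:"
audit_perms "$SITE" && echo "all modes correct"
rm -rf "$SITE"
```

The sample tree produces seven findings before the fix (four folders, two ordinary files, one password file) and none after. Run only audit_perms against a real site first; fix_perms assumes the web server reads files as a different user than the one that owns them, which is the usual setup but not the only one.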
7) Making Backups But Never Checking If They Work
Backups are insurance. But insurance that doesn’t pay is worthless.
People set up automatic backups and feel good about it. They forget to test whether the backups actually work. Then the worst happens: they try to restore and the backup is corrupted, empty, or won’t restore.
How to fix it:
The best rule of thumb is to test your backups every few months. Restore one and make sure everything comes back.
If you can’t restore it, you don’t have a backup. You have a false sense of security.
Go for web hosting providers who test backups automatically every day. If something’s wrong, they know right away and fix it.
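What "test your backups" means in practice is a restore into a scratch directory followed by a comparison with the live files. The script below is an added example (not Truehost’s tooling, not from the original article) that does exactly that and shows the two ways a backup lies to you: it restores but is missing things, or it is corrupted and won’t restore at all. The site directory is constructed; it assumes GNU tar and sha256sum, and absolute archive paths.

```sh
#!/bin/sh
# Added example (not Truehost's tooling): make a backup, then prove it works by
# restoring it somewhere else and comparing. Uses a constructed site directory
# and GNU tar/coreutils; nothing here touches a real server.

# make_backup <site dir> <absolute archive path>: compressed tar plus a checksum file.
make_backup() {
    tar -czf "$2" -C "$1" . && sha256sum "$2" > "$2.sha256"
}

# verify_backup <absolute archive path> <site dir>
# Prints one verdict line; exit 0 only when the archive is intact, restores,
# and matches the live directory exactly.
verify_backup() {
    archive=$1
    original=$2
    scratch=$(mktemp -d)
    if ! sha256sum -c "$archive.sha256" >/dev/null 2>&1; then
        echo "checksum mismatch"; rm -rf "$scratch"; return 1
    fi
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        echo "restore failed: archive would not extract"; rm -rf "$scratch"; return 1
    fi
    if ! diff -r "$original" "$scratch" >/dev/null; then
        echo "restore incomplete: contents differ"; rm -rf "$scratch"; return 1
    fi
    rm -rf "$scratch"
    echo "backup restored and matches"
}

# Constructed site: a database dump and one upload.
SITE=$(mktemp -d)
mkdir "$SITE/uploads"
echo 'INSERT INTO customers VALUES (1, "constructed@example.com");' > "$SITE/db.sql"
echo '<?php // constructed upload' > "$SITE/uploads/index.php"
ARCHIVE=$(mktemp -d)/site.tgz

make_backup "$SITE" "$ARCHIVE"
echo "1. fresh backup:        $(verify_backup "$ARCHIVE" "$SITE")"

# The site changed after the backup ran: the restore would be missing a file.
echo 'new file' > "$SITE/added-after-backup.txt"
echo "2. site changed since:  $(verify_backup "$ARCHIVE" "$SITE")"

# Simulate disk trouble on the backup target: the archive got truncated.
head -c 100 "$ARCHIVE" > "$ARCHIVE.tmp" && mv "$ARCHIVE.tmp" "$ARCHIVE"
echo "3. truncated archive:   $(verify_backup "$ARCHIVE" "$SITE")"

rm -rf "$SITE" "$(dirname "$ARCHIVE")"
```

Case 2 is the one people miss: the archive is perfectly healthy, it just isn’t the backup you think it is. Verifying against the live tree is only sensible right after the backup runs; for older archives, restore and check that the application starts and the important records are there.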
8) Letting the Whole Internet Talk to Your Database
Your database holds everything: customer emails, passwords, orders, and payment information.
So why is it accepting connections from the entire internet?
The default setup opens your database to everyone. Your website needs to connect, sure. But that random person in Russia doesn’t, and neither do the hackers scanning for open databases.
How to fix it:
Make your database accept only local connections. If your website runs on the same server as the database, the database only needs to listen to that server. Hackers scanning from outside are blocked and can’t even see the database.
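For MySQL and MariaDB that is one line in the [mysqld] section. Below, as an added example (not Truehost’s tooling, not from the original article), the exposed setting sits beside the corrected one with a small check you can point at your own config. The config texts are constructed.

```sh
#!/bin/sh
# Added example (not Truehost's tooling): check whether a MySQL/MariaDB config
# lets the server listen on every interface, and show the corrected line.
# Config text is constructed.

# Listens on every interface: anyone who can reach the server can reach the
# database. An unset bind-address means the same thing on MySQL 8 (default "*").
EXPOSED_CNF='[mysqld]
bind-address = 0.0.0.0
port = 3306'

# Listens on loopback only: just the website on this same server can connect.
LOCAL_CNF='[mysqld]
bind-address = 127.0.0.1
port = 3306'

# db_bind_address <config text>: prints the bind-address value, or "unset".
db_bind_address() {
    printf '%s\n' "$1" | awk -F'=' '
        $1 ~ /^[ \t]*bind-address[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { print (v == "" ? "unset" : v) }'
}

# db_is_local <config text>: exit 0 only if the database listens on loopback.
db_is_local() {
    case $(db_bind_address "$1") in
        127.0.0.1|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

echo "exposed config binds to: $(db_bind_address "$EXPOSED_CNF")"
db_is_local "$EXPOSED_CNF" \
    || echo "-> set bind-address = 127.0.0.1 under [mysqld] and restart the database"
echo "local config binds to:   $(db_bind_address "$LOCAL_CNF")"
db_is_local "$LOCAL_CNF" && echo "-> only processes on this server can connect"

# Real check: db_bind_address "$(cat /etc/mysql/my.cnf)". MySQL also reads
# conf.d/ drop-in files, so confirm what is actually listening with: ss -ltn
```

If your web server is a separate machine, bind to the database server’s private-network address instead of 127.0.0.1 and allow only that one host on port 3306 in the firewall; the public address still stays closed.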
9) Thinking Strong Passwords Are Enough
Strong passwords stop brute force attacks but they don’t stop theft.
Hackers steal passwords through fake emails, keyloggers, and hacking other sites where you used the same password.
How to fix it:
Turn on 2FA for every admin account and important login. 2FA means hackers need your password and your phone. If they steal your password, they still can’t get in without your phone.
Use Google Authenticator or Authy. Don’t use text messages; those can get hacked too.
10) Never Looking at Security Logs
Your server tracks everything: every login attempt, every file change, even weird commands.
These logs warn you when something’s wrong: failed logins from strange countries, files changing at 3AM, weird database activity.
But most people never check logs until after getting hacked. By then, it’s too late.
How to fix it:
Check logs weekly. Look for weird stuff: failed logins, unknown IPs, and files you didn’t touch.
Set up alerts so that if someone tries logging in 50 times in 10 minutes, the server tells you.
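Two of those checks, the failed-login burst and the unknown IP, can be run over the SSH log with a few lines of awk. The script below is an added example (not Truehost’s tooling, not from the original article); the log lines are constructed in the Debian/Ubuntu auth.log format, and the office address 203.0.113.10 is an assumption. The demo uses a threshold of 5 so the small sample trips it; on a real server you would use the 50-in-10-minutes rule from the text.

```sh
#!/bin/sh
# Added example (not Truehost's tooling): two weekly checks over sshd log lines.
# The sample log is constructed, not from a real server.

SAMPLE_LOG='Mar 10 03:02:11 web1 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51522 ssh2
Mar 10 03:02:13 web1 sshd[2233]: Failed password for invalid user admin from 198.51.100.7 port 51530 ssh2
Mar 10 03:03:40 web1 sshd[2240]: Failed password for root from 198.51.100.7 port 51610 ssh2
Mar 10 03:05:02 web1 sshd[2251]: Failed password for root from 198.51.100.7 port 51700 ssh2
Mar 10 03:07:55 web1 sshd[2263]: Failed password for invalid user test from 198.51.100.7 port 51802 ssh2
Mar 10 03:09:19 web1 sshd[2270]: Failed password for invalid user oracle from 198.51.100.7 port 51900 ssh2
Mar 10 09:15:01 web1 sshd[3102]: Failed password for deploy from 203.0.113.10 port 40112 ssh2
Mar 10 09:15:20 web1 sshd[3102]: Accepted publickey for deploy from 203.0.113.10 port 40112 ssh2
Mar 10 22:41:07 web1 sshd[4410]: Accepted password for root from 192.0.2.99 port 60001 ssh2'

# failed_login_bursts <log text> <threshold>
# Prints "IP Mon DD HH:M0 count" for every IP with >= threshold failed
# passwords inside one clock-aligned 10-minute window (03:00-03:09, 03:10-03:19, ...).
failed_login_bursts() {
    printf '%s\n' "$1" | awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            split($3, t, ":")                                    # HH:MM:SS
            win = sprintf("%s %s %s:%d0", $1, $2, t[1], int(t[2] / 10))
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            n[ip " " win]++
        }
        END { for (k in n) if (n[k] >= limit) print k, n[k] }' | sort
}

# logins_from_unknown <log text> "<known IPs>"
# Prints every successful login whose source address is not on the known list.
# A success from an address you do not recognise matters more than any failure.
logins_from_unknown() {
    printf '%s\n' "$1" | awk -v known=" $2 " '
        /sshd\[[0-9]+\]: Accepted/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (index(known, " " ip " ") == 0)
                print $1, $2, $3, $7, "login for", $9, "from", ip
        }'
}

echo "IPs with 5 or more failed logins inside one 10-minute window:"
failed_login_bursts "$SAMPLE_LOG" 5
echo "Successful logins from addresses other than the office (203.0.113.10):"
logins_from_unknown "$SAMPLE_LOG" "203.0.113.10"

# On a real Debian/Ubuntu server, with the 50-in-10-minutes rule from the text:
#   failed_login_bursts "$(cat /var/log/auth.log)" 50
# Run it from cron and mail yourself anything it prints, or let fail2ban do
# the counting and the blocking for you.
```

The sample flags 198.51.100.7 (six failures between 03:02 and 03:09) and the 22:41 root login from 192.0.2.99, which is the line that should get you out of bed. The single failure from the office address is ignored.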
Lock It Down Before Hackers Find You
Security isn’t something you set up once and forget. It needs regular care.
Fix these 10 holes and you stop 99% of hacks. The other 1% needs advanced security work.
But honestly? Most hackers aren’t advanced. They scan for easy targets. Default passwords. Old software. Open ports.
Don’t be easy.
Think of security like locking your car. You don’t just lock the driver door. You lock all doors. Roll up windows. Take your valuables.
Same with servers. Don’t just fix one thing. Fix all 10. Make hackers work so hard they give up and move to easier targets.