
Cloudways Security Guide For WordPress: 2025 Edition
Cloudways offers managed cloud hosting for WordPress sites, making it easy to get up and running with a WordPress site. However, several vulnerable default configurations and hard-to-spot misconfigurations can open your website to cybersecurity threats and attacks. This blog post will focus on Cloudways Security and protecting WordPress sites on the Cloudways platform. While many of these recommendations will apply to general WordPress sites not hosted on Cloudways – the steps will be specific to the platform.
Configure Multi-Factor Authentication (MFA)
While one of the most accessible and most effective controls, MFA is usually neglected. Platforms prefer to maintain their user onboarding experience, leaving MFA as an optional mechanism for users to set up. If your credentials are ever compromised or guessed, MFA can protect your account by not allowing sign-in without using a code you would possess on your smartphone. When using MFA, it’s always best to opt for an authentication-based (e.g. Google Authenticator) as opposed to an SMS-based, given the threat of SIM swapping and other attacks. From my My Account page, click Security, then click the Activate TFA button and follow the wizard.
Create allow list for inbound SSH connections
For optimal security, it’s best to disable SSH entirely when not in use; however, given this can be a tedious process for smaller teams, the second best option is to configure an allow list for SSH connections. This can be as simple as the home IP address of anyone accessing WordPress servers or allowing the IP address of an IP address shared by multiple (e.g. office network or VPN). This needs to be done at a server level and can be configured in the Security tab once a server is selected for configuration. Select the Block all IP addresses, except those on the Whitelist radio box, enter the list of IPs and click Save Changes.
Disable XDEBUG for production servers
Ensure that XDEBUG is disabled on servers hosting production applications. XDEBUG is a powerful tool for debugging and troubleshooting PHP applications or specific WordPress components. However, if left enabled when not required, attackers can exploit it to access potentially sensitive information about the application. This needs to be performed at a server level and can be done by navigating to Settings & Packages after selecting a server to configure and clicking Advanced. From here, ensure that XDEBUG is not toggled to the On position.
Configure Automatic Safe Updates
Patch management is one of the most essential strategies for keeping your WordPress site safe; this is especially important for companies that rely heavily on multiple themes, plugins or other components, as they must be updated separately. This is not a free feature offered by Cloudways. Still, you can get peace of mind at a minimal cost by allowing them to handle the patching process on your behalf and automatically revert updates if they detect it breaks any component. Most WordPress attacks that don’t involve weak credentials usually rely on outdated themes, plugins or WordPress versions with known vulnerabilities.
Configure Backup Strategy
Patch Management and other measures have been used to limit the risk and chance of your Cloudways or WordPress getting hacked. However, to prepare for the worst case, having a solid backup strategy and a way to recover can be especially important if your site gets hacked or breached. It can allow you to maintain a clean slate to recover from and quickly get up and running if your site is hacked, defaced or otherwise. Similar to safe updates, while not free, at a minimal cost, Cloudways will perform automatic backups weekly of your WordPress server, which is immutable and cannot be modified or deleted. From here, they allow easy recovery and restoration options. This can be configured at the server level by selecting a server and clicking Backups.
Restrict Direct Access to PHP Files
By allowing direct access to PHP files, cybercriminals and malicious hackers can exploit them to upload backdoor files or other types of malware into your website. While disabled by default, it’s essential to revisit this setting for each application hosted within Cloudways (staging or production) and ensure that Direct PHP Files Access is disabled.
Total visibility. Zero blind spots. WatchDog helps you monitor every user, service account, and system across Cloud, SaaS, and devices -flagging misconfigurations and risks the moment they arise.
- ➕ Asset management – Add and track your own assets easily across Cloud, SaaS + On-Prem
- Identity monitoring – Limited to Google Workspace & M365 Non-Human Identities on free plan
- 🔧 SaaS + Cloud hardening checks – Spot misconfigurations before they become risks
Get started free today – no credit card required.

