Cybersecurity Checklist for Pakistani SMEs Running on Shared Hosting

The two most dangerous words in Pakistani small business security are: "nothing happened." Nothing happened last year, or the year before, so security is not a priority. Until it is. Until your website is serving pharmaceutical spam to your customers. Until your business email is used in a phishing campaign that targets your clients. Until your WooCommerce database with 8,000 customer records is sold on a Telegram channel.

Pakistani SMEs running on shared hosting have a specific and well-defined attack surface. This checklist addresses it completely. No jargon, no unnecessary complexity — just the specific actions that prevent the vast majority of real attacks on Pakistani small business websites.

---

Why Shared Hosting SMEs Are Targets

Shared hosting users are targeted because they are:

1. Predictably under-protected — automated bots scan the internet for known WordPress/cPanel vulnerabilities and find thousands of unpatched Pakistani sites in hours
2. Sharing IP addresses — a breach on any site on the shared server can be leveraged to access adjacent sites if isolation is poor
3. Running outdated software — Pakistani SMEs frequently install WordPress and stop updating it, creating perpetually vulnerable installations
4. High-value targets for brand abuse — a Pakistani accounting firm's or lawyer's website with an established domain is extremely valuable for sending credible phishing emails

---

Part 1: Your Hosting Account (The Foundation)

✔ Enable Two-Factor Authentication on cPanel/DirectAdmin

Your hosting control panel password is often the only thing standing between an attacker and your entire web presence. A strong password alone is insufficient — credential stuffing attacks use databases of billions of leaked passwords to try millions of combinations per hour.

cPanel: Two-Step Authentication cPanel → Security → Two-Factor Authentication → Set Up Use Google Authenticator, Authy, or any TOTP app DirectAdmin: Admin Panel → Account Security → Two-Factor Auth → Enable

✔ Use a Unique, Strong cPanel Password

Every week, Pakistani hosting accounts are compromised because the cPanel password was the same as a password used on a breached service (LinkedIn 2012, DropBox 2016, etc.). Use a password manager (Bitwarden, 1Password) and generate a unique 20+ character password for your hosting account.

✔ Restrict cPanel Access by IP (If You Have a Static IP)

If your office has a static IP from your ISP, ask your hosting provider to whitelist only that IP for cPanel access. This makes your control panel inaccessible from anywhere else in the world, regardless of whether someone has your password.

✔ Review FTP Accounts — Delete Any You Don't Actively Use

Old FTP accounts for contractors, agencies, and employees who no longer work with you are open doors. Review all FTP accounts in your cPanel quarterly and delete any that are not actively needed.

---

Part 2: WordPress Hardening (For WordPress Sites)

✔ Update WordPress, All Plugins, and Theme — Now

The majority of Pakistani WordPress infections come from one source: unpatched plugins. The Elementor, Contact Form 7, and WooCommerce vulnerabilities that were patched in 2023–2024 are still actively being exploited on un-updated Pakistani sites in 2026.

Copy# WordPress admin dashboard path for updates:
WP Admin → Dashboard → Updates → Update All

# Or via WP-CLI (if you have SSH access):
wp core update
wp plugin update --all
wp theme update --all

Schedule it: Block 30 minutes on the first Tuesday of each month for WordPress updates. Do it on a staging copy first if you have one.

✔ Delete Inactive Plugins and Themes

Deactivated plugins still present exploitable code. An attacker who finds a vulnerability in a deactivated plugin can still use it as an entry point. Delete — do not just deactivate — any plugin or theme you are not actively using.

✔ Change the Default Admin Username

If your WordPress admin account username is admin, administrator, or your business name, automated brute-force attacks start with those usernames. Create a new administrative account with a random username and delete the default admin account.

Copy# WP-CLI: Create new admin and delete old one
wp user create secure_admin newadmin@yourdomain.com --role=administrator
# Log in with new user, then:
wp user delete admin --reassign=new_user_id

✔ Limit Login Attempts

WordPress by default allows unlimited login attempts. Install Limit Login Attempts Reloaded (free, 2 million+ installs) to block IP addresses after 3–5 failed attempts. This eliminates brute-force attacks entirely.

✔ Protect wp-config.php

wp-config.php contains your database credentials. A misconfigured server can serve this file directly to a browser. Protect it:

Copy# Add to .htaccess:
<Files wp-config.php>
Require all denied
</Files>

✔ Disable XML-RPC

XML-RPC is a WordPress API endpoint used by the mobile app and Jetpack. If you don't use these, disable it — it is a common attack vector for brute-force and DDoS amplification:

Copy# Add to .htaccess:
<Files xmlrpc.php>
Require all denied
</Files>

✔ Install a WordPress Security Plugin

For Pakistani SMEs without dedicated security staff, a managed security plugin handles scanning, hardening, and alerting:

Wordfence Free (recommended for most Pakistani SMEs):

• Real-time malware and vulnerability scanning
• Login security (2FA, CAPTCHA, rate limiting)
• Firewall rules updated for current attack signatures
• Email alerts for security events

Alternative: iThemes Security (slightly easier UI for non-technical business owners)

---

Part 3: Email Security

✔ Configure SPF, DKIM, and DMARC

These three DNS records prevent email spoofing — attackers sending emails that appear to come from @yourcompany.com to scam your clients:

Copy# SPF (add as DNS TXT record at your domain registrar or cPanel Zone Editor):
v=spf1 include:yourhostingserver.com ~all
# If using Google Workspace:
v=spf1 include:_spf.google.com ~all

# DKIM (generate in cPanel → Email → Email Deliverability → Repair)
# Copy generated DNS record to your zone editor

# DMARC (add as DNS TXT record for _dmarc.yourdomain.com):
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100

✔ Use a Separate Sending Domain for Marketing Emails

Never send bulk marketing emails from @yourdomain.com. Use a subdomain (mail.yourdomain.com) or a dedicated sending service (Mailchimp, SendGrid, Brevo). If your marketing email ends up on spam databases — which happens to all bulk senders eventually — it damages the reputation of your entire domain, including transactional emails like order confirmations and invoices.

✔ Enable Email Filtering

cPanel's SpamAssassin is enabled by default on most Pakistani shared hosting plans but configured very conservatively. Log into your cPanel, navigate to Email → Spam Filters, and set AutoDelete Spam (Score) to 5.0. This prevents obvious spam from cluttering your inbox while reducing phishing risks.

---

Part 4: SSL and Data in Transit

✔ Force HTTPS Across the Entire Website

SSL certificates are meaningless if visitors can still reach your site via HTTP. Force HTTPS:

Copy# In .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Or in WordPress via Settings → General: set both "WordPress Address" and "Site Address" to https://.

✔ Enable HTTP Strict Transport Security (HSTS)

HSTS tells browsers to always use HTTPS for your domain, preventing SSL-stripping attacks:

Copy# Add to .htaccess (after the HTTPS redirect rules):
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

---

Part 5: Backups and Recovery

✔ Verify Your Backup Is Running and Test It

The most common Pakistani SME security outcome is: site gets infected, data gets deleted or ransomed, business discovers their "automated backup" was actually never running or was incomplete.

This week's action:

1. Log into cPanel → Backup → Download a full account backup
2. Verify the file is non-zero and not corrupted (open it with 7-Zip or similar)
3. Open phpMyAdmin, export your WordPress database manually
4. Confirm the .sql file contains recent data (check post dates)

✔ Store Backups Off-Server

A backup stored on the same server is nearly worthless in a breach or server failure scenario. Configure UpdraftPlus to send backups to:

• Google Drive (easiest, generous free storage)
• Dropbox
• Amazon S3 (cheapest at scale)
• A second hosting account

---

Part 6: Monitoring

✔ Set Up Google Search Console and Watch for Hacking Alerts

Google Search Console sends manual action and security notifications when your site has been identified as hacked or serving malware. Pakistani SME websites frequently run compromised for months because no one is monitoring this.

Setup: search.google.com/search-console — verify ownership via DNS TXT record (2 minutes) and enable email notifications.

✔ Enable UptimeRobot (Free)

Downtime is sometimes the first visible symptom of a compromise. UptimeRobot pings your site every 5 minutes and sends a text and email if it goes down. Free for up to 50 monitors.

✔ Review cPanel Error Logs Monthly

Copy# cPanel error log location:
/home/youraccount/logs/yourdomain.com-ssl_log
/home/youraccount/logs/yourdomain.com-ssl_error_log

# What to look for:
grep -i "POST.*wp-login.php" error_log           # Login attacks
grep -i "eval.*base64" error_log                 # PHP injection attempts
grep -i "404" error_log | sort | uniq -c | sort -rn  # Scanning for vulnerable paths

---

Complete Checklist Summary

FOUNDATION ✔ 2FA on cPanel/DirectAdmin ✔ Unique password for hosting account ✔ Delete unused FTP accounts WORDPRESS ✔ All updates applied ✔ Inactive plugins/themes deleted ✔ Admin username changed from 'admin' ✔ Login attempts limited ✔ wp-config.php protected in .htaccess ✔ XML-RPC disabled ✔ Security plugin installed (Wordfence) EMAIL ✔ SPF configured ✔ DKIM configured and enabled ✔ DMARC policy set ✔ Marketing sent from subdomain or third-party SSL & TRANSIT ✔ HTTPS forced via .htaccess ✔ HSTS header enabled BACKUPS ✔ Recent backup downloaded and verified ✔ Off-server backup destination configured MONITORING ✔ Google Search Console active ✔ UptimeRobot configured ✔ Error log review scheduled monthly

---

Conclusion

Implementing this checklist takes 4–6 hours for a Pakistani SME with zero security background. It prevents well over 90% of the actual attacks targeting Pakistani shared hosting users: automated credential stuffing, plugin vulnerabilities, email spoofing, and malware injections.

Security is not a one-time event — it is a quarterly discipline. The Pakistan Telecommunication Authority (PTA) and Federal Investigation Agency (FIA) cybercrime unit both report dramatic increases in Pakistani SME targeting. The assumption that small businesses are not worth targeting is dangerously wrong: they are specifically targeted because their defences are weaker.

Upgrade to hosting with security baked in. (/shared-hosting) includes Imunify360 malware scanning, HackScan, and daily backups — dramatically reducing the manual security overhead for Pakistani SMEs.