Web security is invisible until something goes wrong. Then it becomes the only thing that matters. Here is a transparent look at the security layers protecting every site hosted with HostVogo — and what you can do on your end to make them stronger.

The six-layer security stack

HostVogo's shared hosting plans run six independent security layers, each catching threats the others might miss. Defense in depth is the principle — no single layer is asked to do everything.

Layer 1: Network-level DDoS protection

Before traffic reaches any server, it passes through our edge network. The edge filters out volumetric attacks (UDP floods, SYN floods, amplification attacks) automatically. Most attacks never even reach our infrastructure.

This protection is always on and included on every plan — no configuration required.

Layer 2: Imunify360 web application firewall

Imunify360 is the industry-leading web application firewall for cPanel-based hosting. It runs on every Pro and Turbo plan server and provides:

  • Real-time malware scanning of file uploads and existing files
  • Active protection against SQL injection, XSS, and other common web attacks
  • Brute-force protection on login pages
  • Reputation-based IP blocking using a network of contributing servers worldwide
  • Proactive defense — blocks zero-day exploits using behavioral analysis, not just signatures

If Imunify360 detects malware on your site, it quarantines the files automatically and notifies you. You can review and restore from your cPanel.

Layer 3: Free SSL on every site

SSL encrypts the connection between your visitors and your site. Every HostVogo account gets free SSL via Let's Encrypt, with automatic renewal every 90 days. No configuration required — your sites get HTTPS the moment DNS resolves.

Without SSL, browsers display "Not Secure" warnings, customers leave, and Google ranks you lower. With it, your site is encrypted, trusted, and ranked higher.

Layer 4: Daily automated backups

Every account is backed up daily. We keep 30 days of restore points, stored offsite from the production server. You can restore an entire account, a single database, or even individual files from cPanel with one click.

Backups are how you recover from the things security cannot prevent — a developer accidentally deleting files, a compromised plugin destroying data, or a hardware failure that no software can stop.

Layer 5: Two-factor authentication

Account compromises usually start with stolen credentials. Two-factor authentication (2FA) blocks them. Enable 2FA on:

  • Your HostVogo client area
  • cPanel
  • WordPress admin (with a plugin like Wordfence or Two Factor)
  • Your email provider

Use an authenticator app (Authy, Google Authenticator, 1Password) rather than SMS — SMS-based 2FA is vulnerable to SIM-swap attacks.

Layer 6: 24/7 monitoring and incident response

Our infrastructure team monitors every server 24/7 — load, network anomalies, suspicious processes, failed login spikes. When something looks wrong, an engineer investigates immediately.

If we detect that your site is under attack or compromised, we will notify you. If the attack is large enough to risk other accounts on the server, we may temporarily isolate your account while we work with you to clean it up.

What you can do on your side

Hosting security covers the infrastructure. Application security is on you. The basics:

Keep everything updated. Plugins and themes are the #1 source of WordPress compromises. Set up automatic updates for minor versions, and check weekly for major updates that require manual review.

Use strong unique passwords. A password manager (1Password, Bitwarden) lets you use a 30-character random password for every account without remembering any of them.

Limit admin access. Only people who need admin access should have it. Give content editors editor-level access, not admin.

Install a security plugin. For WordPress: Wordfence, Sucuri, or Solid Security. They add another layer that monitors your application specifically.

Remove unused plugins and themes. Even deactivated plugins are still files on your server that can be exploited. If you are not using it, delete it.

Restrict file permissions. Most files should be 644, directories 755. wp-config.php should be 600 or 640. Your hosting provider sets sensible defaults, but check after any major change.
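To check a site against the permission baseline above, the following read-only audit lists every entry that deviates from it. It is an added example, not HostVogo tooling; the function names and the sample tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Audit a site directory against the baseline in the text:
#   directories 755, files 644, wp-config.php 600 or 640.
# Read-only: it reports deviations and changes nothing.

audit_perms() {
    root=${1:-.}
    # World-writable entries are the most urgent finding, so list them first.
    find "$root" \( -type f -o -type d \) -perm -002 \
        -exec sh -c 'for p; do echo "WORLD-WRITABLE $p"; done' sh {} +
    # wp-config.php holds database credentials: only 600 or 640 pass.
    find "$root" -type f -name wp-config.php ! -perm 600 ! -perm 640 \
        -exec sh -c 'for p; do echo "CONFIG $p (want 600 or 640)"; done' sh {} +
    # Every other regular file.
    find "$root" -type f ! -name wp-config.php ! -perm 644 \
        -exec sh -c 'for p; do echo "FILE $p (want 644)"; done' sh {} +
    find "$root" -type d ! -perm 755 \
        -exec sh -c 'for p; do echo "DIR $p (want 755)"; done' sh {} +
}

# Constructed sample tree (not a real site) with three deliberate deviations.
make_sample_site() {
    site=$(mktemp -d) || return 1
    mkdir -p "$site/wp-content/uploads"
    : > "$site/index.php"
    : > "$site/wp-config.php"
    : > "$site/wp-content/uploads/logo.png"
    chmod 755 "$site" "$site/wp-content"
    chmod 777 "$site/wp-content/uploads"           # deviation: world-writable directory
    chmod 644 "$site/index.php"
    chmod 644 "$site/wp-config.php"                # deviation: config readable by everyone
    chmod 664 "$site/wp-content/uploads/logo.png"  # deviation: group-writable file
    echo "$site"
}

site=$(make_sample_site) && audit_perms "$site"
rm -rf "$site"
```

On a real account, call `audit_perms` with the site's document root. Since the text says "most" files should be 644, treat FILE lines as items to review rather than automatic errors.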

What happens if your site gets hacked

Despite every precaution, breaches happen. Here is our process:

  1. Detection. Imunify360 detects malicious files or we get a report.
  2. Notification. You receive an email and a notice in your client area.
  3. Isolation (if severe). If the breach poses risk to other accounts, we may temporarily restrict outbound mail or specific functions.
  4. Cleanup. Imunify360 attempts automatic cleanup. Our support team helps with anything it cannot handle.
  5. Restoration. If needed, we restore from a clean backup, then walk through what to update to prevent recurrence.
  6. Post-incident review. We help you understand how the breach happened — usually an outdated plugin, a weak password, or a compromised admin account — and how to prevent it.

We do not charge for malware cleanup on Pro and Turbo plans. Backups, restoration, and our support team are included.

The honest reality

No host can promise 100% security. Anyone who does is lying. What we can promise is multiple independent layers of protection, fast detection when something does go wrong, and a support team that helps you recover.

Combined with reasonable security hygiene on your end, this puts you in a much better position than the majority of websites on the internet.

Want hosting with security taken seriously?

HostVogo's Pro and Turbo plans include Imunify360, daily backups, free SSL, DDoS protection, and 24/7 monitoring. From $2.10/month with 30-day money-back guarantee.
