WordPress on Shared Hosting: Security Risks UK Businesses Need to Understand

By WebAdish

Shared hosting is where most UK small business WordPress sites start. The pricing is accessible, the setup is straightforward, and the security model is widely misunderstood. What shared hosting actually means for your risk profile — and what it does not — is worth understanding before an incident makes it concrete.

Key Takeaways
  • Running several WordPress sites under one shared hosting account means they share one system user: compromise of one usually spreads to all of them
  • Server-level malware scanning from hosting providers misses database injections, obfuscated code, and application-layer attacks
  • FTP credential theft is among the most common shared hosting entry points and is entirely preventable
  • UK businesses processing customer data on shared hosting carry the same GDPR obligations as those on dedicated infrastructure

What "shared hosting" actually means technically

On a shared hosting server, dozens to hundreds of customer accounts run on the same physical machine. The operating system, web server (Apache or Nginx), and PHP runtime are shared infrastructure. Your hosting provider manages all of it — you manage your files and databases through a control panel, typically cPanel.

Within a well-configured shared hosting environment, customer accounts should be isolated from one another using process isolation techniques: suEXEC or suPHP for CGI-style PHP, or PHP-FPM with a separate pool per account, ensures that PHP runs as your account's user rather than as the shared web server user (nobody, www-data or similar). This matters because it limits the ability of a compromised neighbouring account to read or write your files. It only holds if your own permissions cooperate: a wp-config.php left world-readable can still be read by any process on the box, whichever user it runs as.

The isolation is real but not absolute. Its quality varies significantly between hosting providers and between hosting tiers. Budget shared hosting — plans under £5–10 per month — often uses older, less isolated configurations. Mid-tier and business shared hosting from established UK providers typically has better account isolation. Asking your provider directly whether they use PHP-FPM with per-user pools is a reasonable technical question with a clear answer.

The intra-account risk: your own sites infecting each other

The more common and more immediate shared hosting risk is not between neighbouring customer accounts — it is within your own account. Many UK small businesses and agencies run multiple WordPress installations under a single hosting account: a main site, a staging environment, a client site, an old project that was never decommissioned.

Within a single cPanel account, all sites run under the same system user, and that user owns every file in the account. PHP code executing in one site's directory can therefore read and write every other site in the account, including each wp-config.php and the database credentials inside it. Malware that enters through a vulnerable plugin on one site will frequently propagate automatically to every other WordPress installation it can reach, which on a single-account setup means all of them.

This is not a theoretical risk. It is the standard pattern in shared hosting compromises. A site that was deactivated two years ago and forgotten about runs an outdated, unpatched WordPress installation. Automated scanners find the vulnerability, plant malware, and within hours the infection has spread to the active business site in the same account. The active site shows symptoms; the forgotten site was the entry point.
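The first step against the forgotten-site pattern is knowing what is actually in the account. The script below is an added example, not code from the original article: it walks a hosting account's home directory, lists every WordPress core it finds by reading wp-includes/version.php, and flags the ones older than the version you expect to be running. It assumes a cPanel-style layout where all sites live under one directory tree, that paths contain no spaces, and that each install still has its version.php; the three-site account it builds under a temporary directory is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): inventory every WordPress
# install under a hosting account and flag the ones running old core versions,
# so a forgotten site is found before it becomes the entry point.
# Assumptions: all sites live under one directory tree (a cPanel home), paths
# contain no spaces, and each install still has wp-includes/version.php.

# Print "<install dir> <core version>" for every install under $1.
list_wp_installs() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r verfile; do
        site_dir=$(dirname "$(dirname "$verfile")")
        # version.php holds a line like:  $wp_version = '6.5.2';
        version=$(sed -n "s/^[[:space:]]*[\$]wp_version *= *'\([^']*\)'.*/\1/p" "$verfile" | head -n 1)
        printf '%s %s\n' "$site_dir" "${version:-unknown}"
    done | sort
}

# Succeed (exit 0) when dotted version $1 is strictly lower than $2.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Print the installs under $1 whose core is older than $2 (or unreadable).
outdated_installs() {
    list_wp_installs "$1" | while read -r dir ver; do
        if [ "$ver" = unknown ] || version_lt "$ver" "$2"; then
            printf '%s %s\n' "$dir" "$ver"
        fi
    done
}

# Constructed demo account: a live site, its staging copy nested inside
# public_html, and an old client site nobody decommissioned.
write_fake_install() {
    mkdir -p "$1/wp-includes"
    cat > "$1/wp-includes/version.php" <<EOF
<?php
\$wp_version = '$2';
EOF
}

# Build the demo tree in a temp directory and print its path.
make_demo_account() {
    home=$(mktemp -d)
    write_fake_install "$home/public_html"          6.5.2
    write_fake_install "$home/public_html/staging"  6.5.2
    write_fake_install "$home/old-client.example"   5.8.1
    printf '%s\n' "$home"
}

demo_home=$(make_demo_account)
echo "All installs:";      list_wp_installs "$demo_home"
echo "Older than 6.5.2:";  outdated_installs "$demo_home" 6.5.2
rm -rf "$demo_home"
```

Run it against the real home directory (`list_wp_installs "$HOME"`) over SSH or from cPanel's terminal. Anything it lists that you did not know was there, or that it reports as unknown because version.php is missing or rewritten, is the site to look at first.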

How the hosting provider's security actually works

UK shared hosting providers typically market several security features. Understanding what each one does — and does not — prevents the common mistake of assuming the hosting provider's security covers the WordPress application.

Server-level malware scanning

Tools like Imunify360 and ClamAV scan files in your hosting account for known malware signatures. They identify files that match patterns in their database and flag or quarantine them. What they miss: obfuscated or custom-encoded malware that does not match known signatures, malware injected into your WordPress database rather than into files, and backdoors hidden in non-standard locations. Server-level scanning is useful reactive tooling, not a comprehensive protection layer.

ModSecurity WAF

ModSecurity is a web application firewall module that runs at the web server level. It applies rules to incoming HTTP requests and can block common attack patterns before they reach PHP. Most UK shared hosts include it. Its limitations: it operates on request patterns, not on your specific WordPress configuration. Rules are generic rather than tuned to your plugin stack. It does not monitor files already on your server or catch attacks that arrive through legitimate-seeming requests — such as a compromised form handler or an authenticated request from a compromised admin account.

Daily backups

Most shared hosting plans include automated daily backups stored on the same infrastructure. Backups stored on the same server as your site are not recovery-grade backups: a hosting account suspension, a ransomware event affecting the hosting infrastructure, or a billing dispute can make both your site and your backup inaccessible simultaneously. Retention matters too: if the host keeps a week of daily backups and the compromise is older than that, every restore point is already infected. Offsite backups to independent storage (a separate cloud account you control) are a separate requirement from whatever your hosting provider offers.

The FTP credential problem

FTP credential theft is one of the most common entry points for shared hosting compromises of UK small business sites. FTP credentials, the username and password used to upload files to your hosting account, are frequently saved in FTP client software on developer or agency machines; FileZilla, for example, stores saved site passwords base64-encoded in its sitemanager.xml by default, which is encoding rather than protection. When those machines are compromised through unrelated attacks (phishing, malware), stored FTP credentials are among the first things extracted.

The attacker does not need to find a WordPress vulnerability. They log into your hosting account with valid FTP credentials and upload or modify files directly. There is no brute force, no plugin exploit, no failed login attempt — just a successful FTP connection that looks identical to a legitimate one.

Mitigation: use SFTP rather than FTP (the connection is encrypted, so credentials cannot be read off the wire), do not save credentials in FTP clients, use SSH keys rather than passwords where your hosting supports it, restrict SFTP access by IP address if your hosting panel allows it, and rotate the account's credentials as soon as any machine that held them is suspected compromised. These are hosting-level controls that WordPress plugins cannot address.
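A quick way to check the "do not save credentials in FTP clients" point on a developer machine is to read the client's own site list. The following is an added example, not code from the original article: it parses a FileZilla sitemanager.xml and reports, for each saved site, whether it uses plain FTP and whether a password is stored alongside it. It assumes FileZilla's layout of one <Server> element per site containing <Host>, <Protocol> and, when a password is saved, a <Pass> element, and that protocol code 0 means FTP and 1 means SFTP (other codes are reported numerically). The sitemanager.xml it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): report every site saved in a
# FileZilla site manager file, whether it uses plain FTP, and whether a
# password is stored with it.
# Assumptions: FileZilla's <Server> layout with <Host>, <Protocol> and, when a
# password is saved, a <Pass> element; protocol code 0 = FTP and 1 = SFTP
# (other codes are reported as protocol-N). The sample file is constructed.

# Print "<host> <protocol label> stored_password=yes|no" per saved site in $1.
audit_filezilla_sites() {
    awk '
        /<Server>/   { host = ""; proto = ""; pass = "no" }
        /<Host>/     { host = $0;  sub(/.*<Host>/, "", host);      sub(/<\/Host>.*/, "", host) }
        /<Protocol>/ { proto = $0; sub(/.*<Protocol>/, "", proto); sub(/<\/Protocol>.*/, "", proto) }
        /<Pass[ >]/  { pass = "yes" }
        /<\/Server>/ {
            if (proto == "0")      label = "ftp-plaintext"
            else if (proto == "1") label = "sftp"
            else                   label = "protocol-" proto
            printf "%s %s stored_password=%s\n", host, label, pass
        }
    ' "$1"
}

# Count saved sites that are both plain FTP and carry a stored password:
# exactly the combination harvested from a compromised developer machine.
count_plaintext_with_password() {
    audit_filezilla_sites "$1" | grep -c 'ftp-plaintext stored_password=yes' || true
}

# Constructed sitemanager.xml: one plain-FTP site with a saved password, one
# SFTP site with a saved password, one SFTP site using a key file.
make_sample_sitemanager() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="*nix">
  <Servers>
    <Server>
      <Host>ftp.acme-example.co.uk</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>acmeftp</User>
      <Pass encoding="base64">Y29ycmVjdC1ob3JzZQ==</Pass>
      <Logontype>1</Logontype>
      <Name>Acme live (cPanel)</Name>
    </Server>
    <Server>
      <Host>sftp.acme-example.co.uk</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>acmeftp</User>
      <Pass encoding="base64">Y29ycmVjdC1ob3JzZQ==</Pass>
      <Logontype>1</Logontype>
      <Name>Acme staging</Name>
    </Server>
    <Server>
      <Host>vps.agency-example.co.uk</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Logontype>5</Logontype>
      <Keyfile>/home/dev/.ssh/id_ed25519</Keyfile>
      <Name>Agency VPS (key auth)</Name>
    </Server>
  </Servers>
</FileZilla3>
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_sitemanager)
audit_filezilla_sites "$sample"
echo "plain FTP sites with a stored password: $(count_plaintext_with_password "$sample")"
rm -f "$sample"
```

On a real machine point it at ~/.config/filezilla/sitemanager.xml (Linux) or the equivalent FileZilla profile directory. Every ftp-plaintext line is a site that should be moved to SFTP, and every stored_password=yes line is a credential that leaves with the machine if it is ever compromised.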

What shared hosting does not protect against

To be specific about the gap your hosting provider's security does not fill:

  • Plugin and theme vulnerabilities — the application running in your account is your responsibility, not your hosting provider's. Outdated plugins with known CVEs are the most common WordPress attack vector and are entirely outside hosting-level security.
  • Compromised admin credentials — if an attacker gains WordPress admin access through brute force, credential stuffing, or phishing, that is an application-layer event. Your hosting provider's server security does not see or prevent it.
  • Database-level malware — JavaScript injected into your WordPress database (post content, widget settings, the options table) is not in a file and is not visible to server-level file scanning. It renders in visitors' browsers as though it were legitimate page content.
  • Google Safe Browsing blacklisting — if your site serves malware to visitors, Google blacklists it. That is your domain's problem, not your hosting provider's server. The hosting provider did not fail; your application security did.

GDPR and shared hosting: the compliance dimension

UK businesses processing personal data have the same GDPR obligations regardless of their hosting arrangement. A WooCommerce store on shared hosting holds the same customer names, addresses, and order records as one on a dedicated server. A breach that exposes that data carries the same obligation to notify the ICO within 72 hours where the breach is likely to result in a risk to individuals, and the same potential for enforcement action.

Shared hosting is not a compliance exemption. "We were on shared hosting" is not a defence to the ICO. The legal obligation to implement appropriate technical measures applies to the data controller — the business — regardless of the infrastructure it runs on. What "appropriate" means in practice depends on the nature and volume of data processed, but for any site handling customer personal data beyond basic contact forms, the hosting security model is part of the technical measures assessment.

When to move beyond shared hosting

Shared hosting is appropriate when the consequence of a breach is limited and manageable. For most UK small business brochure sites and content blogs, that assessment is reasonable. The calculus changes when:

  • The site processes payments or holds payment card data
  • The site holds significant volumes of customer personal data (member databases, patient records, client files)
  • The site directly generates revenue and downtime has immediate financial impact
  • A security incident would carry regulatory notification obligations under UK GDPR or sector-specific rules
  • Multiple WordPress sites are consolidated under one hosting account, increasing lateral spread risk

Entry-level VPS hosting — where each account runs in an isolated virtual machine with dedicated resources — starts from £10–20 per month from UK providers. The isolation benefit is material. Managed WordPress cloud hosting from providers like Kinsta, WP Engine, or Cloudways adds application-layer security controls on top of infrastructure isolation. The question for a UK business is whether the additional cost of better-isolated hosting is proportionate to the risk and the potential consequence of a breach on shared infrastructure.

If you are assessing your current setup or have concerns about a shared hosting compromise, our WordPress security audit covers hosting configuration, account structure, credential hygiene, and application-layer controls as part of a complete risk review.

Related Recovery Resources

If this article is part of an active incident, use these core pages next.

  • Hacked Website Recovery UK
  • WordPress Malware Removal
  • Why Sites Keep Getting Hacked

Need Help With WordPress Security?

Get a professional security audit or speak to our team about protecting your WordPress site.
