{"id":39031,"date":"2025-09-15T12:27:45","date_gmt":"2025-09-15T10:27:45","guid":{"rendered":"https:\/\/tremhost.com\/blog\/?p=39031"},"modified":"2025-09-15T12:34:36","modified_gmt":"2025-09-15T10:34:36","slug":"security-stack-for-reseller-hosting-backups-waf-malware-protection","status":"publish","type":"post","link":"https:\/\/tremhost.com\/blog\/security-stack-for-reseller-hosting-backups-waf-malware-protection\/","title":{"rendered":"Security Stack for Reseller Hosting: Backups, WAF, Malware Protection"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><h1>Security Stack for Reseller Hosting: Backups, WAF, Malware Protection<\/h1>\n<p>A resilient reseller hosting stack starts with <strong>daily + on-demand backups<\/strong>, a <strong>WAF with current rules<\/strong>, and <strong>automated malware detection\/removal<\/strong>\u2014all enforced per-account with <strong>CloudLinux\/CageFS<\/strong> isolation, <strong>2FA<\/strong>, and <strong>email authentication (SPF\/DKIM\/DMARC)<\/strong>. Test restores monthly, keep PHP patched, rate-limit mail, and monitor logs so you catch issues before clients do.<\/p>\n<blockquote><p>Helpful plug: <strong>Tremhost<\/strong> ships the basics by default\u2014CloudLinux, LiteSpeed, AutoSSL, daily backups, and white-label DNS\u2014so you can focus on clients, not firefighting. Explore <strong><a href=\"https:\/\/tremhost.com\/reseller.html\">Reseller Hosting<\/a><\/strong> and stack details on <strong><a href=\"https:\/\/tremhost.com\/cloudlinux.html\">CloudLinux<\/a><\/strong> and <strong><a href=\"https:\/\/tremhost.com\/litespeed.html\">LiteSpeed<\/a><\/strong>.<\/p><\/blockquote>\n<h2>Why security is different for resellers (multi-tenant reality)<\/h2>\n<p>Reseller environments are <strong>multi-tenant<\/strong>. One weak site can endanger neighbors, email reputation, or the node\u2019s performance. 
Your goal isn\u2019t \u201cperfect security,\u201d it\u2019s <strong>blast-radius reduction<\/strong> and <strong>fast recovery<\/strong>.<\/p>\n<p><strong>Principles to run by:<\/strong><\/p>\n<ul>\n<li><strong>Isolate<\/strong> each cPanel account (CageFS, per-account limits).<\/li>\n<li><strong>Prevent<\/strong> the common stuff (WAF, AutoSSL, least privilege).<\/li>\n<li><strong>Detect<\/strong> continuously (malware scans, integrity checks, login anomaly alerts).<\/li>\n<li><strong>Recover<\/strong> quickly (tested backups, clear RTO\/RPO targets).<\/li>\n<\/ul>\n<h2>Non-negotiable baseline (what every reseller stack should include)<\/h2>\n<ul>\n<li><strong>CloudLinux + CageFS<\/strong> for per-account isolation and fair use.<\/li>\n<li><strong>LiteSpeed + LSCache<\/strong> (or equivalent) for performance + request throttling.<\/li>\n<li><strong>AutoSSL<\/strong> for all domains (no mixed-content foot-guns).<\/li>\n<li><strong>WAF with current rules<\/strong> (mod_security rules kept fresh).<\/li>\n<li><strong>Daily backups + on-demand restore points<\/strong> with separate retention.<\/li>\n<li><strong>Automated malware scanner<\/strong> (e.g., Imunify), quarantine + 1-click cleanups.<\/li>\n<li><strong>2FA<\/strong> for WHM\/cPanel\/WHMCS logins.<\/li>\n<li><strong>Email authentication<\/strong> (SPF\/DKIM\/DMARC) and <strong>rDNS<\/strong> on outbound IPs.<\/li>\n<li><strong>Uptime + log monitoring<\/strong> with notifications to your ops chat.<\/li>\n<\/ul>\n<blockquote><p>With Tremhost, most of the above is pre-wired so you\u2019re not assembling it from scratch.<\/p><\/blockquote>\n<h2>Backups that actually save you (RPO\/RTO done right)<\/h2>\n<p>Backups are not a checkbox. 
They\u2019re a <strong>contract<\/strong> with your future self.<\/p>\n<p><strong>Design targets:<\/strong><\/p>\n<ul>\n<li><strong>RPO (max data loss):<\/strong> 24h or better (daily + on-demand points).<\/li>\n<li><strong>RTO (time to restore):<\/strong> &lt;60 minutes for a single site, &lt;6 hours for a multi-site incident.<\/li>\n<\/ul>\n<p><strong>Implementation checklist<\/strong><\/p>\n<ul class=\"contains-task-list\">\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> <strong>Schedule<\/strong>: daily full + hourly\/user-initiated snapshots for high-change sites.<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> <strong>Retention<\/strong>: 7\u201314 daily + 2\u20134 weekly + 1\u20133 monthly (depends on storage).<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> <strong>Scope<\/strong>: files + DBs + email + DNS zones.<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> <strong>Isolation<\/strong>: backups stored on separate storage; restore doesn\u2019t overwrite originals by default.<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> <strong>Testing<\/strong>: monthly <strong>restore test<\/strong>\u2014a random file and a DB table.<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> <strong>Self-service<\/strong>: clients can restore without a ticket (cuts MTTR and support load).<\/li>\n<\/ul>\n<p><strong>Pro tip:<\/strong> Document a one-page \u201crestore runbook\u201d for you\/your team with exact steps and screenshots.<\/p>\n<h2>WAF &amp; request filtering (block bad traffic, not users)<\/h2>\n<p>A WAF reduces noise before PHP ever runs.<\/p>\n<ul>\n<li><strong>Rulesets<\/strong>: keep mod_security rules current; enable CMS-specific rules (WordPress, WooCommerce).<\/li>\n<li><strong>Bot control<\/strong>: throttle known bad bots, rate-limit 
login endpoints (<code>\/wp-login.php<\/code>, <code>\/xmlrpc.php<\/code>).<\/li>\n<li><strong>Virtual patching<\/strong>: deploy rules that mitigate new CVEs while clients update plugins.<\/li>\n<li><strong>False positives<\/strong>: create a painless process to exempt a path in minutes (ticket \u2192 rule tweak \u2192 retest).<\/li>\n<\/ul>\n<p><strong>Quick wins (WordPress):<\/strong><\/p>\n<ul>\n<li>Limit or disable XML-RPC unless needed.<\/li>\n<li>Use LSCache\u2019s built-in protections and login rate limits.<\/li>\n<li>Deny PHP execution in <code>\/uploads<\/code> except where explicitly required.<\/li>\n<\/ul>\n<h2>Malware protection (detect, clean, prevent reinfection)<\/h2>\n<p><strong>Automated scanning &amp; cleanup<\/strong> is table stakes. Your playbook:<\/p>\n<ol>\n<li><strong>Detect<\/strong>: daily scans + on-access scanning; hash comparisons for core files.<\/li>\n<li><strong>Quarantine<\/strong>: isolate malware; notify the account owner automatically.<\/li>\n<li><strong>Clean<\/strong>: one-click cleanup or guided manual fix; replace tampered core files.<\/li>\n<li><strong>Harden<\/strong>: lock file permissions, remove unused plugins\/themes, enforce strong passwords, and turn on 2FA.<\/li>\n<\/ol>\n<p><strong>Reinfection prevention:<\/strong><\/p>\n<ul>\n<li>Force updates of CMS core\/plugins\/themes.<\/li>\n<li>Block dangerous functions or webshell signatures at the WAF level.<\/li>\n<li>Educate clients: no nulled themes, ever.<\/li>\n<\/ul>\n<h2>Email security (where most client pain starts)<\/h2>\n<ul>\n<li><strong>SPF\/DKIM\/DMARC<\/strong> by default in your zone templates.<\/li>\n<li><strong>rDNS<\/strong> must match the outbound hostname; check it after every IP change.<\/li>\n<li><strong>Rate limits<\/strong> per account; alert on spikes.<\/li>\n<li><strong>Outbound malware\/attachment scanning<\/strong> to protect IP reputation.<\/li>\n<li><strong>Transactional email path<\/strong> for stores\/newsletters (don\u2019t bulk mail from 
cPanel).<\/li>\n<li><strong>Monitoring<\/strong>: aggregate DMARC reports to catch spoofing attempts.<\/li>\n<\/ul>\n<h2>Access hardening (close the front door properly)<\/h2>\n<ul>\n<li><strong>2FA<\/strong> on WHM\/cPanel\/WHMCS and your registrar.<\/li>\n<li><strong>SSH<\/strong>: key-only, non-standard port, IP allowlisting for admin access.<\/li>\n<li><strong>Principle of least privilege<\/strong>: no root unless necessary; use WHM reseller scopes for staff.<\/li>\n<li><strong>Password policy<\/strong>: enforced strength + rotation for privileged users.<\/li>\n<li><strong>Session timeouts<\/strong> and <strong>login anomaly alerts<\/strong> (geo\/time heuristics).<\/li>\n<li><strong>Audit trails<\/strong>: enable cPanel\/WHM action logs; archive for 90\u2013180 days.<\/li>\n<\/ul>\n<h2>Patch &amp; version strategy (safely modern)<\/h2>\n<ul>\n<li>Track <strong>LTS PHP<\/strong> versions; phase out EOL versions with clear deadlines.<\/li>\n<li>Automate <strong>kernel and package updates<\/strong>; apply emergency patches quickly.<\/li>\n<li>Maintain a <strong>compatibility matrix<\/strong> (PHP \u00d7 popular plugins) so upgrades don\u2019t break client sites.<\/li>\n<li>Staging option in the Business\/Pro plans for <strong>safe updates<\/strong>.<\/li>\n<\/ul>\n<h2>DDoS &amp; abuse (protect the neighborhood)<\/h2>\n<ul>\n<li><strong>Edge protection<\/strong>: CDN\/WAF (e.g., Cloudflare) for targeted sites; keep origin IPs private.<\/li>\n<li><strong>Rate-limit<\/strong> abusive clients; isolate spikes via per-account CPU\/IO limits (CloudLinux).<\/li>\n<li><strong>Outbound abuse<\/strong>: alert on mass mailing, spam traps, or compromised forms; auto-disable offenders with a human review.<\/li>\n<\/ul>\n<h2>Incident response (what to do on a bad day)<\/h2>\n<ol>\n<li><strong>Detect<\/strong>: an alert fires (uptime, log anomaly, DMARC fail, CPU spike).<\/li>\n<li><strong>Triage<\/strong>: identify affected accounts; pause AutoSSL if cert 
loops.<\/li>\n<li><strong>Contain<\/strong>: suspend compromised accounts or block specific endpoints.<\/li>\n<li><strong>Communicate<\/strong>: status page update + targeted client emails (plain, factual).<\/li>\n<li><strong>Eradicate<\/strong>: malware cleanup, patching, password rotation, rule updates.<\/li>\n<li><strong>Recover<\/strong>: restore from the freshest clean backup; validate.<\/li>\n<li><strong>Post-mortem<\/strong>: 5-why, add WAF rules or policy changes, update KB.<\/li>\n<\/ol>\n<p>Keep templated emails for <strong>\u201cHeads-up,\u201d \u201cIn progress,\u201d and \u201cResolved\u201d<\/strong> with timestamps.<\/p>\n<h2>What to put in each plan (security edition)<\/h2>\n<p><strong>Starter (baseline security)<\/strong><\/p>\n<ul>\n<li>AutoSSL, daily backups (7-day retention), WAF rules, malware scanning, email auth configured.<\/li>\n<\/ul>\n<p><strong>Business (safety &amp; speed)<\/strong><\/p>\n<ul>\n<li>All Starter + on-demand restore points, staging, priority WAF rules, monthly update report.<\/li>\n<\/ul>\n<p><strong>Pro\/Commerce (high-risk workloads)<\/strong><\/p>\n<ul>\n<li>All Business + extended backup retention, dedicated IP (optional), advanced bot mitigation, transactional email route, monthly security report and deliverability audit.<\/li>\n<\/ul>\n<p>Make these inclusions explicit on your pricing page to justify the ladder.<\/p>\n<h2>Monthly security ops checklist (copy\/paste)<\/h2>\n<ul class=\"contains-task-list\">\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Review backup <strong>restore tests<\/strong> (file + DB table).<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Rotate <strong>WHM\/cPanel API tokens<\/strong> for automation\/billing.<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Patch <strong>PHP<\/strong> &amp; system packages; remove EOL versions.<\/li>\n<li class=\"task-list-item\"><input 
disabled=\"disabled\" type=\"checkbox\" \/> Audit <strong>WAF exceptions<\/strong>; close temporary allow rules.<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Review <strong>DMARC<\/strong> aggregates; fix spoofing sources.<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Scan for <strong>large mailboxes<\/strong> and warn before quota pain.<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Sample <strong>logins<\/strong> for anomalies; enforce 2FA where missing.<\/li>\n<li class=\"task-list-item\"><input disabled=\"disabled\" type=\"checkbox\" \/> Update your <strong>status page<\/strong> with recent maintenance notes.<\/li>\n<\/ul>\n<h2>How Tremhost fits<\/h2>\n<p>If you want to start with a sane default stack\u2014<strong>CloudLinux isolation, LiteSpeed performance, AutoSSL, daily backups, white-label DNS<\/strong>, and <strong>free cPanel migrations<\/strong>\u2014<strong><a href=\"https:\/\/tremhost.com\/reseller.html\">Tremhost Reseller Hosting<\/a><\/strong> gives you the base so you can add your agency\u2019s processes and SLAs on top.<\/p>\n<h2>FAQs (People Also Ask)<\/h2>\n<p><strong>Do daily backups guarantee recovery?<\/strong><br \/>\nOnly if you <strong>test restores<\/strong>. Schedule monthly restore drills and keep multiple restore points.<\/p>\n<p><strong>Is a WAF enough to stop hacks?<\/strong><br \/>\nNo WAF is perfect, but it blocks the majority of exploit traffic and buys you time to patch. Pair it with malware scanning and fast updates.<\/p>\n<p><strong>Can I promise zero downtime during security incidents?<\/strong><br \/>\nPromise <strong>fast recovery<\/strong>, not zero downtime. Define RTO\/RPO in your SLA and meet them.<\/p>\n<p><strong>Do I need a dedicated IP for email?<\/strong><br \/>\nNot always. Start with solid rDNS and authentication. 
For stores\/newsletters or strict B2B inboxes, a dedicated IP or transactional service helps.<\/p>\n<p>Want a stack that bakes in isolation, backups, and speed so your team can focus on prevention and recovery\u2014rather than constant cleanup? Start here: <strong><a href=\"https:\/\/tremhost.com\/reseller.html\">tremhost.com\/reseller.html<\/a><\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security Stack for Reseller Hosting: Backups, WAF, Malware Protection A resilient reseller hosting stack starts with daily + on-demand backups, a WAF with current rules, and automated malware detection\/removal\u2014all enforced per-account with CloudLinux\/CageFS isolation, 2FA, and email authentication (SPF\/DKIM\/DMARC). Test restores monthly, keep PHP patched, rate-limit mail, and monitor logs so you catch issues before [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":39032,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"tdm_status":"","tdm_grid_status":"","footnotes":""},"categories":[163],"tags":[],"class_list":{"0":"post-39031","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-hosting"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts\/39031","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/comments?post=39031"}],"version-history":[{"count":3,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/posts\/39031\/revisions"}],"predecessor-version":[{"id":39036,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp
\/v2\/posts\/39031\/revisions\/39036"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/media\/39032"}],"wp:attachment":[{"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/media?parent=39031"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/categories?post=39031"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tremhost.com\/blog\/wp-json\/wp\/v2\/tags?post=39031"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}