How to secure WordPress on a Linux VPS


WordPress is by far the most popular tool for creating original websites and blogs. In fact, more than 60 million people use WordPress to run their websites or blogs. Because of its popularity, WordPress is a common target of different types of attacks. Hackers will try to exploit any WordPress weakness in order to steal important user information, install malicious software and so on, which is why it is important to secure the WordPress installation on your Linux VPS.

First of all, it is very important to keep your WordPress core, themes and plugins up to date. Updating WordPress takes only a few moments, but it is essential for the security of your website or blog. Many hackers exploit outdated versions of WordPress, themes or plugins, so make sure that you keep them up to date. Updating WordPress is really easy. All you need to do is log in to your WordPress back-end, navigate to Dashboard > Updates and click on the ‘Update now’ button. You can find more WordPress updating options at:

https://codex.wordpress.org/Updating_WordPress

Next, make sure that you are using a username other than ‘admin’. Millions of people use ‘admin’ as their username, and that is why this username is the most common in brute-force attacks. When it comes to logging into WordPress, your username isn’t the only thing you need to take care of. You also need to make sure that you are using a strong password. Strong passwords include numbers, capital letters, lower-case letters and symbols. To generate a strong password you can use the Norton password generator, available at:

https://identitysafe.norton.com/password-generator/

Keeping complete backups of your WordPress installation is another thing you need to take care of. All our Linux VPS hosting plans include a free weekly backup, but if you would like more frequent backups you can contact our support for more information. You can also use a WordPress plugin to schedule automatic WordPress backups. The plugins you can try are BackUpWordPress or BackWPup.

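To improve the security of your WordPress installation you need to keep your WordPress admin area protected. You can do that by putting the following code in your .htaccess file, which returns a 403 response for requests to wp-login.php and wp-admin from any IP address other than the one listed: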

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

Please do not forget to replace 111\.111\.111\.111 with your own IP address. Otherwise, you will lock yourself out and will not be able to access your WordPress admin panel.

You can also use .htaccess to prevent directory browsing by adding the following piece of code:

# Turn off directory listings. Apache 2.4 rejects a bare option such as All mixed with +/- options.
Options -Indexes

To add another layer of protection to your WordPress files make sure that your wp-includes directory is secure. Therefore, add the following lines in your .htaccess file somewhere outside the ‘# BEGIN WordPress’ and ‘# END WordPress’ tags:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

You can consider securing your wp-config.php file too. Put the following code in your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

WordPress security can be hardened further by using a security plugin such as WordFence. It is one of the best currently available and it will be a great addition to your WordPress installation.

Additionally, do not forget to check your log files regularly for other possible suspicious activities.
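
One way to carry out this log check, as an added example that is not part of the original post: the script reads an Apache access log in the combined format and reports IP addresses that repeatedly POST to wp-login.php, plus addresses that received a 403 on the files protected by the .htaccess rules above. The sample log lines, the threshold of 3 and the function name `review` are assumptions made for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths that the .htaccess rules in this article answer with 403.
BLOCKED_RE = re.compile(
    r'^/(?:wp-config\.php$|wp-admin/includes/|wp-includes/[^/]+\.php$'
    r'|wp-includes/theme-compat/|wp-includes/js/tinymce/langs/.+\.php)'
)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:10:05:10 +0000] "GET /wp-config.php HTTP/1.1" 403 210 "-" "curl/7.38"
198.51.100.23 - - [10/Mar/2015:10:05:11 +0000] "GET /wp-includes/version.php HTTP/1.1" 403 210 "-" "curl/7.38"
192.0.2.10 - - [10/Mar/2015:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2015:11:00:01 +0000] "GET /wp-includes/js/jquery/jquery.js?ver=1.11.1 HTTP/1.1" 200 9 "-" "Mozilla/5.0"
this line is not in combined format
"""

def review(log_text, login_threshold=3):
    """Return (brute_force, probes) as dicts mapping client IP to hit count."""
    logins, probes = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if m["method"] == "POST" and path.endswith("/wp-login.php"):
            logins[m["ip"]] += 1  # login attempt, whatever the response was
        elif m["status"] == "403" and BLOCKED_RE.match(path):
            probes[m["ip"]] += 1  # request stopped by one of the rules
    brute = {ip: n for ip, n in logins.items() if n >= login_threshold}
    return brute, dict(probes)

if __name__ == "__main__":
    brute_force, probes = review(SAMPLE_LOG)
    print("repeated wp-login.php POSTs:", brute_force)
    print("403s on protected files:", probes)
```

To use it on a real server, pass the contents of your own access log to `review()`; where that log lives depends on your Apache configuration.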

These are just a few security hardening tips for WordPress. You can find other tips for hardening your WordPress installation at:

http://codex.wordpress.org/Hardening_WordPress

Of course you don’t have to do any of this if you use one of our Linux VPS hosting services, in which case you can simply ask our expert Linux admins to secure your WordPress for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

  • eunicemadeline

    Thanks for sharing this post!!! WordPress Securing is made at the simplest!!


  • Bilqees Kenchi

    Hello, friend, my question is: please tell how to secure a WordPress blog/site from hackers? Is this the responsibility of hosting providers or myself? Kindly tell some plugins for WordPress.


    • admin

      The security of your WordPress installation can be hardened by using some security plugin like WordFence security.
      Thanks