How to secure WordPress on a Linux VPS

wordpress-logoWordPress is by far the most popular tool for creating original websites and blogs. In fact, more than 60 million people use WordPress to run their websites or blogs. Having in mind its popularity, WordPress is a common target of different types of attacks. Hackers will try to exploit any WordPress weakness in order to steal important user information, install malicious software etc. and that is why it is important to secure the WordPress installation on your Linux VPS.

First of all, it is very important to keep your WordPress core, themes, and plugins up to date. Updating WordPress takes only a few moments but it is essential for the security of your website or blog. Many hackers exploit outdated versions of WordPress, and outdated versions of themes or plugins, so make sure that you keep them up to date. Updating WordPress is really easy. All you need to do is to log in to your WordPress backend, navigate to Dashboard > Updates and click on the ‘Update now’ button. More WordPress updating options you can find at WordPress Codex Update Section.

Next, make sure that you are using a different username than ‘admin’. Millions of people use ‘admin’ as username and that is why this username is the most common in brute-force attacks. When it comes to logging into WordPress, your username isn’t the only thing you need to take care of. You need to make sure that you are using a strong password. Strong passwords includes numbers, capital letters, lower-case letters and symbols. To generate a strong password you can use the Norton Identity Safe Password Generator.

Keeping complete backups of your WordPress installation is another thing you need to take care of. All our Linux VPS hosting plans include free weekly backup, but if you like to get more frequent backups you can contact our support for more information. Also, you can use some of the WordPress plugins to schedule automatic WordPress backups. The plugins you can try are BackUpWordPress or BackWPup.

To improve the security of your WordPress you need to keep your WordPress admin area protected. You can do that by simply putting the following code in your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^111\.111\.111\.111$
RewriteRule ^(.*)$ - [R=403,L]

Please do not forget to replace 111\.111\.111\.111 with your own IP address. Otherwise, you will get locked out by yourself and you will not be able to access your WordPress admin panel.

When it comes to .htaccess you can prevent the directory browsing by putting the following piece of code:

Need a fast and easy fix?
✔ Unlimited Managed Support
✔ Supports Your Software
✔ 2 CPU Cores
✔ 2 GB RAM
✔ 50 GB PCIe4 NVMe Disk
✔ 1854 GeekBench Score
✔ Unmetered Data Transfer

Now just $43 .99

Options All -Indexes

To add another layer of protection to your WordPress files make sure that your wp-includes directory is secure. Therefore, add the following lines in your .htaccess file somewhere outside the ‘# BEGIN WordPress’ and ‘# END WordPress’ tags:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

You can consider securing your wp-config.php file too. Put the following code in your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all

The WordPress security can be hardened by using some security plugin such as WordFence. It is one of the best currently and it will be a great addition to your WordPress if you install it.

Additionally, do not forget to check your log files regularly for other possible suspicious activities.

These are just a few security hardening tips for WordPress. Other tips for hardening your WordPress installation are available in WordPress Codex Hardening Section.

Of course, you don’t have to do any of this if you use one of our Linux VPS hosting services, in which case you can simply ask our expert Linux admins to secure your WordPress for you. They are available 24×7 and will take care of your request immediately. For new updates, you may also want to consider reading: How to Secure a WordPress Site.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

3 thoughts on “How to secure WordPress on a Linux VPS”

  1. Hello, friend my question is that, please tell how to secure wordpress blog /site from hackers? Is this responsibility of hosting providers or my-self. Kindly tell some plugins for wordpress.

    • The security of your WordPress installation can be hardened by using some security plugin like WordFence security.


Leave a Comment