I am not very savvy with regard to WordPress security. I managed to get HestiaCP deployed with a WordPress site. I was wondering if anyone could direct me on how to secure it best. For example, does Fail2ban on HestiaCP work on the wp-admin or login pages? If not, how can I make it work for those pages too? Which plugins should I use, e.g. one that hides the wp-admin and login pages? Any other things to secure a fresh install of WordPress on HestiaCP?
Thank you in advance for the help
Hi there and welcome.
You could try a WordPress security plugin like Wordfence. You could also enable 2FA login for the admin users in WordPress. Last but not least, don’t forget to enable SSL/TLS for the WordPress domain in Hestia Web, so that the WordPress login page will be encrypted.
Installing Wordfence is also a good idea.
Don’t install poorly written plugins… The biggest security risk is the plugins…
Some other thoughts.
- Always make sure you have SSL turned on, and redirect non-SSL to SSL. (Hestia can help!)
- I like to remove or disable xmlrpc.php. There’s a plugin for this. It will reduce the hacking traffic and therefore the load on your server.
- Update regularly!
- I like to put an Apache auth on wp-login.php. I do this by dropping a file called apache2.ssl.conf_security in /home/user/conf/web/domain/ with the following content:
AuthName "Protected Area"
You could also just include it in the .htaccess file.
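A complete version of the apache2.ssl.conf_security file described in the post above, covering both the Basic auth in front of wp-login.php and the xmlrpc.php point from the same reply. This is an added example and not the poster's own file: the AuthUserFile path and the htpasswd username are placeholders, and the xmlrpc.php block is an Apache-level alternative to the plugin the post mentions, not something the post itself uses.

```apache
# Added example, not the forum poster's file.
# Intended location (from the post): /home/user/conf/web/domain/apache2.ssl.conf_security
# Replace "user" and "domain" with the Hestia user and the domain name.

# 1. HTTP Basic auth in front of wp-login.php (the post's own technique).
#    Create the password file first, outside the web root. Placeholder path and
#    username; any directory Apache can read but does not serve will do:
#      htpasswd -c /home/user/conf/web/domain/.htpasswd-wplogin wpadmin
#    Browsers will prompt for these credentials before WordPress ever sees the
#    request, so password-guessing bots never reach the WordPress login form.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Protected Area"
    AuthUserFile /home/user/conf/web/domain/.htpasswd-wplogin
    Require valid-user
</Files>

# 2. Block xmlrpc.php at the web server instead of with a plugin.
#    Apache-level alternative to the plugin the post mentions. Skip this block
#    if you rely on Jetpack or the WordPress mobile apps, which use XML-RPC.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

Both `<Files>` blocks use Apache 2.4 `Require` syntax and work unchanged inside a .htaccess file, as the post suggests, if you prefer that over the Hestia conf directory. After adding the file, run `apachectl configtest` and reload Apache, then confirm that opening /wp-login.php prompts for the Basic auth credentials and that /xmlrpc.php returns 403.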