Best security practices for WordPress


I am not very savvy with regard to WordPress security. I managed to get HestiaCP deployed with a WordPress site. I was wondering if anyone could direct me on how to secure it best. For example, does Fail2ban on HestiaCP work on the wp-admin or login pages? If not, how can I make it work for those pages too? Which plugins should I use, e.g. one that hides the wp-admin and login pages? Any other things to secure a fresh install of WordPress from HestiaCP?

Thank you in advance for the help 🙂

Hi there and welcome.
You could try a WordPress security plugin like Wordfence. You could also enable 2FA login for the admin users in WordPress. Last but not least, don’t forget to enable SSL/TLS for the WordPress domain in Hestia Web, so that the WordPress login page will be encrypted.


Installing Wordfence is also a good idea.

Don’t install poorly written plugins… The biggest security risk is the plugins…


Some other thoughts.

  • Always make sure you have SSL turned on, and redirect non SSL to SSL. (hestia can help!)
  • I like to remove or disable xmlrpc.php. There’s a plugin for this. It will reduce the hacking traffic and therefore load on your server.
  • Update regularly!
  • I like to put an Apache auth on wp-login.php. I do this by dropping a file called apache2.ssl.conf_security in /home/user/conf/web/domain/ with the following content:
<Files wp-login.php>
# Credentials file created with htpasswd; keep it outside the web root
AuthUserFile /etc/apache2/admin.pass
AuthName "Protected Area"
AuthType Basic
require valid-user
</Files>

You could also just include it in the .htaccess file.