I am not very savvy with regard to WordPress security. I managed to get HestiaCP deployed with a WordPress site. I was wondering if anyone could direct me on how to secure it best. For example, does Fail2ban on HestiaCP work on the wp-admin or login pages? If not, how can I make it work for those pages too? Which plugins should I use, e.g. one that hides the wp-admin and login pages? Any other things to secure a fresh install of WordPress from HestiaCP?
Hi there and welcome.
You could try a WordPress security plugin like Wordfence. You could also enable 2FA login for the admin users in WordPress. Last but not least, don’t forget to enable SSL/TLS for the WordPress domain in Hestia Web, so that the WordPress login page will be encrypted.
Always make sure you have SSL turned on, and redirect non-SSL to SSL. (Hestia can help!)
I like to remove or disable xmlrpc.php. There’s a plugin for this. It will reduce the hacking traffic and therefore load on your server.
Update regularly!
I like to put Apache auth on wp-login.php. I do this by dropping a file called apache2.ssl.conf_security in /home/user/conf/web/domain/ with the following content.
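As an added example (this is not the poster's own file, whose content is not reproduced on this page), a fragment of the kind such an apache2.ssl.conf_security file could hold. The Hestia user name, the domain and the .htpasswd location are assumptions; the password file is kept under /home/user/conf/web/domain/ so it is outside the document root and cannot be served to visitors. The second block goes beyond the post above and shows the xmlrpc.php lock-down mentioned earlier done at the server level instead of with a plugin.

```apache
# Added example, not the original poster's config.
# "user" and "domain" are placeholders for the Hestia user and the site's domain.
# Require HTTP Basic auth before Apache will even hand wp-login.php to PHP,
# so credential-stuffing bots never reach the WordPress login form.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /home/user/conf/web/domain/.htpasswd
    Require valid-user
</Files>

# Optional: refuse xmlrpc.php outright (the plugin route is an alternative).
# Caveat: Jetpack and the WordPress mobile apps rely on XML-RPC and will stop working.
<Files "xmlrpc.php">
    Require all denied
</Files>
```

Create the password file with `htpasswd -c /home/user/conf/web/domain/.htpasswd adminuser` (from the apache2-utils package), then restart Apache. Because the file name ends in .ssl.conf_security it is picked up by the HTTPS vhost, so keep the non-SSL to SSL redirect in place so every login goes through the protected vhost. Users will see a browser password prompt before the normal WordPress login form, and that first credential only travels encrypted because the domain has TLS enabled.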