Best security practices for wordpress

ivan · August 13, 2020, 6:35am

Hello!

I am not very savvy in regards to wordpress security. I managed to get hestiaCP deployed with a wordpress site. I was wondering if anyone could direct me on how to secure it best. For example, does Fail2ban on HestiaCP work on the wp-admin or login, if not, how can I make it work for those pages too. Which plugins should I use? e.g. one that hides the wp-admin and login pages. Any other things to secure a fresh install of wordpress from HestiaCP?

Thank you in advance for the help

Felix · August 13, 2020, 6:54am

Hi there and welcome.
You could try a WordPress security plugin like Wordfence. You could also enable 2FA login for the admin users in WordPress. Last but not least, don’t forget to enable SSL/TLS for the WordPress domain in Hestia Web, so that the WordPress login page will be encrypted.

Raphael · August 13, 2020, 7:20am

install wordfence is also a good idea.

eris · August 13, 2020, 7:22am

Don’t install poor written plugins… Biggest security risk are the plugins…

pluto · August 13, 2020, 10:35am

Some other thoughts.

Always make sure you have SSL turned on, and redirect non SSL to SSL. (hestia can help!)
I like to remove or disable xmlrpc.php. There’s a plugin for this. It will reduce the hacking traffic and therefore load on your server.
Update regularly!
I like to put an apache auth on wp-login.php I do this by dropping a file called apache2.ssl.conf_security in /home/user/conf/web/domain/ with the following content.

<Files wp-login.php>
AuthUserFile /etc/apache2/admin.pass
AuthName "Protected Area"
AuthType Basic
require valid-user
</Files>

You could also just include it in the .htaccess file.