How To Secure Wordpress

Using this article you can launch absolutely secure WordPress website. and implement best hardening wordpress practise. Security is a prerequisite for a commercial website, 90% of hacking attempts could be prevented during equipment setup. But in fact – very often, developers neglect these settings, or they are not executed because there is no System Administrator at all, or someone does not have time. etc.

Standard SysAdmin activities to implement wordpress security – to close all open “doors” for intruder:

1. Exclude the ability to connect via SSH

2. Transfer from the WordPress folder all files which are not used

3. Deny access to the system files from the outside, using web server

This article could be continued by protecting forms from exploits and SQL-injections and backups, but be sure if you complete the first 3 hardening wordpress steps – this is enough for your website to be practically invulnerable for intruders, because in common cases hackers are use fairly standard software that “works” by weak WordPress website sides, due to these settings – these sides will be just inaccessible for the intruder.

Why does an attacker hunt to your website?

Because you are really do commercial activity and store customers data, or another commercial information. Also, your website could be used by intruder for Black SEO, to put links from your website or display advertising for some customers and etc. This kind of activities will damage your website positions in Search Engines. So, if you have decide to use WordPress for the commercial website, these wordpress hardening steps are must have.

The given example is made for a standard corporative website. For the online store, other types of websites, some settings may differ, if you understand the topic, you can use the main hardening wordpress principles that are outlined here.

Controversial question

VPS / VDS / Droplet
Shared Hosting

On Shared hosting, you can reproduce the set of commands at the .htaccess file, however shared hosting is less secure just because you don’t manage the server itself, but use the provided settings. The website physically located inside one of the virtual machines, there are located websites of other shared hosting users.

Case when you have access to all your websites folders from ftp or list via browser is not good security practise for production website too.

Secure WordPress hosting should be implemented on Virtual Private Server.

Provided “How to Secure WordPress” use
Droplet Digital Ocean
Centos 7
1Gb Memory
25Gb Disk
work is done using MacOs computer.

The first thing to do after buying a virtual server:

– Change root password (You will be asked for password change while first login to the server via SSH)

– Create New User (* do not use admin)

adduser johny
passwd johny

– Add sudo

usermod -aG wheel johny
su johny
sudo ls /root 
How to Generate SSH key
How to setup SSH Keys on centOs

– Generate a SSH key for a new user


* Do not use “admin” user name

* Create paraphrase password

* Use long passwords, 16 symbols minimum

– Now connect to the server from a new user using SSH key

Here is macOs example, on Windows use putty or another soft

Run in Terminal:

vi /Users/johny/.ssh/config

Add the following:

Host myhost - Connection name ( set yours ) 
User johny 
Port 22
Hostname 11.222.333.44 - Your server IP
IdentityFile ~/.ssh/id_rsa - location of generated key

Save file and close by typing Escape then :wq + Enter

Now type in Terminal:

ssh myhost

– After successful connection, delete the private key file in the folder /home/johny/.ssh/id_rsa ( on the Server)

Restrict access to the server via ssh
Detailed information
Securing OpenSSH


* Restart the sshd service after changing each parameter in the configuration file.

* Reconnect after each sshd restart.

service sshd restart

SSH Configuration File



— Change standard SSH port from 22 to another


Port 23451 // Set yours

Then allow new port in firewall


iptables -I INPUT -p tcp --dport 23451 -j ACCEPT
semanage port -a -t ssh_port_t -p tcp 23451

— Disable ssh root login


PermitRootLogin no

— Allow ssh only for your user


AllowUsers johny

— Ensure you are use only 2 Protocol


# Protocol 2,1
Protocol 2

— Disable authentication by password


PasswordAuthentication no

— Allow ssh only from your IP ( if it is static )


iptables -A INPUT -p tcp -s yourIP --dport 23451 -j ACCEPT

Done, now ssh is available only from your IP address, with your login (which known only to you) and only with private key with a paraphrase password.

It is not paranoid settings, but necessary to prevent someone connect to your server and make changes in the server settings, programs and files.

VESTA Control Panel Installation

To manage your virtual web server lets install VESTA CP. The panel is comfortable and free for use.

# Connect to your server via SSH
# Change user to root: su root
# Download installation script

curl -O

# Run it


Installation will take about 15-20 minutes

Close Vesta CP from unwanted connections.

– Vesta CP Firewall


VESTA -> set your IP 
FTP -> set your IP ( this setting could be reproduced with iptables same as ssh port) 
DB ->

If you need to access VESTA CP from few IP’s, you are available to add additional IP via modifying VESTA CP firewall settings file


Add new line to the End of file, set RULE number according to your numeration. Change “New IP” to yours.

RULE='12' ACTION='ACCEPT' PROTOCOL='TCP' PORT='8083' IP='New IP' COMMENT='Vesta1' SUSPENDED='no' TIME='14:48:38' DATE='2017-02-15'

Restart Vesta to accept changes

service vesta restart

– Disable Softaculous


Server -> Configure ->Vesta Control Panel Plugins->Softaculous->no

– Remove .softaculuos from web folder


cd /home/vestauser/
rm -rf .softaculous/

– Setup your domain

– – https://yourip:8083/list/web/ – Create Domain

– – https://yourip:8083/list/db/ – Create Database

– Setup Wordpess


cd /home/vestauser/web/yourdomain/public_html
tar --strip-components=1 -zxf latest.tar.gz

– Setup SSL for your website if required

– Immediately close WordPress Admin using .htaccess


vi /home/vestauser/web/yourdomain/public_html/wp-admin/.htaccess

order deny,allow
deny from all
allow from YourIP_1
allow from YourIP_2

– Install and Setup your WordPress theme, then remove not used WordPress files from domain folder




* Do not remove files, just transfer to another directory, for example in /home folder of another user. After transfer of each file, check functionality of your website, in case after file transfer something went wrong on the website, recover file back to the domain folder.

– Make changes in main .htaccess file, add following:


<Files "wp-load.php"> 
        Order Deny,Allow
        Deny from all
        Allow from SERVER IP

<Files "wp-login.php">
        Order Deny,Allow
        Deny from all
        Allow from YourIP_1
        Allow from YourIP_2

<Files "wp-config.php">
        Order Deny,Allow
        Deny from all
        Allow from SERVER IP

<Files "wp-cron.php">
        Order Deny,Allow
        Deny from all
        Allow from SERVER IP

<Files "wp-mail.php">
        Order Deny,Allow
        Deny from all
        Allow from SERVER IP

<Files "wp-settings.php">
        Order Deny,Allow
        Deny from all
    Allow from SERVER IP

There should be listed each .php file except for index.php. By this settings you are restrict access to the WordPress system files from any IP, except for your Server IP, and only from your IP’s to wp-login.php

Close the remaining vulnerabilities


Restart Nginx after each change which was made. Check is your website Alive

service nginx restart

– Transfer Nginx website configuration file from VESTA CP folder to common Nginx configuration folder


mv /home/vestauser/conf/web/yourdomain.nginx.conf /etc/nginx/conf.d

– Modify Nginx configuration file of website

In the server section, add new location – change yourdomain and Your IP by yours.


location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
            root           /home/vestauser/web/yourdomain/public_html/wp-admin;
            access_log     /var/log/httpd/domains/yourdomain.log combined;
            access_log     /var/log/httpd/domains/yourdomain.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
            allow Your IP;
            deny all;

– Restrict access to phpmyadmin and webmail (this block is outside of server section)

location /phpMyAdmin/ {
root /home/vestauser/web/yourdomain/public_html/phpMyAdmin;
allow YourIP;
deny all;
                try_files      $uri @fallback;

location /webmail/ {
root /home/vestauser/web/yourdomain/public_html/webmail;
allow Your IP;
deny all;
                try_files      $uri @fallback;

– Comment or remove line in the End of file

include /home/vestauser/conf/web/yourdomain.conf*;

– Restrict access to VESTA CP via IP of virtual server, create configuration file YourIP.conf in folder /etc/nginx/conf.d/


server {
    listen YourIP:80 default;
    server_name  _;
    access_log /dev/null;
    error_log /dev/null;
    return 444;

– Restrict index.php Vesta СP using Nginx configuration file of Vesta Control Panel


In the server section of #Vhost add following

location / {
            expires max;
            index   index.php;
            allow YourIP;
            deny all;

Well Done. If you implement all above – your server, your Vesta CP and your WordPress website are protected for maximum. We emphasize that this example is made for the certain type of website, there is no comments forms and extra plugins. The complex of security settings and wordpress hardening may differ for the another website types.

Also, you may decide that one settings are duplicate another, and may harder of server administration.

The settings of Apache (.htaccess) then Nginx – are prevent the hack after hack. WordPress security is very weak and if some serious guys will working on hacking your wordpress website, one day they will found the door which opens. But they will be unable to change Nginx settings. While this time you could detect strange unusual activity on your website, find some new files or recently changed file by date – in other words, you will be available to find foot prints of penetration into the system and prevent the threat.