OVH Community, your new community space.

Security Tips for securing your Wordpress Website Site

23-05-2016, 09:15
Developing a wordpress site is very popular these days and there is no doubt wordpress is by far the most prominent CMS out in the market, It’s the most popular with business websites like Web Hosting, Design company, Development company or even other small or mid-sized companies of various sectors. Its very easy to install and customize more ever its free of cost with tons of plugins available for tweaking and optimization. Wordpress sites have the look and feel of a perfect website which every one wants today for social networking and SEO friendly.
There are lot of ready made wordpress based themes available along with images which you can customize according to your needs. So you don’t have to ask the designer or developer to purchase images.

However with wordpress websites ever after using security plugins there comes a risk of hacking and you get worried when you start receiving LFD alerts about wp-login.php, xmlrpc.php files under attack. These attacks are nothing but automated brute force attacks which the hackers use to break in or infect your site with malware contents.

Here are some of the tips I would like to share to keep your websites secure and safe from brute force attacks.

First step to start doing the right things is choosing the right Admin username.

During installation process avoid using admin or root for admin user. You can easily put your email address or some complex username with strong password.

The default plugin which is installed with wordpress is Akismet to prevent your blog from spam comments, it basically filters out spam comments from the articles. The basic plan is free with limited checks so you can use it by activating the account. but if you don’t want any comments on your article or post the best thing to do is disable comments from Settings>>> Discussions .

We will divide the security levels between two stages. First stage will be at server level and second will be at website level.

Core Server Security Implementation

The webserver running on the server whether its Apache, Nginx or Litespeed should be running at its latest version, Make sure you install and integrate Mod-security with webserver. Common exploits like SQL injection, XSS, file uploads and code execution. All of these can have consequences to WordPress site and can be blocked using mod-security rules if properly implemented on the server.

Since wordpress is based on PHP language, servers should have updated php versions and hardened properly. Use of Cloudlinux based kernel is recommended.

1.) Install of CSF firewall and LFD ( Login Failure Detection ) to prevent server from brute force attacks.

2.) Stop unused services and lock down ports with firewall.

3.) Install maldet scanner to scan the files on regular interval. Maldet will help to find malwares and spywares on the server.

4.) Monitoring the access and error log files for brute force attacks. If you notice such entries in domain access log its clear the site is under attack.

xx.xx.xx.xx - - [22/May/2016:23:09:50 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"

5.) Secure Mysql server

Website Level security

1.) Use strong passwords for all of your logins, whether is FTP , Cpanel or Database logins etc, Always use strong passwords to protect agains brute force attacks.

2.) Install SSL certificate on your site.

3.) Remove unwanted plugins which are of no use as it could still pose a security risk. And if you are using customized themes make sure the themes which are not used remove them except for the default one.

4.) Automatic Core Updates (Wordpress Automatic updates available in admin panel). Set Plugins and Themes to Update automatic.

5) Disable PHP Error Reporting (Hackers usually get the server full path when php error reporting is enabled.)

6) Protect wordpress Files like wp-login.php, xmlrpc.php, wp-config.php Using .htaccess , A lot of information is given on net for this. Here is one example of setting up HTTP authentication for wp-login.php to restrict brute force attacks on wp-login.php, first setup htpasswd file with htpasswd command and put the following code in .htaccess file

# Protect wp-login

AuthUserFile ~/.htpasswd
AuthName “Restricted access”
AuthType Basic
require user mysecretuser
OR you can simply setup IP based restriction for wp-login.php file.


order deny,allow
Deny from all
allow from 115.xx.xx.xx
Access restriction for wp-config.php file with .htaccess , Add the following code.


order allow,deny
deny from all
7) Change admin username and login URL to something different and give admin privileges to that user.

8) Track of Dashboard Activity (WP Security Audit Log)

9) Database Security (If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases.

10) Finally the golden rule of book is to make sure you have the backup of your database, Store Backups locally and remotely.

11) Use of Security plugins like WP DB backup which lets you backup your core wordpress database tables by just few clicks, The other plugin like WP Security Scan which finds vulnerabilities in your site.

I hope the above tips helps.