Hardening WordPress Security -

WordPress hosting done right. done fast. done secure


Hardening WordPress Security

OK – so you’ve read lame posts about file permissions, and keeping your plugins up to date. But you want more, more security and a bullet proof wordpress site.

The internet is full of nasties, and gangs of cyber theives and bot networks. Most people ask me, why do I need security – there is nothing on my site worth anything.

Here are my tips on wordpress security


Hardware Firewall

Hardware firewall’s are a bit old school these days, but they are still the first and best defense against an individual cyber hacker.

Leaving services open on your site, that you don’t need, is the easiest way to hack your site. If you don’t use ssh, just block the port on the firewall.

Mod_security – or Web Application Firewall

A firewall lets ALL traffic destined to your web server in. Good requests from real users, and all the hacking requests.

A web application firewall scrutinizes each web request, and works out if its a good guy or not.

Mod security a software solution, that is an apache module that checks each web request, and throws out the nasties before they hit wordpress.

It looks for things like sql injection , directory traversal, code upload, code execution.

You could spend a lifetime tuning mod_security, its a bit of a PITA, but its fantastic security. Since we’ve turned it on for our clients, CPU resources dropped by over 90%, and spam disappeared as well.

  • if you have cpanel, go and turn on mod_security – its great, and deals with loads of incidents

Check your web server permissions

The main command you need is something like this :

chown -R www-data:www-data /var/www

This makes your files owned by the www-data user, which is the user that runs your webserver on modern linux.

This allows you to set your permissions

Here is the uber complicated wordpress guide to permissions  – https://codex.wordpress.org/Changing_File_Permissions

find /var/www -type f -exec chmod 644 {} \;
find /var/www -type d -exec chmod 755 {} \;

MYSQL permissions

Use a different, non root, user for wordpress access.

Your root user should have a password, and accessible only from localhost.

Read Only filesystem for WordPress

This is our uber security fail safe.

Almost all hacks are based on changing files, or uploading code.

The biggest problem with wordpress security is for the need for the web server to be able to change files for updates. So its a balancing act between allowing for updates, and try to blocks the hacks.

If you run your wordpress on a read-only filesystem, even escalation to root privileges, the hacker won’t be able perpetrate the hack.

For more details, and the answer to ‘how to install/update plugins’, read here about wordpress read only filesystem.


cloudflare is a great resource for protecting websites.

Cloudflare is about to protect your server a few ways, including DDoS, and they also have a WAF (web application firewall).

Dynamic Security

We also use information from various logs for dynamic security.

We read log information from mod_security, and our firewall. Any repeated breaches, we upload as a block to both cloudflare and our local firewall.

This way, instead of trying to fend off thousands of password guesses, we fend off half a dozen – then we block them.

We also use counters in mod_security for wordpress login failures. If you hit a preset limit, you get permanently banned also.

Admin User

create a new admin user, and delete the original admin user. The admin user is the one that gets all the hacks.

Don’t just rename it, as it has id=1, which is used in some hacks.


This file does ping backs, and other such tricks, that no-one really uses or cares about any more.

I generally just delete the file.

I also add it to my ‘2 factor authentication’ settings, see more below.

2 factor authentication

The idea of 2 factor authentication, is to have 2 sets of credentials, that are distinct from one another. It’s like the 2 keys used in a nuclear missile silo, they are opposite sides of the room, and have to be turned at the same time. So it has to be 2 people, and 2 sets of credentials.

wpDone uses credentials on our load balancer, but you can use Auth settings in httpd.conf or .htaccess

The idea is that you set a simple challenge password, as well as your normal web page based wordpress username and password.

So if they hacker does crack your site, and get your passwords, they still don’t have the more custom passwords from .htaccess (or in our case on the load balancer).

You just setup the security on /wp-admin and /wp-login. So if you type in those URLs, you have 2 sets of passwords to enter.


By on December 19th, 2015 ,

Email or call, and we can arrange a time to chat call 0412927156 or CONTACT US TODAY!