by: Web3 Comments on WordPress Configuration and Security Tips

I just installed WordPress on your server and what is the first concern? Security!

We will cover the following points:

  • Fail2Ban
  • WP Fail2Ban
  • 2FAS Prime
  • Loginizer
  • Disable XML-RPC-API
  • WP Activity Log
  • Manual Configurations
  • Multi-Site
  • Multi-Domain
  • WP MU Domain Mapping
  • WAF and CDN
  • Duplicator

If you have control of your server (like a VPS, not Godaddy, etc) it is mandatory to have Fail2Ban securing SSH but it also can be used with WordPress. If it is not set up yet, read the following post about Increasing Security with Fail2Ban on Ubuntu 20.4 [Link].

Inside your WordPress Dashboard, search for and install the plugin WP Fail2Ban (by Charles Lecklider) and activate it.

Then go to your Linux terminal and add the Filter and the Jail:

sudo curl https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf > /etc/fail2ban/filter.d/wordpress.conf

If it does not work get the file here [wordpress.conf]. Place it in: /etc/fail2ban/filter.d/

Next, edit the jail file:

sudo nano /etc/fail2ban/jail.d/wordpress.conf

Add the following configuration to the newly created file:

[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/auth.log
port = http,https

Restart the Fail2Ban service:

sudo service fail2ban restart

Test if you can try and fail to authenticate in your WordPress before you consider being protected. In my case did not work right away and I had to troubleshoot it.

Implement 2FA (Two Factor Authentication) with 2FAS Prime (by Two Factor Authentication Service Inc) plug-in.

After go to the option Users on the left menu and enable 2FA to your user. It is serv explanatory and only requires the Google Authenticator to scan the QR Code and type the generated temporary code.

A quick analysis with Loginizer (by Softaculous). After installing and enabling it, find its menu on the left side.

On the first page, a quick analysis of your environment may reveal opportunities such as changing the privileges to file to prevent modification:

sudo chmod 444 /var/www/wordpress/wp-config.php

Now you could disable, delete, or just leave this plug-in there.

If you do not use any API that requires XML-RPC, disable this feature because this could be a vulnerability.

Install and activate the Disable XML-RPC-API (by Neatmarketing) plug-in. No further action needs to be taken.

If the website will have many users it is recommended to install the plug-in WP Activity Log (by WP White Security). It will provide relevant information about user’s activities.

Manually append the following line to the wp-config.php to prevent file editing:

sudo nano /var/www/wordpress/.htaccess

Add the content:

Options -Indexes

Configure Apache:

sudo nano /etc/apache2/apache2.conf

Make sure the .htaccess files will override the configurations:

<Directory /var/www/>
...
     AllowOverride All
     ServerSignature Off
...
</Directory>

As a manual alternative to disable the xmlrpc.php file append the following to the .htaccess:

# BEGIN Disable XML-RPC.PHP

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

# END Disable XML-RPC.PHP

Also, disable the execution of PHP files on the upload directory.

sudo nano /var/www/wordpress/wp-content/uploads/.htaccess

Add the content:

<Files *.php>
deny from all
</Files>

Restart the Apache.

sudo chmod 444 /var/www/wordpress/.htaccess
sudo chmod 444 /var/www/wordpress/wp-content/uploads/.htaccess
sudo chown www-data: -R /var/www/
sudo systemctl restart apache2

If the purpose of this server is to host multiple websites enable the Multi-Site. It will create a network where many websites can be created and managed on a single instance of WordPress.

The multiple sites would have one of the following address schemas:

example.com/site1
example.com/site2

OR

site1.example.com
site2.example.com

It can be better customized using Multi-Domain to be allowed to use multiple domain addresses:

example.com
anotherexample.com

sudo nano /var/www/wordpress/wp-config.php

Append the following lines:

/* Multisite */
define('WP_ALLOW_MULTISITE', true);

Go you the WP-Admin and navigate to Tools > Network Setup and select the option for subdomains.

On the next page, the configuration for the .htaccess will be shown. Just copy and paste.

Refresh the browser and a new option will show up on the top menu.

The multi-domain functional works better with the plug-in WordPress MU Domain Mapping (by Donncha O Caoimh).

It is also a very good practice to implement a Web Application Firewall (WAF) on the server or over a third-party Content Delivery Network (CDN).

A recommended WAF plug-in is Wordfence Security – Firewall & Malware Scan (by Wordfence). And Cloud Flair [Link] is a well know CDN provider that offers free services plus additional high-end paid features.

And for backing up of migrating websites the recommended plug-in is the Duplicator (by Snap Creek).