How to Secure WordPress on a VPS Server
WordPress is the most popular CMS, but this makes it a prime target for hackers. Hosting WordPress on a VPS gives you more control, but also more responsibility for security. Unlike shared hosting, you need to secure the server, database, and WordPress itself.
In this guide, you’ll learn step-by-step how to secure WordPress on a VPS server, protect it from common attacks, and maintain long-term security.
1. Keep VPS and WordPress Updated
Security begins with updates:
- Update server packages:
sudo apt update && sudo apt upgrade -y
- Update WordPress core, themes, and plugins regularly.
- Remove unused plugins and themes.
2. Use a Strong Username & Password
- Avoid
adminas username - Use complex passwords with letters, numbers, symbols
- Consider using a password manager like LastPass or Bitwarden
3. Configure a Firewall
VPS usually allows ufw (Ubuntu Firewall):
sudo ufw allow OpenSSH
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
sudo ufw status
This blocks all unused ports and reduces attack surface.
4. Enable SSL/HTTPS
Use Let’s Encrypt:
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx
Benefits:
- Encrypts traffic
- Boosts Google SEO
- Prevents data interception
5. Secure SSH Access
- Change default SSH port:
sudo nano /etc/ssh/sshd_config
Port 2222
sudo systemctl restart ssh
- Disable root login:
PermitRootLogin no
- Use SSH keys instead of passwords:
ssh-keygen -t ed25519
ssh-copy-id user@vps_ip
6. Install Security Plugins
WordPress plugins that help:
- Wordfence Security – Firewall + malware scan
- iThemes Security – Brute force protection
- Limit Login Attempts Reloaded – Prevent multiple failed logins
7. Change Database Table Prefix
Default prefix: wp_
Change to something unique, e.g., wp7xq_ to prevent SQL injection attacks.
This can be done during installation or via plugins like iThemes Security.
8. Disable File Editing
Prevent hackers from editing files via dashboard:
Add to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
9. Secure wp-config.php and .htaccess
- Move
wp-config.phpone level above root - Protect
.htaccess:
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
10. Use SFTP Instead of FTP
- FTP sends passwords in plain text
- Use SFTP or SCP for secure file transfer
11. Limit Login Attempts & Enable 2FA
- Limit login attempts to 3–5
- Enable Two-Factor Authentication using plugins
- Brute-force attacks are common; this stops them
12. Regular Backups
Backup WordPress + Database:
- Plugins: UpdraftPlus, All-in-One WP Migration
- Manual: Use
mysqldump+tarfor files
Store backups offsite (Google Drive, AWS S3)
13. Protect Against DDoS
- Use Cloudflare free or paid plan
- Block suspicious IPs in firewall
- Enable rate limiting on login pages
14. Disable XML-RPC if not used
- XML-RPC allows remote posting but is often abused
- Disable via
.htaccess:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
15. Monitor Logs and Activity
- Check
/var/log/auth.logfor SSH login attempts - Install WordPress activity logging plugin: WP Activity Log
16. Use Strong File Permissions
Set permissions carefully:
sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 644 {} \;
- Folders: 755
- Files: 644
- wp-config.php: 600
Conclusion
Securing WordPress on a VPS is not difficult if you follow best practices:
- Keep everything updated
- Use strong credentials
- Harden server and WordPress configuration
- Regular backups and monitoring
A secure WordPress VPS setup not only protects your site but also builds trust with visitors and improves SEO.
