How to Secure WordPress on a VPS Server

WordPress is the most popular CMS, but this makes it a prime target for hackers. Hosting WordPress on a VPS gives you more control, but also more responsibility for security. Unlike shared hosting, you need to secure the server, database, and WordPress itself.

In this guide, you’ll learn step-by-step how to secure WordPress on a VPS server, protect it from common attacks, and maintain long-term security.


1. Keep VPS and WordPress Updated

Security begins with updates:

  • Update server packages:
sudo apt update && sudo apt upgrade -y
  • Update WordPress core, themes, and plugins regularly.
  • Remove unused plugins and themes.

2. Use a Strong Username & Password

  • Avoid admin as username
  • Use complex passwords with letters, numbers, symbols
  • Consider using a password manager like LastPass or Bitwarden

3. Configure a Firewall

VPS usually allows ufw (Ubuntu Firewall):

sudo ufw allow OpenSSH
sudo ufw allow 80
sudo ufw allow 443
sudo ufw enable
sudo ufw status

This blocks all unused ports and reduces attack surface.


4. Enable SSL/HTTPS

Use Let’s Encrypt:

sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx

Benefits:

  • Encrypts traffic
  • Boosts Google SEO
  • Prevents data interception

5. Secure SSH Access

  • Change default SSH port:
sudo nano /etc/ssh/sshd_config
Port 2222
sudo systemctl restart ssh
  • Disable root login:
PermitRootLogin no
  • Use SSH keys instead of passwords:
ssh-keygen -t ed25519
ssh-copy-id user@vps_ip

6. Install Security Plugins

WordPress plugins that help:

  • Wordfence Security – Firewall + malware scan
  • iThemes Security – Brute force protection
  • Limit Login Attempts Reloaded – Prevent multiple failed logins

7. Change Database Table Prefix

Default prefix: wp_
Change to something unique, e.g., wp7xq_ to prevent SQL injection attacks.

This can be done during installation or via plugins like iThemes Security.


8. Disable File Editing

Prevent hackers from editing files via dashboard:

Add to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

9. Secure wp-config.php and .htaccess

  • Move wp-config.php one level above root
  • Protect .htaccess:
<Files .htaccess>
Order allow,deny
Deny from all
</Files>

10. Use SFTP Instead of FTP

  • FTP sends passwords in plain text
  • Use SFTP or SCP for secure file transfer

11. Limit Login Attempts & Enable 2FA

  • Limit login attempts to 3–5
  • Enable Two-Factor Authentication using plugins
  • Brute-force attacks are common; this stops them

12. Regular Backups

Backup WordPress + Database:

  • Plugins: UpdraftPlus, All-in-One WP Migration
  • Manual: Use mysqldump + tar for files

Store backups offsite (Google Drive, AWS S3)


13. Protect Against DDoS

  • Use Cloudflare free or paid plan
  • Block suspicious IPs in firewall
  • Enable rate limiting on login pages

14. Disable XML-RPC if not used

  • XML-RPC allows remote posting but is often abused
  • Disable via .htaccess:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

15. Monitor Logs and Activity

  • Check /var/log/auth.log for SSH login attempts
  • Install WordPress activity logging plugin: WP Activity Log

16. Use Strong File Permissions

Set permissions carefully:

sudo find /var/www/html -type d -exec chmod 755 {} \;
sudo find /var/www/html -type f -exec chmod 644 {} \;
  • Folders: 755
  • Files: 644
  • wp-config.php: 600

Conclusion

Securing WordPress on a VPS is not difficult if you follow best practices:

  • Keep everything updated
  • Use strong credentials
  • Harden server and WordPress configuration
  • Regular backups and monitoring

A secure WordPress VPS setup not only protects your site but also builds trust with visitors and improves SEO.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *