WordPress Security Step by Step

Part 1. Theory

The goal of this learning path is to give you a clear path forward for securing all the websites that you host on your GridPane provisioned servers. Before you begin locking down your sites though, here are two articles that will help provide an overview of the bigger WordPress security picture.

The first is focused on the threats and how GridPane’s security options help guard you against them. The second is a real world case study on locking down two websites where security was a very high priority.

1. THE OWASP TOP 10 AND GRIDPANE WORDPRESS SECURITY OPTIONS

2. CASE STUDY: SECURING MULTIPLE BANKING WEBSITES BUILT ON WORDPRESS

Part 2. GridPane Security Overview

Security is at the heart of everything we do here at GridPane, and we have some very cool features that you can use to secure each and every one of your websites. The two articles below offer an overview of what GridPane secures “out of the box”, and then the options that you can configure on a per website basis.

1. GRIDPANE DEFAULT SECURITY AND ADDITIONAL OPTIONS

2. SECURE YOUR WORDPRESS WEBSITES: AN OVERVIEW OF THE SECURITY TAB

Part 3. Securing Your Websites

At this point we’ve taken a look at the theory and the options GridPane offers for securing your websites. Now let’s use them to start locking your sites down.

Below we’ll take a look at the 7G WAF (we also offer ModSecurity, but we generally recommend using that only for enterprise-type sites), Fail2Ban, and our server-level WordPress hardening options.

1. CONFIGURING THE 7G WEB APPLICATION FIREWALL

2. CONFIGURING FAIL2BAN TO PREVENT BRUTE FORCE ATTACKS

3. WORDPRESS WEBSITE HARDENING FOR NGINX AND OPENLITESPEED (OLS)

Congratulations!
If you’ve implemented a WAF, WPFail2Ban, and our WordPress hardening options, then you have locked your websites down tight.

Part 4. Security Beyond GridPane

With all of the GridPane security measures now in place, your sites are locked down tight. Thousands of websites on GridPane use only these measures to keep secure, but if you want to go the extra mile, here are a few bonus options to consider.

1. CLOUDFLARE FIREWALL RULES FOR SECURING WORDPRESS WEBSITES

2. CONNECTING FAIL2BAN TO CLOUDFLARE

3. SECURITY PLUGINS: TO USE THEM OR NOT TO USE THEM?

Part 5. Additional Reading

WordPress security is a big topic. We have an entire section of our knowledge base dedicated to the topic that you can check out here: Knowledge Base: Security.

Below are a few of the highlights from that archive.

1. MITIGATING DOS AND DDOS ATTACKS ON YOUR WORDPRESS WEBSITES

2. HOW TO BLOCK BAD BOTS FROM YOUR SITES/SERVERS

Bonus! Block Form and Comment Spam

HOW TO REDUCE ERIC JONES SPAM (AND ALL THE OTHER CONTACT FORM SPAM)

HOW TO STOP WORDPRESS COMMENT SPAM PERMANENTLY (FOR FREE)