WordPress Security

From WordPress hosting - “Harden Security”, Ticket 6540

To Do

  1. Admin Accounts (manual install and configuration).

  2. Set WP_DEBUG to false in wp-config.php.

  3. Security plugins (manual install and configuration).

  4. Remove all .htaccess files (hopefully using Salt)


Admin Accounts

Add 2FA to admin level user accounts using (a good plugin). Perhaps one of these, https://kinsta.com/blog/wordpress-security-plugins/


We run WordPress cron tasks using the Linux cron system, so disable the fire on every page load option in wp-config.php:

# 'wp-config.php'
define('DISABLE_WP_CRON', true);

For information:

  1. Our Nginx configuration disables calling wp-cron.php via an HTTP process e.g:

    location ~* ^/(?:wp-cron.php|wp-links-opml ...
        deny all;
  2. The Linux cron task is created using Salt, https://gitlab.com/kb/salt/-/commit/809a65cdd8119a0faeab9afd9d64fe5799694968



The following plugins are compatible with fail2ban:

For more information, see, fail2ban - chat with Malcolm.


One of our customers was using Really Simple SSL, https://wordpress.org/plugins/really-simple-ssl/ but this duplicates the features provided by our LetsEncrypt certificates. For more information, see Really Simple SSL - chat with Malcolm

Security plugins

For now, we are using Sucuri, https://sucuri.net/website-security-platform/signup/

Chosen from, https://kinsta.com/blog/wordpress-security-plugins/


All copies of .htaccess should be removed from the live folder (and sub-folders) e.g:


For more information, see: