8 mins read

How to Secure WordPress Installation on a Linux Server

WordPress is the world’s most popular content management system (CMS), powering millions of websites. While it’s known for its ease of use, securing your WordPress installation is crucial to protect against hackers, malware, and other online threats. Below, we’ll walk you through the steps to secure your WordPress site on a Linux server, using language that’s accessible even if you’re not a tech expert.

Step 1: Keep Everything Up to Date

The first and simplest step in securing your WordPress site is to keep your WordPress core, themes, and plugins up to date. Updates often include security patches for known vulnerabilities.

  1. Backup Your Site: Before making any updates, backup your entire site. You can do this with a plugin or manually by copying your site’s files and exporting the database.
  2. Update WordPress Core: Log in to your WordPress dashboard, and you will see a notification if an update is available. Click on the notification and follow the prompts to update.
  3. Update Themes and Plugins: In your dashboard, go to ‘Themes’ and ‘Plugins’ to check for updates. Update each one by one.

Step 2: Use Strong Passwords and User Permissions

Strong passwords are a must. Use a combination of letters, numbers, and special characters. Also, limit the number of users who have admin access to your site.

  1. Update Your Password: Go to ‘Users’ in your WordPress dashboard, select your account, and set a new strong password.
  2. Manage User Roles: Review the roles of your users and ensure that only a few trusted people have ‘Administrator’ roles.

Step 3: Install a Security Plugin

A security plugin can help block common security threats and monitor your site for suspicious activity.

  1. Choose a Security Plugin: Popular options include Wordfence, Sucuri, or iThemes Security.
  2. Install and Activate: In your WordPress dashboard, go to ‘Plugins’ > ‘Add New’, search for your chosen security plugin, install it, and then activate it.

Step 4: Set Up a Web Application Firewall (WAF)

A WAF can help protect your site from common attacks by filtering and monitoring HTTP traffic between a web application and the Internet.

  1. Choose a WAF Service: This could be a plugin like Wordfence or a cloud-based service like Cloudflare.
  2. Follow the Service’s Setup Instructions: This typically involves changing your site’s DNS settings to route traffic through the WAF.

Step 5: Disable File Editing

Disabling the file editing feature in the WordPress dashboard prevents attackers from modifying your plugin and theme files. To disabling the file editing feature add the following line to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Step 6: Implement SSL/HTTPS

Secure Sockets Layer (SSL) encrypts data between your user’s web browser and your web server.

  1. Obtain an SSL Certificate: You can get a free one from Let’s Encrypt or purchase one from a certificate authority.
  2. Install the SSL Certificate: Follow your hosting provider’s instructions to install the certificate on your server.
  3. Configure WordPress to Use HTTPS: In your WordPress settings, change your site address to start with ‘https://’ instead of ‘http://’.

Step 7: Regularly Back Up Your Site

Regular backups ensure that you can restore your site if anything goes wrong.

  1. Choose a Backup Solution: Use a plugin or your web host’s built-in solution.
  2. Set Up Automated Backups: Schedule backups to occur regularly without your intervention.

Step 8: Change the WordPress Database Prefix

By default, WordPress uses the wp_ prefix for all tables in its database, which is well-known to attackers. Changing this can help prevent SQL injection attacks.

  1. Backup Your Database: Always backup your database before making changes.
  2. Change Prefix in wp-config.php: Locate the $table_prefix line in your wp-config.php file and change it to something unique, like wp_a1b2c3_.
  3. Rename Existing Database Tables: You can use a plugin like “Change DB Prefix” or manually rename tables via phpMyAdmin.

Step 9: Disable XML-RPC

XML-RPC is a feature that enables remote connections to your WordPress site. Unfortunately, it’s a common target for brute force attacks. To disable XML-RPC edit .htaccess file by adding the following code to your .htaccess file:

# Block WordPress xmlrpc.php requests 
<Files xmlrpc.php> 
order deny,allow 
deny from all 

Step 10: Harden Your .htaccess File

The .htaccess file is used to configure the details of your server. Securing this file adds another layer of protection.

  1. Restrict Access: Add rules to .htaccess to deny access to critical files and directories.
  2. Protect Against Directory Browsing: Prevent users from seeing a list of files in a directory by adding:Options -Indexes
  3. Implement Security Headers: Add headers to prevent clickjacking, XSS attacks, and ensure transport security:
Header set X-Content-Type-Options "nosniff" 
Header always append X-Frame-Options DENY 
Header set X-XSS-Protection "1; mode=block" 
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Step 11: Configure File Permissions

Incorrect file permissions can be exploited by attackers. Ensure that your file permissions are secure. Use an FTP client or command line to check permissions. Directories should be set to 755 or 750, files should be 644 or 640, and the wp-config.php file should be 600.

Step 12: Use SSH for Secure Connections

SSH (Secure Shell) is a protocol for securely accessing your server. Use SSH instead of FTP when transferring files.

  1. Connect via SSH: Use an SSH client with your credentials to connect to your server.
  2. Transfer Files Securely: Use SFTP (SSH File Transfer Protocol) for file transfers, which is encrypted unlike standard FTP.

Step 13: Regularly Scan for Malware

Regular malware scans can help detect and remove any malicious code that may have been injected into your site.

  1. Use a Plugin: Install a security plugin that includes malware scanning.
  2. Schedule Regular Scans: Set the plugin to scan your site at regular intervals.

Step 14: Implement Two-Factor Authentication (2FA)

Two-factor authentication adds an extra layer of security by requiring a second form of identification.

  1. Choose a 2FA Plugin: Plugins like Google Authenticator, Authy, or Duo can be used.
  2. Configure for Users: Set up the plugin and require users to configure their 2FA devices.

Step 15: Disable PHP Execution in Certain WordPress Directories

Disabling PHP execution in directories where it’s not needed can prevent malicious scripts from running. Edit .htaccess: In the wp-content/uploads directory, create or edit the .htaccess file and add following code:

<Files *.php> deny from all </Files>

Step 16: Set Up a System for Logging and Auditing

Maintain logs of user actions, changes, and login attempts to monitor for unauthorized access.

  1. Install an Audit Log Plugin: Use a plugin like WP Security Audit Log.
  2. Review Logs Regularly: Check the logs frequently for any unusual activity.

Step 17: Regularly Update Server Operating System and Software

Keep your Linux server’s operating system and software up to date with the latest security patches.

  1. Automatic Updates: Enable automatic security updates for your Linux distribution.
  2. Manual Updates: Regularly check for updates by using package managers like apt for Ubuntu/Debian or yum for CentOS.

Step 18: Monitor Your Site

Keep an eye on your site’s activity to catch any suspicious behavior early.

  1. Set Up Alerts: Use your security plugin to set up alerts for any suspicious activity.
  2. Regularly Check Logs: Review your site’s access and error logs through your hosting account.


Securing your WordPress site on a Linux server doesn’t have to be overwhelming. By following these steps, you’ll significantly reduce the risk of security breaches and ensure your site remains safe for your visitors. Remember, security is an ongoing process, not a one-time setup. Regularly review your site’s security posture and stay informed about new security best practices.

Leave a Reply

Your email address will not be published. Required fields are marked *