sudo nano \/etc\/fail2ban\/jail.d\/wordpress.conf<\/pre>\nAdd the following configuration to the newly created file:<\/p>\n
[wordpress]\r\nenabled = true\r\nfilter = wordpress\r\nlogpath = \/var\/log\/auth.log\r\nport = http,https<\/pre>\nRestart the Fail2Ban service:<\/p>\n
sudo service fail2ban restart<\/pre>\nTest if you can try and fail to authenticate in your WordPress before you consider being protected. In my case did not work right away and I had to troubleshoot it.<\/p>\n
Implement 2FA (Two Factor Authentication) with 2FAS Prime<\/strong> (by Two Factor Authentication Service Inc) plug-in.<\/p>\nAfter go to the option Users on the left menu and enable 2FA to your user. It is serv explanatory and only requires the Google Authenticator to scan the QR Code and type the generated temporary code.<\/p>\n
A quick analysis with Loginizer<\/strong> (by Softaculous). After installing and enabling it, find its menu on the left side.<\/p>\nOn the first page, a quick analysis of your environment may reveal opportunities such as changing the privileges to file to prevent modification:<\/p>\n
sudo chmod 444 \/var\/www\/wordpress\/wp-config.php<\/pre>\nNow you could disable, delete, or just leave this plug-in there.<\/p>\n
If you do not use any API that requires XML-RPC, disable this feature because this could be a vulnerability.<\/p>\n
Install and activate the Disable XML-RPC-API<\/strong> (by Neatmarketing) plug-in. No further action needs to be taken.<\/p>\nIf the website will have many users it is recommended to install the plug-in WP Activity Log<\/strong> (by WP White Security). It will provide relevant information about user’s activities.<\/p>\nManually append the following line to the wp-config.php to prevent file editing:<\/p>\n
sudo nano \/var\/www\/wordpress\/.htaccess<\/pre>\nAdd the content:<\/p>\n
Options -Indexes<\/pre>\nConfigure Apache:<\/p>\n
sudo nano \/etc\/apache2\/apache2.conf<\/pre>\nMake sure the .htaccess files will override the configurations:<\/p>\n
<Directory \/var\/www\/>\r\n...\r\n AllowOverride All\r\n<\/strong> ServerSignature Off\r\n...\r\n<\/Directory><\/pre>\nAs a manual alternative to disable the xmlrpc.php<\/strong> file append the following to the .htaccess<\/strong>:<\/p>\n# BEGIN Disable XML-RPC.PHP\r\n\r\n<Files xmlrpc.php>\r\nOrder Deny,Allow\r\nDeny from all\r\n<\/Files>\r\n\r\n# END Disable XML-RPC.PHP<\/pre>\nAlso, disable the execution of PHP files on the upload directory.<\/p>\n
sudo nano \/var\/www\/wordpress\/wp-content\/uploads\/.htaccess<\/pre>\nAdd the content:<\/p>\n
<Files *.php>\r\ndeny from all\r\n<\/Files><\/pre>\nRestart the Apache.<\/p>\n
sudo chmod 444 \/var\/www\/wordpress\/.htaccess\r\nsudo chmod 444 \/var\/www\/wordpress\/wp-content\/uploads\/.htaccess\r\nsudo chown www-data: -R \/var\/www\/\r\nsudo systemctl restart apache2<\/pre>\nIf the purpose of this server is to host multiple websites enable the Multi-Site<\/strong>. It will create a network where many websites can be created and managed on a single instance of WordPress.<\/p>\nThe multiple sites would have one of the following address schemas:<\/p>\n
example.com\/site1
\nexample.com\/site2<\/p>\n
OR<\/p>\n
site1.example.com
\nsite2.example.com<\/p>\n
It can be better customized using Multi-Domain<\/strong> to be allowed to use multiple domain addresses:<\/p>\nexample.com
\nanotherexample.com<\/p>\n
sudo nano \/var\/www\/wordpress\/wp-config.php<\/pre>\nAppend the following lines:<\/p>\n
\/* Multisite *\/\r\ndefine('WP_ALLOW_MULTISITE', true);<\/pre>\nGo you the WP-Admin and navigate to Tools > Network Setup and select the option for subdomains.<\/p>\n
On the next page, the configuration for the .htaccess<\/strong> will be shown. Just copy and paste.<\/p>\nRefresh the browser and a new option will show up on the top menu.<\/p>\n
![\"\"](\"https:\/\/dft.wiki\/wp-content\/uploads\/sites\/15\/2020\/10\/Screenshot-from-2021-04-06-10-23-36.png\")
<\/p>\n
The multi-domain functional works better with the plug-in WordPress MU Domain Mapping<\/strong> (by Donncha O Caoimh).<\/p>\nIt is also a very good practice to implement a Web Application Firewall (WAF) on the server or over a third-party Content Delivery Network (CDN).<\/p>\n
A recommended WAF plug-in is Wordfence Security – Firewall & Malware Scan<\/strong> (by Wordfence). And Cloud Flair [Link<\/a>] is a well know CDN provider that offers free services plus additional high-end paid features.<\/p>\nAnd for backing up of migrating websites the recommended plug-in is the Duplicator<\/strong> (by Snap Creek).<\/p>\n","protected":false},"excerpt":{"rendered":"I just installed WordPress on your server and what is the first concern? Security! We […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-405","post","type-post","status-publish","format-standard","hentry","category-web"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/405","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=405"}],"version-history":[{"count":10,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/405\/revisions"}],"predecessor-version":[{"id":1714,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/405\/revisions\/1714"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}