When you are hosting an application on your own, you will have to go through a series of steps to secure and manage the server properly. Here in this article I am going to guide you step by step on how to secure your WordPress setup and the server from the get go.
*Remember there could be more steps, you can apply anything extra you know.
**I am on Ubuntu system, but these commands will work on most systems with little bit change in it.
The first thing to do and think about is to enable and setup firewall on the server. Ubuntu comes with UFW (uncomplicated firewall) by default, if not you can just install it with
apt install ufw.
2- Key based authentication with SSH
Default login method is password for most servers. This can be easily changed to use key based authentication instead and is recommended to do so. You should disable root access too and have a strong password for root. Login with a normal user via key first.
I have explained well how to create a user and disable root access in the article below.
3- File and folder permissions
Once you install WordPress, the first thing is to set correct permissions on files and folders including files/folders ownership.
4- Access to admin
In most situations, it is normal that you will get login attempts on Admin interface. These will be reported to you if you have setup SMTP for emails on your WordPress instance. You can block IPs, but I would not recommend that as IP could be dynamic of that intruder. Instead just password protect the Admin area.
If you have one user or many in your WordPress install, always have strong passwords and rotate them when possible. Random passwords of a minimum length 16 could be a start.
Use password manager on your local machine to save passwords.
6- Less plugins
I see most users install plugins for testing and then leave them there OR install a plugin which they don’t need. This is dangerous and unnecessary. Keeping up with updates is the most time consuming process. With updates the chances are your site can break. The key is to use less plugins and update them on a staging server first, once confirmed update them on the live server.
You may think, then why not more plugins?
The thing is, why a plugin which you don’t need or the impact on your site is equal to none, while the overhead of taking risk to keep it or update is more? The point is keep it simple.
So less plugins means less work in the long run.
This is the most important part, once update is available it should be applied as soon as possible to keep you secure. Most updates are bug fixes and security related.
Note if you want to make sure about an update, always test on a staging system first.