WordPress Safety For Server Admins
This topic is for agencies that has WordPress (here in WP) as their platform to hold their clients' websites. Multi-site especially. WP is famous and as you know, fame draws lot of attention. In world of web, we are talking about hacking attempts and brute forces. It is very important to protect your server with any kind of attack. So, in this post, I will go through some information that no other company shares!
So Sit tight! . . . Read the article . . . and forget everything you just read. . . Not!!
Before you attempt to tackle this process prepare with the following; a) try to understand the way WP works, b) know the software that is needed to run on your server, c) security precautions, etc. We have clients that come to us with a virus attacked site or a malware injected sites because they went with a low cost, unreliable hosting provider where their c-block is shared with millions of others. The bad news is, if you are not technically savvy, google is penalizing your website and even provide you with a nice "Un-trusted website !!" warning when people try to visit your website. So, I highly recommend anyone to research and understand how WP works.
The following recommendations are for NGINX server admins. WP works with Apache and Nginx but I prefer the latter because its fast, reliable, non-blocking and easy to create server blocks. Too much flexibility!
For server admins:
- Check the logs: The server logs typically located at
Look in access.log and error.log. Investigate the IP's and the paths. I'm sure you will find multiple post requests to wp-login / wp-admin and xmlrpc.php. Block those attempts and save bandwidth.
- Expensive operation: Compared to all the processes a server does, writing to a file is considered expensive process because it uses considerable amount of CPU and RAM. So, why not turn of logging and give more power to the server to respond to the incoming requests. Logging is found at /etc/nginx/nginx.conf . Comment out the current log paths and add following
access_log off; error_log off;
- Rate Limit: This is where you limit the number of requests hitting your server. Limit it something like 10 requests / second and 10 mb per request. Research on its implementation because there are many variables associated.
- Limit access to login portal: It is super easy to find out if you have WordPress installation and all it takes to add "/wp-admin" or "/wp-login" at the end of url and bam! I got the login screen. If you don't protect this screen with who can access it, its like an open invitation for hackers. And again, research the ip protected implementation. Typically, this is done at /wp-login directive in server block. You can allow the IP's you trust and deny the rest.