# Step-by-Step Security Hardening for WordPress on a Public VPS

## 🔐 Overview

This guide explains how to harden a public WordPress site using free plugins and careful configuration. It covers login URL obfuscation, brute-force lockouts, two-factor authentication (2FA), and disabling XML-RPC.

## 🔧 Step 1: Hide the Default Login Page

Move the login page off the default `/wp-login.php` (and the `/wp-admin` redirect) so that the automated scanners that hit every WordPress install's login URL get nothing. This is obscurity, not authentication: anyone who learns the new slug can still attack it, which is why the lockouts in Step 2 and the 2FA in Step 3 follow.

### ➤ Install the Plugin

Go to **Plugins > Add New** and search for **WPS Hide Login**.

[![2025-05-12 18_52_23-Add Plugins ‹ Nate Networks — WordPress — Mozilla Firefox.png](https://docs.natenetworks.com/uploads/images/gallery/2025-05/scaled-1680-/VVzznp9teTxcpFqU-2025-05-12-18-52-23-add-plugins-nate-networks-wordpress-mozilla-firefox.png)](https://docs.natenetworks.com/uploads/images/gallery/2025-05/VVzznp9teTxcpFqU-2025-05-12-18-52-23-add-plugins-nate-networks-wordpress-mozilla-firefox.png)

Click **Install Now**, then **Activate**. The plugin adds its options to the bottom of **Settings > General**.

### ⚙️ Configure Login Path

Change the login path to a slug of your own (for example `secret-panel`; pick something unguessable and record it in your password manager) and redirect unauthorized users to `/404`. Once saved, `/wp-login.php` and `/wp-admin` lead to the 404 page for anyone who is not logged in, so if you lose the slug you will need SSH or SFTP access to rename the plugin's folder under `wp-content/plugins` and get the default login back.

![2025-05-12 18_54_12-General Settings ‹ Nate Networks — WordPress — Mozilla Firefox.png](https://docs.natenetworks.com/uploads/images/gallery/2025-05/1YJkokegzOU065z0-2025-05-12-18-54-12-general-settings-nate-networks-wordpress-mozilla-firefox.png)

Click **Save Changes** to finalize the setting.

## 🚫 Step 2: Rate-Limit Login Attempts

Block bots and brute-force attempts by locking out an address after repeated failed logins with **Limit Login Attempts Reloaded**. This is what actually stops guessing once an attacker has found the login page.

### ➤ Install the Plugin

Search for **Limit Login Attempts Reloaded**, then install and activate it.

![2025-05-12 18_55_20-Add Plugins ‹ Nate Networks — WordPress — Mozilla Firefox.png](https://docs.natenetworks.com/uploads/images/gallery/2025-05/xRKo4e2Pb0lgXwsv-2025-05-12-18-55-20-add-plugins-nate-networks-wordpress-mozilla-firefox.png)

### 🚷 Skip Premium Prompts

Click “No, I don’t want advanced protection” during setup:

![2025-05-12 18_56_45-Limit Login Attempts ‹ Nate Networks — WordPress — Mozilla Firefox.png](https://docs.natenetworks.com/uploads/images/gallery/2025-05/EPtjRvYmJUo5pUWp-2025-05-12-18-56-45-limit-login-attempts-nate-networks-wordpress-mozilla-firefox.png)

Then skip the email/cloud opt-in:

![Cloud Opt-in - Skip](https://docs.natenetworks.com/attachments/file-4qtd6x233ZYxB8JBqha9Ve)

### ⚙️ Set Lockout Thresholds

Once installed, open the plugin's **Settings** tab and configure:

- **Allowed retries**: `3` failed logins before a lockout
- **Lockout time**: `20 minutes`
- **Lockout escalation**: after `4` lockouts from the same address, extend the lockout to `24 hours`
- **Retry reset**: `24 hours` without a failed attempt clears the counters

Under **Trusted IP Origins**, keep `REMOTE_ADDR` when WordPress is reached directly on the VPS. Only select a forwarded header such as `X-Forwarded-For` when the site sits behind a reverse proxy or CDN you control, because the plugin keys lockouts on whatever that field says. Getting this wrong fails in one of two ways: with `REMOTE_ADDR` behind a proxy every visitor shares the proxy's address, so one attacker locks out everyone; with a forwarded header and no proxy in front, an attacker writes a fresh fake address into the header on each request and never reaches the threshold.
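To make the threshold interplay and the trusted-origin problem concrete, here is a stand-alone simulation of the policy configured above. It is an added example, not the plugin's own code: the proxy range `10.0.0.0/8` and all addresses are made up, and the model assumes the fourth and later lockouts get the 24-hour duration.

```python
"""Model of the Step 2 lockout policy, keyed on the correct client address.

Added example: a stand-alone simulation of the thresholds listed above,
not the Limit Login Attempts Reloaded code. Proxy range and IPs are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ALLOWED_RETRIES = 3              # failed logins before a lockout
LOCKOUT_SECONDS = 20 * 60        # early lockouts last 20 minutes
ESCALATE_AFTER_LOCKOUTS = 4      # from the 4th lockout on, use the long duration
LONG_LOCKOUT_SECONDS = 24 * 3600
RETRY_RESET_SECONDS = 24 * 3600  # quiet period after which counters are cleared

# Assumption: the only reverse proxy allowed to set X-Forwarded-For lives here.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]
# The weak setting: believe the header from any TCP peer at all.
ANY_PEER = [ip_network("0.0.0.0/0")]


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies=TRUSTED_PROXIES) -> str:
    """Pick the address lockouts are keyed on.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    from any other peer the header is attacker-controlled and is ignored.
    """
    if x_forwarded_for and any(ip_address(remote_addr) in net for net in trusted_proxies):
        # leftmost hop is the original client as recorded by the first proxy
        return x_forwarded_for.split(",")[0].strip()
    return remote_addr


@dataclass
class _State:
    retries: int = 0
    lockouts: int = 0
    locked_until: float = 0.0
    last_failure: float = 0.0


class LoginLimiter:
    def __init__(self) -> None:
        self._by_ip: dict = {}

    def is_locked(self, ip: str, now: float) -> bool:
        s = self._by_ip.get(ip)
        return s is not None and now < s.locked_until

    def record_failure(self, ip: str, now: float) -> int:
        """Count one failed login; return the lockout length imposed, 0 if none."""
        s = self._by_ip.setdefault(ip, _State())
        if s.last_failure and now - s.last_failure > RETRY_RESET_SECONDS:
            s.retries = s.lockouts = 0          # retry reset after a quiet day
        s.last_failure = now
        s.retries += 1
        if s.retries < ALLOWED_RETRIES:
            return 0
        s.retries = 0
        s.lockouts += 1
        duration = (LONG_LOCKOUT_SECONDS if s.lockouts >= ESCALATE_AFTER_LOCKOUTS
                    else LOCKOUT_SECONDS)
        s.locked_until = now + duration
        return duration

    def record_success(self, ip: str) -> None:
        self._by_ip.pop(ip, None)


def replay(attempts, trusted_proxies=TRUSTED_PROXIES):
    """Feed (time, remote_addr, x_forwarded_for) failed logins through the limiter.

    Returns, per attempt, the lockout length it triggered (0 if none) or -1 when
    the attempt was refused because its address was already locked out.
    """
    limiter = LoginLimiter()
    out = []
    for t, remote, xff in attempts:
        ip = client_ip(remote, xff, trusted_proxies)
        out.append(-1 if limiter.is_locked(ip, t) else limiter.record_failure(ip, t))
    return out


if __name__ == "__main__":
    # Attacker hitting the VPS directly, forging a new X-Forwarded-For each time.
    spoofed = [(t, "198.51.100.7", f"203.0.113.{t}") for t in range(1, 5)]
    print("header ignored from untrusted peer:", replay(spoofed))            # locks on 3rd
    print("header believed from anyone       :", replay(spoofed, ANY_PEER))  # never locks
    # Behind a proxy but keyed on REMOTE_ADDR: four different users share one key.
    via_proxy = [(t, "10.0.0.1", f"203.0.113.{t}") for t in range(1, 5)]
    print("REMOTE_ADDR behind a proxy        :", replay(via_proxy, []))      # locks everyone
```

Run it and compare the three lines: only the first configuration locks out the attacker without collateral damage, which is the behaviour the Trusted IP Origins setting has to reproduce for your topology.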

## 🔒 Step 3: Enforce Two-Factor Authentication (2FA)

Add a second login factor with time-based one-time codes (TOTP) using **WP 2FA**, so that a leaked or guessed password alone is no longer enough to sign in.

### ➤ Install the Plugin

Search and install **WP 2FA**:

![2025-05-12 19_00_11-Add Plugins ‹ Nate Networks — WordPress — Mozilla Firefox.png](https://docs.natenetworks.com/uploads/images/gallery/2025-05/60olYWTf3ztZdE5A-2025-05-12-19-00-11-add-plugins-nate-networks-wordpress-mozilla-firefox.png)

### 🛠️ Configure Authentication Method

In the wizard:

- Enable **TOTP App** (Google Authenticator, Authy, or any RFC 6238 authenticator)
- Optionally enable **Email fallback**, bearing in mind it is only as strong as the mailbox it sends to
- When asked who 2FA applies to, enforce it at least for every Administrator account

### ⏳ Set Grace Period

Allow users a short grace period (e.g., 3 hours) to enroll, and choose to block dashboard access for anyone who has not enrolled when it expires. Enroll your own administrator account right away and keep the backup codes somewhere offline, since losing the phone otherwise means recovering access through the database or the file system.

## ✂️ Step 4: Disable XML-RPC

`xmlrpc.php` is a second login surface that none of the steps above cover: every call carries a username and password, and its `system.multicall` method lets one HTTP request bundle hundreds of credential guesses, sidestepping per-request rate limits. Its `pingback.ping` method has also been abused to make sites send traffic to third parties. Unless you rely on Jetpack, the WordPress mobile app, or another remote-publishing client, disable it.

### ➤ Install the Plugin

Search for **Disable XML-RPC-API** by **Amin Nazemi**:

![2025-05-12 19_05_39-Add Plugins ‹ Nate Networks — WordPress — Mozilla Firefox.png](https://docs.natenetworks.com/uploads/images/gallery/2025-05/flHAVSCbbkesrGxg-2025-05-12-19-05-39-add-plugins-nate-networks-wordpress-mozilla-firefox.png)

Activate it; no configuration is required. To confirm, open `https://your-site/xmlrpc.php` in a browser: a stock install answers with `XML-RPC server accepts POST requests only.`, while a hardened one should refuse the request instead.
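The VPS's own access log is the quickest way to see whether Steps 1 and 4 are actually in effect and who is probing them. This added example (not part of any plugin on this page) parses nginx/Apache "combined" log lines, counts per-address hits on `/wp-login.php` and `/xmlrpc.php`, and flags any `200` answer on those paths, which after hardening should never occur because the first is redirected away and the second refused. The log lines are constructed for the demo.

```python
"""Spot login/XML-RPC hammering and hardening gaps in a web server access log.

Added example, not part of any plugin in this guide. Reads nginx/Apache
"combined" format lines; the sample lines are constructed.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# After Steps 1 and 4 neither path should ever answer 200:
# wp-login.php is redirected to /404 and xmlrpc.php is refused.
WATCHED = {"/wp-login.php", "/xmlrpc.php"}

SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2025:19:10:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:19:10:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/May/2025:19:10:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [12/May/2025:19:11:30 +0000] "POST /xmlrpc.php HTTP/1.1" 403 120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2025:19:11:31 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2025:19:12:00 +0000] "GET /secret-panel HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse(lines):
    """Yield (ip, method, path without query string, status) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"])


def audit(log_text: str, threshold: int = 3):
    """Return (noisy, leaks).

    noisy: {(ip, path): hits} for watched paths hit at least `threshold` times
    leaks: [(ip, path)] for watched paths that answered 200, i.e. reached WordPress
    """
    hits = Counter()
    leaks = []
    for ip, _method, path, status in parse(log_text.splitlines()):
        if path not in WATCHED:
            continue
        hits[(ip, path)] += 1
        if status == 200:
            leaks.append((ip, path))
    noisy = {key: n for key, n in hits.items() if n >= threshold}
    return noisy, leaks


if __name__ == "__main__":
    noisy, leaks = audit(SAMPLE_LOG)
    for (ip, path), n in noisy.items():
        print(f"{ip} hit {path} {n} times")
    for ip, path in leaks:
        print(f"GAP: {path} answered 200 to {ip}; check that Step 1 / Step 4 is active")
```

Point `audit()` at the real file (`audit(open("/var/log/nginx/access.log").read())`) after a day of traffic; a non-empty `leaks` list means one of the plugins is inactive or bypassed, and the `noisy` entries are candidates for a firewall block.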

## ✅ Final Notes

You've now:

- Hidden your login URL from automated scans
- Enabled brute-force lockouts keyed on the real client address
- Enforced 2FA for administrators
- Disabled XML-RPC, the main brute-force amplification and pingback abuse vector

These four steps protect logins only. Keep WordPress core, themes, and plugins updated, since an unpatched plugin can hand an attacker a way in that bypasses all of them.