Step-by-Step Security Hardening for WordPress on a Public VPS
🔐 Overview
This guide explains how to harden your public WordPress site using free plugins and smart configuration. It includes login obfuscation, brute-force protection, 2FA, and XML-RPC lockdown.
🔧 Step 1: Hide the Default Login Page
Move the login page away from the default /wp-admin and /wp-login.php paths so that automated brute-force scans aimed at the well-known URL no longer reach the login form.
➤ Install the Plugin
Go to Plugins > Add New, and search for WPS Hide Login.
Click Activate and proceed to Settings > General to configure.
⚙️ Configure Login Path
Change the login path to something unique like <secret panel> and redirect unauthorized users to /404.

Click Save Changes to finalize the setting.
🚫 Step 2: Rate-Limit Login Attempts
Block bots and brute-force attempts using Limit Login Attempts Reloaded.
➤ Install the Plugin
Search for Limit Login Attempts Reloaded.

🚷 Skip Premium Prompts
Click “No, I don’t want advanced protection” during setup:

Then skip the email/cloud opt-in:
⚙️ Set Lockout Thresholds
Once installed, configure:
- Allowed retries: 3
- Lockout time: 20 minutes
- Lockout escalation: After 4 fails, extend to 24 hours
- Retry reset: 24 hours
Use REMOTE_ADDR as the trusted IP origin, so the plugin takes the client address from the web server itself rather than from a client-controlled header such as X-Forwarded-For; only switch to a forwarded header if the site sits behind a reverse proxy or CDN that sets it, otherwise every lockout would apply to the proxy's address.
🔒 Step 3: Enforce Two-Factor Authentication (2FA)
Add strong login protection with time-based one-time codes using WP 2FA.
➤ Install the Plugin
Search and install WP 2FA:

🛠️ Configure Authentication Method
In the wizard:
- Enable TOTP App (Google Authenticator, Authy, etc.)
- Optionally enable Email fallback
⏳ Set Grace Period
Allow users a short time (e.g., 3 hours) to configure 2FA.
Choose to block dashboard access if they don’t enroll in time.
✂️ Step 4: Disable XML-RPC
XML-RPC is a frequent target for credential attacks (a single request can carry many login attempts) and pingback abuse, and it is rarely needed unless you're using a remote publishing client or Jetpack.
➤ Install the Plugin
Search for Disable XML-RPC-API by Amin Nazemi:

Activate it — no configuration required. Afterwards, confirm that /xmlrpc.php no longer accepts requests.
✅ Final Notes
You’ve now:
