How to secure WordPress server on Ubuntu 18.04 when starting from scratch

Posted May 9, 2020

I’m planning on spending the time and setting up an Ubuntu server 18.04 for a WordPress website, but I want to make sure the installation is as secure as the One-Click WordPress droplet offered by DigitalOcean.

So, besides enabling the firewall and using the wp fail2ban plugin, do I need anything else to have a secure server online?

2 answers

Hello, @mhweb

There are other tweaks that you can implement in order to tighten up the security. You can disable PasswordAuthentication and also limit the root login to a certain number of IP addresses. Tweak iptables, as well as using fail2ban and UFW.

I would recommend that you check this tutorial on how to secure your Linux VPS:

Hope this helps!


by Justin Ellingwood
Linux security is a complex task with many different variables to consider. In this guide, we will attempt to give you a good introduction to how to secure your Linux server. We will discuss high-level concepts and areas to keep an eye on, with links to more specific advice.

Hi @mhweb,

You may enable a couple of things on your server to make it secure:

  1. Set up a new user and disable root login via SSH.
  2. Disable Password Authentication, always use SSH tunnel.
  3. Secure Mysql server
  4. Secure phpMyAdmin (if you’re using it)
  5. Set up a firewall to enable and disable inbound and outbound network connections. (You should use Cloudflare, as it provides additional security, including a firewall and DDoS protection.)

If you use Cloudflare, no one can easily learn your real IP address. It is still possible to find out, but it is like an extra layer of security.

Never open all network ports; use only selected ports.

  • When you say “Disable Password Authentication, always use SSH tunnel.” this is the same as when creating a new droplet and assigning an SSH key, right?

    And when you say “Secure Mysql server” you mean running “mysql_secure_installation”, right?
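
The two SSH settings both answers name (root login and PasswordAuthentication) can be checked against a config file. The script below is an added example, not part of the thread; the function names and the sample file are constructed for illustration, and it assumes whitespace-separated `Keyword value` lines and reads only the global section.

```shell
#!/bin/sh
# Added example (not from the thread): report the effective global values of
# the two sshd_config settings the answers mention.
# Assumptions: whitespace-separated "Keyword value" lines; "Match" blocks are
# not evaluated. The fallbacks below are OpenSSH's built-in defaults.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the FIRST value it reads for a keyword, so a later
# "PasswordAuthentication no" does not override an earlier "yes".
effective_value() {
  awk -v key="$2" -v def="$3" '
    BEGIN { key = tolower(key) }
    $1 ~ /^#/ { next }                      # commented-out lines set nothing
    tolower($1) == "match" { exit }         # global section ends here
    tolower($1) == key { val = tolower($2); found = 1; exit }
    END { print (found ? val : def) }
  ' "$1"
}

# audit_sshd FILE: prints one line per setting, returns 1 if any is weak.
audit_sshd() {
  a_rc=0
  a_root=$(effective_value "$1" PermitRootLogin prohibit-password)
  a_pass=$(effective_value "$1" PasswordAuthentication yes)
  if [ "$a_root" = "no" ]; then echo "OK   PermitRootLogin $a_root"
  else echo "WARN PermitRootLogin $a_root (root login over SSH not disabled)"; a_rc=1; fi
  if [ "$a_pass" = "no" ]; then echo "OK   PasswordAuthentication $a_pass"
  else echo "WARN PasswordAuthentication $a_pass (password logins accepted)"; a_rc=1; fi
  return "$a_rc"
}

# Constructed sample: the admin appended "no" at the end, but an earlier
# "yes" is still active, and PermitRootLogin is only commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PermitRootLogin no
PasswordAuthentication yes
UsePAM yes
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "=> fix the settings, then reload sshd"
rm -f "$sample"
```

On a live server, `sshd -T` (run as root) prints the effective configuration as the daemon itself parses it.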