
What’s the best way to secure a DigitalOcean Droplet running WordPress against brute-force attacks?

Posted on August 29, 2025

By Ayan Ali

Content Writer at 247FresherzJobz

I have a WordPress site hosted on a DigitalOcean Droplet (Ubuntu 22.04, Nginx, PHP 8.2, MySQL). Lately I’ve been noticing a lot of failed login attempts in the logs, which look like brute-force attacks on wp-login.php.

So far, I’ve:

  • Enabled fail2ban

  • Installed a basic security plugin on WordPress

  • Changed the default admin username

But the attempts keep coming.

My questions:

  • Are there additional steps I should take on the server level (firewall rules, SSH configs, rate limiting)?

  • Is it better to block these at Nginx/iptables level or just rely on plugins?

  • Any recommended best practices specific to WordPress on DigitalOcean?


Heya, @ayanaliwhale

What you’ve done already (fail2ban, security plugin, non-default admin) is a good start, but you can harden the droplet further so those bots don’t even reach PHP.

You can also do the following:

  • Consider restricting wp-login.php by IP or location.
  • Add two-factor authentication in WordPress.
  • Change the default wp-login page: plugins like WPS Hide Login let you change the login path, which removes a lot of bot traffic. Still, don’t rely on obscurity alone.

Hope that this helps!

Hey Ayan,

On the server level you can use UFW or DigitalOcean Cloud Firewalls to only allow the ports you actually need, like 80 and 443 for web and 22 for SSH. At the Nginx layer you can add simple rate limiting to wp-login.php so that repeated requests from the same IP get blocked or slowed down. That way bots don’t get unlimited attempts.

Another useful step is to hide the default login page with a plugin like WPS Hide Login, since most automated attacks only try the standard wp-login.php path. Adding two-factor authentication for your admin account gives you a strong last line of defense if someone does manage to guess a password.

If you want to go further, putting your site behind Cloudflare or another CDN can help filter bots before they even hit your Droplet. Between firewall rules, rate limiting, and Cloudflare, most of the noise will be blocked at a low level, and then the plugin and 2FA cover the application side.
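As an added example (not code from either answer, nor DigitalOcean's own config), here is the Nginx-level rate limit on wp-login.php that the answer above describes, for the Ubuntu 22.04 / Nginx / PHP 8.2 stack in the question. It assumes WordPress lives in /var/www/wordpress, PHP-FPM listens on Ubuntu's default php8.2-fpm socket, and example.com is a placeholder server name.

```nginx
# Added example, not part of either answer above: Nginx rate limiting for
# wp-login.php on the Ubuntu 22.04 / Nginx / PHP 8.2 setup from the question.
# Assumed paths: WordPress in /var/www/wordpress, PHP-FPM listening on
# unix:/run/php/php8.2-fpm.sock, site name example.com (placeholder).

# --- http {} context, e.g. /etc/nginx/conf.d/wp-ratelimit.conf ---
# One 10 MB shared zone keyed on the client IP (roughly 160k addresses); each
# IP may make 2 login requests per minute. limit_req_zone is only valid in http {}.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=2r/m;

# Return 429 (Too Many Requests) instead of the default 503 when the limit trips.
limit_req_status 429;

# If the site is put behind Cloudflare as suggested, $binary_remote_addr would
# otherwise be Cloudflare's edge IP and one bot would exhaust the limit for
# every visitor. Trust the proxy's header so the zone keys on the real client.
# set_real_ip_from <cloudflare IP ranges>;   # placeholder: use Cloudflare's published list
# real_ip_header CF-Connecting-IP;

# --- server {} block, e.g. /etc/nginx/sites-available/wordpress ---
server {
    listen 80;                     # TLS listener omitted; keep the existing one
    server_name example.com;       # placeholder
    root /var/www/wordpress;
    index index.php;

    # Exact-match location: only the login endpoint is rate limited. burst=5
    # lets a legitimate user retry a mistyped password a few times; nodelay
    # serves the burst immediately and rejects anything beyond it with 429.
    location = /wp-login.php {
        limit_req zone=wplogin burst=5 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
    }
}
```

Run `sudo nginx -t && sudo systemctl reload nginx` after editing. Rejected attempts show up in the Nginx error log as "limiting requests" lines, which the stock fail2ban `nginx-limit-req` filter can match, so the fail2ban setup already in place can ban repeat offenders at the firewall as well.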
