Applying critical security measures to your WordPress

Applying critical security measures to your WordPress site is essential to protect against hacks, malware, and other cyber threats. Since you’re using Hostinger VPS with AlmaLinux, here are the most important security steps you should take:

🔒 Server-Level Security

  1. Use a Firewall (WAF)
    • Install CSF (ConfigServer Security & Firewall) for AlmaLinux.
    • Enable ModSecurity in cPanel to block malicious requests.
  2. SSH Hardening
    • Change the default SSH port (22) to something else.
    • Disable root login (PermitRootLogin no in /etc/ssh/sshd_config).
    • Use SSH keys instead of passwords.
  3. Regular System Updates
    • Keep AlmaLinux, PHP, MySQL, and cPanel updated.
    • Run dnf update -y regularly or set up automatic updates.
  4. Disable Unused Services
    • Turn off unnecessary services (systemctl disable <service>).
    • Close unused ports using iptables or firewalld.
  5. Enable Fail2Ban
    • Prevent brute force attacks on SSH, cPanel, and WordPress login.
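
The SSH hardening items in step 2 can be checked mechanically. The script below is an added example, not part of the original post: it reads an sshd_config file and reports whether port 22 is still open, whether root login is disabled, and whether password logins are off. The function names and the sample file are constructed for illustration; Include files and Match blocks are not evaluated.

```bash
#!/usr/bin/env bash
# Added example: audit an sshd_config against the SSH hardening items above.
# Assumption/limit: Include files and Match blocks are not evaluated.

# global_values FILE KEYWORD: print each value set for KEYWORD in the global
# section, in file order. sshd keywords are case-insensitive.
global_values() {
  awk -v key="$2" '
    { sub(/#.*/, ""); sub(/[ \t]*=[ \t]*/, " ") }  # drop comments, accept key=value
    tolower($1) == "match" { exit }                # what follows is conditional
    tolower($1) == tolower(key) { print $2 }
  ' "$1"
}

# audit_sshd FILE: print PASS/FAIL per check; return status = failure count.
audit_sshd() {
  local file="$1" fails=0 ports root pass
  # Port is cumulative (sshd listens on every Port line); for the other two
  # keywords sshd uses the first value it reads. Unset keywords get defaults.
  ports=$(global_values "$file" Port | tr '\n' ' ')
  root=$(global_values "$file" PermitRootLogin | head -n 1)
  pass=$(global_values "$file" PasswordAuthentication | head -n 1)
  ports="${ports:-22 }"; root="${root:-prohibit-password}"; pass="${pass:-yes}"

  case " $ports" in
    *" 22 "*) echo "FAIL  sshd still listens on port 22"; fails=$((fails + 1)) ;;
    *)        echo "PASS  Port ${ports% }" ;;
  esac
  if [ "$root" = no ]; then echo "PASS  PermitRootLogin no"
  else echo "FAIL  PermitRootLogin $root (root can log in)"; fails=$((fails + 1)); fi
  if [ "$pass" = no ]; then echo "PASS  PasswordAuthentication no"
  else echo "FAIL  PasswordAuthentication $pass (passwords accepted)"; fails=$((fails + 1)); fi
  return "$fails"
}

# Constructed sample: looks hardened, but a second Port line keeps 22 open and
# the first PermitRootLogin line (yes) wins over the later "no".
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config for this example
Port 2222
port 22
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication=no
EOF
audit_sshd "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

On the server, run it as audit_sshd /etc/ssh/sshd_config. Where that file pulls in drop-ins with Include, sshd -T (run as root) prints the effective settings to compare against.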

🛡️ WordPress Security Measures

  1. Use a Security Plugin
    • Install Wordfence or iThemes Security to monitor threats.
  2. Limit Login Attempts
    • Set login attempt limits with the Limit Login Attempts Reloaded plugin.
  3. Disable XML-RPC
    • Prevent DDoS and brute force attacks by disabling XML-RPC (Disable XML-RPC plugin).
  4. Use Strong Passwords & 2FA
    • Enforce strong passwords using the Password Policy Manager plugin.
    • Enable two-factor authentication (2FA) via Wordfence or Google Authenticator.
  5. Restrict WP-Admin Access
    • Limit access to /wp-admin using .htaccess rules:
        <Files wp-login.php>
          order deny,allow
          Deny from all
          Allow from YOUR_IP
        </Files>
  6. Change WP Login URL
    • Use the WPS Hide Login plugin to change /wp-login.php to something unique.
  7. Disable File Editing
    • Prevent attackers from modifying themes/plugins through the dashboard editor by adding this line to wp-config.php:
        define('DISALLOW_FILE_EDIT', true);

📂 Database & File Security

  1. Change Database Prefix
    • Change wp_ to a random prefix (wp3x4y_) during installation.
  2. Restrict Database Access
    • Use strong MySQL user passwords.
    • Limit database user privileges (no GRANT or DROP permissions).
  3. Secure wp-config.php
    • Move wp-config.php above the public_html directory.
    • Restrict access using .htaccess:
        <Files wp-config.php>
          order allow,deny
          deny from all
        </Files>

🚀 Backups & Monitoring For Critical Measures

  1. Daily Backups
    • Enable Hostinger’s automatic backups or use UpdraftPlus.
  2. Monitor File Changes
    • Install Sucuri Security or Wordfence for real-time file change monitoring.
  3. Scan for Malware
    • Regularly scan with MalCare or Virusdie.
  4. Enable Logging
    • Monitor /var/log/auth.log, /var/log/messages, and /var/log/httpd/access_log.
  5. DDoS Protection
    • Use Cloudflare CDN & DDoS Protection.

🔑 Final Steps

  • Run a security audit using Wordfence Scanner.
  • Set up automatic software updates.
  • Use a reliable security plugin like All In One WP Security & Firewall.


Flo
