An Introduction to WordPress Linux VPS Security

Written by on July 15, 2015


While my blog primarily contains information about mobile development, I’ve decided to also share my knowledge about blogging and everything related that I learned in the past few years.

Before I even wrote my first article I had the task of choosing which way to go. Should I choose shared hosting or some VPS system?

It did not take me much time to decide DigitalOcean was my best choice. Prices were affordable, and I could get my system up and running in a matter of minutes. Though I had some previous Linux (Ubuntu) experience, everything was still new and shiny to me.

And I was hacked in a matter of hours.

Lesson learned. Thus, I spent several more days learning everything I could about Linux security.


First step

This step is also the most important one: securing your Linux VPS must be your number one priority. Think about it: months or even years of your hard work (or in this case future hard work) can go up in flames if someone manages to break into your VPS and wreak havoc.

There are many different security topics we could discuss that fall under the general category of Linux security, but we will cover standard security measures. Nothing prevents you from going above and beyond once everything is set up. There are always risks and trade-offs, and you will need to decide what the best course of action is, balancing usability and security. I will also provide links to other possible measures you can take care of.

This article is also a prelude to a much longer article chain I’m going to write covering everything WordPress related.

File Editor

We’re starting with an application that has nothing to do with security, but we still need it to be able to modify system files.

In this article we’ll use the nano text editor, though you can use any other application like vi, etc.

Open a terminal and type nano, or type this command if your VPS doesn’t have it preinstalled:

sudo apt-get install nano

Get The Ubuntu Packages Up To Date

The first thing to do after a new VPS installation is to update the package lists and upgrade the currently installed packages with the latest patches, security fixes and upgrades.

sudo apt-get update
sudo apt-get upgrade

You should execute these two commands every once in a while.

Change ROOT password

This step is optional, but you will probably want to do this, especially if you’ve received a randomly generated 16+ character password.

Make sure you’re logged in as the root user.


You’ll be prompted to enter the new password twice.

Create another user

It’s a good practice on any OS (Linux, Windows, MacOS, etc.) to run applications at the user level and leave administrative tasks to the root/administrator user. This way, even if someone breaks into the VPS, he or she will not have root privileges or be able to do any serious harm (we’re also going to disable remote root access).

Warning: Replace {username} with a user name of your choosing; you'll encounter it all through the tutorial.

sudo useradd -d /home/{username} -s /bin/bash -m {username}

This line will create a new user called {username} and create a home directory for it at this location: /home/{username}.

Now we need to set a password for the new user:

sudo passwd {username}

You will be prompted to enter the new user's password twice:

Enter new UNIX password: ********
Retype new UNIX password: ********

Now we need to give this new user the ability to gain root powers temporarily with the use of the sudo command:

sudo visudo

Go to the last line in this file and insert this:

{username} ALL=(ALL) ALL

If this is a fresh VPS installation, the sudoers file should finally look like this:

# /etc/sudoers
# This file MUST be edited with the 'visudo' command as root.
# See the man page for details on how to write a sudoers file.

Defaults        env_reset

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification

root    ALL=(ALL) ALL
{username} ALL=(ALL) ALL

Now log out of your VPS and make sure you can log back in using this new user:

logout

When you are back in, make sure you can gain root privileges:

sudo -i

You will be prompted to enter the root user password twice.

Restrict The SSH access

We need to go a little bit further in securing our SSH access: disallow root SSH login and change the default SSH access port.

Warning: The following steps require you to use the newly created user.

We need to edit the /etc/ssh/sshd_config file:

sudo nano /etc/ssh/sshd_config

You will be prompted to enter your root password. Find these lines and change them like this:

Port 54325
PermitRootLogin no
X11Forwarding no
UsePAM no

Note: Use any port number you wish as long as it's higher than 49152 and lower than 65535.

Add the following line at the end of the sshd_config file:

AllowUsers {username}

Be careful with this last line: if you write a wrong username, you will lock yourself out of the VPS once the changes become active.

Now we have to reload SSH to activate previous changes:

sudo service ssh restart

Now comes this chapter's most important step: open a new PuTTY terminal (or any other terminal software you’re using) and enter the VPS connection information, your new username, and the new SSH port. If everything went well, you will see a login prompt. If not, get back to your previous SSH window and recheck everything we talked about here.
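The lockout risk described above can be checked before the restart. The following script is an added example, not part of the original article: it audits a config file against the settings used in this chapter, and the helper names, the user alice and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Helper names are illustrative.

# effective_value FILE KEYWORD: first uncommented value of KEYWORD.
# Keywords are case-insensitive; for most keywords sshd keeps the first value.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE USERNAME: prints one finding per line and returns 1
# if the file deviates from the tutorial's settings, 0 otherwise.
# Simplification: AllowUsers is matched as plain names, not patterns.
audit_sshd_config() {
    file=$1; user=$2; rc=0
    port=$(effective_value "$file" Port)
    root=$(effective_value "$file" PermitRootLogin)
    allow=$(effective_value "$file" AllowUsers)

    case $port in
        ''|*[!0-9]*) echo "port: missing or not numeric"; rc=1 ;;
        *) if [ "$port" -le 49152 ] || [ "$port" -ge 65535 ]; then
               echo "port: $port is outside the 49152-65535 range"; rc=1
           fi ;;
    esac
    [ "$root" = "no" ] || { echo "root-login: PermitRootLogin is '${root:-unset}'"; rc=1; }
    case " $allow " in
        "  ") echo "allow-users: AllowUsers is not set"; rc=1 ;;
        *" $user "*) ;;
        *) echo "lockout: '$user' is not listed in AllowUsers ($allow)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files: one matching the tutorial, one with a typo in
# AllowUsers and the stock port still active.
tmp=$(mktemp -d)
printf '%s\n' 'Port 54325' 'PermitRootLogin no' 'X11Forwarding no' \
    'UsePAM no' 'AllowUsers alice' > "$tmp/good"
printf '%s\n' '#Port 54325' 'Port 22' 'PermitRootLogin no' \
    'AllowUsers alcie' > "$tmp/bad"

audit_sshd_config "$tmp/good" alice && echo "good: safe to restart ssh"
audit_sshd_config "$tmp/bad" alice || echo "bad: fix the findings before restarting"
```

On the VPS, point the function at /etc/ssh/sshd_config with your own username, and also run sudo sshd -t, which checks the file's syntax, before restarting the service.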

If you want a more secure way of remote access, you can switch from password login to SSH key login. Password logins are inherently less secure because they can allow a potential intruder to brute-force (continuously guess) passwords until they find a correct one. SSH keys operate by generating a secure key pair. The first one, called the public key, is created to identify a user. The second one is called the private key; keep it a secret. If you want to implement this solution, take a look at this tutorial.

