Prevent brute force attacks on WordPress login with rate limiting
Block brute force attacks on wp-login.php by implementing PHP-based login attempt rate limiting, adding CAPTCHA via the WordPress hooks, and hardening with .htaccess rules.
Run safe custom database queries in WordPress using wpdb
Use the $wpdb class with prepare(), get_results(), get_var(), and insert() to run safe, SQL-injection-proof custom database queries in WordPress.
Set up a free SSL certificate with Let’s Encrypt and Certbot on Ub ...
Install Certbot, obtain a free Let's Encrypt SSL certificate for your WordPress domain, and configure automatic renewal with a systemd timer on Ubuntu 20.04 or 22.04.
Harden WordPress file permissions and disable PHP execution in uploads
Set correct Linux file permissions for WordPress directories and use .htaccess rules to block PHP execution in the uploads folder, stopping a common malware vector.
Secure a WordPress VPS with UFW firewall and fail2ban
Lock down a WordPress VPS by enabling UFW to allow only necessary ports and configuring fail2ban to block repeated login attempts.
Disable XML-RPC in WordPress via .htaccess and functions.php
Block WordPress xmlrpc.php at the server level with .htaccess or nginx rules to prevent brute-force and DDoS amplification attacks.
WordPress user roles and capabilities explained with code
Create custom WordPress roles, add capabilities and restrict admin pages using current_user_can and add_role.
Prevent WordPress username enumeration attacks
Block the ?author=N redirect and disable the REST API users endpoint to prevent attackers from discovering WordPress usernames.
Create a custom WordPress REST API endpoint
Register a custom REST route with register_rest_route, handle GET parameters and protect endpoints with permission callbacks.