Hardening removes easy wins for attackers without making day-to-day ops painful. This guide covers firewall basics, Fail2ban, permissions, and why virtual patching matters when plugins lag behind fixes.
Firewall basics (UFW)
- Allow required services:
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
- Enable firewall:
sudo ufw enable
- Verify:
sudo ufw status
Fail2ban (abuse mitigation)
- Install:
sudo apt install -y fail2ban
- Check status:
sudo systemctl status fail2ban --no-pager
- Start with SSH protection (the sshd jail); add HTTP rules carefully so that legitimate visitors are not banned by false positives
Permissions and filesystem hygiene
- Avoid 777 permissions
- Lock down wp-config.php and secrets
- Make only required directories writable (see WordPress uploads and permissions)
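The three permission rules above, as an added audit-and-fix script that is not part of the original guide. It assumes GNU coreutils/findutils (stat -c, find -perm), a document root passed as the first argument, and that the uploads directory is made group-writable for a group the web server belongs to (assigning that group is a separate, root-only chgrp step not shown here).

```shell
#!/bin/sh
# Added example: audit a WordPress document root for the permission problems
# named in the guide (world-writable paths, readable wp-config.php) and apply
# a conservative baseline. Assumes GNU stat/find; docroot is a placeholder path.

# Print every world-writable file or directory under the docroot.
# Returns 0 when nothing world-writable is found, 1 otherwise.
find_world_writable() {
  docroot="$1"
  hits=$(find "$docroot" -perm -o+w ! -type l 2>/dev/null)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Check that wp-config.php grants nothing to "other" readers (640 or tighter).
# Returns 0 if acceptable, 1 if the file is missing or too permissive.
check_wp_config_mode() {
  cfg="$1/wp-config.php"
  [ -f "$cfg" ] || return 1
  mode=$(stat -c '%a' "$cfg")
  # The last octal digit is the "other" class; a read bit (4) there is a problem.
  case "$mode" in
    *[4567]) return 1 ;;
  esac
  return 0
}

# Apply the baseline: directories 755, files 644, wp-config.php 640, and only
# wp-content/uploads group-writable (never world-writable).
harden_wordpress_tree() {
  docroot="$1"
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +
  if [ -f "$docroot/wp-config.php" ]; then
    chmod 640 "$docroot/wp-config.php"
  fi
  if [ -d "$docroot/wp-content/uploads" ]; then
    chmod -R u+rwX,g+rwX,o-w "$docroot/wp-content/uploads"
  fi
}
```

Run the two check functions first to see what is wrong, then harden_wordpress_tree once, and re-run the checks to confirm nothing under the docroot is world-writable.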
Virtual patching (important in 2026)
- Many plugin vulnerabilities remain unpatched for weeks or longer
- Virtual patching (via WAF or security services such as Patchstack-style tooling) can block known exploits while you wait for vendor fixes
- Treat this as a bridge—not a substitute for real updates and hardening
FAQ
Will UFW block my site?
No, as long as you allow 80/tcp and 443/tcp (and OpenSSH before running ufw enable, otherwise you can lock yourself out of the server). Allow only what you need; deny by default is the goal.
What’s the first hardening step that doesn’t require new software?
Tighten permissions and ownership so the web user can’t write where it shouldn’t, and ensure wp-config.php isn’t web-readable.
Related
- Ubuntu security updates and WordPress risk — patch timing and risk
- Fixing WordPress uploads and updates with correct permissions — permissions pitfalls
- Blocking common WordPress vulnerabilities in 2026 — server-side controls and virtual patching