Keep WordPress Safe From Brute Force Attacks with Fail2ban

Security plugins for WordPress are very popular these days; I bet you have a list of must-have security plugins on your WordPress sites.

Among all the common security issues related to WordPress, I personally hate brute force attacks the most; they took one of my clients’ sites down and led to a painful customer service experience. So last year, when I started some new WordPress sites on Media Temple VPS hosting, I chose to use Fail2ban to deal with such attacks.


Set Up Gandi Standard SSL Certificate on Nginx

If you register a domain name on, you’ll get a free Standard SSL certificate from them for a year. The best part is you don’t have to apply for the SSL certificate right away; you can apply for it anytime during the first year of your domain name registration.

So yesterday when I realized (which is registered with them) will be renewed in about a month, it just came to me that I haven’t got an SSL certificate for my site, and now it’s about time.

The process is easy: you just log into your Gandi account and purchase a Standard SSL certificate; at checkout, the amount will be discounted to 0 if you haven’t purchased one for your domain. That means the first year (starting from the day you purchase the SSL, not the domain) will be free, and $16 per year thereafter.

Basically, I followed all the steps from Julien’s post, Nginx #1: Set up Gandi Standard SSL Certificate. Even though I was pretty sure that I got everything right, I still couldn’t get the SSL to work with Firefox; it took me hours to find the solution.


Improve Security on My Digital Ocean Droplet

After was live on a Digital Ocean droplet, I started to google what to do to secure my server. It turns out that there are many useful Community posts on their website. Here are 3 of them that I’ll suggest any new VPS user follow step by step. Initial Server Setup with Ubuntu 12.04: The same rules …


Lessons learned after brute force attacks

A few days ago one of my sites got brute force attacked. The site is hosted on a shared server, and the web hosting company shut my site down for consuming too many resources. After that I decided to dig into this issue a little deeper, so I started a discussion on a LinkedIn Group called “WordPress Developers.”

My question is: “My site got brute force attacked. Anyone had the same experiences, would you please share how your hosting company dealt with it? Any suggestions on preventing DDOS or brute force attacks, or hosting recommendation are welcome!”


Brute force attacks on a shared hosting

Last night I got an email from my hosting company: they shut down one of my WordPress sites because it was brute force attacked on the login page. The support guy asked me if I could recognize the source IP, and sent a Google search results link about how to solve the problem; that means I have to solve the problem by myself.

I was pretty upset when I got this email, but still tried to block the IP in the .htaccess file. I found the hosting company had changed the file privileges so I couldn’t update the .htaccess. The only thing I could do was reply to the email and call their EMERGENCY service number, which was answered by an answering machine, to ask them how I could do any fix if I couldn’t edit the .htaccess file.
