Keep WordPress Safe From Brute Force Attacks with Fail2ban

Security plugins for WordPress are very popular these days, I bet you have a list of must-have security plugins on your WordPress sites.

Among all the common security issues related to WordPress, I personally hate brute force attacks most; one took one of my clients’ sites down and caused a painful customer service experience. So last year, when I started some new WordPress sites on a Media Temple VPS hosting, I chose to use Fail2ban to deal with such attacks.

Set Up Gandi Standard SSL Certificate on Nginx

If you register a domain name on Gandi, you’ll get a free Standard SSL certificate from them for a year. The best part is you don’t have to apply for the SSL certificate right away; you can apply for it anytime during the first year of your domain name registration.

So yesterday, when I realized (which is registered with them) will be renewed in about a month, it came to me that I hadn’t got an SSL certificate for my site, and now it’s about time.

The process is easy: you just log into your Gandi account and purchase a Standard SSL certificate. At checkout, the amount will be discounted to 0 if you haven’t purchased one for your domain. That means the first year (starting from the day you purchase the SSL certificate, not the domain) will be free, and $16 per year thereafter.

Basically I followed all steps from Julien’s post: Nginx #1: Set up Gandi Standard SSL Certificate. Even though I was pretty sure that I got everything right, I still couldn’t get SSL to work with Firefox, and it took me hours to find the solution.

Improve Security on My Digital Ocean Droplet

After was live on a Digital Ocean droplet, I started to google what to do to secure my server. It turns out that there are many useful Community posts on their website. Here are 3 of them I’d suggest any new VPS user follow step by step.

  1. Initial Server Setup with Ubuntu 12.04:
    The same rules apply to Ubuntu 13.x and above. It’s about how to create a new user with root privileges, restrict root login, and change the port of SSH.
  2. How To Protect SSH with fail2ban on Ubuntu 12.04:
    Last time, when one of my clients’ sites was brute force attacked, I learned that fail2ban is a powerful tool to “automatically protect virtual servers from malicious behavior”. In this article, I found fail2ban is easy to configure; hopefully that helps so I don’t need to install extra security plugins on my site.
  3. How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server:
    Setting up a firewall on the server sounds kind of scary at first, but UFW makes it dead simple! It should be a must-have on any Ubuntu server.

It’s Day 2 of my Digital Ocean journey. Let me keep digging into it and share with server dummies like me!

Lessons learned after brute force attacks

A few days ago one of my sites got brute force attacked. The site is hosted on a shared server, and the web host shut my site down for consuming too many resources. After that I decided to dig into this issue a little deeper, so I started a discussion on a LinkedIn Group called “WordPress Developers.”

My question is: “My site got brute force attacked. Has anyone had the same experience? Would you please share how your hosting company dealt with it? Any suggestions on preventing DDOS or brute force attacks, or hosting recommendations, are welcome!”

Use .htaccess to secure your WordPress by WPMU DEV

In this video, WPMU DEV teaches you how to use .htaccess to secure your WordPress site; the code snippets from the video are listed here.

Brute force attacks on shared hosting

Last night I got an email from my hosting company: they had shut down one of my WordPress sites because its login page was being brute force attacked. The support guy asked me if I could recognize the source IP, and sent a link to Google search results about how to solve the problem, which means I had to solve the problem by myself.

I was pretty upset when I got this email, but I still tried to block the IP in the .htaccess file. I found the hosting company had changed the file permissions so I couldn’t update the .htaccess. The only thing I could do was reply to the email and call their EMERGENCY service number, which was answered by an answering machine, and ask them how I could do any fix if I couldn’t edit the .htaccess file.