How to Secure Your WordPress EC2 Server: OpenSSH 9.3p2, SSH Hardening, Admin Lockdown, TLS & WPScan
In this premium step-by-step guide, we'll walk you through how we secured a real WordPress website hosted on AWS EC2. From upgrading OpenSSH to 9.3p2 to enforcing HTTPS, every step in this process was implemented to enhance server security, reduce attack surfaces, and protect user data.
Whether you're a developer, startup founder, or technical business owner, this guide is designed to help you implement the same production-grade server hardening techniques we use for our clients.
Why WordPress Security on EC2 Matters
AWS EC2 is powerful, but not secure out of the box. If you:
- Host WordPress on EC2
- Use SSH to manage your instance
- Haven't enforced TLS or restricted admin access
…your site could be vulnerable to brute-force attacks, data leaks, and downtime.
Let's fix that.
1. Upgrade OpenSSH to 9.3p2
Upgrading OpenSSH is critical for patching known vulnerabilities. The OpenSSH version shipped with many EC2 AMIs is outdated.
Commands:
sudo apt update
sudo apt install -y build-essential zlib1g-dev libssl-dev libpam0g-dev wget
cd /usr/local/src
sudo wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
sudo tar -xzf openssh-9.3p2.tar.gz
cd openssh-9.3p2
sudo ./configure --with-md5-passwords --with-pam
sudo make
sudo make install
Confirm version:
/usr/local/bin/ssh -V
Add this to your PATH to use the updated version:
echo 'export PATH="/usr/local/bin:$PATH"' | sudo tee -a /etc/profile
source /etc/profile
2. Disable SSH Agent Forwarding
If the server is compromised, a forwarded agent socket lets the attacker authenticate to other hosts with your keys. Disable it.
Edit config:
sudo nano /etc/ssh/sshd_config
Add or update:
AllowAgentForwarding no
Restart SSH:
sudo systemctl restart ssh
3. Remove Weak KEX and MACs
To reduce the attack surface, allow only modern key-exchange and MAC algorithms:
Edit sshd_config:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512,hmac-sha2-256
Then restart:
sudo systemctl restart ssh
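Two things are easy to get wrong in steps 2 and 3: sshd uses the first occurrence of a keyword, so an `AllowAgentForwarding no` appended below an existing `AllowAgentForwarding yes` (or below an `Include` that sets it) is silently ignored, and a KexAlgorithms or MACs line is only as strong as its weakest entry. The script below is an added example, not part of the original guide: it audits a config file against exactly the values given above and validates the file with `sshd -t` before restarting, so a typo cannot lock you out. The approved lists are assumed to be the page's two directives, the daemon path is assumed to be /usr/local/sbin/sshd, and the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config for the
# step 2 and step 3 settings before restarting sshd.
# Assumptions: approved lists mirror the page's directives; Include files
# (sshd_config.d/*.conf) are not followed, check them separately.

APPROVED_KEX="curve25519-sha256 curve25519-sha256@libssh.org"
APPROVED_MACS="hmac-sha2-512 hmac-sha2-256"

# Print the value of keyword $2 in config $1 (case-insensitive, FIRST hit wins,
# which is how sshd itself resolves duplicate keywords).
directive_value() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    tolower($1) == k {
      sub(/^[ \t]*[^ \t]+[ \t]+/, "")
      sub(/[ \t]+$/, "")
      print
      exit
    }' "$1"
}

# True when every comma-separated entry of $1 is in the space-separated set $2.
list_subset_of() {
  rest=$1
  while [ -n "$rest" ]; do
    item=${rest%%,*}
    case " $2 " in
      *" $item "*) ;;
      *) return 1 ;;
    esac
    [ "$rest" = "$item" ] && break
    rest=${rest#*,}
  done
  return 0
}

# Report deviations from steps 2 and 3 in file $1; returns the number of findings.
audit_sshd_config() {
  f=$1; n=0
  v=$(directive_value "$f" AllowAgentForwarding | tr 'A-Z' 'a-z')
  if [ "$v" != "no" ]; then
    echo "FAIL $f: AllowAgentForwarding is '${v:-unset (default yes)}' (first occurrence wins)"
    n=$((n + 1))
  fi
  for pair in "KexAlgorithms:$APPROVED_KEX" "MACs:$APPROVED_MACS"; do
    key=${pair%%:*}; approved=${pair#*:}
    v=$(directive_value "$f" "$key")
    if [ -z "$v" ]; then
      echo "FAIL $f: $key not set, the server default list applies"
      n=$((n + 1))
    elif ! list_subset_of "$v" "$approved"; then
      echo "FAIL $f: $key contains an entry outside the approved set: $v"
      n=$((n + 1))
    fi
  done
  [ "$n" -eq 0 ] && echo "OK $f: matches steps 2 and 3"
  return "$n"
}

# Syntax-check the file sshd will load, and only then restart.
# Daemon path and unit name are assumptions (source build, Debian/Ubuntu).
validate_and_restart() {
  sudo /usr/local/sbin/sshd -t -f "${1:-/etc/ssh/sshd_config}" && sudo systemctl restart ssh
}

# Constructed sample configs for the demo; the weak one mimics a stock file
# with the "no" appended at the bottom.
write_sample_configs() {
  cat > "$1/weak.conf" <<'EOF'
AllowAgentForwarding yes
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
MACs hmac-sha2-256,hmac-sha1
AllowAgentForwarding no
EOF
  cat > "$1/hardened.conf" <<'EOF'
AllowAgentForwarding no
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MACs hmac-sha2-512,hmac-sha2-256
EOF
}

d=$(mktemp -d)
write_sample_configs "$d"
audit_sshd_config "$d/weak.conf" || true   # three findings
audit_sshd_config "$d/hardened.conf"       # OK
rm -rf "$d"
```

On the instance, run `audit_sshd_config /etc/ssh/sshd_config` (or the /usr/local/etc path, whichever the running daemon reads) and, only when it prints OK, `validate_and_restart`; keep an existing SSH session open until a second login succeeds.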
4. Restrict Access to /wp-admin
Limit access to /wp-admin based on IP address to prevent unauthorized login attempts.
Commands:
cd /opt/bitnami/wordpress/wp-admin/
sudo nano .htaccess
Add:
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require ip YOUR_STATIC_IP
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax (Order/Deny/Allow are not available on 2.4 without mod_access_compat)
    Order deny,allow
    Deny from all
    Allow from YOUR_STATIC_IP
</IfModule>
Restart Apache:
sudo /opt/bitnami/ctlscript.sh restart apache
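Two practical refinements to the block above: most teams need more than one address (an office range plus a VPN egress), and the public front end of WordPress posts to /wp-admin/admin-ajax.php, so a blanket restriction on the directory breaks themes and plugins for logged-out visitors. The script below is an added example, not part of the original guide or of the Bitnami stack: it validates each IPv4 address or CIDR range, renders the .htaccess in Apache 2.4 syntax with an exemption for admin-ajax.php, and checks the Apache configuration before restarting. The documentation-range addresses are constructed, and the Bitnami paths (/opt/bitnami/wordpress/wp-admin and /opt/bitnami/apache/bin/apachectl) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate the wp-admin
# .htaccess for Apache 2.4 from a validated list of trusted addresses.
# Assumptions: Apache 2.4 (mod_authz_core), Bitnami paths as below.

# Accept dotted-quad IPv4, optionally with a /0-/32 prefix length.
valid_ip_or_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
  ip=${1%%/*}
  old_ifs=$IFS; IFS=.
  set -- $ip
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print an .htaccess that admits only the given addresses into wp-admin,
# while leaving admin-ajax.php reachable for the public front end.
render_wp_admin_htaccess() {
  [ "$#" -gt 0 ] || { echo "usage: render_wp_admin_htaccess IP[/PREFIX]..." >&2; return 1; }
  for addr in "$@"; do
    valid_ip_or_cidr "$addr" || { echo "rejected address: $addr" >&2; return 1; }
  done
  printf '# Generated: restrict wp-admin to trusted addresses (Apache 2.4)\n'
  printf '<IfModule mod_authz_core.c>\n'
  printf '  <RequireAny>\n'
  for addr in "$@"; do
    printf '    Require ip %s\n' "$addr"
  done
  printf '  </RequireAny>\n'
  printf '  # themes, plugins and logged-out users post to admin-ajax.php\n'
  printf '  <Files "admin-ajax.php">\n'
  printf '    Require all granted\n'
  printf '  </Files>\n'
  printf '</IfModule>\n'
}

# Write the file, syntax-check Apache, and only then restart it.
# WP_ADMIN_DIR and the apachectl path are assumed Bitnami locations.
install_wp_admin_htaccess() {
  target=${WP_ADMIN_DIR:-/opt/bitnami/wordpress/wp-admin}/.htaccess
  render_wp_admin_htaccess "$@" | sudo tee "$target" >/dev/null || return 1
  sudo /opt/bitnami/apache/bin/apachectl -t && sudo /opt/bitnami/ctlscript.sh restart apache
}

# Demo with constructed documentation-range addresses.
render_wp_admin_htaccess 203.0.113.10 198.51.100.0/24
```

Before relying on this, confirm the vhost actually honours .htaccess (an `AllowOverride None` makes the file a no-op; some Bitnami images keep WordPress rules in a central htaccess configuration file instead, and the same directives belong there). If the origin sits behind Cloudflare or another proxy (step 7), `Require ip` sees the proxy's address unless mod_remoteip restores the real client IP first.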
5. Add or Update robots.txt
Block sensitive paths from being indexed by search engines:
Commands:
cd /opt/bitnami/wordpress
sudo nano robots.txt
Add:
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
6. Run WPScan Security Audit
WPScan helps identify vulnerable plugins, themes, and configurations.
Install:
sudo gem install wpscan
Run scan:
wpscan --url https://yourdomain.com --enumerate vp,vt,cb,dbe,u,m
⚠️ Optional: use a free WPScan API token for deeper scan results.
7. Enforce TLS and Hide Server IP
Enforce HTTPS via .htaccess
sudo nano /opt/bitnami/wordpress/.htaccess
Add above WordPress block:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
Use Cloudflare (or a proxy) to mask server IP
- Enable proxy mode for your domain
- Configure Apache to use mod_remoteip if needed
Final Thoughts
With these 7 steps, you've just implemented a production-grade WordPress security setup on AWS EC2:
- Reduced attack surface
- Encrypted traffic
- Restricted sensitive paths
- Scanned for known vulnerabilities
This guide is not just technical, it's tactical. It helps you build trust with your visitors, rank higher in Google, and prevent future downtime.
Need help implementing this on your server? Let's talk.