Skip to main content
📝 WordPress

How to Secure Your WordPress EC2 Server: OpenSSH 9.3p2, SSH Hardening, Admin Lockdown, TLS & WPScan

Secure your WordPress EC2 server — OpenSSH 9.3p2 update, SSH hardening, admin lockdown, TLS setup, and WPScan vulnerability scanning.

5 min

Read time

935

Words

Jul 06, 2025

Published

Engr Mejba Ahmed

Written by

Engr Mejba Ahmed

Share Article

How to Secure Your WordPress EC2 Server: OpenSSH 9.3p2, SSH Hardening, Admin Lockdown, TLS & WPScan

Secure WordPress EC2 SSH TLS: Full Hardening

A secure WordPress EC2 SSH TLS setup closes the doors attackers actually try — and on a fresh EC2 instance running WordPress, those doors are predictable: SSH, the admin login, unencrypted traffic, and vulnerable plugins. This walkthrough hardens all four in one sitting, using the exact sequence I run on every WordPress server I deploy.

Start With SSH, Because Everyone Else Does

Your auth log is already full of strangers trying root and admin — that's the internet's background radiation. Three changes end their careers. Disable password authentication entirely in /etc/ssh/sshd_config (PasswordAuthentication no) so only key holders can connect. Disable root login (PermitRootLogin no) and use a sudo-capable user instead. Then restrict the security group: port 22 open to your IP or your VPN range, not 0.0.0.0/0. With keys-only, no root, and a scoped source IP, brute force against SSH stops being a threat and becomes a log entry.

Reload the daemon and — before closing your session — open a second terminal and confirm you can still log in. The oldest hardening joke is locking yourself out with the door you just reinforced, and it stops being funny around the third time.

Lock Down the WordPress Admin

The login page is the second-favorite target. Enforce strong passwords for every account and delete any user named admin after transferring content ownership. Add two-factor authentication with any reputable plugin, and limit login attempts so credential stuffing gets rate-limited into futility. If your team's IPs are stable, restricting /wp-admin at the web server level is the bluntest and most effective control of all — attackers can't brute-force a page they can't reach.

Two wp-config.php lines complete the lockdown: DISALLOW_FILE_EDIT removes the built-in code editor (a compromised admin account otherwise becomes instant code execution), and unique salts — regenerated from the official generator — invalidate any stolen session cookies.

TLS Is the Floor, Not the Finish

Install a Let's Encrypt certificate and force HTTPS site-wide with a 301 redirect, then set Strict-Transport-Security so browsers refuse to downgrade. Update the site URL settings so WordPress generates HTTPS links natively rather than relying on redirects forever. Verify with an external scan — SSL Labs will flag weak protocols and incomplete chains that a green padlock quietly hides. Renewal must be automated and tested with a dry run; an expired certificate takes your credibility down with your uptime.

Scan Yourself Before They Scan You

WPScan enumerates what attackers enumerate: vulnerable plugin versions, exposed usernames, readable configuration files. Run it against your own site quarterly and after every plugin change. The findings drive the unglamorous work that actually prevents breaches — updating the plugin you forgot about, removing the theme you trialed once, closing user enumeration. Pair the scan with a monthly patch day for core, plugins, and system packages, staged first if the site earns money.

The Backup That Makes Everything Survivable

Hardening reduces the odds; backups cap the damage. Snapshot the EBS volume daily, keep at least a week of history, and store database dumps off-instance — a backup on the server it protects vanishes with the server. Restore one backup, once, on a scratch instance: a restore you've never rehearsed is a hypothesis, not a plan.

The Rhythm That Keeps It Locked

Hardening decays because software moves. First Monday monthly: patches. Quarterly: WPScan and an access audit — SSH keys that should die, admin accounts that outlived their humans, security group rules referencing IPs nobody remembers. After any incident or major change: re-run this whole checklist top to bottom. A server hardened once is briefly safe; a server on a maintenance rhythm stays that way.

The Firewall Layer Most Guides Skip

Security groups handle the network edge, but a web application firewall handles the application edge — and WordPress specifically benefits. Cloudflare's free tier in front of your EC2 instance filters the bulk of exploit scanning before it touches Apache, hides your origin IP, and absorbs the small-scale denial-of-service noise every WordPress site eventually attracts. Point DNS through the proxy, restrict your security group's HTTP/HTTPS ingress to Cloudflare's published ranges, and attackers lose the ability to even address your server directly. Fifteen minutes of setup, permanent reduction in attack surface.

What a Compromise Actually Looks Like

Know the symptoms so you catch them early: admin users you didn't create, unfamiliar PHP files in uploads/, cron entries running base64 blobs, traffic spikes to URLs that don't exist, or Google flagging your site. If any appear, don't clean in place — snapshot for forensics, restore the last known-good backup, rotate every credential, then diagnose the entry point before returning to service. The security groups, scans, and backups above exist precisely so this paragraph stays theoretical; the teams that skip them read it later as instructions.

The Checklist, Compressed

For your runbook: SSH keys-only with root disabled and source IPs scoped; admin behind 2FA with attempts limited and file editing off; TLS forced with HSTS and renewal tested; WPScan quarterly with monthly patch Mondays; daily snapshots with one rehearsed restore; Cloudflare proxying with origin ingress restricted. Six lines that cover the attacks WordPress servers actually face. Print it, run it on every new instance, and re-run it every quarter — the server you harden on a rhythm is the server that never makes the incident channel.

Hardening as a Rhythm, Not a Project

A secure WordPress EC2 SSH TLS posture decays without upkeep — patch monthly, scan quarterly, and re-run the checklist after every major change. Security is a cadence. My the SSL setup and permission hygiene go deeper.

If you want your stack hardened and kept that way, that's work I take on through Ramlit.

Advertisement
Coffee cup

Enjoyed this article?

Your support helps me create more in-depth technical content, open-source tools, and free resources for the developer community.

Related Topics

Engr Mejba Ahmed

About the Author

Engr Mejba Ahmed

Engr. Mejba Ahmed builds AI-powered applications and secure cloud systems for businesses worldwide. With 10+ years shipping production software in Laravel, Python, and AWS, he's helped companies automate workflows, reduce infrastructure costs, and scale without security headaches. He writes about practical AI integration, cloud architecture, and developer productivity.

Discussion

Comments

0

No comments yet

Be the first to share your thoughts

Leave a Comment

Your email won't be published

5  x  9  =  ?

Continue Learning

Related Articles

Browse All

Comments

Leave a Comment

Comments are moderated before appearing.

Learning Resources

Expand Your Knowledge

Accelerate your growth with structured courses, verified certificates, interactive flashcards, and production-ready AI agent skills.

Sample Certificate of Completion

Sample certificate — complete any course to earn yours

Engr Mejba Ahmed

Engr Mejba Ahmed

Claude Code Expert · Online

👋

Hey there!

Quick Actions

WhatsApp Instant reply

Chat on WhatsApp

+880 1723 741224 · Instant reply

Popular Questions

Engr Mejba Ahmed is connected
Engr Mejba Ahmed is typing...
Engr Mejba Ahmed avatar

✉ Want me to follow up? Drop your email

Engr Mejba Ahmed avatar

📞 Connect Directly

Choose how you'd like to reach me

WhatsApp

+880 1723 741224

Email

[email protected]

✓ Details sent! I'll get back to you shortly.

Powered by OpenAI

335+

Blog Posts

25

AI Courses

63

Projects

Services & Expertise

Pricing & Process

Learning & Resources

Connect & Support