The Hardened WordPress Maintenance Protocol

1. The Core Security Perimeter

Security begins at the server level. Most hacks occur through “lazy” configurations rather than complex zero-day exploits.

• SSH Hardening: Disable password authentication and move to SSH keys. Change the default port 22 to a random high-range port to eliminate 90% of automated bot traffic.
• Firewall Strategy: Use UFW or IPTables to close all ports except 80, 443, and your custom SSH port.
• Intrusion Prevention: Install Fail2Ban. Configure it to monitor your access logs and automatically ban IPs that hit /wp-login.php or SSH repeatedly with failed credentials.

2. Automated Patch Management

Manual updates are the enemy of security. A vulnerability in a plugin can be exploited within hours of release.

• Unattended Upgrades: On Ubuntu, enable the unattended-upgrades package to ensure the OS kernel and security libraries (like OpenSSL) are patched automatically.
• WP-CLI Automation: Set up a cron job to run wp core update and wp plugin update --all on a staging environment first, or use a tool like MainWP or ManageWP for multi-site orchestration.

3. File System Integrity & Ownership

One of the most common mistakes is incorrect file permissions.

• The Rule of Least Privilege: WordPress files should be owned by the www-data user but set to 644 for files and 755 for directories.
• Immutable Core: Use the DISALLOW_FILE_EDIT constant in wp-config.php to prevent the theme and plugin editor from being accessed via the dashboard, neutralizing a major entry point for malicious code injection.

4. Database & Logging Hygiene

A bloated database isn’t just slow; it’s a security risk.

• Log Rotation: Ensure your error_log and access logs are rotated. A 10GB log file can crash your server, leading to a “Denial of Service” state.
• Table Maintenance: Regularly optimize the wp_options table to remove orphaned transients. Use Redis for object caching to keep these transient queries out of the database entirely.

5. The “3-2-1” Backup Strategy

Maintenance is meaningless without a recovery path.

Testing Restores: A backup isn’t real until you’ve successfully restored it. Run a quarterly “restoration drill” on a local Docker container or staging VPS.

Automated Off-site Backups: Use Rclone or a similar CLI tool to sync encrypted backups to S3-compatible storage (Backblaze B2 or AWS).