Security Guide

WordPress Security Hardening

Comprehensive Docker-powered security hardening for enterprise-grade WordPress protection


WordPress Security Landscape 2025

Critical security statistics every WordPress owner should know

  • 75% of container images have critical vulnerabilities
  • 90,000+ WordPress sites hacked daily
  • 24% of breaches involve web applications
  • 98% of attacks preventable with proper hardening

Multi-Layer Security Architecture

Defense-in-depth approach using Docker containers for superior WordPress protection


Container Infrastructure

Secure Docker containers and host systems

Common Threats:

  • Container breakouts
  • Privilege escalation
  • Resource exhaustion

Security Solutions:

  • Non-root containers
  • Resource limits
  • Security scanning

Network Security

Protect network communications and access

Common Threats:

  • DDoS attacks
  • Man-in-the-middle
  • Port scanning

Security Solutions:

  • SSL/TLS automation
  • Firewall rules
  • VPN access

Application Security

Secure WordPress core and plugins

Common Threats:

  • SQL injection
  • XSS attacks
  • Malware uploads

Security Solutions:

  • Input validation
  • File scanning
  • Plugin auditing

Access Control

Manage user permissions and authentication

Common Threats:

  • Brute force attacks
  • Weak passwords
  • Unauthorized access

Security Solutions:

  • 2FA enforcement
  • Role-based access
  • Login monitoring

Docker Container Security Hardening

Container security is the foundation of WordPress protection in 2025. With 75% of container images containing critical vulnerabilities, proper hardening is essential.

Non-Root Container Configuration

Run WordPress containers as a non-privileged user so that a compromised PHP process does not start out with root privileges inside the container:

# Dockerfile security configuration
FROM wordpress:6.4-php8.3-fpm-alpine

# Create non-root user
RUN addgroup -g 1001 wordpress && \
    adduser -D -s /bin/sh -u 1001 -G wordpress wordpress

# Grant only the capability needed to bind ports below 1024. setcap and apk need root,
# so this step runs before USER. The official image installs php-fpm in /usr/local/sbin;
# the step is unnecessary if php-fpm keeps its default listener on port 9000.
RUN apk add --no-cache libcap && \
    setcap 'cap_net_bind_service=+ep' /usr/local/sbin/php-fpm

# Set proper ownership: the entrypoint copies WordPress into /var/www/html on first start,
# so the directory must be writable by the runtime user
RUN chown -R wordpress:wordpress /var/www/html

# Switch to the non-root user last, after every root-only build step
USER wordpress

Resource Limits and Security Constraints

Pair resource limits with kernel-level constraints: the limits stop resource exhaustion, while dropping capabilities, blocking privilege gains and a read-only root filesystem limit what a compromised container can do:

# docker-compose.yml security constraints
wordpress:
  image: wordpress:secure
  deploy:
    resources:
      limits:
        cpus: '1.0'
        memory: 512M
      reservations:
        cpus: '0.5'
        memory: 256M
  security_opt:
    - no-new-privileges:true
    - apparmor:docker-default
  cap_drop:
    - ALL
  cap_add:
    - NET_BIND_SERVICE
  read_only: true
  # WordPress still needs a writable document root (declare wordpress_data under top-level volumes:)
  volumes:
    - wordpress_data:/var/www/html
  tmpfs:
    - /tmp:rw,noexec,nosuid,size=100m

Automated Vulnerability Scanning

Implement continuous security scanning in your deployment pipeline:

# CI/CD security scanning with Trivy (GitHub Actions step)
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in production
  with:
    image-ref: 'wordpress:latest'          # scan the image you actually deploy, e.g. the tag built earlier in the job
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'CRITICAL,HIGH'
    exit-code: '1'                         # fail the job when findings at these severities exist

Network Security and SSL Automation

Automated SSL/TLS Certificate Management

Implement automated SSL certificate provisioning and renewal:

# Traefik configuration for automatic SSL
traefik:
  image: traefik:v3.0
  command:
    - --providers.docker=true
    - --entrypoints.websecure.address=:443
    - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
    - --certificatesresolvers.letsencrypt.acme.email=admin@yourdomain.com
    - --certificatesresolvers.letsencrypt.acme.storage=/acme.json
  ports:
    - "443:443"
  volumes:
    - ./acme.json:/acme.json                         # persists issued certificates; chmod 600
    - /var/run/docker.sock:/var/run/docker.sock:ro   # lets Traefik read container labels
# The router labels belong on the WordPress service that Traefik proxies, not on Traefik itself
wordpress:
  labels:
    - "traefik.http.routers.wordpress.rule=Host(`yourdomain.com`)"
    - "traefik.http.routers.wordpress.entrypoints=websecure"
    - "traefik.http.routers.wordpress.tls.certresolver=letsencrypt"

Firewall Configuration and DDoS Protection

Configure advanced firewall rules and rate limiting:

  • UFW (Uncomplicated Firewall): Basic host-level protection
  • iptables: Advanced packet filtering rules
  • Fail2Ban: Automated IP blocking for suspicious activity
  • Cloudflare: Edge-level DDoS protection and WAF

# Fail2Ban WordPress jail configuration (jail.local)
[wordpress]
enabled = true
port = http,https
# filter.d/wordpress.conf must exist and match POST requests to wp-login.php / xmlrpc.php;
# an access log cannot tell failed logins from successful ones, so every such POST counts
filter = wordpress
# for a containerised nginx, point this at the host path where its access log is mounted
logpath = /var/log/nginx/access.log
maxretry = 3
bantime = 3600
findtime = 600
action = iptables-multiport[name=WordPress, port="http,https", protocol=tcp]
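To see what maxretry, findtime and bantime do to real traffic, here is an added Python sketch of the jail's sliding-window logic (not fail2ban's code and not part of the original page). It assumes a hypothetical filter.d/wordpress.conf whose failregex matches POST requests to wp-login.php and xmlrpc.php, and it runs over constructed nginx access-log lines, including a legitimate user whose logins are spaced further apart than findtime.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters taken from the [wordpress] jail above
MAXRETRY = 3
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=3600)

# Assumed failregex of filter.d/wordpress.conf (hypothetical: the page does not show the
# filter). The named group "host" plays the role of fail2ban's <HOST> placeholder.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /(?:wp-login|xmlrpc)\.php')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def scan_log(lines):
    """Return {ip: ban_time} for clients that reach maxretry matches within findtime."""
    hits = defaultdict(deque)   # ip -> timestamps of matching requests (sliding window)
    bans = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue
        ip, ts = m.group("host"), datetime.strptime(m.group("ts"), TS_FORMAT)
        if ip in bans and ts - bans[ip] < BANTIME:
            continue                # still banned: iptables would have dropped the packet
        window = hits[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()        # forget matches older than findtime
        if len(window) >= MAXRETRY:
            bans[ip] = ts
            window.clear()
    return bans

# Constructed nginx access-log lines: 203.0.113.5 posts three times in two minutes;
# 198.51.100.7 is a real user whose two logins are more than findtime apart.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2025:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2025:10:01:59 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2025:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:16:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, when in scan_log(SAMPLE_LOG).items():
        print(f"ban {ip} from {when.isoformat()} for {BANTIME}")
```

Because the filter cannot see whether a login succeeded, a genuine user who logs in three times within ten minutes would be banned just the same; size maxretry and findtime with that in mind.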

WordPress Application Security

Core WordPress Hardening

Implement WordPress-specific security measures:

1. Security Keys and Salts

// wp-config.php security configuration
// Generate all eight values with https://api.wordpress.org/secret-key/1.1/salt/ and never reuse them between sites
define('AUTH_KEY',         'your-unique-auth-key');
define('SECURE_AUTH_KEY',  'your-unique-secure-auth-key');
define('LOGGED_IN_KEY',    'your-unique-logged-in-key');
define('NONCE_KEY',        'your-unique-nonce-key');
define('AUTH_SALT',        'your-unique-auth-salt');
define('SECURE_AUTH_SALT', 'your-unique-secure-auth-salt');
define('LOGGED_IN_SALT',   'your-unique-logged-in-salt');
define('NONCE_SALT',       'your-unique-nonce-salt');

// Disable plugin and theme editing from the dashboard
define('DISALLOW_FILE_EDIT', true);

// Limit login attempts: WordPress core has no constant for this, so enforce it with
// the Fail2Ban jail above or a dedicated plugin rather than an ineffective define()

// Force SSL for wp-admin and wp-login.php. Behind a TLS-terminating proxy such as Traefik,
// WordPress must also trust the forwarded protocol header, otherwise the redirect loops
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
define('FORCE_SSL_ADMIN', true);

2. Database Security

  • Custom database prefix: Change default 'wp_' prefix
  • Regular backups: Automated encrypted backups
  • Database user permissions: Least privilege principle
  • Connection encryption: SSL/TLS for database connections

Plugin and Theme Security

Secure WordPress plugins and themes:

  • Automated updates: Keep plugins and themes current
  • Security scanning: Regular vulnerability assessments
  • Code review: Audit custom plugins and themes
  • Minimal installation: Remove unused plugins and themes

Security Monitoring and Incident Response

Real-Time Security Monitoring

Implement comprehensive security monitoring:

# Falco rule for container security monitoring
- rule: Detect Container Escape Attempt
  desc: Detect attempts to escape from containers
  condition: >
    spawned_process and container and
    (proc.name in (nsenter, docker, runc, crictl) or
     proc.cmdline contains "/proc/self/ns" or
     proc.cmdline contains "unshare")
  output: >
    Container escape attempt detected (user=%user.name command=%proc.cmdline
    container_id=%container.id image=%container.image.repository)
  priority: CRITICAL
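An added Python evaluator for the rule's condition and output template (example code, not Falco's own engine and not from the original page), run over constructed process events whose field names follow the Falco fields the rule uses. It also shows why the rule needs tuning: any process simply named runc or docker inside a container trips it, whatever it was doing.

```python
import re

# Field names follow the Falco fields used by the rule above; the events below are
# constructed stand-ins for what Falco would see, not real captures.
ESCAPE_TOOLS = {"nsenter", "docker", "runc", "crictl"}
CMDLINE_MARKERS = ("/proc/self/ns", "unshare")
OUTPUT_TEMPLATE = ("Container escape attempt detected (user=%user.name command=%proc.cmdline "
                   "container_id=%container.id image=%container.image.repository)")

def matches_escape_rule(event):
    """Evaluate the rule's condition: the 'container' macro plus the proc.name / cmdline checks."""
    if not event.get("container"):   # process spawned on the host, outside any container
        return False
    cmdline = event.get("proc.cmdline", "")
    return (event.get("proc.name") in ESCAPE_TOOLS
            or any(marker in cmdline for marker in CMDLINE_MARKERS))

def render_output(event):
    """Substitute %field placeholders the way Falco expands the rule's output string."""
    return re.sub(r"%([a-z_.]+)", lambda m: str(event.get(m.group(1), "<NA>")), OUTPUT_TEMPLATE)

def scan_events(events):
    """Return the CRITICAL alert text for every event that satisfies the rule."""
    return [render_output(e) for e in events if matches_escape_rule(e)]

# Constructed events: a normal php-fpm worker, a shell inside the container reading
# /proc/self/ns, and an nsenter run by an administrator on the host (outside any container).
SAMPLE_EVENTS = [
    {"container": True, "proc.name": "php-fpm", "proc.cmdline": "php-fpm: pool www",
     "user.name": "wordpress", "container.id": "3f9a1c2b7d44", "container.image.repository": "wordpress"},
    {"container": True, "proc.name": "sh", "proc.cmdline": "sh -c ls /proc/self/ns",
     "user.name": "wordpress", "container.id": "3f9a1c2b7d44", "container.image.repository": "wordpress"},
    {"container": False, "proc.name": "nsenter", "proc.cmdline": "nsenter -t 4242 -n ip addr",
     "user.name": "root", "container.id": "host", "container.image.repository": "<NA>"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print("CRITICAL", alert)
```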

Automated Incident Response

Configure automated responses to security threats:

  • Alert systems: Real-time notifications for security events
  • Automatic blocking: IP blacklisting for malicious activity
  • Container isolation: Quarantine compromised containers
  • Backup restoration: Rapid recovery procedures

Security Alert

Container security is critical: 75% of container images have vulnerabilities. PloyWP automatically scans and hardens all containers for maximum protection.

Security Tools and Compliance Standards

Enterprise-grade security tools and compliance frameworks

Container Scanning

  • Trivy (Open Source): Vulnerability scanner for containers
  • Clair (Open Source): Static analysis for container vulnerabilities
  • Docker Scout (Commercial): Official Docker security scanning
  • Aqua Security (Enterprise): Comprehensive container security platform

Runtime Protection

  • Falco (Open Source): Runtime security monitoring
  • AppArmor (Built-in): Mandatory access control framework
  • SELinux (Built-in): Security-enhanced Linux kernel
  • Fail2Ban (Open Source): Intrusion prevention system

Compliance Standards

  • CIS Docker Benchmark: Center for Internet Security Docker hardening guidelines (130+ security checks)
  • NIST Cybersecurity Framework: Comprehensive cybersecurity risk management (Identify, Protect, Detect, Respond, Recover)
  • OWASP Top 10: Web application security risks (10 critical security vulnerabilities)
  • GDPR Compliance: Data protection and privacy requirements (data encryption, access controls, audit trails)

WordPress Security Checklist

Essential security measures for every WordPress deployment

Infrastructure Security

  • Container vulnerability scanning
  • Non-root user configuration
  • Resource limits and constraints
  • Network isolation
  • Regular security updates
  • Backup and recovery testing

Application Security

  • Strong authentication (2FA)
  • Plugin security auditing
  • Database security hardening
  • File permission management
  • SSL/TLS encryption
  • Security monitoring alerts