Enterprise WordPress Security at Scale

Why Security Matters More at Scale

At low traffic, security breaches affect hundreds of users. At enterprise scale, breaches affect millions.

High-traffic sites are attractive targets:

  • DDoS attacks: Take down high-profile sites for ransom or disruption
  • Data breaches: Millions of user records worth money on dark web
  • SEO spam: Inject spammy links to high-authority sites
  • Resource hijacking: Use your servers for cryptocurrency mining

Security isn’t optional at enterprise scale—it’s essential infrastructure.

Layer 1: DDoS Protection

Distributed Denial of Service attacks overwhelm your site with traffic, making it unavailable to legitimate users.

Types of DDoS Attacks

Volume-based attacks:

  • Flood your servers with massive traffic
  • Goal: Saturate bandwidth, overwhelm infrastructure

Application-layer attacks:

  • Target WordPress specifically (wp-login.php, wp-admin)
  • Looks like legitimate traffic but exhausts resources

Protocol attacks:

  • SYN floods, fragmented packets
  • Exploit network protocol weaknesses

DDoS Protection Implementation

Cloudflare (recommended for most sites):

Free tier includes:

  • Basic DDoS protection
  • CDN with caching
  • SSL/TLS encryption

Pro/Business tiers add:

  • Advanced DDoS mitigation
  • WAF (Web Application Firewall)
  • Rate limiting

Enterprise tier for largest sites:

  • Custom rules
  • Dedicated support
  • Advanced bot management

Setup for WordPress:

  1. Add domain to Cloudflare
  2. Update DNS to Cloudflare nameservers
  3. Enable “Under Attack Mode” during active DDoS

AWS Shield:

Shield Standard (free):

  • Automatic protection against common attacks
  • Included with AWS services

Shield Advanced ($3,000/month):

  • DDoS Response Team (24/7)
  • Cost protection (AWS credits for scaling costs during attack)
  • Advanced detection and mitigation

When to use Shield Advanced:

  • Critical applications (downtime = massive revenue loss)
  • Frequent attack target
  • AWS-native infrastructure

DDoS Response Plan

Don’t wait for attack to figure out response.

Before attack:

  • Enable DDoS protection (Cloudflare, Shield)
  • Document response procedures
  • Test “Under Attack Mode”
  • Have support contacts ready

During attack:

  1. Verify it’s actual attack (not legitimate traffic spike)
  2. Enable enhanced protection (Cloudflare Under Attack Mode)
  3. Monitor traffic patterns
  4. Block attack sources if identifiable
  5. Notify team and management

After attack:

  • Review attack patterns
  • Improve protections
  • Document what worked/didn’t work

Layer 2: Web Application Firewall (WAF)

WAF filters malicious HTTP requests before they reach WordPress.

What WAF Protects Against

  • SQL injection: Attempts to manipulate database queries
  • Cross-site scripting (XSS): Injecting malicious JavaScript
  • File inclusion attacks: Accessing files they shouldn’t
  • Brute force attacks: Repeated login attempts
  • Zero-day exploits: Attacks on new vulnerabilities

WAF Implementation Options

Cloudflare WAF:

OWASP Core Rule Set:

  • Blocks common attack patterns
  • Updated regularly
  • Minimal false positives

Custom rules for WordPress:

// Block access to xmlrpc.php (common attack vector)
(http.request.uri.path eq "/xmlrpc.php")

// Block wp-admin except from specific IPs
(http.request.uri.path contains "/wp-admin" and ip.src ne YOUR_OFFICE_IP)

// Block requests with suspicious patterns
(http.request.uri.path contains "../" or 
 http.request.uri.query contains "union select" or
 http.request.uri.query contains "base64_decode")

Sucuri Website Firewall:

  • Cloud-based WAF specifically for WordPress
  • Virtual patching (protects against known WordPress vulnerabilities)
  • Incident response if site compromised

Wordfence (plugin-based WAF):

  • Runs on your server (not cloud-based)
  • Good for sites not using Cloudflare
  • Free tier available, premium adds features

WAF Configuration for WordPress

Block common attack vectors:

# .htaccess rules (if not using cloud WAF)
<IfModule mod_rewrite.c>
RewriteEngine On

# Block xmlrpc.php
RewriteRule ^xmlrpc\.php$ - [F,L]

# Block access to wp-config.php
RewriteRule ^wp-config\.php$ - [F,L]

# Block PHP execution in uploads
RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]

# Block suspicious query strings
RewriteCond %{QUERY_STRING} (union.*select|concat.*\() [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode|base64_decode) [NC]
RewriteRule .* - [F,L]
</IfModule>

Whitelist known good IPs:

  • Office IPs bypass WAF restrictions
  • API clients get special treatment
  • Reduces false positives

Layer 3: Rate Limiting and Bot Management

Limit requests per IP to prevent abuse.

Rate Limiting Configuration

Cloudflare Rate Limiting:

Login protection:

  • Rule: More than 5 requests to wp-login.php in 60 seconds
  • Action: Challenge (CAPTCHA) for 1 hour

API protection:

  • Rule: More than 100 requests to /wp-json/* in 60 seconds
  • Action: Block for 10 minutes

Search protection:

  • Rule: More than 20 search requests in 60 seconds
  • Action: Challenge

Bot Management

Not all bots are bad (search engines = good bots).

Allow good bots:

  • Googlebot, Bingbot (search engines)
  • Monitoring services (UptimeRobot, Pingdom)
  • Your own testing tools

Challenge suspicious bots:

  • Unknown user agents
  • Bots scraping content aggressively
  • Bot patterns (fast requests, no JavaScript execution)

Cloudflare Bot Management:

  • Identifies bot traffic automatically
  • Good bots allowed, bad bots challenged
  • Machine learning detects new bot patterns

Layer 4: WordPress-Specific Security

Harden WordPress itself.

Limit Login Attempts

Prevent brute force attacks on wp-admin.

Limit Login Attempts Reloaded plugin:

  • Blocks IP after X failed login attempts
  • Customizable lockout duration
  • Email notifications

Or use .htaccess:

# Limit wp-login.php access
<Files wp-login.php>
  # Allow your IP
  Allow from YOUR_IP
  # Deny all others
  Deny from all
</Files>

Disable XML-RPC (If Not Needed)

XML-RPC enables remote publishing but is frequent attack target.

// functions.php
add_filter('xmlrpc_enabled', '__return_false');

If you need XML-RPC (Jetpack, mobile apps), restrict to specific IPs.

File Permissions

Correct permissions prevent unauthorized file modifications.

Recommended permissions:

  • Directories: 755
  • Files: 644
  • wp-config.php: 440 or 400 (read-only)
# Set correct permissions
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;
chmod 440 /var/www/html/wp-config.php

Disable File Editing in Admin

Prevent attackers from editing theme/plugin files if they compromise admin.

// wp-config.php
define('DISALLOW_FILE_EDIT', true);

Security Keys and Salts

WordPress uses security keys for encryption. Change them regularly.

Generate new keys: https://api.wordpress.org/secret-key/1.1/salt/

// wp-config.php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
// ... etc

Change these keys every 6-12 months (forces all users to re-login).

Layer 5: Security Monitoring and Incident Response

Detect and respond to security issues quickly.

File Integrity Monitoring

Detect unauthorized file changes.

Wordfence scans:

  • Compares your files to WordPress.org repository
  • Alerts on changes, new files, or malware signatures

OSSEC (open-source):

  • System-level file integrity monitoring
  • Alerts on any file modifications
  • Integrates with log management

Security Logging

Log all security-relevant events.

What to log:

  • Failed login attempts
  • Successful admin logins
  • Plugin/theme installations
  • File uploads
  • Database errors
  • WAF blocks

WordPress Activity Log plugin:

  • Tracks all admin actions
  • Searchable logs
  • Alerts on suspicious activity

Centralized logging:

  • Send logs to external service (AWS CloudWatch, Datadog, Splunk)
  • Survives if site is compromised
  • Enables correlation across servers

Vulnerability Scanning

Regularly scan for known vulnerabilities.

WPScan:

  • Open-source WordPress vulnerability scanner
  • Checks core, plugins, themes for known issues
# Scan your site
wpscan --url https://yoursite.com --api-token YOUR_TOKEN

Patchstack (formerly WebARX):

  • Continuous vulnerability monitoring
  • Virtual patching for zero-days
  • Priority alerts for critical issues

Incident Response Plan

When security breach occurs, every minute counts.

Preparation:

  1. Document response procedures
  2. Identify response team (who does what)
  3. Have backups readily accessible
  4. Maintain list of all plugins/themes installed

Detection:

  • Monitoring alerts unusual activity
  • Users report site defacement
  • Search results show spam

Containment:

  1. Take site offline (maintenance mode) if needed
  2. Block attacker IPs at firewall
  3. Disable affected plugins/themes
  4. Preserve logs and evidence

Eradication:

  1. Identify how breach occurred
  2. Remove malware/backdoors
  3. Change all passwords and keys
  4. Update/patch vulnerable software

Recovery:

  1. Restore from clean backup (if needed)
  2. Re-scan for malware
  3. Bring site back online
  4. Monitor closely for re-compromise

Post-incident:

  1. Document what happened
  2. Improve defenses to prevent recurrence
  3. Notify users if data compromised (legal requirements)

Security Monitoring Tools

Sucuri SiteCheck: Free website scanner ImmuniWeb: SSL/TLS configuration testing VirusTotal: Check URLs/files for malware Qualys SSL Labs: SSL certificate testing Security Headers: Check HTTP security headers

Security at Enterprise Scale

At 10M+ daily visitors with sensitive data:

Must-haves:

  • Cloud-based DDoS protection (Cloudflare/Shield)
  • WAF with OWASP rules + custom WordPress rules
  • Rate limiting on admin pages and APIs
  • File integrity monitoring
  • Centralized security logging
  • Incident response plan

Best practices:

  • Security audits quarterly
  • Vulnerability scanning weekly
  • Update WordPress/plugins within 24 hours of security releases
  • Penetration testing annually
  • Security training for team

Monitor:

  • Failed login attempts
  • WAF blocks
  • File modifications
  • Traffic anomalies

Security is never “done”—it’s continuous monitoring and improvement.

If you need help securing enterprise WordPress, we’d be happy to review your setup and recommend improvements.

Connect with Matt Dorman on LinkedIn or reach out at ndevr.io/contact

Next in This Series

Monitoring and Testing WordPress Performance at Enterprise Scale →

The final post in the series: Learn comprehensive monitoring strategies, load testing practices, and performance optimization workflows.

Categories
Tags

Newsletters

We send emails geared toward helping you become smarter about scaling your digital platforms.

See Details

Ready to optimize and scale?

See how we help

Our Solutions