Pantheon Community

How do you secure WordPress?

What does your typical WordPress security configuration look like?

For a WAF I will add Cloudflare, but I am also looking at Incapsula as a possible option.

These are the three plugins I normally use.

Key settings

  1. Local/network bruteforce protection
  2. Disable XML-RPC
  3. Restrict REST API access

Key settings

  1. Apply all the hardening options

iThemes & Sucuri have some overlap, but they also have a lot of unique security features. I have not had any conflicts running these two security plugins vs some of the other options available.

I use GOTMLS to scan all the site files. It does have some security features, but I only use it for scanning.

I have used Wordfence in the past, and was not impressed. Has it gotten any better over the years?


Incapsula, from what I can tell, looks a lot like Cloudflare with very similar offerings. If you start layering up your WAFs and CDN’s you’ll start running into issues with rules conflicting or cancelling out each other. Best to stay with one WAF, and one CDN/Caching entity.

You’re correct. Incapsula would be an alternative WAF choice, not an additional WAF.

Does anyone have recommendations for securing the WP ADMIN login screen ( in a way that does not prevent customers from logging into their account for WooCommerce?

The iThemes plugin has settings to:

  • Limit the number of failed logins before blocking an IP address or account
  • Enforce strong passwords

Going with the iThemes Pro version will let you enabled 2FA. I would also look at Google Authenticator as an option.

Is there any specific security features you are looking for?

Both of those sound good. Would 2FA also apply to customer logins, since they use the same login page? I would rather not force that on non-admin users.

The free version of the GA plugin allows you to enable 2FA for a single account - if you only have one admin account, that could be a good option.

I would expect you could set a user role requirement from most of the 2FA plugins available, but without reviewing them, I am not entirely sure.

Has anyone used Sucuri web firewall with pantheon? I was going to enable Cloudflare but there is not a way to disable cdn that I can tell.

We use Cloudflare with Pantheon and we do not have issues with both CDN’s in use.


Thanks for the insight Kurt. I am leaning towards using Sucuri WAF instead of CF since it is significantly cheaper. I am testing on my test site and once I confirm that is working I plan on putting it on my live site and saving some money.

I just attended WordCamp here in Raleigh , NC over the weekend. There was many good things said about Securi’s WAF. Good luck and keep us posted on your progress and experience with Securi.

We use the Sucuri WAF on several of our sites. It takes some finagling to get it set up but in general it works. The worst thing is that there’s no way to automatically generate the Let’s Encrypt SSL on Sucuri until the site DNS records point there, so if the site is already on HTTPS and you point it to the firewall, there will be some SSL downtime while the Let’s Encrypt one is being generated. There is a manual way around this though. If you open a ticket, their support team can generate a custom GoDaddy SSL and install that on the firewall so that there’s no downtime after changing the DNS records. Then when the custom SSL expires in a year, it should revert back to Let’s Encrypt (we still have yet to see how smooth of a process that is).

I suggested that they implement a system like Pantheon where you can generate a TXT record for the domain that will allow Let’s Encrypt to verify the domain even if it’s not pointing at the firewall yet. (See: Terminus Acme Plugin) They thought it was a good idea but no word on if/when they will implement that.

Also, we make sure to turn off the default caching in the Sucuri WAF because it’s hard to clear when you make changes to the site.

It’s pretty good at blocking unwanted traffic and is pretty configurable, but you have to make sure your and your clients’ IP addresses are whitelisted or it may sometimes block certain admin actions. Let me know if you’re interested. Maybe I can write up a post with how we set everything up in Sucuri. They do have an excellent support team, though they can be a little slow to respond. They also have settings to allow you to use an external CDN but we haven’t tried that yet.