I’m new to hosting WordPress on Kinsta and come from a Laravel development background. With Laravel, the security model is straightforward - only a few files like index.php and .htaccess are in the public directory, with all sensitive files outside the web root.
With WordPress, I’m seeing many PHP files exposed in the document root:
xmlrpc.php
wp-trackback.php
wp-config.php
wp-cron.php
wp-mail.php
etc.
This feels like a large attack surface compared to what I’m used to. I’ve already implemented WPS Hide Login and WPS Limit Login for basic protection.
My questions for the community:
What does Kinsta handle automatically at the server level? I know they use Nginx, so .htaccess rules aren’t an option.
For those who’ve migrated from other frameworks to WordPress on Kinsta, what additional hardening steps did you take?
Are there Kinsta-specific best practices that differ from generic WordPress security guides?
Should I be asking Kinsta support to add custom Nginx rules to block certain files, or is that overkill?
Any plugin recommendations that work particularly well with Kinsta’s infrastructure?
I want to make sure I’m not over-engineering the security based on my Laravel habits, but also not leaving obvious vulnerabilities. What’s the right balance for WordPress on Kinsta?
To ensure the security of your website, we automatically disable access to the xmlrpc.php file. Hackers often exploit this file to execute various attacks, making it a common entry point for malicious activity. This precaution is handled at the Nginx server level. For more detailed information, please visit Reference - Technical FAQ - Kinsta® Docs
As for the wp-config.php file, we have implemented a security Nginx rule designed to prevent public read/access to this critical file, which contains vital configuration settings and sensitive information about your WordPress installation.
To further enhance your understanding of website security, we have compiled a comprehensive guide that outlines best practices for protecting your WordPress site against various online threats. This guide covers essential strategies to mitigate risks and maintain a secure online presence. You can check it out here: 19 steps to protect your WordPress site from threats.
If you have any questions or need assistance, feel free to reach out!
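For readers on a self-managed Nginx host, or wanting a concrete picture of what to ask support for, here is an added illustrative fragment of the kind of server-level rules described above; it is example configuration written for this thread, not Kinsta's actual rules (which are not published here). It assumes the fragment sits inside the site's server block, ahead of the generic `location ~ \.php$` handler, since Nginx uses the first matching regex location.

```nginx
# Added example: Nginx hardening fragment for a WordPress document root.
# Assumed placement: inside the site's server { } block, BEFORE the
# generic PHP handler (location ~ \.php$ { ... }), because the first
# matching regex location wins and the PHP handler would otherwise
# capture these requests first.

# xmlrpc.php: refuse the request at Nginx, never reaching PHP-FPM.
# An exact-match (=) location takes priority over regex locations.
location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
}

# wp-config.php, plus editor/backup copies (wp-config.php~, wp-config.php.bak).
# A backup copy has a non-.php suffix, so without this rule it would be
# served as plain text, exposing database credentials and salts.
location ~* /wp-config\.php(\.|~|$) {
    deny all;
}

# Note: wp-cron.php and wp-mail.php are functional endpoints (scheduled
# tasks, post-by-email). Blocking them breaks those features unless cron
# is run server-side, so they are deliberately not denied here.

# Verification (run from outside the server after a reload):
#   curl -I https://example.com/xmlrpc.php        -> HTTP/1.1 403 Forbidden
#   curl -I https://example.com/wp-config.php.bak -> HTTP/1.1 403 Forbidden
```

A 200 on either check means the rule is either missing or ordered after the PHP handler.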
Thanks for your time. I’d previously read the security blog post and implemented several recommendations, but I’ll go through it again to ensure I haven’t missed anything.