Security Completed

WordPress on Kubernetes with Private Network

Hardened wp-admin with detailed logging

WordPress site management on Kubernetes with wp-admin access through a private network, detailed logging of every administrative action, auto-scaling, persistent storage with EFS, and strict security policies on AWS.

aws, cloudflare
5 weeks
2025
2 engineers

The Problem

WordPress admin panels (wp-admin) were reachable from the public internet, exposed to brute-force attacks and bots. There was no record of who changed what, no ability to scale during traffic spikes, and pod storage was ephemeral, so data was lost whenever a pod restarted.

The Solution

Implemented exclusive wp-admin access through a private network with Tailscale and multiple Ingress controllers. Every admin panel action is logged to CloudWatch with timestamps, user, IP, and changes made. Auto-scaling with HPA based on CPU and requests. Persistent storage with EFS mounted on each pod. Cloudflare WAF for additional public traffic protection.

The Results

Zero successful wp-admin attacks since implementation, complete traceability of every administrative change, automatic scaling handling 10x traffic spikes without intervention, and guaranteed persistent data between pod restarts.

Measurable Results

Metric                  Before              After
wp-admin attacks        ~500/day            0 (100% improvement)
Change traceability     None                100%
Auto-scale capacity     Manual              10x automatic
Data loss               On every restart    0, EFS persistent (100% improvement)

Want results like these?

Let's scope your project — 30 min, no commitment.

Schedule assessment

Project Phases

Security assessment

1 week

Attack surface analysis, existing log review, and threat model definition.

Private network & VPN

1 week

VPC configuration, private subnets, Tailscale for wp-admin access, multiple Ingress controllers, and K8s Network Policies.

Logging system

1.5 weeks

CloudWatch for centralized logging, monitoring dashboards, and critical action alerts.

Auto-scaling & EFS

1 week

Per-site HPA configuration, EFS as StorageClass for PersistentVolumes, and load testing.

WAF & hardening

0.5 weeks

Cloudflare WAF rules, security headers, and pod security policies.

Tech Stack

Technologies

kubernetes, wordpress, docker, nginx, tailscale, php

Cloud Services (AWS, CLOUDFLARE)

EKS, EFS, CloudWatch, VPC, ALB, IAM, Cloudflare WAF, Cloudflare DNS

Tools

helm, terraform, tailscale, cloudwatch

Implementation Details

Security model

The core principle: wp-admin must never be accessible from the public internet.

Layers of protection

  1. Private network: wp-admin accessible only via Tailscale + multiple Ingress controllers
  2. WAF: Protection of public traffic (site frontend)
  3. Logging: Every administrative action recorded in CloudWatch with full context
  4. Network Policies: Restricted communication between pods
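One way to express the first layer as Kubernetes manifests, added here as an illustration rather than the project's own configuration: two Ingress resources for the same WordPress Service, one on the internet-facing controller that refuses the admin paths, and one on a second controller reachable only over Tailscale. It assumes ingress-nginx, the class names nginx-public and nginx-private, the hostnames, the namespace and the Service name, all of which are placeholders.

```yaml
# Public controller: serves the site front end, refuses the admin paths outright.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress-public
  namespace: wordpress
  annotations:
    # Needs allow-snippet-annotations: "true" in the ingress-nginx ConfigMap.
    nginx.ingress.kubernetes.io/server-snippet: |
      location ~* ^/(wp-admin|wp-login\.php) { return 403; }
spec:
  ingressClassName: nginx-public        # class of the internet-facing controller
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wordpress
                port:
                  number: 80
---
# Private controller: only reachable over the tailnet; the allowlist is the
# Tailscale CGNAT range, so even a mis-exposed controller rejects other sources.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress-admin
  namespace: wordpress
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "100.64.0.0/10"
spec:
  ingressClassName: nginx-private       # class of the Tailscale-only controller
  rules:
    - host: admin.example.com
      http:
        paths:
          - path: /wp-admin
            pathType: Prefix
            backend: &wp
              service:
                name: wordpress
                port:
                  number: 80
          - path: /wp-login.php
            pathType: Exact
            backend: *wp
```

The source-range allowlist only works if the private controller sees the real client address, so it must not sit behind a proxy that rewrites it unless forwarded headers or proxy protocol are configured; a Network Policy admitting traffic to the WordPress pods solely from the two controller namespaces closes the remaining in-cluster path.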

Detailed logging

Each log entry includes:

  • Precise timestamp
  • WordPress user
  • Source IP (within the private Tailscale network)
  • Action performed (create post, modify plugin, change configuration)
  • Change diff when applicable

Have a similar technical challenge?

Let's talk about your infrastructure, architecture or pipeline. No commitment.

Schedule a Technical Assessment