How to Build a Bullet-Proof WordPress Server

According to Wikipedia, WordPress runs more than 59% of all websites that use a known content management system, which makes it the most widely used CMS in the world. Much of the credit goes to its simple, user-friendly interface: a newcomer can build a professional-looking website with little effort. That popularity is exactly why the security of a WordPress web server deserves careful attention. This tutorial walks through the basic hardening steps that make a WordPress web server harder to attack.

There are a couple of things to understand before dealing with WordPress security. Because of its market share, WordPress is the most targeted and attacked CMS according to reports by security researchers: it faces a steady stream of exploits against the core, plugins and themes, including SQL injection and cross-site scripting (XSS). Most successful attacks use well-known weaknesses for which a fix already exists, so protecting the server in practice means applying the hardening tips below carefully and keeping everything patched.

Prerequisites

  1. You must have an Ubuntu or Debian based Linux distribution running a LAMP stack with WordPress installed.
  2. You need a normal user account with sudo privileges.

Tip 1 – Disable Directory Browsing

Directory browsing (directory listing) is an Apache feature that returns a list of the files in a directory whenever the directory has no index file. For an attacker it is a free map of your site: it reveals the directory structure, backup copies, uploaded files and plugin versions, and makes it easy to navigate to anything sensitive that is web-accessible. It should stay disabled unless you have a specific need for it.

The directory browsing illustration is given below:

[image1: a directory listing ("Index of ...") as the browser shows it before the change]

Step 1 – Modify the Virtual Host Configuration file.

Edit the Apache Virtual Host Configuration file.

$ sudo nano /etc/apache2/sites-available/000-default.conf

You will see lines like these:

<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /var/www/html

<Directory /var/www/html/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Find the following line:

Options Indexes FollowSymLinks

Change it to:

Options FollowSymLinks

Save and exit the configuration file.

Finally, restart the Apache service:

$ sudo service apache2 restart

The directory browsing illustration after the change is given below:

[image2: the same directory after the change, with directory browsing disabled]

Step 2 – Modify Apache Default Configuration file

Edit the Apache Default Configuration file.

$ sudo nano /etc/apache2/apache2.conf

You will see lines like these:

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

Find the following line:

Options Indexes FollowSymLinks

Change it to:

Options FollowSymLinks

Save and exit the configuration file. The Directory block in apache2.conf is the default for everything under /var/www, while the virtual host block from Step 1 overrides it for /var/www/html; that is why both need the change.

Finally, restart the Apache service:

$ sudo service apache2 restart
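As an added example (not code from the original article), the following shell script finds Apache configuration lines that still enable directory listing and removes the Indexes option; it runs here on a constructed copy of the virtual-host block from Step 1, and the file names it uses are assumptions:

```shell
#!/bin/sh
# Added example, not part of the original article: find and remove the
# "Indexes" option in Apache configuration files, demonstrated on a
# constructed copy of the virtual-host block from the article.
set -eu

# audit_indexes FILE...
# Prints every "Options" line that still enables directory listing
# (a bare "Indexes" token; "-Indexes" is fine). Returns 1 if any were found.
audit_indexes() {
    grep -En '^[[:space:]]*Options[^#]*[[:space:]]Indexes([[:space:]]|$)' "$@" \
        && return 1 || return 0
}

# disable_indexes FILE...
# Removes the bare "Indexes" token from every Options line (keeping a .bak
# copy) and writes "Options None" if nothing else was listed, because Apache
# rejects an Options directive without arguments. "+Indexes" is left alone
# on purpose: audit_indexes keeps reporting it, so it is not silently missed.
disable_indexes() {
    sed -i.bak -E \
        -e 's/^([[:space:]]*Options[^#]*)[[:space:]]+Indexes([[:space:]]|$)/\1\2/' \
        -e 's/^([[:space:]]*Options)[[:space:]]*$/\1 None/' "$@"
}

# Demo on a constructed copy of the vhost snippet from the article.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<Directory /var/www/html/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
# Options Indexes   <- commented out, must not be reported
<Directory /var/www/html/wp-content/uploads/>
    Options -Indexes
</Directory>
EOF

if audit_indexes "$demo_conf"; then
    echo "no directory listing enabled"
else
    disable_indexes "$demo_conf"
    audit_indexes "$demo_conf" && echo "fixed: listing disabled"
fi
```

On a real server run audit_indexes over /etc/apache2/apache2.conf and /etc/apache2/sites-available/*.conf, then check the syntax with sudo apache2ctl configtest before restarting Apache. Because the virtual host sets AllowOverride All, an Options -Indexes line in a .htaccess file would also work for one directory tree, but keeping the setting in the server configuration is more robust. To confirm from the outside, request a directory that has no index file, for example /wp-content/uploads/, and check that Apache answers 403 Forbidden instead of an "Index of" page.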

Tip 2 – Turn Off the Server Signature

The first thing an attacker looks for is the server signature: the exact Apache and PHP versions that the server announces in its HTTP headers and on its error pages. A known version lets the attacker look up published vulnerabilities and pick a matching exploit without any further probing. Hiding these banners fixes no vulnerability (patching does, see Tip 3), but it removes free reconnaissance, so it is recommended to turn them off.

Step 1 – Hide the PHP version

Open php.ini to hide the PHP version. The path below is the one for PHP 5 on Ubuntu 14.04 and Debian 8; on newer releases the file lives under /etc/php/<version>/apache2/php.ini.

$ sudo nano /etc/php5/apache2/php.ini

Find the following line:

expose_php = On

Change it to:

expose_php = Off

Save and exit php.ini. With expose_php = Off, PHP no longer adds its X-Powered-By: PHP/x.y.z header to every response.

Finally, restart the Apache Service

$ sudo service apache2 restart

Step 2 – Hide the Apache Version

Check your website for the server signature (replace the hostname with your own):

$ curl --head https://www.techbrown.com

Sample output:

HTTP/1.1 200 OK
Date: Sat, 16 Jul 2016 11:12:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Server: Apache/2.4.7 (Ubuntu)

The Server header gives away the signature, Server: Apache/2.4.7 (Ubuntu), that is, the exact Apache version and the operating system.

Turn off the Apache server signature. Two directives matter: ServerTokens decides how much the Server header reveals, and ServerSignature decides whether Apache appends a version footer to the pages it generates itself (error pages, directory listings). On Ubuntu and Debian both live in /etc/apache2/conf-available/security.conf, where the defaults are ServerTokens OS and ServerSignature On; you can edit them there or, as below, append the hardened values to the end of apache2.conf, which takes precedence because Apache keeps the last value it reads.

$ sudo nano /etc/apache2/apache2.conf

Add these lines at the very end of the file:

ServerTokens Prod
ServerSignature Off

Save and exit the configuration file.

Finally, restart the Apache service:

$ sudo service apache2 restart

Check your website again:

$ curl --head https://www.techbrown.com

Sample output:

HTTP/1.1 200 OK
Date: Sat, 16 Jul 2016 11:12:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Server: Apache

The header now says only Server: Apache, with no version and no operating system. Apache always sends a Server header, and Prod is the most restrictive value ServerTokens accepts; suppressing or rewriting the header entirely needs an extra module such as mod_security. An attacker can still fingerprint Apache from its behaviour, so treat this as removing free information, not as protection.

Tip 3 – Enable Automatic Security Updates on Ubuntu or Debian

Most compromised web servers are running software with a known, already-fixed vulnerability: bugs in the operating system, the web server, PHP or the web application are published together with their fix, and attackers scan for servers that have not applied it. Patch management is therefore the single most effective hardening step. Always run the current stable release of the server software, apply security updates as soon as they are released, and use proper patch management rather than relying on someone remembering to log in. On Ubuntu and Debian the simplest way to keep security updates flowing is the unattended-upgrades package, which installs them automatically every day.

Install the unattended-upgrades package:

$ sudo apt-get install unattended-upgrades

Activate it:

$ sudo dpkg-reconfigure --priority=low unattended-upgrades

Select Yes to enable automatic updates.

[image3: the dpkg-reconfigure dialog asking whether to automatically download and install stable updates]

Check whether it is active:

$ cat /etc/apt/apt.conf.d/20auto-upgrades

Sample output:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Both values set to 1 mean that the package lists are refreshed and unattended upgrades run daily. By default only the security pocket is allowed (the Allowed-Origins list in /etc/apt/apt.conf.d/50unattended-upgrades), which is the right setting for a production server: security fixes arrive automatically while other updates still go through your normal change process.

Note: this step is optional. Some updates (the kernel, libc) only take full effect after a reboot, and the following makes the server reboot automatically when an upgrade asks for one, without confirmation.

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Find the following line. In the stock file it is commented out with //, so the comment marker has to go as well as the value being changed:

//Unattended-Upgrade::Automatic-Reboot "false";

Change it to:

Unattended-Upgrade::Automatic-Reboot "true";

Save and exit the configuration file. With only this setting the reboot happens the moment the upgrade finishes; the related Unattended-Upgrade::Automatic-Reboot-Time option lets you schedule it for a quiet hour instead.
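An added example, not part of the original article: the two shell functions below read and rewrite settings in the apt configuration files while taking the // comment lines into account, which is the detail that makes a plain "find the line" edit fail on the stock 50unattended-upgrades file. They are demonstrated on a constructed copy of the relevant lines; the file names and the 02:30 reboot time are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: read and set options in
# apt / unattended-upgrades configuration files without being fooled by the
# "//" comment lines the stock 50unattended-upgrades file ships with.
set -eu

# apt_setting FILE KEY
# Prints the active value of KEY (the last uncommented  KEY "value";  line),
# or nothing if the key only appears commented out with "//".
apt_setting() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*"\([^"]*\)";.*/\1/p' "$1" | tail -n 1
}

# set_apt_setting FILE KEY VALUE
# Rewrites an existing (commented or active) KEY line in place, keeping a
# .bak copy, or appends the key if the file does not mention it at all.
set_apt_setting() {
    file=$1 key=$2 value=$3
    if grep -q "^[[:space:]]*\(//\)\{0,1\}[[:space:]]*$key[[:space:]]" "$file"; then
        sed -i.bak "s#^[[:space:]]*\(//\)\{0,1\}[[:space:]]*$key[[:space:]].*#$key \"$value\";#" "$file"
    else
        printf '%s "%s";\n' "$key" "$value" >> "$file"
    fi
}

# Demo on a constructed copy of the relevant lines of 50unattended-upgrades
# (constructed sample, not the real file).
conf=$(mktemp)
cat > "$conf" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
};
//Unattended-Upgrade::Automatic-Reboot "false";
EOF

echo "before: Automatic-Reboot='$(apt_setting "$conf" Unattended-Upgrade::Automatic-Reboot)'"
set_apt_setting "$conf" Unattended-Upgrade::Automatic-Reboot true
set_apt_setting "$conf" Unattended-Upgrade::Automatic-Reboot-Time "02:30"
echo "after:  Automatic-Reboot='$(apt_setting "$conf" Unattended-Upgrade::Automatic-Reboot)'"
echo "        Automatic-Reboot-Time='$(apt_setting "$conf" Unattended-Upgrade::Automatic-Reboot-Time)'"
```

The "before" value is empty because the commented line does not count as a setting, which is exactly what you would see on a server where someone changed "false" to "true" without removing the //. Run the same functions with sudo against /etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades to verify the values Tip 3 expects.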

Tip 4 – Enable Automatic WordPress Updates

Since WordPress 3.7, minor (security) releases of the core are installed automatically. Enabling major core releases too is done with a constant in wp-config.php:

$ sudo nano /var/www/html/wp-config.php

Add the following line above the "That's all, stop editing!" comment:

/** Automatically update the WordPress core, major releases included. */
define( 'WP_AUTO_UPDATE_CORE', true );

Save and exit the configuration file.

The add_filter() calls that switch on automatic plugin and theme updates must not go into wp-config.php: that file is loaded before the WordPress plugin API exists, so the call fails with "undefined function add_filter" and takes the whole site down. Put them in a must-use plugin instead, which WordPress loads on every request and which cannot be deactivated from the dashboard:

$ sudo mkdir -p /var/www/html/wp-content/mu-plugins
$ sudo nano /var/www/html/wp-content/mu-plugins/auto-updates.php

Add the given lines:

<?php
/** Automatically update the WordPress core, plugins and themes. */
add_filter( 'auto_update_core', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

Save and exit. Automatic updates run from WP-Cron, so they need regular site traffic or a real cron job, and the web server user must be able to write to the WordPress directory; otherwise the updates fail silently and you are back to manual patching.

Tip 5 – Remove the Info Traces

Remove the files that describe the system. They help an attacker identify exactly what is running (PHP version and modules, WordPress version), and in the worst case they hand over credentials. Delete them before they fall into the wrong hands.

Remove any PHP info file left over from testing the LAMP stack. phpinfo() prints the PHP version, loaded modules, paths and environment variables to anyone who requests the page:

$ sudo rm -f /var/www/html/info.php

Remove the motd.tail file. Some preconfigured WordPress images print the generated WordPress database password in the message of the day, so anyone who can log in to the server, or read that file, gets the database credentials. Check its contents first and delete it if it holds anything sensitive:

$ sudo rm -f /etc/motd.tail

Remove the WordPress readme file, which states the installed WordPress version:

$ sudo rm -f /var/www/html/readme.html

Note that a core update puts readme.html back, so this has to be repeated after each upgrade, and that the version is also visible in the HTML generator meta tag and in the ?ver= query string on scripts and stylesheets. Hiding the version is a minor win; keeping WordPress updated (Tip 4) is what actually closes the holes.
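As an added example that serves both Tip 2 and this tip (not code from the original article), the script below reads a saved HTTP response and reports every banner that still leaks a version: the Server header, PHP's X-Powered-By header and the WordPress generator meta tag. The response it runs on is constructed to match the "before" state described above; the hostname in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original article: report the version banners
# that a saved HTTP response still leaks (Server header, X-Powered-By header,
# WordPress "generator" meta tag). Save a live response with, for example,
#   curl -si https://www.example.com/ > response.txt     (example.com is a placeholder)
# and run:  banner_leaks response.txt
set -eu

# banner_leaks FILE  -- prints one line per leak; returns 1 if anything leaked.
banner_leaks() {
    leaks=0
    # Normalise CRLF, then split at the first blank line into headers / body.
    raw=$(tr -d '\r' < "$1")
    hdrs=$(printf '%s\n' "$raw" | sed '/^$/q')
    body=$(printf '%s\n' "$raw" | sed '1,/^$/d')

    # "Server: Apache/2.4.7 (Ubuntu)" -> ServerTokens is not Prod.
    server=$(printf '%s\n' "$hdrs" | grep -i '^Server:' | head -n 1 | cut -d' ' -f2-)
    case "$server" in
        *[0-9].[0-9]*) echo "Server header leaks a version: $server"; leaks=1 ;;
    esac

    # "X-Powered-By: PHP/5.5.9" -> expose_php is still On.
    powered=$(printf '%s\n' "$hdrs" | grep -i '^X-Powered-By:' | head -n 1 | cut -d' ' -f2-)
    if [ -n "$powered" ]; then
        echo "X-Powered-By leaks the PHP version: $powered"; leaks=1
    fi

    # <meta name="generator" content="WordPress 4.5.3" /> -> core version in HTML.
    gen=$(printf '%s\n' "$body" | grep -io 'name="generator" content="[^"]*"' | head -n 1)
    if [ -n "$gen" ]; then
        echo "HTML leaks the WordPress version: $gen"; leaks=1
    fi
    return $leaks
}

# Demo on a constructed response (constructed sample, not captured from a real
# server) that matches the "before" state in the article.
leaky=$(mktemp)
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nX-Powered-By: PHP/5.5.9-1ubuntu4\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n<html><head><meta name="generator" content="WordPress 4.5.3" /></head></html>\n' > "$leaky"
banner_leaks "$leaky" || echo "-> apply ServerTokens Prod, expose_php = Off, and unhook the generator tag"
```

After Tip 2 is applied the first two lines disappear. The generator tag is not touched by any step in this article: WordPress adds it through the wp_generator action on wp_head, which a theme or must-use plugin can unhook with remove_action( 'wp_head', 'wp_generator' ); the ?ver= query strings on assets remain, which is one more reason to rely on updates rather than on hiding the version.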

Tip 6 – Integrate Some WordPress Tweaks

Step 1 – Create a robots.txt file

robots.txt asks well-behaved crawlers and spiders to stay out of parts of the site, which keeps the admin area out of search results. It is advisory only: a crawler, and certainly an attacker, is free to ignore it, and because the file is public, listing secret paths in it advertises them. Use it for search engines, not as access control. WordPress serves a virtual robots.txt when no real file exists; creating the file below replaces it.

$ sudo nano /var/www/html/robots.txt

Add the given lines:

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

Save and exit. The Allow line mirrors the WordPress default: themes and plugins call admin-ajax.php from the front end, and crawlers that are blocked from it may render pages incorrectly.

Step 2 – Restrict and protect wp-config.php using the .htaccess file

wp-config.php contains the database credentials and the WordPress salts and keys. Normally Apache executes it rather than serving it, but a broken PHP handler (for example during a PHP upgrade) would serve its source as plain text, so block direct requests to it outright. This works because the virtual host sets AllowOverride All.

$ sudo nano /var/www/html/.htaccess

Add the given lines:

<Files wp-config.php>
Require all denied
</Files>

Save and exit the file. Require all denied is the Apache 2.4 form; the older order allow,deny / deny from all syntax only works on 2.4 through the mod_access_compat module and should not be used in new configurations.

Step 3 – Perform MySQL Secure Installation

Run mysql_secure_installation before moving into production. The script sets a password for the MySQL root account, removes the anonymous accounts, disallows remote root logins and drops the test database that any user can write to:

$ sudo mysql_secure_installation

Answer yes to each of the recommended options.
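An added example, not part of the original article: after mysql_secure_installation the remaining risk is WordPress itself connecting as root, so it should use a dedicated account with privileges on its own database only. The shell function below prints the SQL for such an account; the database name, user name and password are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: generate the SQL for a
# dedicated, least-privilege MySQL account for WordPress so that wp-config.php
# never carries the root password. Names and password below are placeholders.
set -eu

# wp_db_user_sql DBNAME USER PASSWORD
# Prints SQL that creates USER@localhost and grants only what WordPress core,
# plugins and themes need on DBNAME: no GRANT OPTION, no FILE, no SUPER,
# nothing on other databases. Backslashes and single quotes in PASSWORD are
# escaped for the MySQL string literal.
wp_db_user_sql() {
    db=$1 user=$2
    pw=$(printf '%s' "$3" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pw';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
    ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Usage (after mysql_secure_installation), placeholder names:
#   wp_db_user_sql wordpress wpuser 'S3cret pass' | sudo mysql -u root -p
wp_db_user_sql wordpress wpuser "it's secret"
```

Put the same user name and password into DB_USER and DB_PASSWORD in wp-config.php. DROP is included because plugins remove their own tables on uninstall; add LOCK TABLES only if the same account is also used for mysqldump backups, and never grant ALL PRIVILEGES or anything on *.*.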

Conclusion

Congratulations, you have applied the basic WordPress hardening tips to your Ubuntu or Debian server. Hardening is not a one-time job: keep the automatic updates working, and review the server whenever you add plugins or change the configuration.
