
According to Wikipedia, more than 59% of today's websites around the globe are powered by WordPress. The credit goes to its simple, innovative GUI, which is genuinely user friendly: even a newbie web user can use its features to build a professional website with ease. The main consideration, however, is the security of the WordPress web server. Follow this tutorial to make your WordPress web server more secure.
There are a couple of things you need to know when dealing with WordPress security. WordPress faces many types of security issues, bugs and vulnerabilities, and according to reports by security researchers it is the most targeted and attacked CMS. It has been attacked using WordPress exploits, SQL injection, XSS and so on. To protect your web server, follow all of the WordPress hardening tips below carefully.
Prerequisites
- You must have an Ubuntu or Debian based Linux distribution running a LAMP stack with WordPress installed.
- You need a normal user account with sudo privileges.
Tip 1 – Disable Directory Browsing
Directory browsing (directory listing) lets attackers and other users read sensitive information from the system. It also reveals your directory structure, which helps an attacker navigate the whole site. It should be disabled unless you genuinely need the feature.
The directory browsing illustration is given below:
Step 1 – Modify the Virtual Host Configuration File
Edit the Apache virtual host configuration file:
$ sudo nano /etc/apache2/sites-available/000-default.conf
You will see the following lines:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    <Directory /var/www/html/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Find the following line:
Options Indexes FollowSymLinks
Change it to:
Options FollowSymLinks
Save and exit the configuration file.
Finally, restart the Apache service:
$ sudo service apache2 restart
Step 2 – Modify the Apache Default Configuration File
Edit the Apache default configuration file:
$ sudo nano /etc/apache2/apache2.conf
You will see the following lines:
<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Find the following line:
Options Indexes FollowSymLinks
Change it to:
Options FollowSymLinks
Save and exit the configuration file.
Finally, restart the Apache service:
$ sudo service apache2 restart
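As a check after the two edits above, here is an added audit script (not part of the original tutorial) that scans Apache configuration files for Options lines that still enable directory listings and reports which <Directory> block each one belongs to; because AllowOverride All lets .htaccess files re-enable Indexes, it can be pointed at those too. It assumes POSIX sh and awk, and the sample configuration it writes in demo() is constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit Apache configuration
# files for Options lines that still turn directory listings on, reporting the
# <Directory> block of each. Assumes POSIX sh and awk; demo() data is constructed.

# Print "file:line:directory" for each Options line that enables Indexes
# ("Indexes" or "+Indexes"; "-Indexes" disables it and is not reported).
find_indexes() {
    for f in "$@"; do
        awk -v file="$f" '
            tolower($0) ~ /^[ \t]*<directory[ \t]/ { dir = $2; sub(/>.*/, "", dir) }
            tolower($0) ~ /^[ \t]*<\/directory>/  { dir = "" }
            tolower($0) ~ /^[ \t]*options[ \t]/ {
                for (i = 2; i <= NF; i++)
                    if (tolower($i) == "indexes" || tolower($i) == "+indexes")
                        printf "%s:%d:%s\n", file, NR, (dir == "" ? "(global)" : dir)
            }' "$f"
    done
}

# Number of offending lines across the given files; 0 means the audit passed.
count_indexes() {
    find_indexes "$@" | wc -l | tr -d ' '
}

# Constructed sample mirroring the two files edited in Tip 1.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/apache2.conf" <<'EOF'
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
EOF
    cat > "$tmp/000-default.conf" <<'EOF'
<VirtualHost *:80>
    <Directory /var/www/html/>
        Options FollowSymLinks
    </Directory>
    <Directory /var/www/html/wp-content/uploads/>
        Options -Indexes +FollowSymLinks
    </Directory>
</VirtualHost>
EOF
    find_indexes "$tmp/apache2.conf" "$tmp/000-default.conf"
    echo "offending lines: $(count_indexes "$tmp/apache2.conf" "$tmp/000-default.conf")"
    rm -rf "$tmp"
}
demo
```

Run it against /etc/apache2/apache2.conf and /etc/apache2/sites-enabled/*.conf; an empty report means no block enables Indexes.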
Tip 2 – Turn Off the Server Signature
An attacker wants to know the server signature, including the PHP version and the Apache web server version, because it helps them look up the vulnerabilities affecting those versions and launch the matching exploit. It is recommended to turn off the server signature.
Step 1 – Hide the PHP Version
Edit the php.ini file to hide the PHP version:
$ sudo nano /etc/php5/apache2/php.ini
Find the following line:
expose_php = On
Change it to:
expose_php = Off
Save and exit the php.ini file.
Finally, restart the Apache service:
$ sudo service apache2 restart
Step 2 – Hide the Apache Version
Check your website for the server signature:
$ curl --head http://www.techbrown.com
Sample output:
HTTP/1.1 200 OK
Date: Sat, 16 Jul 2016 11:12:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Server: Apache/2.4.7 (Ubuntu)
The last line is the server signature: Server: Apache/2.4.7 (Ubuntu)
Turn off the Apache server signature:
$ sudo nano /etc/apache2/apache2.conf
Add these lines at the end of the file (ServerTokens controls what the Server header reveals; ServerSignature Off removes the version footer from Apache-generated pages such as error pages):
ServerTokens Prod
ServerSignature Off
Save and exit the configuration file.
Finally, restart the Apache service:
$ sudo service apache2 restart
Check your website again to confirm the change:
$ curl --head http://www.techbrown.com
Sample output:
HTTP/1.1 200 OK
Date: Sat, 16 Jul 2016 11:12:17 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
You won't see the server signature any more. This means that the server signature is turned off.
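The curl --head checks above can be turned into a repeatable test. The following is an added example, not part of the original tutorial: a shell function that reads raw response headers and flags a Server header carrying a version number or any X-Powered-By header (the header that expose_php = On adds). It assumes POSIX sh, grep, tr and curl; the header text used in demo() is constructed, modelled on the sample output above.

```shell
#!/bin/sh
# Added example, not from the original tutorial: detect version disclosure in
# HTTP response headers, the check behind Tip 2's curl --head commands.
# Assumes POSIX sh, grep, tr and curl; the headers in demo() are constructed.

# Read raw response headers on stdin and print every header that discloses a
# version: a Server header containing a digit, or any X-Powered-By header.
# Returns 0 when nothing is disclosed and 1 otherwise.
leaky_headers() {
    if tr -d '\r' | grep -i -E '^(server:.*[0-9]|x-powered-by:)'; then
        return 1
    fi
    return 0
}

# Live check against a URL; same exit status convention as leaky_headers.
check_url() {
    curl -sS --head "$1" | leaky_headers
}

demo() {
    echo "--- default install (constructed headers) ---"
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\nX-Powered-By: PHP/5.5.9\r\n\r\n' \
        | leaky_headers && echo "clean" || echo "version disclosed"
    echo "--- after expose_php = Off and ServerTokens Prod ---"
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n' \
        | leaky_headers && echo "clean" || echo "version disclosed"
}
demo
```

Use check_url http://www.example.com (hypothetical host) from a cron job or a deployment pipeline so that a package upgrade that quietly re-enables the headers is noticed.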
Tip 3 – Enable Automatic Security Updates for Ubuntu or Debian Based Distributions
Bugs in server software, operating systems and web applications are what let attackers compromise a web server, so protect it by patching and updating the server software regularly. Apply all security updates, major and minor alike, and always run the latest stable version of the web server software. There are many ways to automate this; one of them is the unattended-upgrades package, which enables automatic updates on Ubuntu or Debian based distributions. Use proper patch management and patch the OS and web server software on a regular basis.
Install the "unattended-upgrades" package:
$ sudo apt-get install unattended-upgrades
Activate unattended-upgrades:
$ sudo dpkg-reconfigure --priority=low unattended-upgrades
Select Yes to enable automated updates.
Check whether it is activated:
$ cat /etc/apt/apt.conf.d/20auto-upgrades
Sample output:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
This shows that you have successfully enabled automatic security updates.
Note: this step is optional. It makes Ubuntu or Debian reboot automatically after finishing the upgrades, without asking for confirmation.
$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Find the following line:
Unattended-Upgrade::Automatic-Reboot "false";
Change it to:
Unattended-Upgrade::Automatic-Reboot "true";
Save and exit the configuration file.
Tip 4 – Enable Automatic WordPress Updates
Enable automatic updates of the WordPress core through the wp-config file:
$ sudo nano /var/www/html/wp-config.php
Add the given line above the line that requires wp-settings.php:
/** Automatically update the WordPress core. */
define( 'WP_AUTO_UPDATE_CORE', true );
The add_filter() function is not yet defined when wp-config.php is loaded, so filters placed there cause a fatal error. To update plugins and themes automatically as well, put the filters in a must-use plugin, for example /var/www/html/wp-content/mu-plugins/auto-updates.php, which WordPress loads on every request:
<?php
/** Automatically update the WordPress core, plugins and themes. */
add_filter( 'auto_update_core', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
Save and exit the file.
Tip 5 – Remove the Info Traces
Remove the files that reveal information about the system; they let an attacker identify your setup precisely, so delete them before they fall into the wrong hands.
Delete the PHP info file:
$ sudo rm -rf /var/www/html/info.php
Remove the motd.tail file, which shows the WordPress database password:
$ sudo rm -rf /etc/motd.tail
Remove the WordPress readme file, which reveals the WordPress version:
$ sudo rm -rf /var/www/html/readme.html
Tip 6 – Integrate Some WordPress Tweaks
Step 1 – Create a robots.txt File
This is an essential step that tells web crawlers and spiders to stay out of your sensitive directories; crawlers that honour robots.txt will not index them.
$ sudo nano /var/www/html/robots.txt
Add the given lines:
User-agent: *
Disallow: /wp-admin/
Save and exit the file.
Step 2 – Restrict and Protect the wp-config File Using .htaccess
The wp-config.php file contains the database credentials and the WordPress salts. You must block access to this important file before it falls into the wrong hands.
$ sudo nano /var/www/html/.htaccess
Add the given lines:
<files wp-config.php>
    order allow,deny
    deny from all
</files>
On Apache 2.4 the order/deny directives depend on mod_access_compat; the native 2.4 form of the same rule is Require all denied.
Save and exit the configuration file.
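To verify Tip 5 and Tip 6 together, here is an added audit script (not part of the original tutorial) that checks a document root for the leftover info.php and readme.html files, for a robots.txt that disallows /wp-admin/, and for an .htaccess rule that blocks wp-config.php inside a <files> block, accepting both the rule above and the Apache 2.4 Require all denied form. It assumes POSIX sh, grep and awk; the sample tree built in demo() is constructed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: audit a WordPress document
# root for the leftovers removed in Tip 5 and the protections added in Tip 6.
# Assumes POSIX sh, grep and awk; the tree built in demo() is constructed.

# Print one line per finding; the return value is the number of findings.
audit_docroot() {
    root=$1
    findings=0
    for f in info.php readme.html; do
        if [ -e "$root/$f" ]; then
            echo "REMOVE: $root/$f still exists"
            findings=$((findings + 1))
        fi
    done
    if ! grep -qi '^disallow:[[:space:]]*/wp-admin/' "$root/robots.txt" 2>/dev/null; then
        echo "ADD: robots.txt does not disallow /wp-admin/"
        findings=$((findings + 1))
    fi
    # The rule must sit inside a <files wp-config.php> block; both the
    # tutorial's "deny from all" and the Apache 2.4 "Require all denied" count.
    if ! awk 'tolower($0) ~ /^[ \t]*<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inb = 1 }
              inb && tolower($0) ~ /deny from all|require all denied/ { ok = 1 }
              tolower($0) ~ /^[ \t]*<\/files>/ { inb = 0 }
              END { exit ok ? 0 : 1 }' "$root/.htaccess" 2>/dev/null; then
        echo "ADD: .htaccess does not block wp-config.php"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a docroot with every problem, then the fixes applied.
demo() {
    root=$(mktemp -d)
    touch "$root/info.php" "$root/readme.html"
    echo "--- before hardening ---"
    audit_docroot "$root" || echo "findings: $?"
    rm -f "$root/info.php" "$root/readme.html"
    printf 'User-agent: *\nDisallow: /wp-admin/\n' > "$root/robots.txt"
    printf '<files wp-config.php>\n  order allow,deny\n  deny from all\n</files>\n' > "$root/.htaccess"
    echo "--- after hardening ---"
    audit_docroot "$root" && echo "findings: 0"
    rm -rf "$root"
}
demo
```

Run audit_docroot /var/www/html on the real server; a non-zero exit status lists exactly which of the steps above is still outstanding.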
Step 3 – Perform the MySQL Secure Installation
Run mysql_secure_installation before moving into production; it sets the root password, removes the anonymous accounts and the test database, and disables remote root login.
$ sudo mysql_secure_installation
Select the recommended options to secure the MySQL database.
Congratulations, you have now learned how to harden WordPress hosting.