Using this article you can launch absolutely secure WordPress website. and implement best hardening wordpress practise. Security is a prerequisite for a commercial website, 90% of hacking attempts could be prevented during equipment setup. But in fact – very often, developers neglect these settings, or they are not executed because there is no System Administrator at all, or someone does not have time. etc.
Standard SysAdmin activities to implement wordpress security – to close all open “doors” for intruder:
1. Exclude the ability to connect via SSH
2. Transfer from the WordPress folder all files which are not used
3. Deny access to the system files from the outside, using web server
This article could be continued by protecting forms from exploits and SQL-injections and backups, but be sure if you complete the first 3 hardening wordpress steps – this is enough for your website to be practically invulnerable for intruders, because in common cases hackers are use fairly standard software that “works” by weak WordPress website sides, due to these settings – these sides will be just inaccessible for the intruder.
Why does an attacker hunt to your website?
Because you are really do commercial activity and store customers data, or another commercial information. Also, your website could be used by intruder for Black SEO, to put links from your website or display advertising for some customers and etc. This kind of activities will damage your website positions in Search Engines. So, if you have decide to use WordPress for the commercial website, these wordpress hardening steps are must have.
The given example is made for a standard corporative website. For the online store, other types of websites, some settings may differ, if you understand the topic, you can use the main hardening wordpress principles that are outlined here.
Controversial question
VPS / VDS / Droplet
VS
Shared Hosting
On Shared hosting, you can reproduce the set of commands at the .htaccess file, however shared hosting is less secure just because you don’t manage the server itself, but use the provided settings. The website physically located inside one of the virtual machines, there are located websites of other shared hosting users.
Case when you have access to all your websites folders from ftp or list via browser is not good security practise for production website too.
Secure WordPress hosting should be implemented on Virtual Private Server.
Provided “How to Secure WordPress” use
Droplet Digital Ocean
Centos 7
1Gb Memory
25Gb Disk
work is done using MacOs computer.
The first thing to do after buying a virtual server:
– Change root password (You will be asked for password change while first login to the server via SSH)
– Create New User (* do not use admin)
adduser johny
passwd johny
– Add sudo
usermod -aG wheel johny
su johny
sudo ls /root How to Generate SSH key
How to setup SSH Keys on centOs
– Generate a SSH key for a new user
Important!!!
* Do not use “admin” user name
* Create paraphrase password
* Use long passwords, 16 symbols minimum
– Now connect to the server from a new user using SSH key
Here is macOs example, on Windows use putty or another soft
Run in Terminal:
vi /Users/johny/.ssh/config
Add the following:
Host myhost - Connection name ( set yours )
User johny
Port 22
Hostname 11.222.333.44 - Your server IP
IdentityFile ~/.ssh/id_rsa - location of generated key
Save file and close by typing Escape then :wq + Enter
Now type in Terminal:
ssh myhost– After successful connection, delete the private key file in the folder /home/johny/.ssh/id_rsa ( on the Server)
Restrict access to the server via sshDetailed information
Securing OpenSSH
Important!!!
* Restart the sshd service after changing each parameter in the configuration file.
* Reconnect after each sshd restart.
service sshd restartSSH Configuration File
/etc/ssh/sshd_configActions
— Change standard SSH port from 22 to another
/etc/ssh/sshd_config
Port 23451 // Set yours
Then allow new port in firewall
Bash:
iptables -I INPUT -p tcp --dport 23451 -j ACCEPT
semanage port -a -t ssh_port_t -p tcp 23451
— Disable ssh root login
/etc/ssh/sshd_config
PermitRootLogin no— Allow ssh only for your user
/etc/ssh/sshd_config
AllowUsers johny— Ensure you are use only 2 Protocol
/etc/ssh/sshd_config
# Protocol 2,1
Protocol 2— Disable authentication by password
/etc/ssh/sshd_config
PasswordAuthentication no— Allow ssh only from your IP ( if it is static )
Bash:
iptables -A INPUT -p tcp -s yourIP --dport 23451 -j ACCEPTDone, now ssh is available only from your IP address, with your login (which known only to you) and only with private key with a paraphrase password.
It is not paranoid settings, but necessary to prevent someone connect to your server and make changes in the server settings, programs and files.
VESTA Control Panel Installation
To manage your virtual web server lets install VESTA CP. The panel is comfortable and free for use.
https://vestacp.com/install/
# Connect to your server via SSH
# Change user to root: su root
# Download installation script
curl -O http://vestacp.com/pub/vst-install.sh
# Run it
bash vst-install.shInstallation will take about 15-20 minutes
Close Vesta CP from unwanted connections.
– Vesta CP Firewall
https://yourip:8083/list/firewall/
VESTA -> set your IP
FTP -> set your IP ( this setting could be reproduced with iptables same as ssh port)
SMTP -> 127.0.0.1
IMAP -> 127.0.0.1
DB -> 127.0.0.1If you need to access VESTA CP from few IP’s, you are available to add additional IP via modifying VESTA CP firewall settings file
usr/local/vesta/data/firewall/rules.confAdd new line to the End of file, set RULE number according to your numeration. Change “New IP” to yours.
RULE='12' ACTION='ACCEPT' PROTOCOL='TCP' PORT='8083' IP='New IP' COMMENT='Vesta1' SUSPENDED='no' TIME='14:48:38' DATE='2017-02-15'Restart Vesta to accept changes
service vesta restart– Disable Softaculous
https://yourIP:8083/edit/server/
Server -> Configure ->Vesta Control Panel Plugins->Softaculous->no– Remove .softaculuos from web folder
Bash:
cd /home/vestauser/
rm -rf .softaculous/– Setup your domain
– – https://yourip:8083/list/web/ – Create Domain
– – https://yourip:8083/list/db/ – Create Database
– Setup Wordpess
Bash:
cd /home/vestauser/web/yourdomain/public_html
wget https://wordpress.org/latest.tar.gz
tar --strip-components=1 -zxf latest.tar.gz
– Setup SSL for your website if required
– Immediately close WordPress Admin using .htaccess
Bash:
vi /home/vestauser/web/yourdomain/public_html/wp-admin/.htaccess
order deny,allow
deny from all
allow from YourIP_1
allow from YourIP_2
– Install and Setup your WordPress theme, then remove not used WordPress files from domain folder
/home/vestauser/web/yourdomain/public_html
wp-activate.php
wp-comments-post.php
wp-config-sample.php
wp-signup.php
wp-trackback.php
xmlrpc.php
Important!!!
* Do not remove files, just transfer to another directory, for example in /home folder of another user. After transfer of each file, check functionality of your website, in case after file transfer something went wrong on the website, recover file back to the domain folder.
– Make changes in main .htaccess file, add following:
/home/vestauser/web/yourdomain/public_html/.htaccess
<Files "wp-load.php">
Order Deny,Allow
Deny from all
Allow from SERVER IP
</Files>
<Files "wp-login.php">
Order Deny,Allow
Deny from all
Allow from YourIP_1
Allow from YourIP_2
</Files>
<Files "wp-config.php">
Order Deny,Allow
Deny from all
Allow from SERVER IP
</Files>
<Files "wp-cron.php">
Order Deny,Allow
Deny from all
Allow from SERVER IP
</Files>
<Files "wp-mail.php">
Order Deny,Allow
Deny from all
Allow from SERVER IP
</Files>
<Files "wp-settings.php">
Order Deny,Allow
Deny from all
Allow from SERVER IP
</Files>There should be listed each .php file except for index.php. By this settings you are restrict access to the WordPress system files from any IP, except for your Server IP, and only from your IP’s to wp-login.php
Close the remaining vulnerabilitiesImportant!!!
Restart Nginx after each change which was made. Check is your website Alive
service nginx restart– Transfer Nginx website configuration file from VESTA CP folder to common Nginx configuration folder
Bash:
mv /home/vestauser/conf/web/yourdomain.nginx.conf /etc/nginx/conf.d– Modify Nginx configuration file of website
In the server section, add new location – change yourdomain and Your IP by yours.
/etc/nginx/conf.d/yoursite.conf
location ~* ^.+\.(jpeg|jpg|png|gif|bmp|ico|svg|tif|tiff|css|js|htm|html|ttf|otf|webp|woff|txt|csv|rtf|doc|docx|xls|xlsx|ppt|pptx|odf|odp|ods|odt|pdf|psd|ai|eot|eps|ps|zip|tar|tgz|gz|rar|bz2|7z|aac|m4a|mp3|mp4|ogg|wav|wma|3gp|avi|flv|m4v|mkv|mov|mpeg|mpg|wmv|exe|iso|dmg|swf)$ {
root /home/vestauser/web/yourdomain/public_html/wp-admin;
access_log /var/log/httpd/domains/yourdomain.log combined;
access_log /var/log/httpd/domains/yourdomain.bytes bytes;
expires max;
try_files $uri @fallback;
allow Your IP;
deny all;
}– Restrict access to phpmyadmin and webmail (this block is outside of server section)
location /phpMyAdmin/ {
root /home/vestauser/web/yourdomain/public_html/phpMyAdmin;
allow YourIP;
deny all;
try_files $uri @fallback;
}
location /webmail/ {
root /home/vestauser/web/yourdomain/public_html/webmail;
allow Your IP;
deny all;
try_files $uri @fallback;
}– Comment or remove line in the End of file
include /home/vestauser/conf/web/yourdomain.conf*;– Restrict access to VESTA CP via IP of virtual server, create configuration file YourIP.conf in folder /etc/nginx/conf.d/
/etc/nginx/conf.d/YourIP.conf
server {
listen YourIP:80 default;
server_name _;
access_log /dev/null;
error_log /dev/null;
return 444;
}– Restrict index.php Vesta СP using Nginx configuration file of Vesta Control Panel
/usr/local/vesta/nginx/conf/nginx.confIn the server section of #Vhost add following
location / {
expires max;
index index.php;
allow YourIP;
deny all;
}Well Done. If you implement all above – your server, your Vesta CP and your WordPress website are protected for maximum. We emphasize that this example is made for the certain type of website, there is no comments forms and extra plugins. The complex of security settings and wordpress hardening may differ for the another website types.
Also, you may decide that one settings are duplicate another, and may harder of server administration.
The settings of Apache (.htaccess) then Nginx – are prevent the hack after hack. WordPress security is very weak and if some serious guys will working on hacking your wordpress website, one day they will found the door which opens. But they will be unable to change Nginx settings. While this time you could detect strange unusual activity on your website, find some new files or recently changed file by date – in other words, you will be available to find foot prints of penetration into the system and prevent the threat.