Server Guide

This security guide is for WordPress users that manage their own OS/Server and have CLI access through a dedicated server, VPS or cloud. If your on a shared host you most likely won’t be able to do any of this.

The commands in this guide are for Debain/Ubuntu by can easily apply to any OS, well hopefully your not in windows.

Please keep in mind some of this stuff, such as the firewall settings and security packages, will effect your server performance.

1. SSH port

1. Change your SSH port number to something above 1000. I don’t care what anyone says, most lazy hackers/bots use default scanner settings that only scan the first 1k ports, move your ssh port higher. Does this add real security, not really, but you will get pounded/indexed much less.

  • Edit you sshd_config file most likely found in etc/ssh/
  • Change port #
  • Reload SSH –> sudo /etc/init.d/ssh reload

Don’t forget to change your client’s port number.

 

2. Disable root login

Most everyone under the sun will try and guess your root login password, so just disable ALL root logins, just make sure you have another account to login with or your toast.

  • Head to your sshd_config file most likely found in etc/ssh/
  • Search for the text PermitRootLogin and set this to “no”
  • Reload SSH –> sudo /etc/init.d/ssh reload

 

3. Disable username and password logins

Not only can you disable root but go ahead and disable ALL username and password logins and use encrypted authentification keys instead. This will not only prevent brute force attacks but anyone trying man-in-the-middle snooping.
The steps require generating a private and publish encryption key, a detailed guide can be found here (Ubuntu) https://help.ubuntu.com/community/SSH/OpenSSH/Keys. Once your keys are set up you can use your standard SSH client to login without sending any username/password over the internet, if your on windows you will need something like Pageant for Putty. Don’t forget to head back to your SSH config file and disable user based logins.

 

4. Install some security packages

These are packages you can grab of the repository for your OS using apt-get or yum.

 

5. Run MySQL secure installation

Make sure you disable remote connections and delete the default DB/User.

#Head over to yourMySQL shell prompt and type:
shell> mysql_secure_installation
#follow the easy intructions.

 

6. Enabling SSH/SFTP Updates

To enable updates through ssh for WordPress you will need to install libssh2 for php either from http://www.libssh2.org/ or using

apt-get install libssh2-php

and restart apache. You will then see a new option in WordPress for SSH connections magically show up.

 

7. Install Mod_Security 2

Mod_Security 2 is an apache server firewall with extensive configuration and documentation. On most OS’s you will need to compile and make it from binary due to licensing restrictions. That means don’t install the packages from the repo, they are old and most likely mod_sec ( not version 2). The files and knowledge base can be found on the offical site here http://www.modsecurity.org/.

Running mod_sec can be a full time job and by default it will probably break some WordPress functionality, we will be adding a detailed guide and some mod_sec rules specific to WordPress. Mod_sec provides a real layer of protection and extensive rule based logging, and is one of the only measures you can take vs zero day exploits that target the WordPress core.
I have added a more detailed guide on how to install and get started with mod_sec in a blog post http://www.wpsecure.net/blog-post/using-mod_security-with-wordpress/

 

7. Iptables tricks

Iptables is another security firewall measure that is very detailed, here are some tips and tricks.

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day.
iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
iptables -A INPUT   -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt.
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
#Force SYN packets check
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#Drop all NULL packets
iptables -A INPIT -p tcp --tcp-flags ALL NONE -j DROP
#Drop ping
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

More tips @ servefault http://serverfault.com/

 

8. Additional measures
  • Get familiar with iptables -iptables are the Linux firewall and have extensive rules and documentation.
  • Implement portknocking to reduce port sniffing to practically zero
  • Use a file integrity check like Md5sum , Tripwire or AIDE.
  • Permissions, user groups and more permissions!