One Click Install App, is it bundled with security enhancement settings as well?

July 30, 2017
Apache LAMP Stack One-Click Install Apps CentOS

When using a One Click Install App to install WordPress, a LAMP stack or any other app, are its security settings already strengthened as well? Or is it just a basic setup to which I need to add or change security measures myself?

1 Answer

Hi @MrWorldWideWeb

The One-Click apps have a firewall and a few other things enabled - and stronger passwords than what most people would manually set for their database, but other than that, no, there's not a lot of security hardening.
I would recommend that you go through everything yourself - and enhance the security to the level you feel is necessary for your website.

Did you expect anything specific or are you looking for hints?

  • I'm just looking for a hint. I just added phpMyAdmin on my droplet; for security I added a 2nd verification (Apache authentication) on it. Other than that, I only need to add fail2ban as additional security hardening, right? Should I add anything else? My droplet is a One-Click Install LAMP.

    I'm new to VPS, so it's better if I put more effort into hardening the server rather than getting hacked and having a headache, as it will be harder to fix.

    • @MrWorldWideWeb

      Adding .htpasswd to something like phpMyAdmin is definitely recommended - and adding fail2ban will help you a lot.
      Also, if you're using WordPress (or another popular CMS), then follow the official guides on hardening that system - adding fail2ban to that mix helps a lot too.

      In general, having everything up-to-date is one of the most important things, but limiting every service to the least required options is good too. Meaning, if you're not using a certain feature, then remove/disable or limit that feature.

      Make sure you never use the same password twice - and use long passwords - but preferably use SSH Keys to gain access to the server instead of passwords.

      And every type of communication should be encrypted if it leaves the server, so add Let's Encrypt to get HTTPS instead of accessing your site over HTTP.

      • Ah yeah, almost forgot, I'm already using SSH keys. For WordPress hardening, I have also already implemented it on my current sites.

        Do you have a sample of a working jail.local file? Is [apache] similar to the [apache-auth] jail? Because I can't find an [apache] jail in this file, maybe I should add it?

        For Let's Encrypt, that's free SSL, right? If I use it, will my site change to HTTPS, or is this only for my backend connection to the server? I think for my site I will use paid SSL later.

        In general, having everything up-to-date is one of the most important things, but limiting every service to the least required options is good too. Meaning, if you're not using a certain feature, then remove/disable or limit that feature.
        I'll be using this server for WordPress only; which features should I disable? Any guide for this specific case?

        Thanks

        • @MrWorldWideWeb

          I don't use Apache - and my jail.local is not something that will work well on regular systems.
          But have a look in /etc/fail2ban/filter.d/ to see all the different filters you can use for your jails.

          Let's Encrypt is free certificates, yes. You would generate the certificate for your server and then change your <VirtualHost *:80> to redirect to HTTPS, so all communication is done over HTTPS.
          There's no reason to use a paid certificate unless you need something other than a Domain Validated (DV) certificate, which is currently what Let's Encrypt provides, but which is also what most websites need.

          If you're going to run WordPress mostly/only, then install and setup the Fail2Ban Redux plugin, which will integrate well with fail2ban:
          https://wordpress.org/plugins/wp-fail2ban-redux/
          And you might want to look at one of the security plugins too:
          https://wordpress.org/plugins/better-wp-security/
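The three pieces of configuration the thread talks about (a jail.local that enables the sshd and apache-auth jails, HTTP Basic auth in front of phpMyAdmin, and a `<VirtualHost *:80>` that only redirects to HTTPS), put together as an added example; this is not code from the thread or from the DigitalOcean One-Click image. It assumes CentOS 7 package paths (httpd logs under /var/log/httpd, fail2ban with the fail2ban-firewalld package, phpMyAdmin from EPEL at /usr/share/phpMyAdmin); the domain name and the htpasswd user are placeholders you pass on the command line.

```shell
#!/usr/bin/env bash
# harden-lamp.sh: added example for a CentOS One-Click LAMP droplet (not
# DigitalOcean's code). Renders, and optionally installs, the configs
# discussed in the thread. Paths assume CentOS 7; DOMAIN and USER are
# placeholders supplied by the caller.
set -eu

# fail2ban jail.local: only overrides go here, jail.conf stays untouched.
# firewallcmd-ipset is the banaction provided by the fail2ban-firewalld
# package; on a system using plain iptables, drop that line.
jail_local_conf() {
  cat <<'EOF'
[DEFAULT]
bantime   = 3600
findtime  = 600
maxretry  = 5
banaction = firewallcmd-ipset
ignoreip  = 127.0.0.1/8 ::1

[sshd]
enabled = true

# apache-auth (filter.d/apache-auth.conf) watches the Apache error log for
# failed HTTP Basic auth, i.e. exactly the .htpasswd guard on phpMyAdmin.
# The glob also catches ssl_error_log.
[apache-auth]
enabled  = true
port     = http,https
logpath  = /var/log/httpd/*error_log
maxretry = 3
EOF
}

# Apache directory block that puts phpMyAdmin behind Basic auth.
# $1 = directory phpMyAdmin is installed in (EPEL default if omitted).
# The EPEL package's own conf.d/phpMyAdmin.conf still applies alongside this.
phpmyadmin_auth_conf() {
  pma_dir="${1:-/usr/share/phpMyAdmin}"
  cat <<EOF
<Directory "${pma_dir}">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>
EOF
}

# Port-80 vhost that only redirects; the real site lives in the *:443
# vhost that certbot (Let's Encrypt) writes. $1 = domain (placeholder).
http_redirect_conf() {
  domain="$1"
  cat <<EOF
<VirtualHost *:80>
    ServerName ${domain}
    Redirect permanent / https://${domain}/
</VirtualHost>
EOF
}

# Install step, root only: writes the files, validates, reloads services.
apply_hardening() {
  domain="$1"
  user="$2"
  jail_local_conf              > /etc/fail2ban/jail.local
  phpmyadmin_auth_conf         > /etc/httpd/conf.d/phpMyAdmin-auth.conf
  http_redirect_conf "$domain" > /etc/httpd/conf.d/00-redirect.conf
  # -B selects bcrypt; -c creates the file, so omit -c for further users.
  htpasswd -B -c /etc/httpd/.htpasswd "$user"
  apachectl configtest && systemctl reload httpd
  fail2ban-client -t && systemctl restart fail2ban
}

# Usage: sudo ./harden-lamp.sh example.com pmaadmin
if [ "$#" -eq 2 ]; then
  apply_hardening "$1" "$2"
fi
```

Run it without arguments to do nothing but define the functions (handy for `jail_local_conf | less` to review the sample before installing it); with a domain and a user it writes the files and reloads httpd and fail2ban.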
