By: Areku

Security measures

April 11, 2017
Nginx Security WordPress Ubuntu 16.04

Hi!

I have taken the basic security measures concerning my droplet: Let's Encrypt, a firewall, and also updates and installations in WordPress. Is a plugin like Wordfence still needed after that?

4 Answers

@Areku

On DigitalOcean, skip swap. On solid-state hard drives it can actually cause more harm than good. Instead of swap, you need to more effectively manage your RAM usage (if it's an issue) or upgrade RAM.

On a LEMP Stack (NGINX, MySQL/MariaDB, and PHP-FPM), the majority of your RAM is going to be consumed by MySQL/MariaDB, so that's where I'd look first unless you're not caching anything, then you may also see PHP consuming quite a bit (in medium-high traffic scenarios). NGINX doesn't use RAM like Apache does as NGINX is effectively offloading the processing to PHP-FPM using FastCGI.

...

SSL

In terms of security, start with SSL and make sure it covers your site from endpoint to endpoint. Make sure requests on port 80 are redirected to 443, thus ensuring SSL is used in all instances.

Passwords

There are two main types of passwords that should be used -- completely random or phrases.

The degree of randomness is only limited by what your application accepts. While most will accept special characters, some won't. For example, a good random password, in my eyes, would look like:

i40CTTeyybTVh9KwoBMBIbYOlmM1ihjPDBloyyEQQhIHyhEClS39yg0QJv8T102

or

nM`1p&91>3vlv^7,maL&IjWi9',TGp#?v+f[Q2S}eLTMa5JPAGcsb3Vy>~^+V3Q

or

3D64B7B214061748CBDA8DCD3DDDC08151C92A869727DEAA93529EA584812BC6

Compliments of https://www.grc.com/passwords.htm

Now, unless you use a Password Manager, those passwords are going to be impossible to remember. If you use one of those for a root password and forget it, you'll be loading from recovery or starting from scratch, so be careful.

On the flip side, random phrases are easier to remember and provide relatively high security, when used correctly.

For example, we could use a phrase such as:

complete-government-northern-building-glossary-surprise-DIRECTION-QUESTIONS

This was randomly generated compliments of https://xkpasswd.net. Now, that is a little easier to remember in terms of remembering words instead of completely random characters.

It's your choice which to use, but at minimum, I'd recommend 4-6 words on the phrases and at least 32-64 characters on random passwords. Switching case (upper and lower) is advised. Adding in extra characters where you feel is needed is also advised (i.e. I would use - then -- then -_- so that the phrase isn't using the same separator each time).

The biggest issue here is making sure that your users are doing the same, especially those who may have any sort of elevated rights, whether server or application. If they aren't, they are now the weakest link in your security chain.
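The two password styles above (fully random strings and word phrases) can be generated and compared with a short script. The following is an added example, not code from the answer or from the grc.com or xkpasswd generators; it draws symbols with Python's `secrets` module (the CSPRNG, not `random`), applies the author's suggestions of switching case and varying the separator between words, and reports the entropy of each style so you can see what "4-6 words" versus "32-64 random characters" actually buys. The word list is a constructed stand-in: a real dictionary is far larger, which raises the bits per word.

```python
import math
import re
import secrets
import string

# Alphabets matching the three random-password styles shown above:
# alphanumeric, full printable ASCII, and upper-case hex.
ALNUM = string.ascii_letters + string.digits   # 62 symbols
PRINTABLE = ALNUM + string.punctuation         # 94 symbols
HEX_UPPER = "0123456789ABCDEF"                 # 16 symbols

# Constructed stand-in for a passphrase dictionary (assumption: a real list
# such as the one xkpasswd uses has thousands of words, giving more bits each).
WORDS = [
    "complete", "government", "northern", "building", "glossary", "surprise",
    "direction", "questions", "able", "acid", "anchor", "apple", "arrow",
    "basket", "beach", "bridge", "butter", "candle", "carbon", "castle",
    "cloud", "copper", "dance", "desert", "dragon", "eagle", "engine",
    "fabric", "falcon", "forest", "garden", "glacier", "harbor", "hollow",
    "island", "jungle", "kettle", "ladder", "lantern", "marble", "meadow",
    "mirror", "needle", "ocean", "orbit", "pepper", "planet", "quartz",
    "rabbit", "river", "saddle", "silver", "spider", "summer", "thunder",
    "timber", "tunnel", "valley", "velvet", "walnut", "willow", "window",
    "yellow", "zephyr",
]
# The answer's suggestion of not reusing the same separator every time.
SEPARATORS = ["-", "--", "-_-"]

WORD_BITS = math.log2(len(WORDS))
SEP_BITS = math.log2(len(SEPARATORS))


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def random_password(length=32, alphabet=ALNUM):
    """Uniformly random password; enforces the answer's 32-character minimum."""
    if length < 32:
        raise ValueError("use at least 32 random characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words=6, words=WORDS, separators=SEPARATORS):
    """Random word phrase with a fair-coin upper-casing of each word and a
    randomly chosen separator between words; enforces the 4-word minimum."""
    if n_words < 4:
        raise ValueError("use at least 4 words")
    chosen = []
    for _ in range(n_words):
        word = secrets.choice(words)
        if secrets.randbelow(2):          # fair coin: one extra bit per word
            word = word.upper()
        chosen.append(word)
    phrase = chosen[0]
    for word in chosen[1:]:
        phrase += secrets.choice(separators) + word
    return phrase


def passphrase_entropy_bits(n_words, words=WORDS, separators=SEPARATORS):
    """Entropy of passphrase(): word choices + case coin flips + separators."""
    return (n_words * math.log2(len(words))
            + n_words                                  # 1 bit per case flip
            + (n_words - 1) * math.log2(len(separators)))


def word_count(phrase):
    """Count alphabetic words in a phrase regardless of the separators used."""
    return len([w for w in re.split(r"[^A-Za-z]+", phrase) if w])


if __name__ == "__main__":
    for name, alphabet in (("alnum", ALNUM), ("printable", PRINTABLE), ("hex", HEX_UPPER)):
        pw = random_password(64, alphabet)
        print(f"{name:9s} {pw}  ({entropy_bits(len(alphabet), 64):.0f} bits)")
    ph = passphrase(6)
    print(f"phrase    {ph}  ({passphrase_entropy_bits(6):.0f} bits)")
```

Run it a few times and compare the bit counts: 64 hex characters are exactly 256 bits, 32 alphanumeric characters are about 190 bits, while a 6-word phrase from this small list is only about 50 bits; with a real dictionary of several thousand words the phrase climbs well above 100 bits, which is why the word count matters more than the phrase's length in characters.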

Server

Always use a firewall. Since you're using Ubuntu, I'd recommend setting up default deny policies and then only allowing in the ports you want to allow access on.

For example, let's make sure ufw is disabled (i.e. off).

ufw disable

Now let's reset it (delete all existing rules):

ufw reset

Now let's set default policies -- don't worry, they won't take effect until you turn ufw back on, so you won't be blocked by running these commands.

ufw default deny incoming
ufw default allow outgoing

Now let's allow in ports that we know we need to allow access on. For you, we need SSH, HTTP, and HTTPS.

ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp

Now you can connect over SSH using Port 22 (default port) and accept both HTTP and HTTPS requests. So let's turn ufw back on.

ufw enable

Confirm you want to enable ufw and boom, that part is done. You now have a working firewall that will allow outgoing connections (which are needed to update/upgrade software from repos) and will only allow incoming connections on 22, 80, and 443.

Beyond the firewall, software such as Fail2Ban can be helpful, but it can be a pain to set up and also manage. It's definitely not a bad solution though, just make sure you read over how to set it up and how to use it. If you don't make use of it and "just let it run" without monitoring, it's useless (as is the case with most things).

...

Beyond a firewall and similar solutions, keep things up to date. When a new version of NGINX, PHP, MySQL/MariaDB is released and the intent is to patch flaws in the software, make sure you update. A firewall and similar won't protect you from issues that can be exploited from the web.

Likewise, keep WordPress updated, update your plugins when new releases are made, and keep your theme updated. If there's a security hole that can be accessed from the web via one of those, and it can be exploited, assume that it will be and make sure you're doing your due diligence to prevent it.

...

There's a lot that goes into security. Simple things like the above are easy to manage, but you should also be checking your logs, checking failed logins, checking for software updates/upgrades, patching, etc. A lot happens very quickly in software development and when it comes to managing servers, it's all part of keeping up with it.

I like to use the Login Lockdown plugin. For .htaccess my go-to is: https://perishablepress.com/6g/

Also, I always change my wp-login.php to something different. You can google for various methods to do that. It is not hard, and keeps a lot of scripted hack attempts off your WordPress (which can crash your database).

Also:
set up a swap file.
set up regular backups of your WordPress database and files (I use DO volumes to backup everything...then unmount the volume when not in use)

Hi @Areku

Let's break it down :-)

Let's Encrypt - will only give protection against man-in-the-middle attacks, where someone sniffs the username/password when you for instance log in from a public connection like the local coffee shop.
But it's very important to protect against that - and it comes with extra features such as http/2 and better SEO.

Firewall - will only allow access to whatever ports you've allowed. This is important to ensure you don't accidentally have your database available from the outside.
You can enhance the firewall by actively monitoring the log files with something like fail2ban which blocks multiple login failures.
https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-with-fail2ban-on-ubuntu-14-04
Instead of using the plugin WP fail2ban please consider WP Fail2Ban Redux

Up-to-date - keeping both plugins and themes, but also Ubuntu up-to-date is probably the thing that will keep you most secure. And avoid plugins/themes that have not been updated for a long time.

WordFence - will give you extra security, but fail2ban will help with some of the most critical parts, which is brute-force login attacks.

+Passwords - remember to have unique, strong, long passwords. And use public keys for SSH and the like if possible.

+Backup - have multiple backups (in multiple locations) and check that they actually work. This is probably the best security you can have.

  • @hansen - Hello! Thanks for caring!

    I successfully installed Fail2Ban following this tutorial: https://ubuntu101.co.za/security/fail2ban/fail2ban-persistent-bans-ubuntu/

    I didn't test it (I would need further guidance, I am afraid of locking myself out), but at least it is running without errors. I also installed the sendmail of the tutorial you mentioned in your message.

    And I installed the WP-Fail2ban-Redux. My doubts are:

    1) I have two WP sites running in my server. For my second site, I just need to rename the config/filters/wordpress-hard.conf file? Like, wordpress-hard-1.conf and make a new jail in the jail.local file? (well, making the same procedures as I did in the first site?).

    2) Can we test if sendmail is working?

    3) There is no such thing as a 'panel' for wp-fail2ban-redux, so that we can see it is running all right?

    Thanks a lot!

    • @Areku

      1. No, you only need one wordpress-hard.conf - because it's the same thing it does. You don't even need to create a new jail, since the jail configuration isn't related to the domain. It is required to install the plugin on all sites though.

      2. How much bantime have you defined for your jail? If it's 600 (which is in seconds, meaning 10 minutes), then you try to log in with wrong logins until you get banned (probably 3-5 failed logins should do it).

      3. There is no panel or user interface for this plugin, because all the real actions are handled by fail2ban. You can view the log /var/log/auth.log for any WordPress failed logins. And watch the fail2ban log /var/log/fail2ban.log for any actions.
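The reply above makes two points worth seeing in code: one filter and one jail cover every WordPress site on the box because fail2ban counts failures per IP, and the only "panel" is the log itself. The script below is an added example, not fail2ban's own code nor the plugin's: it replays constructed /var/log/auth.log lines (the message format is an assumption modelled on what the WordPress-to-syslog plugins emit, not copied from any shipped filter) and applies the jail's maxretry/findtime/bantime logic the way fail2ban does, so you can check what a given bantime and maxretry would do before testing with real failed logins.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log lines covering two WordPress sites
# plus an unrelated sshd line. Format is assumed, not taken from the plugin.
SAMPLE_AUTH_LOG = """\
Apr 11 10:00:01 droplet wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.7
Apr 11 10:00:09 droplet wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.7
Apr 11 10:00:15 droplet sshd[999]: Accepted publickey for deploy from 198.51.100.2 port 51234 ssh2
Apr 11 10:00:21 droplet wordpress(example.com)[1234]: Authentication attempt for unknown user root from 203.0.113.7
Apr 11 10:00:30 droplet wordpress(blog.example.org)[1300]: Authentication failure for editor from 198.51.100.9
Apr 11 10:12:45 droplet wordpress(example.com)[1234]: Authentication failure for admin from 198.51.100.9
"""

# Both a wrong password and an unknown user count as a failure (assumed format).
FAILURE_RE = re.compile(
    r"wordpress\((?P<site>[^)]*)\)\[\d+\]: Authentication "
    r"(?:failure for|attempt for unknown user) \S+ from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text, year=2017):
    """Return (timestamp, ip, site) for every WordPress login failure.
    syslog lines carry no year, so the caller supplies it (2017 assumed)."""
    found = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        found.append((ts, m.group("ip"), m.group("site")))
    return found


def find_bans(log_text, maxretry=3, findtime=600, bantime=600, year=2017):
    """Replay the log the way a fail2ban jail would: ban an IP once it has
    `maxretry` failures inside any `findtime`-second window, then ignore it
    for `bantime` seconds. Failures are counted per IP across all sites,
    which is why one jail and one filter serve every WordPress install."""
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    banned_until = {}             # ip -> when its current ban expires
    bans = []                     # (ip, ISO timestamp of the ban action)
    for ts, ip, _site in parse_failures(log_text, year):
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already banned; fail2ban would not see it
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry:
            bans.append((ip, ts.isoformat()))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
    return bans


if __name__ == "__main__":
    for ts, ip, site in parse_failures(SAMPLE_AUTH_LOG):
        print(f"{ts:%H:%M:%S} failure from {ip} on {site}")
    for ip, when in find_bans(SAMPLE_AUTH_LOG):
        print(f"BAN {ip} at {when}")
```

With the defaults (three failures inside ten minutes) only 203.0.113.7 is banned; 198.51.100.9 has two failures spread more than findtime apart, so its window never fills. Lowering maxretry to 2 and widening findtime catches it as well, which is the kind of trade-off to settle before pointing the jail at production logs.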

Hey, @hansen, @jtittle, @sierracircle

Thanks for your contribution. I'll study them and come back for any doubts I may encounter.

All the best!
