DigitalOcean Kubernetes: new control plane is faster and free, enable HA for 99.95% uptime SLA

Question

Security measures

Hi!

I have taken the basic security measures concerning my droplet. Let’sencrypt, Firewall and also for updates and installations in Wordpress. A plugin like Wordfence is still needed after that?

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

Sign up now

Jonathan TittleApril 11, 2017

@Areku

On DigitalOcean, skip swap. On solid-state hard drives it can actually cause more harm than good. Instead of swap, you need to more effectively manage your RAM usage (if it’s an issue) or upgrade RAM.

On a LEMP Stack (NGINX, MySQL/MariaDB, and PHP-FPM), the majority of your RAM is going to be consumed by MySQL/MariaDB, so that’s where I’d look first unless you’re not caching anything, then you may also see PHP consuming quite a bit (in medium-high traffic scenarios). NGINX doesn’t use RAM like Apache does as NGINX is effectively offloading the processing to PHP-FPM using FastCGI.

SSL

In terms of security, start with SSL and make sure it covers your site from endpoint to endpoint. Make sure requests on port 80 are redirected to 443, thus ensuring SSL is used in all instances.

Passwords

There’s two main types of passwords that should be used – completely random or phrases.

The degree of randomness is only limited to what you’re application accepts. While most will accept special characters, some won’t. For example, a good random password, in my eyes, would look like:

i40CTTeyybTVh9KwoBMBIbYOlmM1ihjPDBloyyEQQhIHyhEClS39yg0QJv8T102

or

nM`1p&91>3vlv^7,maL&IjWi9',TGp#?v+f[Q2S}eLTMa5JPAGcsb3Vy>~^+V3Q

or

3D64B7B214061748CBDA8DCD3DDDC08151C92A869727DEAA93529EA584812BC6

Compliments of https://www.grc.com/passwords.htm

Now, unless you use a Password Manager, those passwords are going to be impossible to remember. If you use one of those for a root password and forget it, you’ll be loading from recovery or starting from scratch, so be careful.

On the flip side, random phrases are easier to remember and provide relatively high security, when used correctly.

For example, we could use a phrase such as:

complete-government-northern-building-glossary-surprise-DIRECTION-QUESTIONS

This was randomly generated compliments of https://xkpasswd.net. Now, that is a little easier to remember in terms of remembering words instead of completely random characters.

It’s your choice which to use, but at minimum, I’d recommend 4-6 words on the phrases and at least 32-64 characters on random passwords. Switching case (upper and lower) is advised. Adding in extra characters where you feel is needed is also advised (i.e. I would use - then -- then -_- so that the phrase isn’t using the same separator each time).

The biggest issue here is making sure that your users are doing the same, especially those who may have any sort of elevated rights, whether server or application. If they aren’t, they are now the weakest link in your security chain.

Server

Always use a firewall. Since you’re using Ubuntu, I’d recommend setting up default deny policies and then only allowing the ports you want to allow access on in.

For example, let’s make sure ufw is disabled (i.e. off).

ufw disable

Now let’s reset it (delete all existing rules):

ufw reset

Now let’s set default policies – don’t worry, they won’t take effect until you turn ufw back on, so you won’t be blocked by running these commands.

ufw default deny incoming

ufw default allow outgoing

Now let’s allow in ports that we know we need to allow access on. For you, we need SSH, HTTP, and HTTPS.

ufw allow 22/tcp

ufw allow 80/tcp

ufw allow 443/tcp

Now you can connect over SSH using Port 22 (default port) and accept both HTTP and HTTPS requests. So let’s turn ufw back on.

ufw enable

Confirm you want to enable ufw and boom, that part is done. You now have a working firewall that will allow outgoing connections (which are needed to update/upgrade software from repos) and will only allow incoming connections on 22, 80, and 443.

Beyond the firewall, software such as Fail2Ban can be helpful, but it can be a pain to setup and also manage. It’s definitely not a bad solution though, just make sure you read over how to set it up and how to use it. If you don’t make use of it and “just let it run” without monitoring, it’s useless (as is the case with most things).

Beyond a firewall and similar solutions, keep things up to date. When a new version of NGINX, PHP, MySQL/MariaDB is released and the intent is to patch flaws in the software, make sure you update. A firewall and similar won’t protect you from issues that can be exploited from the web.

Likewise, keep WordPress updated, update your plugins when new releases are made, and keep your theme updated. If there’s a security hole that can accessed from the web via one of those, and it can be exploited, assume that it will be and make sure you’re doing your due diligence to prevent it.

There’s a lot that goes in to security. Simple things like the above are easy to manage, but you should also be checking your logs, checking failed logins, checking for software updates/upgrades, patching, etc. A lot happens very quickly in software development and when it comes to managing servers, it’s all part of keeping up with it.

Flamber HansenApril 11, 2017

Hi @Areku

Let’s break it down :-)

Let’s Encrypt - will only give protection against man-in-the-middle attacks, where someone sniffs the username/password when you for instance login from a public connection like the local coffee shop. But it’s very important to protect against that - and it comes with extra features such as http/2 and better SEO.

Firewall - will only allow access to whatever ports you’ve allowed. This is important to ensure you don’t accidentally have your database available from the outside. You can enhance the firewall by actively monitoring the log files with something like fail2ban which blocks multiple login failures. https://www.digitalocean.com/community/tutorials/how-to-protect-wordpress-with-fail2ban-on-ubuntu-14-04 Instead of using the plugin WP fail2ban please consider WP Fail2Ban Redux

Up-to-date - keeping both plugins and themes, but also Ubuntu up-to-date is probably the thing that will keep you most secure. And avoid plugins/themes that has not been updated for a long time.

WordFence - will give you extra security, but fail2ban will help with some of the most critical part, which is brute-force login attacks.

+Passwords - remember to have unique, strong, long passwords. And use public keys for SSH and the like if possible.

+Backup - have multiple backups (in multiple locations) and check that they actually work. This is probably the best security you can have.

Adam RobertsonApril 11, 2017

I like to use Login Lockdown plugin. for .htaccess my goto is: https://perishablepress.com/6g/

Also, I always change my wp-login.php to something different. You can google for various methods to do that. It is not hard, and keeps a lot of scripted hack attempts off your Wordpress (which can crash your database)

Also: set up a swap file. set up regular backups of your Wordpress database and files (I use DO volumes to backup everything…then unmount the volume when not in use)

Try DigitalOcean for free

Click below to sign up and get $100 of credit to try our products over 60 days!

Sign up