I would like to ask some questions about the WordPress One-Click Install on DigitalOcean. The website I am moving to this droplet gets around 800 daily users so I want to make sure it can handle the load and be secure.
Out of the box, is the default security enough or does more need to be done?
Why does it install Ubuntu 20.04.5 LTS and not Ubuntu 22.04.1 LTS? Should I upgrade to Ubuntu 22.04.1 LTS? Are there benefits? Speed? Security?
Should any additional Fail2Ban filters be enabled? Currently only the defaults are enabled -
```
# fail2ban-client status
Status
|- Number of jail:      3
`- Jail list:   sshd, wordpress-hard, wordpress-soft
```
Fail2Ban has 90 filters available, so shouldn't more be used? For example, is it recommended to enable the php-url-fopen.conf filter, or any others?
Would you recommend renaming the WordPress admin login wp-login.php? Would this make the wordpress-hard and wordpress-soft filters redundant?
I understand that the fewer Fail2Ban filters enabled, the less resource-intensive it will be. I would like to find a good balance but lean more towards security over performance.
On the WordPress Fail2Ban settings page it says -
> Note: The Free version of WP fail2ban is configured by defining constants in wp-config.php
When I look in wp-config.php I don't see any F2B constants added. Should they be? Should I add some?
The WP Fail2Ban docs say -
> You should consider enabling Comment: Spam and Attempted Comment: Closed post, and, if you don't use WordPress's commenting system at all, you should enable all the Attempted Comment Events.
source: https://docs.wp-fail2ban.com/en/5.0/configuration/logging.html
I haven't got comments enabled on this website, so should I add the following to wp-config.php -
```php
include __DIR__.'/wp-content/plugins/wp-fail2ban/lib/constants.php';

/**
 * Log comment attempts on missing, trashed, closed, draft and password-protected posts
 */
define('WP_FAIL2BAN_LOG_COMMENTS_EXTRA',
    WPF2B_EVENT_COMMENT_NOT_FOUND | WPF2B_EVENT_COMMENT_TRASH |
    WPF2B_EVENT_COMMENT_CLOSED | WPF2B_EVENT_COMMENT_DRAFT | WPF2B_EVENT_COMMENT_PASSWORD);
```
Also, I noticed that when I log into the droplet over SSH I get this message -
> - The must-use WordPress security plugin, fail2ban, is located at /var/www/html/wp-content/mu-plugins/fail2ban.php
I don't have a /mu-plugins/ folder, just /plugins/.
Is the WordFence plugin overkill?
Would I be right in thinking mod_security isn’t needed because UFW is enabled?
Should any of the UFW settings be adjusted, or is the out-of-the-box configuration sufficient?
When it comes to file permissions, I followed part of this guide so WordPress can automatically update via www-data - https://devanswers.co/configure-sftp-web-server-document-root/
I've added this to wp-config.php so WordPress can auto-update without needing to do it via FTP -
```php
define('FS_METHOD', 'direct');
define('WP_AUTO_UPDATE_CORE', true);
```
I've added these security headers to /etc/apache2/apache2.conf -
```apache
# Add Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header set X-Content-Type-Options nosniff
Header always set Referrer-Policy "same-origin"
# Set once: a preceding "Header always append X-Frame-Options SAMEORIGIN" would be replaced by this "set"
Header always set X-Frame-Options "DENY"
Header set X-Permitted-Cross-Domain-Policies "none"
# Every feature value must be fully quoted ('none'), otherwise the policy is malformed
Header always set Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none';"
</IfModule>
```
Will the website cope with this traffic, or should the Apache workers be increased? If yes, where are these settings located? On my other droplet they are in /etc/apache2/mods-available/http2.conf, but on this new droplet I can't find them. Is it because this droplet is shared? I plan to resize to this dedicated droplet: CPU-Optimized, Dedicated CPU, 2 vCPUs, 4 GB, 25 GB, 4 TB, $42/mo. The current droplet is shared: 1 GB Memory / 1 Intel vCPU / 25 GB Disk.
These are the Apache worker settings on the other dedicated droplet -
```apache
ServerLimit 1200
# MaxClients is the pre-2.4 name; Apache 2.4 calls this MaxRequestWorkers and still accepts the old name
MaxClients 1200
# MaxRequestsPerChild is the pre-2.4 name for MaxConnectionsPerChild
MaxRequestsPerChild 8000
```
I was thinking about trying the OpenLiteSpeed WordPress 1-Click as it is supposed to be 300+ faster. Does this help get a higher score on Google PageSpeed?
If anyone can recommend any improvements, I would really appreciate the advice.
Thank you for taking time to read my post!
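The difference between the wordpress-hard and wordpress-soft jails asked about above comes down to how Fail2Ban counts filter matches per source address. The following is an added example, not code from the post, from wp-fail2ban or from Fail2Ban itself: it replays constructed syslog lines in the shape wp-fail2ban writes to the auth facility through two assumed jail definitions (hard: ban on one match; soft: three matches within 600 s) and reports the resulting bans. The regexes, jail numbers, hostnames and IP addresses are all assumptions for illustration; the real jails read /var/log/auth.log with the filter files shipped by the plugin.

```python
"""Added example: replay how a Fail2Ban jail turns wp-fail2ban log lines into bans.
Not code from the post, wp-fail2ban or Fail2Ban; log lines, regexes and jail
settings are constructed for illustration only."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog lines in the shape wp-fail2ban writes to the auth facility.
SAMPLE_LOG = """\
Nov 10 12:00:01 web wordpress(example.com)[1412]: Authentication attempt for unknown user admin from 203.0.113.5
Nov 10 12:00:03 web wordpress(example.com)[1412]: Authentication attempt for unknown user admin from 203.0.113.5
Nov 10 12:00:09 web wordpress(example.com)[1413]: Authentication failure for editor from 198.51.100.7
Nov 10 12:00:20 web wordpress(example.com)[1413]: Authentication failure for editor from 198.51.100.7
Nov 10 12:00:31 web wordpress(example.com)[1414]: Authentication failure for editor from 198.51.100.7
Nov 10 12:05:00 web wordpress(example.com)[1415]: Blocked user enumeration attempt from 192.0.2.9
Nov 10 12:06:00 web wordpress(example.com)[1416]: Comment post not found 17 from 192.0.2.44
"""

# Stand-in for Fail2Ban's <HOST> placeholder (IPv4 only, to keep the example short).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Assumed jail settings: hard = ban on one match, soft = three matches within 10 minutes.
JAILS = {
    "wordpress-hard": {
        "maxretry": 1, "findtime": 600, "bantime": 86400,
        "failregex": [
            rf"Authentication attempt for unknown user .* from {HOST}$",
            rf"Blocked user enumeration attempt from {HOST}$",
        ],
    },
    "wordpress-soft": {
        "maxretry": 3, "findtime": 600, "bantime": 600,
        "failregex": [rf"Authentication failure for .* from {HOST}$"],
    },
}

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ts(line):
    """Syslog timestamps carry no year; only the deltas matter here."""
    return datetime.strptime(TS_RE.match(line).group("ts"), "%b %d %H:%M:%S")


def run_jail(cfg, log_text):
    """Replay one jail over the log: a per-host sliding window of matches within
    findtime, a ban once the window holds maxretry matches, and no further counting
    for a host while its ban is active. Returns [(host, ban_timestamp), ...]."""
    patterns = [re.compile(p) for p in cfg["failregex"]]
    window = defaultdict(deque)   # host -> timestamps of recent matches
    banned_until = {}             # host -> datetime the ban expires
    decisions = []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        for pat in patterns:
            m = pat.search(line)
            if not m:
                continue
            host = m.group("host")
            if ts < banned_until.get(host, ts):
                break                       # already banned: nothing to count
            hits = window[host]
            hits.append(ts)
            while (ts - hits[0]).total_seconds() > cfg["findtime"]:
                hits.popleft()              # drop matches older than findtime
            if len(hits) >= cfg["maxretry"]:
                decisions.append((host, ts))
                banned_until[host] = ts + timedelta(seconds=cfg["bantime"])
                hits.clear()
            break                           # one failregex hit per line
    return decisions


def run_all(log_text=SAMPLE_LOG):
    """Run every jail and return {jail_name: [(host, ban_timestamp), ...]}."""
    return {name: run_jail(cfg, log_text) for name, cfg in JAILS.items()}


if __name__ == "__main__":
    for jail, bans in run_all().items():
        for host, ts in bans:
            print(f"{jail}: ban {host} at {ts:%H:%M:%S}")
```

Running it bans 203.0.113.5 and 192.0.2.9 under the hard jail on their first match, while 198.51.100.7 is only banned by the soft jail after its third failure at 12:00:31; the "Comment post not found" line matches neither jail, which is the kind of event the WP_FAIL2BAN_LOG_COMMENTS_EXTRA constants exist to surface.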
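For the mod_headers block posted above, the question a practitioner asks is what the browser actually receives once Apache has applied every directive in order. The following is an added example, not code from the post or from Apache: a small linter that replays Header directives the way mod_headers does (separate onsuccess and always tables; set replaces, append joins with ", ") and then checks the outcome against common expectations. The configuration it runs on is a constructed, shortened copy of the posted block (including its duplicated X-Frame-Options and the unclosed quote in the Feature-Policy value); env= and expr= conditions are parsed but ignored, i.e. an HTTPS 2xx response is assumed.

```python
"""Added example: replay an Apache mod_headers block and lint the result.
Not code from the post or from Apache; the directives below are a constructed copy."""
import re
import shlex

SAMPLE_CONF = '''\
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header always set Referrer-Policy "same-origin"
Header always set X-Frame-Options "DENY"
Header set X-Permitted-Cross-Domain-Policies "none"
Header always set Feature-Policy "geolocation 'none'; midi 'none; camera 'none'"
</IfModule>
'''

HEADER_RE = re.compile(r"^\s*Header\s+(.*)$", re.IGNORECASE)


def replay(conf_text):
    """Apply the directives in order. Returns ({table: {name: value}}, findings),
    where findings list directives whose effect is thrown away by a later 'set'."""
    tables = {"onsuccess": {}, "always": {}}
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if not m:
            continue
        args = shlex.split(m.group(1))          # Apache quoting is close enough to shell quoting here
        table = args.pop(0).lower() if args[0].lower() in tables else "onsuccess"
        action, name, *rest = args
        value = rest[0] if rest else ""         # anything after the value is a condition, ignored
        key, tbl = name.lower(), tables[table]  # header names are case-insensitive
        action = action.lower()
        if action == "set":
            if key in tbl and tbl[key] != value:
                findings.append(f"line {lineno}: {name} 'set' to {value!r} discards earlier "
                                f"{tbl[key]!r} in the {table} table; the earlier directive is dead")
            tbl[key] = value
        elif action in ("append", "merge"):
            tbl[key] = f"{tbl[key]}, {value}" if key in tbl else value
        elif action == "unset":
            tbl.pop(key, None)
        else:
            findings.append(f"line {lineno}: action {action!r} is not modelled by this linter")
    return tables, findings


def check(tables):
    """Policy checks on the replayed result (both tables are emitted on a 2xx response)."""
    seen = {}
    for tbl in tables.values():
        for key, value in tbl.items():
            seen.setdefault(key, []).append(value)
    problems = []
    hsts = re.search(r"max-age=(\d+)", seen.get("strict-transport-security", [""])[0])
    if not hsts or int(hsts.group(1)) < 31536000:
        problems.append("Strict-Transport-Security missing or max-age below one year")
    if seen.get("x-content-type-options", [""])[0].lower() != "nosniff":
        problems.append("X-Content-Type-Options should be 'nosniff'")
    xfo = {v.upper() for v in seen.get("x-frame-options", [])}
    if len(xfo) != 1 or not xfo <= {"DENY", "SAMEORIGIN"}:
        problems.append(f"X-Frame-Options should be exactly one of DENY/SAMEORIGIN, got {sorted(xfo)}")
    for key in ("feature-policy", "permissions-policy"):
        for v in seen.get(key, []):
            if v.count("'") % 2:
                problems.append(f"{key.title()} has an unbalanced single quote: {v!r}")
    if "feature-policy" in seen and "permissions-policy" not in seen:
        problems.append("Feature-Policy is the legacy header name; current browsers read Permissions-Policy")
    if "x-xss-protection" in seen:
        problems.append("X-XSS-Protection is obsolete; most current browsers ignore it and it is normally omitted")
    return problems


if __name__ == "__main__":
    tables, findings = replay(SAMPLE_CONF)
    for f in findings + check(tables):
        print(f)
```

On the constructed copy the replay shows the always-table X-Frame-Options ending up as DENY with the earlier append SAMEORIGIN reported as dead, and the check flags the odd number of single quotes in the Feature-Policy value; HSTS, nosniff and the final X-Frame-Options pass. Real configs also need `apachectl configtest` and a look at the live response with `curl -sI https://your-host/`, which this offline example does not replace.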