This is the second part of our Hardening Rackspace Cloud Server series of guides. There are some relatively unknown points which need care to get fixed. We started with Hardening Rackspace Cloud Server for WordPress Part 1, and obviously some points are also in the full step-by-step guide to Install WordPress on Ubuntu 13.10 on Rackspace. For any kind of website, keep this in mind: do not run tests on your site through relatively unknown websites offering free tools. None of us has a very well known domain; listing ourselves there can expose us to dangers!
Hardening Rackspace Cloud Server for WordPress : Users and Access Restriction
Normally, some firewall software is installed, be it iptables or ufw (Uncomplicated Firewall). The root user's account should be blocked from logging in over SSH on port 22 and a custom username should be used instead. These files of WordPress are known to be dangerous and are often a point of security breach:
When we run the script to install WordPress, wp-config-sample.php remains. It should be deleted or moved up to some folder that is not publicly accessible. Point your browser at our readme.html file to see how such a file should be handled.
So, the first part is that we have blocked access from Apache's settings file; usually people do it from .htaccess. But people can actually read your .htaccess. How can people read it? Via a compromised WordPress plugin. If your WordPress is at /var/www, you should change the permission and ownership:
sudo chown root:root /var/www/.htaccess
sudo chmod 400 /var/www/.htaccess
sudo chgrp root /var/www/.htaccess
Note that the chgrp line is redundant once chown root:root has run, and that with root ownership and mode 400 the Apache worker process (www-data) can no longer read the file either: directives in it will not apply, and Apache will refuse requests for that directory unless AllowOverride is None there, so keep the deny rules in Apache's own configuration as described above. Also, chgrp becomes chirp through autocorrection on a Mac. A reader tried the chirp command many times on an older guide and eventually got quite angry: "All your commands are running properly but chirp is not running."
So, the known vulnerable files should be blocked in both ways: from Apache's configuration and from .htaccess.
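As an added example (not part of the original guide), the following POSIX shell function audits a WordPress document root for the two leftover files named above and for a world-readable .htaccess, so the hardening steps can be re-checked after every update. The document root is passed as the first argument; the constructed usage at the bottom assumes /var/www, as in the guide.

```shell
#!/bin/sh
# Added example, not from the original guide: audit a WordPress docroot for the
# leftover files the guide names (wp-config-sample.php, readme.html) and for an
# .htaccess that any local user, such as a compromised plugin, could read.
# Assumption: the docroot path is the first argument.

# wp_audit DOCROOT -> prints one line per finding; returns 0 only when clean
wp_audit() {
    docroot="$1"
    findings=0
    for f in wp-config-sample.php readme.html; do
        if [ -e "$docroot/$f" ]; then
            echo "LEFTOVER: $docroot/$f still exists; delete it or move it outside the docroot"
            findings=$((findings + 1))
        fi
    done
    if [ -e "$docroot/.htaccess" ]; then
        # Octal mode such as 644; stat -c is GNU coreutils, stat -f is BSD/macOS
        mode=$(stat -c '%a' "$docroot/.htaccess" 2>/dev/null || stat -f '%Lp' "$docroot/.htaccess")
        # The last octal digit holds the "other" bits; read is bit 4
        other=$(printf '%s' "$mode" | tail -c 1)
        if [ $((other & 4)) -ne 0 ]; then
            echo "WORLD-READABLE: $docroot/.htaccess has mode $mode"
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}

# Usage: sh wp_audit.sh /var/www   (exit status 1 means something was found)
if [ "$#" -gt 0 ]; then
    wp_audit "$1"
fi
```

Run it from cron or after each WordPress upgrade; a non-zero exit status is the signal to act on, and the printed lines say what to fix.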
But you received a custom error document, right? It is actually quite easy to set from .htaccess:
# within the block for WordPress pretty permalinks
ErrorDocument 403 /403.html
# the Unix path of this new 403.html is /var/www/403.html when
# your WordPress is at /var/www
There is actually a tracking script too. If someone probes too much, you add the IP to the ban list (consider using some software on the server to automate this).
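As an added example (not the guide's own tracking script), here is a minimal version of that tracking idea in POSIX shell and awk: it counts the 403 responses per client IP in an Apache combined-format access log and prints the IPs that exceed a threshold, which are the candidates for the ban list. The log lines below are constructed for the demo, and the threshold argument and the function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: list client IPs that collected
# more than THRESHOLD 403 responses, as candidates for the ban list.
# Assumptions: Apache "combined" log format (field 1 = client IP, field 9 =
# HTTP status); the threshold is the second argument and defaults to 3.

# ban_candidates LOGFILE [THRESHOLD] -> prints "IP COUNT" lines, highest count first
ban_candidates() {
    logfile="$1"
    threshold="${2:-3}"
    awk -v t="$threshold" '$9 == 403 { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) printf "%s %d\n", ip, n[ip] }' "$logfile" \
        | sort -k2,2nr
}

# Constructed sample log: 203.0.113.5 keeps probing the blocked files,
# 198.51.100.9 hits one blocked file once, which an ordinary visitor might do.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "GET /readme.html HTTP/1.1" 403 210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:02 +0000] "GET /wp-config-sample.php HTTP/1.1" 403 210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:03 +0000] "GET /.htaccess HTTP/1.1" 403 210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:04 +0000] "GET /readme.html HTTP/1.1" 403 210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2014:10:01:00 +0000] "GET /readme.html HTTP/1.1" 403 210 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2014:10:01:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF

# Usage: ban_candidates /var/log/apache2/access.log 3
ban_candidates "$SAMPLE_LOG" 3   # prints: 203.0.113.5 4
```

The threshold is what separates a visitor who mistyped one URL from a scanner walking through the blocked files; feed the output to whatever ban mechanism you run on the server rather than acting on a single 403.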
Hardening Rackspace Cloud Server for WordPress : No Third Party Content Policy
Content means the static files. You must not use a community version of some CDN to save the $1/month charge of Cloud Files. We need to use Google's things where we are forced to, but try to use them as little as possible. Google's CDN and servers are of very poor quality; obviously, to someone using a $3/month shared server, Google's CDN appears blazing fast, but we have a much faster, actually the fastest, CDN: Cloud Files. It is Akamai's edge server; from IBM to Microsoft, all are clients of Akamai. Plus, Google is quite efficient at spyware activities.
Never use any other Cloud DNS than Rackspace's; there is no need. Increase the TTL to around 2 days to encourage DNS caching. If the TTL is set to 2 days, then even if someone changes your DNS, the content will still be served from your server for many hours. A 5 minute TTL is for testing purposes.
For PHP, there is a patch named the Suhosin patch. It is easy to install:
# Download Suhosin, cd to that directory, build and install the extension
echo 'extension=suhosin.so' > /etc/php.d/suhosin.ini
# /etc/php.d/ is the RHEL/CentOS ini directory; on Ubuntu use the one listed by: php --ini
sudo service apache2 restart
Check with php -v; its output should include a line like: with Suhosin v0.9.35-dev, Copyright (c) 2007-2014, by SektionEins GmbH
We have covered almost all the common tricks used for Hardening Rackspace Cloud Server for WordPress. There might be one or two isolated tips, which will be linked from these two articles.