Best WordPress security

(Skip this if you are on shared hosting.) In this tutorial I will introduce OS-level protection, which is the first and most important layer when you want to protect your WordPress website.


The best WordPress security is the one you implement without installing plugins. 🙂
OS level security can protect WordPress better than any plugin.
ModSecurity runs before the request reaches PHP, which means WordPress will not even know that anything happened.

Dependencies:

  1. VPS (I host my website on GCP – Ubuntu 18.04 LTS, running CyberPanel, which is based on OpenLiteSpeed)
  2. SSH access
  3. glass of water (in case you get thirsty)

CyberPanel provides everything you need out of the box. All you need to do is ‘activate’ the security features.

Let’s GO

  1. To protect your website(s), first install and enable the CSF firewall.
  2. Then install and activate ModSecurity,
  3. and finally enable the OWASP ModSecurity rules pack.
[Screenshot: INSTALL and turn it ON]

Then…

[Screenshot: INSTALL and turn it ON]

Then…

Finally, enable the OWASP rules (or the COMODO rule set).

In case CSF shuts itself off every time you refresh/revisit its settings, I suggest re-installing it: just click ‘completely remove’ and then ‘install’ again.

After you make sure everything works, visit “ConfigServer Services”, which can be found at the very bottom of the main navigation pane. From there you have all the options to configure and control what is happening on your server, security-wise.

Additional steps

There are security steps which you get as recommendations to make your server/website even safer. One of them is very important: make sure you adjust the SYSLOG_CHECK option and set it to, e.g., 600. You can do that through the pane mentioned above. When you set a number for it, hit ‘Enter’, which will ask you to restart CSF. Do that!

Check what suggestions you get from CSF and fix them if you like.

After that you should make a SWAP file. Swap is super important for server stability. To do that just follow this set of commands.

Type the following command to create a 3GB swap file (3072 MB × 1024 = 3145728 blocks of 1024 bytes):

dd if=/dev/zero of=/swapfile1 bs=1024 count=3145728

The output should look something like this:

3145728+0 records in
3145728+0 records out
3221225472 bytes (3.2 GB, 3.0 GiB) copied, 81.4183 s, 39.6 MB/s

Then we must secure this file. By entering the following commands you make sure that only the root user can read and write to it:

chown root:root /swapfile1
chmod 0600 /swapfile1

Set up a Linux swap area in a file:

mkswap /swapfile1

Sample output:

Setting up swapspace version 1, size = 3 GiB (3221221376 bytes)
no label, UUID=3b006f27-9ba4-497e-b6de-a798d1c4f7f2

To activate /swapfile1 swap space immediately, enter this:

swapon /swapfile1

IMPORTANT

To activate /swapfile1 after a Linux system reboot, add an entry to the /etc/fstab file. Open this file using a text editor such as nano:

nano /etc/fstab

With the file open, add this line at the bottom of the file:

/swapfile1 none swap sw 0 0

Press Ctrl + X, then Y, and then hit ‘Enter’ to save the file.
Next time when your server restarts, it will enable the new swap file automatically.

To verify the swap is working:

free -m
              total        used        free      shared  buff/cache   available
Mem:           1687         522         167          33         997         955
Swap:          3071           0        3071
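The swap steps above collected into one script, as an added example that is not part of the original post. It assumes a POSIX shell with GNU coreutils and util-linux; the swap path, size and fstab path default to the tutorial's values and can be overridden via environment variables. Unlike the one-off commands, it refuses to overwrite an existing /swapfile1, adds the fstab line only once, and confirms the kernel picked the swap up.

```shell
#!/bin/sh
# Added example: dd, chown/chmod 0600, mkswap, swapon and the /etc/fstab entry
# from the tutorial, made idempotent. Privileged steps run only with "run".
set -eu

SWAP_FILE=${SWAP_FILE:-/swapfile1}   # tutorial's path
SWAP_MB=${SWAP_MB:-3072}             # 3 GB, as in the tutorial
FSTAB=${FSTAB:-/etc/fstab}

# Number of 1024-byte blocks dd needs for a size in MB: 3072 -> 3145728
swap_blocks_for_mb() {
    echo $(( $1 * 1024 ))
}

# The exact line the tutorial appends to /etc/fstab.
fstab_line() {
    echo "$1 none swap sw 0 0"
}

# Returns 0 if the fstab file ($1) already has an entry whose first field is $2.
fstab_has_entry() {
    awk -v f="$2" '$1 == f { found = 1 } END { exit !found }' "$1"
}

# Append the entry to fstab ($1) for swap file ($2) only if it is not there yet,
# so running the script twice does not produce a duplicate line.
ensure_fstab_entry() {
    if fstab_has_entry "$1" "$2"; then
        return 0
    fi
    fstab_line "$2" >> "$1"
}

# Create, lock down and activate the swap file; never clobbers an existing file.
create_swap() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "create_swap must run as root" >&2; return 1
    fi
    if [ -e "$SWAP_FILE" ]; then
        echo "$SWAP_FILE already exists, not overwriting" >&2; return 1
    fi
    dd if=/dev/zero of="$SWAP_FILE" bs=1024 count="$(swap_blocks_for_mb "$SWAP_MB")"
    chown root:root "$SWAP_FILE"      # only root may read or write the swap file
    chmod 0600 "$SWAP_FILE"           # mkswap warns if the mode is wider than this
    mkswap "$SWAP_FILE"
    swapon "$SWAP_FILE"
    ensure_fstab_entry "$FSTAB" "$SWAP_FILE"
    grep -q "^$SWAP_FILE[[:space:]]" /proc/swaps   # verify the kernel activated it
}

if [ "${1:-}" = run ]; then create_swap; fi
```

Run it as root with `sh swap.sh run`; without the argument it only defines the functions, so it can be sourced and checked safely.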

Finito.
