WordPress/Hardening
| Line 39: | Line 39: | ||
~$ sudo cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys | ~$ sudo cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys | ||
~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys | ~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys | ||
| − | ~$ sudo chmod | + | ~$ sudo chmod 644 /home/wp-user/.ssh/authorized_keys |
| + | restrict the ssh key to only be able to used from the local machine | ||
| + | ~$ sudo vi /home/wp-user/.ssh/authorized_keys | ||
| + | Add the following at the beginning of the file | ||
| + | from="127.0.0.1" ssh-rsa... | ||
Revision as of 02:28, 5 October 2014
Hardening the security on WordPress should be taken seriously. With it being one of the most popular platforms out there, it becomes the most targeted.
Contents |
Secure Updates/Installations
performed on a Ubuntu 14.04LTS VM
Creating a new user
create a new user without a password. it will not be needed since we'll be using SSH keys. It should also be noted that without a password is appears that this user account cannot ssh if trying to use a password or leaving the password blank when asked.
type in the following command below and then hit ENTER through all the prompts
~$ sudo adduser wp-user
It will prompt you multiple times for the password, just keep hitting ENTER to bypass them until you get to the "Try Again" prompt and hit N for No
Enter new UNIX password: Retype new UNIX password: No password supplied Enter new UNIX password: Retype new UNIX password: No password supplied Enter new UNIX password: Retype new UNIX password: No password supplied passwd: Authentication token manipulation error passwd: password unchanged Try again? [y/N] n
Create ssh keys
~$ sudo su - wp-user ~$ ssh-keygen -t rsa -b 4096
when it prompts to ask where to save the key, use this:
/home/wp-user/wp_rsa
hit enter through the passphrase prompts
It should then confirm it has created the keys
Your identification has been saved in /home/wp-user/wp_rsa. Your public key has been saved in /home/wp-user/wp_rsa.pub
setting file/folder permissions for wp user
~$ sudo chown wp-user:www-data /home/wp-user/wp_rsa* ~$ sudo chmod 640 /home/wp-user/wp_rsa*
create .ssh folder and allow webserver to log in
~$ sudo mkdir /home/wp-user/.ssh ~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/ ~$ sudo chmod 700 /home/wp-user/.ssh/
copy public key created earlier so the user can log in and setup permissions
~$ sudo cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys ~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys ~$ sudo chmod 644 /home/wp-user/.ssh/authorized_keys
restrict the ssh key to only be able to used from the local machine
~$ sudo vi /home/wp-user/.ssh/authorized_keys Add the following at the beginning of the file from="127.0.0.1" ssh-rsa...
