WordPress/Hardening
Revision as of 02:22, 5 October 2014
Hardening WordPress should be taken seriously: being one of the most popular platforms out there makes it the most targeted.
Secure Updates/Installations
Performed on an Ubuntu 14.04 LTS VM.
Creating a new user
Create a new user without a password; one is not needed because we will be using SSH keys. Note that, with no password set, this account cannot log in over SSH using password authentication (whether a password is typed or left blank); only key-based login will work.
Type in the following command and hit ENTER through all the prompts:
~$ sudo adduser wp-user
It will prompt multiple times for a password; keep hitting ENTER to bypass them until you reach the "Try again?" prompt, then hit N for No.
Enter new UNIX password:
Retype new UNIX password:
No password supplied
Enter new UNIX password:
Retype new UNIX password:
No password supplied
Enter new UNIX password:
Retype new UNIX password:
No password supplied
passwd: Authentication token manipulation error
passwd: password unchanged
Try again? [y/N] n
Create SSH keys
~$ sudo su - wp-user
~$ ssh-keygen -t rsa -b 4096
When it asks where to save the key, use this:
/home/wp-user/wp_rsa
Hit ENTER through the passphrase prompts.
It should then confirm it has created the keys:
Your identification has been saved in /home/wp-user/wp_rsa.
Your public key has been saved in /home/wp-user/wp_rsa.pub
Setting file/folder permissions for wp-user
The private key is owned by wp-user but group-readable by www-data so that the web server can use it:
~$ sudo chown wp-user:www-data /home/wp-user/wp_rsa*
~$ sudo chmod 640 /home/wp-user/wp_rsa*
Create the .ssh folder so the web server can log in as this user:
~$ sudo mkdir /home/wp-user/.ssh
~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/
~$ sudo chmod 700 /home/wp-user/.ssh/
Copy the public key created earlier into authorized_keys so the user can log in, and set its permissions:
~$ sudo cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys
~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys
~$ sudo chmod 0644 /home/wp-user/.ssh/authorized_keys
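The steps above only succeed if every mode and owner is exactly right: sshd (with its default StrictModes) rejects keys in a group- or world-writable ~/.ssh, and a private key readable by the wrong group defeats the point of the 640 mode. The following audit script is an added example, not part of the original page, that re-checks the end state of the procedure. It assumes GNU stat (as shipped on Ubuntu), that the key was saved as wp_rsa under the home directory, and a hypothetical helper name check_wp_ssh_perms; it needs no root to run against a directory you can read.

```shell
#!/bin/sh
# Added audit example (not from the original page). Verifies that a WordPress
# SSH-update user's home directory matches the permissions set in the steps
# above. Assumes GNU stat. Prints each failure and returns 1 if any check fails.

# mode_is PATH OCTAL -> 0 when the file's permission bits equal OCTAL
mode_is() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = "$2" ]
}

# owner_is PATH USER GROUP -> 0 when owner and group match
owner_is() {
    [ "$(stat -c %U:%G "$1" 2>/dev/null)" = "$2:$3" ]
}

# check_wp_ssh_perms HOME USER USERGROUP WEBGROUP
#   HOME      home directory of the update user (e.g. /home/wp-user)
#   USER      the update user (wp-user)
#   USERGROUP the user's own group (wp-user)
#   WEBGROUP  the web server's group that may read the key (www-data)
check_wp_ssh_perms() {
    home=$1; user=$2; usergroup=$3; webgroup=$4; rc=0

    # Key pair: owner plus the web server group may read, nobody else
    # (chown wp-user:www-data, chmod 640 in the steps above)
    for f in "$home/wp_rsa" "$home/wp_rsa.pub"; do
        mode_is "$f" 640 || { echo "FAIL: $f mode should be 640"; rc=1; }
        owner_is "$f" "$user" "$webgroup" \
            || { echo "FAIL: $f owner should be $user:$webgroup"; rc=1; }
    done

    # ~/.ssh must be private to the user; sshd refuses group/world-writable dirs
    mode_is "$home/.ssh" 700 || { echo "FAIL: $home/.ssh mode should be 700"; rc=1; }
    owner_is "$home/.ssh" "$user" "$usergroup" \
        || { echo "FAIL: $home/.ssh owner should be $user:$usergroup"; rc=1; }

    # authorized_keys: owned by the user, writable only by the user
    ak="$home/.ssh/authorized_keys"
    mode_is "$ak" 644 || { echo "FAIL: $ak mode should be 644"; rc=1; }
    owner_is "$ak" "$user" "$usergroup" \
        || { echo "FAIL: $ak owner should be $user:$usergroup"; rc=1; }

    # authorized_keys should contain exactly the public key generated earlier
    [ "$(cat "$home/wp_rsa.pub" 2>/dev/null)" = "$(cat "$ak" 2>/dev/null)" ] \
        || { echo "FAIL: $ak does not match $home/wp_rsa.pub"; rc=1; }

    return $rc
}
```

After finishing the steps, run it as root on the real account with `check_wp_ssh_perms /home/wp-user wp-user wp-user www-data`; a zero exit code means every mode, owner and the key contents are as the procedure intends, and any FAIL line names the exact file to correct.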