WordPress/Hardening
Hardening the security on WordPress should be taken seriously. With it being one of the most popular platforms out there, it becomes the most targeted.
Contents |
Secure Updates/Installations
performed on a Ubuntu 14.04LTS VM
Creating a new user
create a new user without a password. it will not be needed since we'll be using SSH keys. It should also be noted that without a password is appears that this user account cannot ssh if trying to use a password or leaving the password blank when asked.
type in the following command below and then hit ENTER through all the prompts
~$ sudo adduser wp-user
It will prompt you multiple times for the password, just keep hitting ENTER to bypass them until you get to the "Try Again" prompt and hit N for No
Enter new UNIX password: Retype new UNIX password: No password supplied Enter new UNIX password: Retype new UNIX password: No password supplied Enter new UNIX password: Retype new UNIX password: No password supplied passwd: Authentication token manipulation error passwd: password unchanged Try again? [y/N] n
Create ssh keys
~$ sudo su - wp-user ~$ ssh-keygen -t rsa -b 4096
when it prompts to ask where to save the key, use this:
/home/wp-user/wp_rsa
hit enter through the passphrase prompts
It should then confirm it has created the keys
Your identification has been saved in /home/wp-user/wp_rsa. Your public key has been saved in /home/wp-user/wp_rsa.pub
setting file/folder permissions for wp user
~$ sudo chown wp-user:www-data /home/wp-user/wp_rsa* ~$ sudo chmod 640 /home/wp-user/wp_rsa*
create .ssh folder and allow webserver to log in
~$ sudo mkdir /home/wp-user/.ssh ~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/ ~$ sudo chmod 700 /home/wp-user/.ssh/
copy public key created earlier so the user can log in and setup permissions
~$ sudo cp /home/wp-user/wp_rsa.pub /home/wp-user/.ssh/authorized_keys ~$ sudo chown wp-user:wp-user /home/wp-user/.ssh/authorized_keys ~$ sudo chmod 0644 /home/wp-user/.ssh/authorized_keys