{{tag>linux security wordpress}}

====== Server hardening ======

===== General tips =====

  * Check all open/listening ports on each server and make sure everything looks OK there (no unexpected services or connections, etc.)
  * Get the local user accounts on all servers
  * If SSH is enabled for remote management, I would disable password auth and switch to private key auth; if key auth is already in place, generate a new key
  * Check sudoers on all servers and make sure only the proper users/groups are in there
  * Check all groups (local/directory server) to make sure no accounts are hanging around from the old admin
  * Along with users/groups, disable/remove any test/dummy accounts in case someone is using one as a back way in
  * On Linode, check the access settings to make sure there aren't any rules allowing management from anywhere (or from non-company locations)
  * On Linode, make sure only appropriate users have access to the account

===== WordPress =====

  * Comb through the list of users with access and remove any former employees/admins
  * Check permissions carefully to make sure users have the appropriate access rights
  * Disable file editing in the admin using wp-config.php
  * Isolate the user account for the site from others
  * Make .htaccess inaccessible to the site user (but accessible to www-data)
  * Make wp-config.php read-only
  * Remove any unused plugins
  * Check security reports on the remaining plugins for outstanding or frequent issues
  * Check when plugins were last updated by their author in the repository; old/unmaintained plugins are candidates for replacement or removal
  * Reduce permissions on the site's DB account to SELECT / UPDATE / INSERT / DELETE (you will need to unlock it when adding or updating plugins that use custom tables)
  * Set up wp-cli to automatically update plugins nightly (wp plugin update --all)
  * Set up the wp-fail2ban plugin, using the wordpress-hard profile
  * Globally disable access to xmlrpc.php in the Apache config (return 403; helps prevent brute force and other quiet attacks), unless it is actually used
  * Globally disable access to any .log or .git files in the Apache config
  * Consider the WordFence or Sucuri plug-in for file integrity checks/monitoring
  * Set up daily backups of the site

====== Tested on ======

  * 

====== See also ======

====== References ======

  * https://www.reddit.com/r/linuxadmin/comments/8uldes/my_first_security_audit_any_tips/
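The General tips list above is a manual audit; the following script is an added example (not part of the original page) that turns four of its checks into small read-only helpers: summarising listening sockets, listing accounts that can actually log in, extracting the effective sudo rules, and working out what PasswordAuthentication sshd will really use (sshd takes the first value it reads and defaults to yes, so a later "no" does nothing). The sample inputs at the bottom are constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original page: read-only audit helpers for the
# "General tips" checklist. Each function reads from stdin so it can be fed live
# command output on a server (see the usage note) or the constructed samples below.

# Listening sockets from `ss -tulpn`: keep protocol, local address:port and the
# owning process so an unexpected service stands out at a glance.
listening_sockets() {
    awk 'NR > 1 { print $1, $5, ($7 == "" ? "-" : $7) }'
}

# Accounts that can log in interactively: every passwd entry whose shell is not
# nologin/false. Prints "user uid shell" for review of leftover or test accounts.
login_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1, $3, $7 }'
}

# Effective sudo rules: drop comments, blank lines and Defaults lines. Include
# directives are flagged because the files they pull in need auditing too.
sudo_rules() {
    awk '/^[[:space:]]*(#include|@include)/ { print "INCLUDE " $0; next }
         /^[[:space:]]*#/        { next }
         /^[[:space:]]*Defaults/ { next }
         /^[[:space:]]*$/        { next }
         { print }'
}

# Effective PasswordAuthentication for sshd: sshd uses the FIRST value it reads
# for a keyword and defaults to "yes"; settings after a Match block are
# conditional, so parsing stops there. Commented-out lines never match $1.
sshd_password_auth() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes (default)" }'
}

# --- constructed sample input (not taken from any real server) --------------
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    127.0.0.1:3306    0.0.0.0:*         users:(("mariadbd",pid=901,fd=20))
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*         users:(("python3",pid=2231,fd=3))'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/bash
testuser:x:1001:1001:temp account:/home/testuser:/bin/sh'

SAMPLE_SUDOERS='# User privilege specification
Defaults env_reset

root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
oldadmin ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d'

SAMPLE_SSHD='# Authentication:
PermitRootLogin no
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes'

SAMPLE_SSHD_DEFAULT='PermitRootLogin no
#PasswordAuthentication yes'

echo "== listening sockets ==";      printf '%s\n' "$SAMPLE_SS"      | listening_sockets
echo "== login-capable accounts =="; printf '%s\n' "$SAMPLE_PASSWD"  | login_accounts
echo "== sudo rules ==";             printf '%s\n' "$SAMPLE_SUDOERS" | sudo_rules
echo "== sshd password auth ==";     printf '%s\n' "$SAMPLE_SSHD"    | sshd_password_auth
echo "== sshd password auth (nothing set) =="
printf '%s\n' "$SAMPLE_SSHD_DEFAULT" | sshd_password_auth
```

On a real host, source the file and pipe live data through the same functions: `ss -tulpn | listening_sockets`, `getent passwd | login_accounts`, `sudo cat /etc/sudoers | sudo_rules` (repeat for each file in /etc/sudoers.d that the INCLUDE line points at), and `sudo sshd -T | sshd_password_auth`, which has the advantage that sshd itself has already resolved the configuration. The sample output shows the kind of thing the checklist is after: an 8080 listener nobody remembers starting, a "testuser" with a real shell, and an "oldadmin" sudo rule with NOPASSWD.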
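Several WordPress items above (disable file editing via wp-config.php, make wp-config.php read-only, keep .htaccess away from the site user, and the global Apache rules for xmlrpc.php, .log and .git) are file-level changes that are easy to get slightly wrong or to apply twice. The script below is an added example, not code from the original page or from WordPress: it implements those items as idempotent functions and exercises them on a scratch copy. The site user name "site1", the web server group "www-data" and every path are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example, not part of the original page: idempotent helpers for the
# WordPress items above (DISALLOW_FILE_EDIT, file ownership/permissions and the
# global Apache deny rules). The site user "site1", the web server group
# "www-data" and all paths are assumptions; the demo at the bottom works on a
# scratch directory created with mktemp so it runs without a real install.

# Define a PHP constant in wp-config.php unless it is already defined, inserting
# it before the "stop editing" marker so it is set before wp-settings.php loads.
wp_config_define() {
    file=$1; name=$2; value=$3
    if grep -q "define( *'$name'" "$file"; then
        return 0                      # already present: nothing to do
    fi
    line="define('$name', $value);"
    if grep -q "stop editing" "$file"; then
        awk -v l="$line" '/stop editing/ && !done { print l; done = 1 } { print }' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s\n' "$line" >> "$file"
    fi
}

# wp-config.php: owned by the site user, readable by the web server group only
# (0440 = read-only for owner and group, nothing for others).
# .htaccess: owned by root with group www-data, 0640, so the site user cannot
# read or change it while Apache still can. chown needs root, so it is skipped
# with a message when run unprivileged.
lock_down_files() {
    root=$1; site_user=$2; web_group=$3
    chown "$site_user:$web_group" "$root/wp-config.php" 2>/dev/null \
        || echo "chown skipped for wp-config.php (needs root and existing $site_user/$web_group)"
    chmod 0440 "$root/wp-config.php"
    chown "root:$web_group" "$root/.htaccess" 2>/dev/null \
        || echo "chown skipped for .htaccess (needs root and existing $web_group)"
    chmod 0640 "$root/.htaccess"
}

# Global Apache 2.4 rules, meant for the server config (not a per-site .htaccess):
# 403 for xmlrpc.php, any *.log file, .git* files in the web root and anything
# under a .git directory. Drop the xmlrpc.php block if XML-RPC is actually used.
write_apache_denylist() {
    conf=$1
    cat > "$conf" <<'EOF'
# Global hardening rules (added example): deny XML-RPC, log files and git metadata
<Files "xmlrpc.php">
    Require all denied
</Files>
<FilesMatch "\.log$">
    Require all denied
</FilesMatch>
<FilesMatch "^\.git">
    Require all denied
</FilesMatch>
<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>
EOF
}

# --- demo on a scratch copy (constructed wp-config.php, not a real site) -----
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp_site1' );

/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
printf '%s\n' '# constructed placeholder .htaccess' > "$demo_dir/.htaccess"

wp_config_define "$demo_dir/wp-config.php" DISALLOW_FILE_EDIT true
wp_config_define "$demo_dir/wp-config.php" DISALLOW_FILE_EDIT true   # second run: no duplicate
lock_down_files "$demo_dir" site1 www-data
write_apache_denylist "$demo_dir/wp-hardening.conf"

echo "== wp-config.php =="; cat "$demo_dir/wp-config.php"
echo "== permissions ==";   ls -l "$demo_dir/wp-config.php" "$demo_dir/.htaccess"
echo "== apache ==";        cat "$demo_dir/wp-hardening.conf"
```

To apply this for real, run it as root against the site's document root, put the generated file where your distribution loads global snippets from (conf-enabled or conf.d) and reload Apache; with wp-config.php at 0440 the nightly `wp plugin update --all` job still works because it only needs to read the file, but it must run as the site user or it will be unable to write to the plugins directory. The DB-account grant reduction and the wp-fail2ban setup from the list are done in MySQL and fail2ban respectively and are not covered here.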