Basic steps to secure your WordPress site.
Change the WP site URL to HTTPS:
cd /opt/bitnami/apps/wordpress/htdocs
sudo nano wp-config.php
#To change the WP site URL settings to HTTPS
define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST'] . '/');
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST'] . '/');
define('FORCE_SSL_ADMIN', true);
#To disallow file edits by unauthorized users
define('DISALLOW_FILE_EDIT', true);
To force an HTTP to HTTPS rewrite:
cd /opt/bitnami/apps/wordpress/htdocs
sudo nano .htaccess
#To force HTTP to HTTPS rewrite
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
#Prevent directory listing - add at the end of the .htaccess file
Options All -Indexes
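As an added example (not part of the original notes), a small POSIX sh audit that checks a wp-config.php and a .htaccess for the settings above. It writes constructed sample files to a temporary directory rather than touching /opt/bitnami; point the two functions at the real files under /opt/bitnami/apps/wordpress/htdocs to run it against a live install.

```shell
#!/bin/sh
# Added example: audit wp-config.php and .htaccess for the hardening
# settings listed in the notes above. The sample files below are
# constructed in a temporary directory; pass the real Bitnami paths
# (/opt/bitnami/apps/wordpress/htdocs/...) to the functions instead.

# Return 0 when wp-config.php carries every expected define, 1 otherwise.
# Each missing setting is printed as a MISSING line.
check_wp_config() {
    file="$1"
    rc=0
    for pattern in \
        "define\( *'WP_SITEURL', *'https://" \
        "define\( *'WP_HOME', *'https://" \
        "define\( *'FORCE_SSL_ADMIN', *true *\)" \
        "define\( *'DISALLOW_FILE_EDIT', *true *\)"
    do
        if ! grep -Eq -- "$pattern" "$file"; then
            printf 'MISSING in %s: %s\n' "$file" "$pattern"
            rc=1
        fi
    done
    return "$rc"
}

# Return 0 when .htaccess both redirects HTTP to HTTPS (301) and disables
# directory listing, 1 otherwise.
check_htaccess() {
    file="$1"
    rc=0
    grep -Eq '^ *RewriteCond +%\{HTTPS\} +off' "$file" \
        || { printf 'MISSING in %s: RewriteCond %%{HTTPS} off\n' "$file"; rc=1; }
    grep -Eq '^ *RewriteRule .*https://%\{HTTP_HOST\}%\{REQUEST_URI\} .*R=301' "$file" \
        || { printf 'MISSING in %s: RewriteRule to https with R=301\n' "$file"; rc=1; }
    grep -Eq '^ *Options .*-Indexes' "$file" \
        || { printf 'MISSING in %s: Options -Indexes\n' "$file"; rc=1; }
    return "$rc"
}

tmp=$(mktemp -d)

# Constructed sample: a hardened wp-config.php
cat > "$tmp/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'bitnami_wordpress');
define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST'] . '/');
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST'] . '/');
define('FORCE_SSL_ADMIN', true);
define('DISALLOW_FILE_EDIT', true);
EOF

# Constructed sample: a wp-config.php still served over http, with the
# default of file editing allowed
cat > "$tmp/wp-config.weak.php" <<'EOF'
<?php
define('DB_NAME', 'bitnami_wordpress');
define('WP_SITEURL', 'http://' . $_SERVER['HTTP_HOST'] . '/');
define('WP_HOME', 'http://' . $_SERVER['HTTP_HOST'] . '/');
EOF

# Constructed sample: the .htaccess from the notes above
cat > "$tmp/.htaccess" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
Options All -Indexes
EOF

for f in "$tmp/wp-config.php" "$tmp/wp-config.weak.php"; do
    if check_wp_config "$f"; then printf 'OK: %s\n' "$f"; fi
done
if check_htaccess "$tmp/.htaccess"; then printf 'OK: %s\n' "$tmp/.htaccess"; fi
```

The weak sample reports four missing settings: both URLs still use http, and neither FORCE_SSL_ADMIN nor DISALLOW_FILE_EDIT is defined.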
Disable protocols older than TLS 1.2:
sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf
or
sudo nano /opt/bitnami/nginx/conf/nginx.conf
For Apache, change the SSLProtocol directive to "SSLProtocol TLSv1.2"; for nginx, change the "ssl_protocols" directive to "ssl_protocols TLSv1.2;".
sudo /opt/bitnami/ctlscript.sh restart
Test the SSL version using nmap.
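As an added check (not part of the original notes): save the output of nmap --script ssl-enum-ciphers -p 443 YOURDOMAIN to a file and run it through the function below, which lists any protocol version below TLS 1.2 the server still offers, so the restart in the previous step can be confirmed to have taken effect. The scan output embedded here is constructed, not a real scan result.

```shell
#!/bin/sh
# Added example: read the saved output of
#   nmap --script ssl-enum-ciphers -p 443 YOURDOMAIN
# and report every protocol version below TLS 1.2 that the server still
# offers. The two scan reports below are constructed samples.

# Print the protocol versions below TLS 1.2 found in an ssl-enum-ciphers
# report; return 0 when none is offered, 1 when at least one is.
weak_protocols() {
    weak=$(grep -E '^\| +(SSLv2|SSLv3|TLSv1\.0|TLSv1\.1): *$' "$1" \
           | sed 's/^| *//; s/:.*$//')
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak"
        return 1
    fi
    return 0
}

tmp=$(mktemp -d)

# Constructed sample: before the change, TLS 1.0 is still accepted
cat > "$tmp/before.txt" <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
EOF

# Constructed sample: after SSLProtocol TLSv1.2 and a restart
cat > "$tmp/after.txt" <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
EOF

for f in "$tmp/before.txt" "$tmp/after.txt"; do
    out=$(weak_protocols "$f") \
        && printf 'PASS %s: nothing below TLS 1.2 offered\n' "$f" \
        || printf 'FAIL %s: still offers %s\n' "$f" "$(printf '%s' "$out" | tr '\n' ' ')"
done
```

The function only looks at the protocol header lines of the report (the ones indented under ssl-enum-ciphers and ending in a colon), so cipher names that happen to contain "TLS" do not trigger it.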
Update the time setting:
sudo apt-get install ntpdate
sudo ntpdate 1.ca.pool.ntp.org
sudo ntpdate 0.ca.pool.ntp.org
sudo timedatectl set-ntp true
timedatectl status
Check your current admin email address with this command:
wp option list --search="admin_email"
Change the email address and update the options table with this command:
wp option update admin_email user@example.com
If you're running your WordPress site on AWS, the instance (EC2) metadata can be retrieved by going to the following URL:
http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hostname
identity-credentials/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
product-codes
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
This can be helpful when you're writing scripts to run from your instance.
Add an iptables rule so that only root can reach the metadata service from the instance:
sudo iptables -L
sudo iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP
Other settings:
sudo /opt/bitnami/apps/wordpress/bnconfig --disable_banner 1
sudo /opt/bitnami/ctlscript.sh restart apache
Configure an SSL cert:
sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m YOURMAIL -d YOURDOMAIN