September 27, 2020

Basic steps to secure your WordPress site.

Change the WP site URL to HTTPS:

cd /opt/bitnami/apps/wordpress/htdocs
sudo nano wp-config.php

#To change the WP site URL settings to HTTPS (both values are built from the
#request's Host header here; hard-coding your own domain is the safer choice)
define('WP_SITEURL', 'https://' . $_SERVER['HTTP_HOST'] . '/');
define('WP_HOME', 'https://' . $_SERVER['HTTP_HOST'] . '/');
define('FORCE_SSL_ADMIN', true);
#To disable the built-in theme/plugin file editor in the dashboard
define('DISALLOW_FILE_EDIT', true);

To force HTTP to HTTPS rewrite:

cd /opt/bitnami/apps/wordpress/htdocs
sudo nano .htaccess

#To force HTTP to HTTPS rewrite
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

#Prevent directory listing - add at the end of the .htaccess file
Options All -Indexes

Disable protocols older than TLS 1.2:

sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf
or
sudo nano /opt/bitnami/nginx/conf/nginx.conf

Edit the protocol directive so that only TLS 1.2 is offered: in the Apache file change SSLProtocol to "SSLProtocol TLSv1.2"; in nginx.conf the equivalent is "ssl_protocols TLSv1.2;". Then restart the services:

sudo /opt/bitnami/ctlscript.sh restart

Test the SSL version using nmap.

Update the time setting:

sudo apt-get install ntpdate
sudo ntpdate 1.ca.pool.ntp.org
sudo ntpdate 0.ca.pool.ntp.org
sudo timedatectl set-ntp true
timedatectl status

Check your current admin email address with this command:

wp option list --search="admin_email"

Change the email address and update the options table with this command:

wp option update admin_email user@example.com

If you're running your WordPress site on AWS, the EC2 instance metadata can be retrieved from the instance itself by requesting the following URL:

http://169.254.169.254/latest/meta-data/

curl http://169.254.169.254/latest/meta-data
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
events/
hostname
identity-credentials/
instance-action
instance-id
instance-type
local-hostname
local-ipv4
mac
metrics/
network/
placement/
product-codes
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups

This can be helpful when you're writing scripts to run from your instance.

Add an iptables rule so that only root can reach the metadata service; the web server's own non-root processes are then unable to read it.

sudo iptables -L
sudo iptables -A OUTPUT -m owner ! --uid-owner root -d 169.254.169.254 -j DROP
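An added example (not from the original post) that applies the same rule in a form that is safe to re-run and puts it at the head of the OUTPUT chain, so an existing blanket ACCEPT rule earlier in the chain cannot shadow the DROP. It assumes iptables with the owner match (which the rule above already needs) and curl; source the file and call ensure_imds_rule as root.

```shell
#!/bin/sh
# Added example (not from the original post): restrict the EC2 metadata
# endpoint to root only, in a form that is safe to re-run. Assumes iptables
# with the owner match (the rule above already needs it) and curl.
# Source the file and call ensure_imds_rule as root.

IMDS_IP="169.254.169.254"

# Rule arguments shared by the check (-C) and the insert (-I); uid 0 is root.
imds_rule_args() {
    printf '%s' "OUTPUT -d $IMDS_IP -m owner ! --uid-owner 0 -j DROP"
}

# Returns 0 if the DROP rule is already in the OUTPUT chain, 1 otherwise.
# $(imds_rule_args) is left unquoted on purpose: the words must split.
imds_rule_present() {
    iptables -C $(imds_rule_args) >/dev/null 2>&1
}

# Insert at the head of OUTPUT (-I rather than -A) so that an existing
# blanket ACCEPT rule earlier in the chain cannot shadow the DROP.
# Re-running adds nothing: the -C check makes this idempotent.
ensure_imds_rule() {
    if imds_rule_present; then
        echo "IMDS rule already present"
        return 0
    fi
    iptables -I $(imds_rule_args) || return 1
    echo "IMDS rule inserted"
}

# Run from a non-root shell after applying: returns 0 when the request is
# blocked (DROP makes it time out), 1 when the metadata is still readable.
verify_imds_blocked() {
    if curl -s --max-time 3 "http://$IMDS_IP/latest/meta-data/" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}
```

The rule lives only in the running kernel: persist it with iptables-save (or the distro's iptables-persistent package), otherwise it is gone after a reboot.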

Other settings:

sudo /opt/bitnami/apps/wordpress/bnconfig --disable_banner 1
sudo /opt/bitnami/ctlscript.sh restart apache

Configure an SSL cert:

sudo /opt/bitnami/letsencrypt/scripts/generate-certificate.sh -m YOURMAIL -d YOURDOMAIN