Security Tips for the OpenLiteSpeed WordPress Marketplace App
Introduction
The OpenLiteSpeed image includes a powerful set of tools to start a WordPress site. Before launching your site, there are a few extra steps to ensure your site and server stay secure.
Prerequisites
- Deploy an OpenLiteSpeed WordPress instance
- Follow the setup steps provided in the Vultr Dashboard.
- Make a note of the phpMyAdmin location and the database password.
- Connect to the server via SSH as a root user.
1. Disable PHP Execution in Unsafe Directories
Specific directories can hold user-uploaded content or have no need for PHP execution. The directories to forbid PHP execution in are:
wp-content/uploads
wp-includes
Add the .htaccess Rules for the uploads
Folder
Navigate to the WordPress
uploads
folder.# cd /var/www/html/wp-content/uploads
Edit the .htaccess file.
# nano .htaccess
Add the following rule and save the file.
# BEGIN Block PHP Execution RewriteEngine on RewriteRule (.*)php$ - [F] # END Block PHP Execution
Change ownership of the file to
www-data
.# chown www-data .htaccess && chgrp www-data .htaccess
Add the .htaccess Rules for the wp-includes Folder
You'll repeat the same steps as the uploads
folder, except in the wp-includes
folder.
Navigate to the
wp-includes
folder.# cd /var/www/html/wp-includes
Edit the .htaccess file.
# nano .htaccess
Add the following rule and save the file.
# BEGIN Block PHP Execution RewriteEngine on RewriteRule (.*)php$ - [F] # END Block PHP Execution
Change ownership of the file to
www-data
.# chown www-data .htaccess && chgrp www-data .htaccess
Restart LiteSpeed
After changing .htaccess
rules, you must restart LiteSpeed.
# /usr/local/lsws/bin/lswsctrl restart
You'll also need to restart LiteSpeed whenever a WordPress plugin modifies .htaccess
files. For example, many popular caching and security plugins will modify .htaccess
. You can also reboot the server, which serves the same purpose.
2. Security changes for .htaccess
There are several security improvements you can make to the .htaccess
file in the web root, such as:
- Disable XML-RPC: This function is normally safe to disable unless you know that you need it.
- Hide Static Files: Fingerprinting static files allows attackers to determine the WordPress version.
- Secure the
wp-config.php
File: Securing thewp-config.php
file keeps your database credentials safe. These steps prevent unauthorized access and prevent LiteSpeed from serving the file in plain text if the server stops executing PHP. - Disable PHP Error Reporting: By default, OpenLiteSpeed instances have
display_errors
disabled in the PHP configuration. - Block User Enumeration Attempts: If you visit
https://YOUR_DOMAIN/?author=1
, you can see your main administrator's username. Username enumeration can make brute force attacks easier for bad actors.
To make all those changes, follow these steps.
Navigate to the WordPress root folder and edit the
.htaccess
file.# cd /var/www/html/ # nano .htaccess
Before the
# BEGIN WordPress
line, add these rulesets and save the file.# BEGIN Block Sensitive Files RewriteCond %{REQUEST_URI} error_log|wp-config-sample.php|xmlrpc.php|readme.html|readme.txt|license.txt|wp-config.php|php.ini [NC] RewriteRule .* - [F,L] # END Block Sensitive Files # BEGIN Block Author RewriteCond %{REQUEST_URI} !^/wp-admin [NC] RewriteCond %{QUERY_STRING} ^author=\d+ [NC,OR] RewriteCond %{QUERY_STRING} ^author=\{num RewriteRule ^ - [L,R=403] # END Block Author
Set appropriate file permissions for
wp-config.php
.# cd /var/www/html && chmod 600 wp-config.php
3. Block XML-RPC
You've already blocked access to the PHP file, but you'll need to create a new custom plugin for your site to delete the function.
Create a new plugin to block XML-RPC.
# cd /var/www/html/wp-content/plugins # nano example.php
Replace
example.php
with a unique name for your plugin.Insert the following code and save the file. Replace
Example Security Features
andexample_remove_xmlrpc
with a unique name for your plugin.<?php /** * Plugin Name: Example Security Features */ // -- Disable XML-RPC // Return nothing for XML-RPC methods function example_remove_xmlrpc( $methods ) { return array(); } add_filter( 'xmlrpc_methods', 'example_remove_xmlrpc' );
Set appropriate file ownership.
# chown www-data example.php # chgrp www-data example.php
Replace
example.php
with the filename you created earlier.Restart LiteSpeed.
# /usr/local/lsws/bin/lswsctrl restart
Activate the plugin in the WordPress Admin area.
4. Add Hotlink Protection
"Hotlinking" is linking directly to a file or image instead of the blog page that contains it. Internet users often do not understand the implications of hotlinking or even what it is. For site owners, it can be costly for a site to have unwanted HTTP requests and bandwidth usage. LiteSpeed offers a hotlink protection module.
Edit the
vhconf.conf
file.# nano /usr/local/lsws/conf/vhosts/wordpress/vhconf.conf
Add the following configuration to the bottom of the file, replacing
YOUR_DOMAIN
with your website's domainhotlinkCtrl { allowedHosts YOUR_DOMAIN www.YOUR_DOMAIN google.com yahoo.com bing.com facebook.com twitter.com enableHotlinkCtrl 1 suffixes bmp, bpg, css, eot, gif, ico, jpeg, jpg, js, otf, png, svg, tiff, ttc, ttf, webp, woff, woff2 allowDirectAccess 1 redirectUri onlySelf 0 }
These settings allow only specified domains to serve files from your server. You can add additional hosts seperated by spaces in the
allowedHosts
line. By adding the social media and search engine domains, you allow those services to hotlink to your images. Thesuffixes
line allows you to set the blocked file extensions for hotlinking. TheredirectUri
allows you to redirect to a specified path, such as a hotlinking warning image.Restart LiteSpeed
# /usr/local/lsws/bin/lswsctrl restart
5. Change Login Page URL
To keep your login page hidden and not located at the predictable /wp-admin/
directory, install a plugin to hide your login page unless you already use a comprehensive security login that offers that functionality.
The OpenLiteSpeed image includes the DoLogin Security plugin for another layer of security. Activate this plugin to limit login attempts.
6. Hide WordPress Version On the Frontend (Optional)
Keeping the WordPress version hidden makes it harder for attackers to perform version-specific attacks on your site. Security plugins such as Wordfence or Sucuri allow you to hide your WordPress version.
If you use Wordfence, navigate to Wordfence > All Options. Under the General Wordfence Options tab, toggle the Hide WordPress version option.
If you use the Sucuri plugin, it hides the WordPress version by default after activation.
7. Restrict Access to phpMyAdmin
By default, the phpMyAdmin interface is publicly accessible. To block outside access, edit the virtual host configuration.
Edit the
vhconf.conf
file.# nano /usr/local/lsws/conf/vhosts/wordpress/vhconf.conf
Locate the following lines.
accessControl { allow * }
Replace them with these.
accessControl { deny * allow 127.0.0.1 }
Save the file and restart LiteSpeed.
# /usr/local/lsws/bin/lswsctrl restart
If you browse to https://YOUR_DOMAIN/phpmyadmin/
, you should now see a 403 error. To access phpMyAdmin again, either connect to the server with an SSH Tunnel (Port Forward) or add a trusted IP for the allow
value.
Next Steps
If you have not already installed a security plugin, consider installing one to ensure the highest level of protection ongoing. Some widely-supported plugins include: