Configuring FTPS For WordPress Updates

WordPress has a convenient feature for updating itself and plugins through the Dashboard. Unfortunately it doesn’t support SFTP (SSH FTP), which would be provided by the excellent OpenSSH package. Instead, you’ll need to set up an FTPS (FTP over SSL) server. This short tutorial will guide you through installing a secure FTPS server on Ubuntu 11.10.

Step 1: Install vsftpd
APT (Advanced Packaging Tool) is the software package manager for Ubuntu.

> sudo apt-get update
> sudo apt-get install vsftpd

Step 2: Shut down vsftpd
The service will be started immediately after installation. For security reasons, we will shut it down until it is properly configured.

> service vsftpd stop

Step 3: Configure vsftpd
Edit /etc/vsftpd.conf and make these suggested changes and additions.

listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
anon_world_readable_only=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
connect_from_port_20=NO
listen_port=2112

Step 4: Restart vsftpd
Now that anonymous access has been disabled and SSL has been enabled, the FTPS service can be restarted.

> service vsftpd start

Step 5: Create FTPS user
It’s a good idea to create a separate account for updates through the WordPress dashboard. For simplicity, I created a system account with the same username I use for the WordPress admin account. In this example I’m using “ftps”; use whatever username works best for you. The last argument must be the path to the web server directory; ignore the warning about the home directory not belonging to the user. Be sure to give the account a strong password.

> sudo adduser ftps --home /srv/www

Step 6: Add the FTPS user to the www-data group
The new user will need to belong to the www-data group. Again, I’m using “ftps” as the example username.

> sudo vi /etc/group
www-data:x:32:ftps

Step 7: Give the www-data group read/write access
The www-data group will need read/write access to the web server directory.

> sudo chgrp -R www-data /srv/www
> sudo chmod -R g+w /srv/www
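Before reopening the service it is worth confirming that the Step 3 settings actually took hold; the script below is an added audit (not part of the original tutorial) that reads a vsftpd.conf and flags any of the anonymous-access and TLS settings that are missing or wrong. It assumes only a POSIX shell with grep, cut, tr and mktemp, and takes the config path as its argument.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit a vsftpd.conf for the
# settings Step 3 relies on (no anonymous access, TLS forced for logins and data,
# SSLv2/SSLv3 off). Prints one line per finding; returns 1 if anything fails.
check_vsftpd_conf() {
    conf="$1"
    status=0
    for want in anonymous_enable=NO ssl_enable=YES force_local_logins_ssl=YES \
                force_local_data_ssl=YES allow_anon_ssl=NO ssl_sslv2=NO ssl_sslv3=NO \
                anon_upload_enable=NO anon_mkdir_write_enable=NO; do
        key=${want%%=*}
        val=${want#*=}
        # Skip commented lines; if a key is set more than once, judge the last
        # assignment. Strip whitespace/CR and upper-case the value before comparing.
        got=$(grep -E "^[[:space:]]*${key}=" "$conf" | tail -n 1 | cut -d= -f2- |
              tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
        if [ -z "$got" ]; then
            echo "MISSING: $key (want $val)"
            status=1
        elif [ "$got" != "$val" ]; then
            echo "WRONG: $key=$got (want $val)"
            status=1
        fi
    done
    return "$status"
}

# Audit the file given as an argument, or a constructed sample when none is given.
if [ "$#" -ge 1 ]; then
    check_vsftpd_conf "$1"
else
    sample=$(mktemp)
    # Constructed sample: the tutorial's settings, except SSLv3 was left enabled.
    printf '%s\n' 'anonymous_enable=NO' 'ssl_enable=YES' 'force_local_data_ssl=YES' \
        'force_local_logins_ssl=YES' 'allow_anon_ssl=NO' 'ssl_sslv2=NO' 'ssl_sslv3=YES' \
        'anon_upload_enable=NO' 'anon_mkdir_write_enable=NO' > "$sample"
    check_vsftpd_conf "$sample" || echo "sample fails the audit (expected: ssl_sslv3)"
    rm -f "$sample"
fi
```

Run it as `sh check_vsftpd.sh /etc/vsftpd.conf` after editing and again after any later change; it only covers the settings listed, so the certificate paths and listen port still need a manual look.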

Howto Secure WordPress

As a WordPress blog owner or provider, you want to ensure that your site is as secure as possible. An insecure site can mean downtime, defacement, and (worst of all) lost users. We present here a short list of steps you can take to lock down your site.

  1. First, your WordPress site will never be more secure than the server on which WordPress is running. If the server is not secure, then the following advice may do nothing to actually enhance security. See the How-To guides on Securing Linux and Windows for more details.
  2. Keep your WordPress software up-to-date. When security holes in WordPress and WordPress modules are found, they will be addressed and new versions released. By using the most recent software versions, you will ensure that your platform is not exposed to known hacks.
  3. The default user account that is created with every installation of WordPress is the admin account. Unfortunately everyone, including hackers, knows this and can easily launch a dictionary attack on your website to try to guess your password. If a hacker already knows your username, that’s half the battle. It’s highly recommended to delete or change the admin account username. You can do this during installation, or by manually changing the user_login value in the wp_users database table.
  4. Always use strong passwords for the WordPress administrative and database accounts.
  5. Enable SSL on your web server, and then force all logins to be done over SSL. This will encrypt passwords during transmission. You can generate your own or purchase a commercial SSL certificate. Add this line to wp-config.php (before the require of wp-settings.php): define('FORCE_SSL_ADMIN', true);
  6. Protect your wp-config file. It should not be accessible from a web browser. Enter these lines into a .htaccess file in the same directory as wp-config.php:

    <Files wp-config.php>
       Order Allow,Deny
       Deny from all
    </Files>

    Then, set the permissions for both .htaccess and wp-config.php to 640.

    > chmod 640 .htaccess
    > chmod 640 wp-config.php

  7. Generate unique authentication keys for wp-config.php. The keys provided by WordPress in your configuration file work fine, but your site will be more resistant to attacks if you generate your own random keys (the important word being “random”). Visit https://api.wordpress.org/secret-key/1.1/salt/ and copy the 8 generated lines into wp-config.php, overwriting the 4 lines that define AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY.
  8. Change the default WordPress database table prefix. This is to secure your installation against hacks, such as SQL injection attacks. Set $table_prefix in wp-config.php. Make sure to add an underscore at the end of the prefix. If you have already installed WordPress, the WP Security Scan plugin can be used to change the database table prefix.
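Items 5 to 8 all leave traces in wp-config.php, so they can be re-checked at any time; the script below is an added audit (not part of the original article) that reports which of them have not been applied. It assumes a POSIX shell with GNU stat (as on Ubuntu), grep and sed, and takes the path to wp-config.php as its argument.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a wp-config.php against
# items 5 to 8 above (FORCE_SSL_ADMIN, 640 permissions, non-default keys/salts,
# non-default table prefix). Prints one line per finding; returns 1 if any fail.
check_wp_config() {
    cfg="$1"
    status=0
    # Item 5: admin logins must be forced over SSL.
    if ! grep -Eq "define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "FORCE_SSL_ADMIN is not defined as true"; status=1
    fi
    # Item 6: the file should be mode 640 (GNU stat assumed, as on Ubuntu).
    mode=$(stat -c '%a' "$cfg")
    if [ "$mode" != "640" ]; then
        echo "permissions are $mode, expected 640"; status=1
    fi
    # Item 7: WordPress ships every key/salt with this placeholder value.
    if grep -q "put your unique phrase here" "$cfg"; then
        echo "one or more keys/salts still hold the default placeholder"; status=1
    fi
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        grep -Eq "define\([[:space:]]*['\"]$key['\"]" "$cfg" || { echo "$key is not defined"; status=1; }
    done
    # Item 8: the prefix must not be the default wp_ and must end with an underscore.
    prefix=$(grep -E '^\$table_prefix[[:space:]]*=' "$cfg" | tail -n 1 |
             sed -E "s/.*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/")
    case "$prefix" in
        "")  echo "\$table_prefix is not set"; status=1 ;;
        wp_) echo "\$table_prefix is still the default wp_"; status=1 ;;
        *_)  ;;
        *)   echo "\$table_prefix '$prefix' should end with an underscore"; status=1 ;;
    esac
    return "$status"
}

# Audit the file given as an argument, or a constructed sample when none is given.
if [ "$#" -ge 1 ]; then
    check_wp_config "$1"
else
    sample=$(mktemp)
    # Constructed sample: a fragment on which none of items 5 to 8 has been applied.
    cat > "$sample" <<'EOF'
define('AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
EOF
    chmod 644 "$sample"
    check_wp_config "$sample" || echo "sample fails the audit (expected)"
    rm -f "$sample"
fi
```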