Hardening a Rackspace Cloud Server for WordPress matters because plugins like W3 Total Cache can expose things to the public. In general, we do NOT recommend that you (1) use an unmanaged server running WordPress for production sites, (2) use an unmanaged server running WordPress for production sites with assorted WordPress plugins, or (3) follow a popular blogger hero's quick tips for making WordPress faster via .htaccess tricks.
One WordPress plugin can be enough to fully compromise a website. We highly recommend that you (1) read all the topics Rackspace has written as articles in their Knowledge Base; (2) get used to UNIX administration even if it is a managed server: the home is actually yours, but it is rented, and you have more responsibilities than the Rackspace Cloud team; (3) communicate with Rackspace Support if you do developmental work (quite risky), and point them to the web page when asking them to modify things that probably increase the server's security but are tied to a particular CMS (so out of scope for a UNIX administrator), like this guide on Hardening Rackspace Cloud Server for WordPress; (4) read good blogs and articles on the web about UNIX administration; (5) use a different server for MySQL, close all its ports, and activate only the IPv6 address for it.
Hardening Rackspace Cloud Server for WordPress : Part 1
"Unmanaged Rackspace Cloud Server" is actually the wrong terminology. There is plenty of existing support for normal accounts too; please check the official website for the list. Clearly, for the unmanaged service the server software is not configured by Rackspace for you and it is not monitored. But actually there is monitoring, since one compromised server can create trouble for the whole node. We DO NOT represent Rackspace and our recommendations can vary. Always give more importance to Rackspace's current recommendations and let us know about any such conflict. As we are moving towards an age of Software Defined Data Centers, in 5 years you and I will probably rent a Software Defined Data Center instead of IaaS. WordPress, Google etc. might not exist after 5 years, but definitely (1) the points on security, (2) Rackspace's excellent support and (3) OpenStack etc. will exist.
---
It is named Hardening Rackspace Cloud Server for WordPress Part 1, but you can take it that the story started with the articles How To Install WordPress on Ubuntu 13.10 on Rackspace Cloud Server, Create .htaccess Password for wp-login Page, etc. In the current situation, for enhanced privacy:
- Try not to use certain products from Google: Web Fonts (both Google and Adobe collect data), JavaScript libraries (use Cloud Files or Akamai as CDN), Analytics (use F/OSS like Piwik), Google's mail server, etc.
- Block Google's and other bots' access to the wp-admin, wp-includes and wp-content folders (except a few folders like uploads) via an .htaccess password. It is quite difficult to configure the exceptions so that the Ajax-related PHP files are still allowed through on port 80 or port 443, but it is worth the time. Plugins can store API keys in raw text files. robots.txt is never a secure way to block access.
- Change the ownership of files like wp-config.php and .htaccess to root and chmod them to 400. Verify that the site still loads afterwards: the web server user (www-data on Ubuntu) has to be able to read wp-config.php, and a root-owned 400 file is readable only by root.
- Never ever chmod any folder to 0777. Read How To Fix Cannot Upload Media via WordPress Uploader or Update Plugins.
- Use Redis cache and other plugins. Avoid using W3 Total Cache in the current situation.
- Unless you are an educational institute or a governmental agency, you are unlikely to be a deliberately targeted victim. But the number of newbie hackers is not small.
- Offload comments to someone else's server, e.g. try to use a commenting platform.
Hardening Rackspace Cloud Server for WordPress : The World Does Not Need To Know Your Server's OS, PHP Version or Apache Version
Medicine for the Script Kiddies
Heard about script kiddies? It is generally assumed that script kiddies are juveniles who lack the ability to write sophisticated hacking programs or exploits on their own, and that their objective is to impress their friends or gain credit in computer-enthusiast communities. Add these lines (or check whether you have already added them) to your .htaccess file, inside WordPress's default block for pretty permalinks:

```apache
# Options -Indexes disables directory browsing; uncomment the line below to activate it
#Options -Indexes
# libwww-perl fix: refuse requests whose User-Agent contains "libwww"
# or whose query string tries to pass a URL (=http...) into a parameter
RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
# "-" means no substitution; [F] answers 403 Forbidden, [L] stops rewriting
RewriteRule ^(.*)$ - [F,L]
```
It is a kind of fix for the libwww-perl hack on Apache servers. Use custom error HTML pages like:

```apache
# Add to your .htaccess file.
# For 401, Apache needs a local path: it will not redirect a 401 to a remote URL,
# because the client would not know to resend its credentials after the redirect.
ErrorDocument 401 /401.html
```

The 401.html file really should exist, like ours does (https://thecustomizewindows.com/401.html).
Medicine for the Advanced Guys
Rexford H. Swain is a great person; he has an excellent set of online tools:

http://www.rexswain.com/

Check your headers first:

http://www.rexswain.com/httpview.html

Also use this tool:

http://http-headers.online-domain-tools.com/
You must get rid of:
- which Apache version is used
- which PHP version is used
- which OS the server uses
- any X-Powered-By header; W3 Total Cache nicely adds its own, giving an attacker one more thing to fingerprint
First, set ServerSignature to Off and ServerTokens to Prod:

```bash
# This is for Apache on Ubuntu
cd /etc/apache2/
sudo nano apache2.conf
# scroll to the bottom and add these two directives just above the vim stuff (if it exists):
#   ServerSignature Off
#   ServerTokens Prod
# press control [ ^ ] + O to save and [ ^ ] + X to exit
# restart apache (needs root)
sudo /etc/init.d/apache2 restart
```

All server signatures will go away; 401 and 403 pages will no longer reveal the port number 80 or the OS name!
Test here:

http://http-headers.online-domain-tools.com/
Every X-Powered-By header will go away if you unset it with header_remove():

http://php.net/manual/en/function.header-remove.php
By now you should know where the php.ini file is, don't you? Find and edit this line in the nano text editor:

```ini
expose_php = On
; change to
expose_php = Off
; "Off" and "off" make no difference: the value is case-insensitive
; restart Apache afterwards so that mod_php re-reads php.ini
```
As we have enabled mod_rewrite, we must also set TraceEnable to off:

```apache
# Add to apache2.conf (or a virtual host). TraceEnable is only accepted in the
# server config or a virtual host; in .htaccess Apache rejects it with an error.
TraceEnable off
```
Now do a telnet and send a TRACE request by hand (type `TRACE / HTTP/1.1`, a `Host:` line and then an empty line):

```shell
telnet YOUR-IP 80
```

With TraceEnable off, Apache refuses the TRACE request with an error status (403 according to this article; Apache's own documentation specifies 405 Method Not Allowed) and no longer echoes the request back. X-Powered-By headers have nothing to do with "encouraging caching"; they were actually meant for reverse proxies, and Microsoft re-introduced them in the ASP days for branding. What they really encourage is getting hacked by having your setup identified. We should hide as much as possible, even if we are only serving plain HTML pages. Google is bad, but honestly they never tell you to expose these known weaknesses.
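As an added example (not code from the article), the header check from "Check your headers first" and the TRACE test above can be scripted instead of eyeballed: this Python script parses a raw HTTP response, reports a Server header that still carries a version or OS string and any X-Powered-By header, and tells whether a TRACE request was echoed back. The sample responses are constructed, and fetch_raw() is an assumed helper of ours that talks to a live server when given a hostname.

```python
import re
import socket

VERSION_RE = re.compile(r"/\d+(\.\d+)*|\(.*\)")  # matches "/2.4.6" or "(Ubuntu)"

def parse_response(raw):
    """Split a raw HTTP response (as seen via telnet or curl -i) into parts."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = headers[key] + ", " + value if key in headers else value
    return status, headers, body

def header_leaks(raw):
    """Findings for headers that reveal OS, Apache/PHP version or a plugin."""
    _, headers, _ = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_RE.search(server):  # a bare "Apache" (ServerTokens Prod) passes
        findings.append("Server: " + server)
    if "x-powered-by" in headers:  # set by expose_php=On and by W3 Total Cache
        findings.append("X-Powered-By: " + headers["x-powered-by"])
    return findings

def trace_echoed(raw):
    """True when a TRACE request was echoed back, i.e. TraceEnable is still on."""
    status, headers, body = parse_response(raw)
    is_echo = headers.get("content-type", "").startswith("message/http")
    return status == 200 and is_echo and body.startswith("TRACE ")

def fetch_raw(host, method="HEAD", path="/", port=80):
    """Talk to a live server; the constructed samples below work offline instead."""
    request = "%s %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (method, path, host)
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request.encode("ascii"))
        return sock.makefile("rb").read().decode("latin-1")

# Constructed sample responses, not captured from any real host.
BEFORE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (Ubuntu)\r\n"
          "X-Powered-By: PHP/5.5.3\r\nX-Powered-By: W3 Total Cache/0.9\r\n\r\n")
AFTER = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
TRACE_ON = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
            "TRACE / HTTP/1.1\r\nHost: example.invalid\r\n")
TRACE_OFF = "HTTP/1.1 405 Method Not Allowed\r\nServer: Apache\r\n\r\n"
```

Against the samples, header_leaks(BEFORE) lists both leaking headers while header_leaks(AFTER) is empty; to check a real host run header_leaks(fetch_raw("your.host")) and trace_echoed(fetch_raw("your.host", "TRACE")) from a Python shell.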