Wordpress Nginx



In recent times, bots have become a menace for WordPress sites. It has become absolutely critical to protect these sites from brute force attacks by automated bots. In this article we will see how to protect a WordPress site running behind an Nginx server from such attacks.

What is a brute force attack?

It’s a trial and error method of gaining access to a system by logging in with probable usernames and random passwords. It is time consuming and usually done by automated bots. In WordPress, with default settings, things like the login URL and the login name are easy to figure out. The only remaining item is the password, which is one reason brute force attacks are so common against WordPress sites.


First things first

Before moving on to Nginx, let’s make sure the basics are covered by working through the security checklist below.
1. Use a strong password of at least 10 characters that mixes letters, numbers and special characters.
2. Do not use the site name or “admin” as the user name.
3. Block user registration if it is not required.
4. If user registration is required, enable Google reCAPTCHA for registration.
5. Change the “wp-login” URL to something else.
6. Enable two-factor authentication for logging in to the site. This can be enabled with the Two Factor or Wordfence Login Security plugins.
7. Install a WordPress security plugin to validate and protect the site.
8. Disable the REST API for anonymous users.
9. Disable XML-RPC.
10. Lock out an IP address or username after too many failed login attempts.

Security Plugin

A huge number of security plugins are available for WordPress, and picking the best of them is a herculean task. Wordfence and All In One WP Security & Firewall are two of the popular free plugins for securing a WordPress site. I personally prefer All In One WP Security & Firewall (AIOWP) for its wide variety of features; most of the items listed under “First things first” can be configured in the AIOWP Security plugin.

Protecting login URL

Changing or protecting the login URL is much easier with the AIOWP plugin. Changing the login URL can be risky, as certain backup and restore plugins reference it. Instead, I would suggest protecting the login URL from unauthorised access, which is possible by setting up cookie-based URL access through the AIOWP plugin.

Under the “WP Security” menu, select “Brute Force” and navigate to the “Cookie Based Brute Force Login Prevention” tab. Select “Enable Brute Force Attack Prevention” and provide a secret word for the query string. In the example below I have used the secret word “mysecreturl”, so the login URL becomes http://mysite/?mysecreturl=1

If you are running your WordPress site on an Nginx server, the settings above alone are not sufficient. Although they add the segment below to the .htaccess file of your site, Nginx does not read .htaccess files, so the rule has no effect unless the corresponding changes are made in the Nginx configuration file.

Nginx Settings

In addition to the standard location block that handles PHP requests, an additional inner location block checks for a cookie named “mysecreturl”. If the cookie is present, the request is passed on to the wp-login page; otherwise Nginx closes the connection and returns status code 444.

Status code 444 is a non-standard code specific to Nginx: it tells Nginx to close the connection without sending any response to the client.
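The location block described above, as an added example that is not the post’s own configuration; it replaces the usual PHP location block and assumes the cookie is named mysecreturl (the secret word from the plugin settings) and that PHP-FPM listens on the Unix socket /run/php/php7.2-fpm.sock:

```nginx
# Added example, not the post's own configuration. Assumes the AIOWP secret word
# (and therefore the cookie name) is "mysecreturl" and that PHP-FPM listens on
# /run/php/php7.2-fpm.sock; both are assumptions to adjust to your server.
location ~ \.php$ {
    # Standard handling for every other PHP request.
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.2-fpm.sock;

    # Inner block: only requests that carry the secret cookie reach wp-login.php.
    # A visit to /?mysecreturl=1 is served by index.php, so the plugin can still
    # set the cookie before this gate is ever hit.
    location ~ ^/wp-login\.php$ {
        # $cookie_<name> is empty when the browser sent no cookie of that name.
        if ($cookie_mysecreturl = "") {
            return 444;   # close the connection; no response for a bot to parse
        }
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}
```

Check the file with nginx -t; afterwards, curl -I https://example.com/wp-login.php without the cookie reports an empty reply from the server, while adding -b mysecreturl=1 returns the login page.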

Making these changes will reduce the login attempts by automated bots to zero. In a subsequent blog post, we will look at some Nginx security settings that are relevant for any web application.

Students and new users who want to install a new WordPress website with Nginx and Let’s Encrypt SSL should find that the steps below get them there easily.

This brief tutorial shows students and new users, step by step, how to set up a WordPress website with free Let’s Encrypt SSL/TLS certificates and security features that improve site performance and protect the site against malicious actors.

This setup takes a while to complete, and the process below should work for other websites as well: it does not have to be WordPress, and other CMSes and plain HTML sites should work out of the box. When you’re ready to set up WordPress and Let’s Encrypt, follow the steps below:

Step 0: Get your Domain Name

Let’s Encrypt needs a valid domain and a working server that the domain points to (the server must be reachable from the internet, since Let’s Encrypt validates the domain by connecting to it). This setup assumes that your domain name is example.com and that it points to your server with IP address 192.168.1.2

Don’t forget to also make sure the www CNAME points to the domain name. It should look something like the record below:

Step 1: Install and Configure WordPress

Now that you’ve configured your domain to point to your server, continue below to setting up WordPress and Let’s Encrypt…

First, install the Nginx HTTP server, since we’re using Nginx for this post. To install it, run the commands below:

After installing Nginx, the commands below can be used to stop, start and enable the Nginx service so that it starts automatically when the server boots.

Now that Nginx is installed…. to test whether the web server is working, open your browser and browse to the URL below…

If you see the page above, then Nginx is successfully installed…

Step 2: Install MariaDB Database Server

WordPress also requires a database server to store its content… If you’re looking for a truly open source database server, then MariaDB is a great place to start… To install MariaDB run the commands below:

sudo apt-get install mariadb-server mariadb-client

After installing MariaDB, the commands below can be used to stop, start and enable MariaDB service to always start up when the server boots…


Run these on Ubuntu 16.04 LTS

Run these on Ubuntu 19.04 and 18.04 LTS

Next, run the commands below to secure the database server with a root password if you were not prompted to do so during the installation…

sudo mysql_secure_installation

When prompted, answer the questions below by following the guide.

  • Enter current password for root (enter for none): Just press the Enter
  • Set root password? [Y/n]: Y
  • New password: Enter password
  • Re-enter new password: Repeat password
  • Remove anonymous users? [Y/n]: Y
  • Disallow root login remotely? [Y/n]: Y
  • Remove test database and access to it? [Y/n]: Y
  • Reload privilege tables now? [Y/n]: Y

Now that MariaDB is installed, to test whether the database server was successfully installed, run the commands below…

sudo mysql -u root -p

type the root password when prompted…

If you see a similar screen as shown above, then the server was successfully installed…

Step 3: Install PHP 7.2-FPM and Related Modules

WordPress is a PHP-based CMS, so PHP is required. However, PHP 7.2-FPM may not be available in Ubuntu’s default repositories. To run PHP 7.2-FPM on Ubuntu 16.04 and earlier, you may need to run the commands below:

Then update the package lists so PHP 7.2-FPM can be installed:

sudo apt update

Next, run the commands below to install PHP 7.2-FPM and related modules.

sudo apt install php7.2-fpm php7.2-common php7.2-mysql php7.2-gmp php7.2-curl php7.2-intl php7.2-mbstring php7.2-xmlrpc php7.2-gd php7.2-xml php7.2-cli php7.2-zip

After installing PHP 7.2, run the commands below to open the PHP default configuration file used with Nginx.

The lines below are good settings for most PHP-based CMSes. Update the configuration file with them and save.

Every time you make changes to the PHP configuration file, you should also restart the Nginx web server; note that php.ini is read by the php7.2-fpm service, so that service has to be restarted too for the change to take effect. To restart Nginx, run the commands below:

sudo systemctl restart nginx.service

Now that PHP is installed, to test whether it’s functioning, create a test file called phpinfo.php in the Nginx default root directory (/var/www/html/).


sudo nano /var/www/html/phpinfo.php

Then type the content below and save the file.

<?php phpinfo(); ?>

Next, open your browser and browse to the server’s hostname or IP address followed by /phpinfo.php

You should see the PHP default test page. Once you have confirmed that PHP works, delete the test file, since it publishes details of your server configuration to anyone who requests it.

Step 4: Create WordPress Database

Now that you’ve installed all the packages that are required for WordPress to function, continue below to start configuring the servers. First run the commands below to create a blank WordPress database.

To logon to MariaDB database server, run the commands below.

sudo mysql -u root -p

Then create a database called wpdatabase

CREATE DATABASE wpdatabase;

Create a database user called wpuser with a new password

CREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'new_password_here';

Then grant the user full access to that database only. The password was already set when the user was created, and the WordPress user does not need WITH GRANT OPTION.

GRANT ALL PRIVILEGES ON wpdatabase.* TO 'wpuser'@'localhost';

Finally, exit the MariaDB shell.

Step 5: Download WordPress Latest Release

To get WordPress latest release you will need to go to its official download page and get it from there… The link below is where to find WordPress latest archive versions…

Then run the commands below to set the correct permissions for WordPress root directory and give Nginx control….

Step 6: Configure Nginx

Next, configure the Nginx site configuration file for WordPress. This file controls how users access WordPress content. Run the commands below to create a new configuration file called example.com

sudo nano /etc/nginx/sites-available/example.com

Then copy and paste the content below into the file and save it. Replace the highlighted line with your own domain name and directory root location.

Save the file and exit.

At this point Nginx should be configured and ready to respond over HTTP… It doesn’t yet support HTTPS.

Step 7: Install and Configure Let’s Encrypt

Now that our Nginx site is enabled and ready to use, run the commands below to install and configure Let’s Encrypt to secure the Nginx website…

First install Certbot… Certbot is a fully featured and easy to use tool that can automate the tasks for obtaining and renewing Let’s Encrypt SSL certificates…

To install it, run the commands below:

sudo apt install certbot

After installing Certbot, create an Nginx snippet so that Let’s Encrypt’s webroot plugin can validate the domain by serving challenge files from the ${webroot-path}/.well-known/acme-challenge directory.

To do that, create the directory and give Nginx access to it.

Next, create a well-known snippet file with the configuration below.

sudo nano /etc/nginx/snippets/well-known

Then copy and paste the content below into the file and save…
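An added example of the snippet file, not the post’s own; it assumes the webroot /var/lib/letsencrypt/ that is passed to certbot with -w in the next step:

```nginx
# Added example of /etc/nginx/snippets/well-known, not the post's own file.
# Serves Let's Encrypt HTTP-01 challenge files from /var/lib/letsencrypt, the
# webroot passed to certbot with -w /var/lib/letsencrypt/ in the next step.
# The directory must exist and be readable by the nginx worker user (www-data).
location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/lib/letsencrypt/;
    default_type "text/plain";
    # Serve the token file only; anything else under this path is a 404.
    try_files $uri =404;
}
```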

Save the file and exit

Step 8: Obtain Your Free Certificate


At this point, your domain should be pointing to your server IP, the Nginx HTTP server should be installed and configured, and Certbot should be installed and ready to obtain your certificate.

Before requesting your free certificate, open your example.com Nginx configuration file created above….

sudo nano /etc/nginx/sites-available/example.com

When the file opens, add the highlighted line below into the file and save…

Save the file and exit

When you’re done, enable the site and restart Nginx HTTP server by running the commands below…

At this point all is set and you’re ready to obtain your certificate… To do that run the commands below:

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

Let’s Encrypt should connect, validate your domain and server, and issue the certificate, which Certbot saves under /etc/letsencrypt/live/example.com/. If everything is successful, you should see a message similar to the one below:

At this point you have a certificate, now go and add it to Nginx configuration for example.com domain…

First, let’s generate Diffie-Hellman (DH) parameters for the DHE key exchange. Note that this is a parameter file, not a certificate. To do that, run the commands below to generate 2048-bit parameters:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

Next, open your example.com config file and make it so that it looks similar to the one below:

sudo nano /etc/nginx/sites-available/example.com

Configure your file to look similar to the one below
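An added example of the finished example.com site file (not the post’s own file); it assumes WordPress was extracted to /var/www/html/wordpress, that PHP-FPM listens on /run/php/php7.2-fpm.sock, and that the well-known snippet from Step 7 exists:

```nginx
# Added example of the finished site file, not the post's own. Assumes WordPress is
# extracted to /var/www/html/wordpress and PHP-FPM listens on /run/php/php7.2-fpm.sock.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # ACME HTTP-01 challenges must stay reachable over plain HTTP for renewals.
    include snippets/well-known;
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;
    root /var/www/html/wordpress;
    index index.php index.html;

    # Certificate files written by certbot, DH parameters from the openssl step above.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;
    # TLSv1.2 only so the file loads on Ubuntu 16.04's nginx; add TLSv1.3 on newer builds.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    add_header Strict-Transport-Security "max-age=31536000" always;

    include snippets/well-known;

    # Deny dotfiles (.git, .htaccess, ...) except the ACME challenge path above.
    location ~ /\.(?!well-known) { deny all; }
    # Checklist item 9: no XML-RPC. The exact match wins over the regex below.
    location = /xmlrpc.php { return 444; }

    # Pretty permalinks: anything that is not a real file goes through index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}
```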

Save your changes above and restart Nginx for the settings above to take effect..

sudo systemctl restart nginx

To set up automatic renewal of the certificates, add a cron job that runs the renewal process.

sudo crontab -e

Then add the line below and save.

0 1 * * * /usr/bin/certbot renew --post-hook "systemctl reload nginx" > /dev/null 2>&1

The cron job runs daily and renews any certificate that is within 30 days of expiry; the post-hook reloads Nginx so it picks up the renewed certificate, which it would not do on its own.

Step 9: Complete WordPress Setup

Finally, open your browser and browse to the server domain name. You should see WordPress setup wizard to complete. Please follow the wizard carefully.

Then follow the on-screen instructions… Select the installation language then click Continue

You will need to know the following items before proceeding…. Use the database connection info you created above….


  • Database name
  • Database username
  • Database password
  • Database host
  • Table prefix (if you want to run more than one WordPress in a single database)

The wizard will use the database information to create a wp-config.php file in WordPress root folder….

If for any reason this automatic file creation doesn’t work, don’t worry… All this does is fill in the database information to a configuration file. You may also simply open wp-config-sample.php in a text editor, fill in your information, and save it as wp-config.php.

Next, type in the database connection info and click Submit

After that, click Run the installation button to have WordPress complete the setup…

Next, create the WordPress site name and the backend admin account…. then click Install WordPress

When you’re done, WordPress should be installed and ready to use…

Congratulation! You have successfully installed WordPress with Let’s Encrypt on Ubuntu 16.04 | 18.04….
