Warning

This article is in the process of being written by Tin.


Install PHP

Install the PHP Packages

Code Block
languagebash
sudo apt-get install php5

As of Ubuntu 12 (and maybe even earlier), the installer automatically restarts Apache2 for you.

Verify

Quickly verify that everything works by creating a PHP info file with your favourite editor,

...

Save the file and browse to it. You can use either the IP address or the valid domain name, for example http://173.194.75.94/info.php or http://www.dailyplanet.com/info.php, which should show the purple and grey PHP information screen. Delete the file once you have seen it: phpinfo() publishes the PHP version, loaded modules, file system paths and configuration values, which is exactly the reconnaissance an attacker wants.

Secure PHP

The security posture here is taken from an administrator's perspective, with shared hosting (several sites on one server) in mind.

Panel

To determine: does suPHP (http://www.suphp.org/Home.html) actually increase security? suPHP and LiteSpeed make the most sense for shared hosting.

This thread indicates that suPHP is slow because it makes PHP run as CGI; instead, one poster recommended using what is available with mod_php: http://serverfault.com/questions/279938/should-i-use-suphp-or-mod-php-for-shared-hosting. In the same thread another poster recommends http://mpm-itk.sesse.net/, which allows each vhost to run under its own uid and gid.

A great discussion on permissions, reaching the same conclusion I was coming to (use the www-data group): http://unix.stackexchange.com/questions/30879/what-user-should-apache-and-php-be-running-as-what-permissions-should-var-www

Probably the most complete, but also the most complex, solution is to use ACLs: http://serverfault.com/questions/339948/user-permissions-for-both-apache-and-local-user/357977

php.ini for WordPress

Edit php.ini so that PHP can only open files, and therefore only run scripts, within specific directories.

Code Block
languagebash
sudo vi /etc/php5/apache2/php.ini

Restrict the Execution of PHP to a Specific Folder

Search for the open_basedir line and modify it to include the directories set up for WordPress. Separate entries with colons and end each one with a slash: PHP matches entries as string prefixes, so /opt/wordpress would also admit /opt/wordpress-old, while /opt/wordpress/ does not.

...

Note

I'm considering a simpler directory approach with one top level folder for WordPress... does separating the directories actually provide more protection? Probably not.

Select Temporary Folder

Because open_basedir has been set, WordPress no longer has access to the system temporary folder it expects, which is required for certain operations (for example uploading plugins through the administrator web interface). Point upload_tmp_dir at a folder inside the open_basedir list instead.

...

Code Block
; Temporary directory for HTTP uploaded files (will use system default if not
; specified).
; http://php.net/upload-tmp-dir
upload_tmp_dir = /opt/wordpress/tmp

Make Changes Take Effect

Restart Apache for the changes to take effect,

...

You will now find that PHP scripts can only open files within the directories listed in php.ini; a script that reaches outside them fails with an "open_basedir restriction in effect" warning.
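The two settings above interact: a bare prefix in open_basedir is wider than it looks, and an upload_tmp_dir outside the list silently breaks plugin uploads. The following audit script is an added example, not part of the original article, that checks a php.ini for both mistakes before Apache is restarted. The paths /opt/wordpress and /opt/wordpress/tmp and the two sample php.ini fragments are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Bonsai Framework page): audit a php.ini for the
# open_basedir / upload_tmp_dir pairing. All paths below are assumptions.

# Print the effective value of a php.ini directive: comment lines start with ';'
# and, as in PHP, the last active assignment wins. Surrounding quotes are removed.
php_ini_get() {
  grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Return 0 if directory $1 lies inside one of the colon-separated entries in $2.
# PHP compares entries as string prefixes, so "/opt/wordpress" also admits
# "/opt/wordpress-old"; every entry is normalised to end in "/" so this is a
# genuine directory containment test, stricter than PHP's own match.
path_in_basedir() {
  old_ifs=$IFS; IFS=:
  for prefix in $2; do
    IFS=$old_ifs
    case $prefix in */) ;; *) prefix="$prefix/" ;; esac
    case "$1/" in "$prefix"*) return 0 ;; esac
  done
  IFS=$old_ifs
  return 1
}

# Print one line per finding for php.ini $1; return 0 only when there are none.
audit_php_ini() {
  problems=0
  basedir=$(php_ini_get "$1" open_basedir)
  tmpdir=$(php_ini_get "$1" upload_tmp_dir)
  if [ -z "$basedir" ]; then
    echo "open_basedir is unset: PHP may open any file the web server user can read"
    problems=$((problems + 1))
  fi
  old_ifs=$IFS; IFS=:
  for entry in $basedir; do
    IFS=$old_ifs
    case $entry in
      */) ;;
      *) echo "open_basedir entry '$entry' has no trailing slash: it is a prefix and also admits '${entry}-old'"
         problems=$((problems + 1)) ;;
    esac
  done
  IFS=$old_ifs
  if [ -n "$basedir" ]; then
    if [ -z "$tmpdir" ]; then
      echo "upload_tmp_dir is unset: uploads go to the system temp dir, which open_basedir now blocks"
      problems=$((problems + 1))
    elif ! path_in_basedir "$tmpdir" "$basedir"; then
      echo "upload_tmp_dir '$tmpdir' is outside open_basedir: plugin uploads will fail"
      problems=$((problems + 1))
    fi
  fi
  [ "$problems" -eq 0 ]
}

# Constructed php.ini fragments: the weak form, then the corrected one.
write_weak_ini() { cat >"$1" <<'EOF'
; open_basedir left as a bare prefix and uploads still pointed at /tmp
open_basedir = /opt/wordpress
upload_tmp_dir = /tmp
EOF
}
write_hardened_ini() { cat >"$1" <<'EOF'
open_basedir = /opt/wordpress/
upload_tmp_dir = /opt/wordpress/tmp
EOF
}

weak=$(mktemp); hardened=$(mktemp)
write_weak_ini "$weak"; write_hardened_ini "$hardened"
echo "== weak =="; audit_php_ini "$weak" || echo "-> fix before restarting Apache"
echo "== hardened =="; audit_php_ini "$hardened" && echo "no findings"
rm -f "$weak" "$hardened"
```

Run it against the real file with `audit_php_ini /etc/php5/apache2/php.ini` after sourcing the script; the weak fragment produces two findings, the hardened one none.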

Install MySQL

Code Block
languagebash
sudo apt-get install mysql-server 

For the root database password, use the standard password algorithm based on the server name. Note that a password derivable from a public server name is only as secret as the algorithm; a randomly generated password kept in a password safe is stronger.

Connect PHP to MySQL

Install the necessary libraries so that PHP will be able to connect to MySQL.

Code Block
languagebash
sudo apt-get install php5-mysql 

Configure MySQL

Secure MySQL

As a staff user, run the Secure Installation script (mysql_secure_installation) included with MySQL,

...

For now that's it for securing MySQL. Also confirm that MySQL listens only on localhost (bind-address = 127.0.0.1 in my.cnf, the Ubuntu default), since WordPress connects locally and nothing else needs the port.

Connect

Connect into MySQL,

Code Block
languagebash
mysql -u root -p 

...

The remainder of this section happens inside of the mysql shell.

Create the WordPress Database and Accounts in MySQL

Enter the following MySQL commands,

...

Tip

Database admins will not like granting ALL privileges. After the initial setup is done, we will restrict the account to the minimal privileges it needs.

Exit MySQL Shell

Exit the MySQL shell,

Code Block
languagesql
EXIT

Setup WordPress

WordPress is incredibly easy to set up, and there are many shorter tutorials than this one.

...

Warning

WordPress out of the box can be broken into very quickly. In fact, I personally go so far as to keep the Ubuntu firewall up with ports 80 and 443 closed until WordPress is completely hardened. For the setup steps that require a browser, I use SSH tunnelling to reach port 80 securely. A write-up on SSH tunnelling should be added to the Bonsai Framework and linked or included here.

Install WordPress

Using a staff account, download and install WordPress,

Code Block
languagebash
cd /opt/www.dailyplanet.com/www/
wget https://wordpress.org/latest.tar.gz        # fetch over TLS rather than plain HTTP
wget https://wordpress.org/latest.tar.gz.sha1   # digest published alongside the archive
[ "$(sha1sum latest.tar.gz | cut -d' ' -f1)" = "$(cat latest.tar.gz.sha1)" ] || echo "CHECKSUM MISMATCH - do not extract"
tar -xvpf latest.tar.gz
mv ./wordpress/ ./blog/ # We do not need to make the technology obvious (cosmetic only: wp-admin/ and wp-login.php still identify WordPress).
chmod -R o-rwx ./blog/  # Nothing for "other"; Apache gets read access through the www-data group.

Setup File Permissions

There is no need to set up file permissions if you have followed the Bonsai Framework Apache Virtual Hosting with ACLs article: extracting the tar inside the directories already set up with ACLs results in the permissions being inherited.

...

... still being worked on...

Configure WordPress

Create Config File for Database Access

Launch a browser and open the WordPress setup page for your machine at http://dailyplanet.com/blog/wp-admin/install.php; you will be prompted to create a configuration file.

...

Once you have saved the file, go back to your browser and click "Run the install".

Enter Site Information

Finally enter the site information,

...

Click "Install WordPress", which should result in a success screen. At this point the setup is done. Do not click "Log In" yet.

Customize WordPress

At this point WordPress is already working. There are two URLs to take note of,

...

If you still have the Install WordPress success screen up, clicking "Log In" takes you to the WordPress administration URL; otherwise use the URL in the table above.

Minimal Security - Block Login Attacks

Plugin: Google Authenticator

Description: The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.

If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on your Gmail or Google Apps account.

The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.

If you need to maintain your blog using an Android/iPhone app, or any other software using the XMLRPC interface, you can enable the App password feature in this plugin, but please note that enabling the App password feature will make your blog less secure.

Review: Very good plugin.

The tricky part is making sure time is synced with the same time servers across the phone and the server. For example, my iPhone was off by 2 minutes because it was set manually to Toronto.

The best thing to do is turn on the 4-minute drift allowance.

Plugin: Duo Two-Factor Authentication

Description: This plugin enables Duo Security's two-factor authentication for WordPress logins.

Duo provides simple two-factor authentication as a service via:

  • Phone callback
  • SMS-delivered one-time passcodes
  • Duo mobile app to generate one-time passcodes
  • Duo mobile app for smartphone push authentication
  • Duo hardware token to generate one-time passcodes

This plugin allows a WordPress administrator to quickly add strong two-factor authentication to any WordPress instance without setting up user accounts, directory synchronization, servers, or hardware.

Review: Free signup, but it looks like only 1000 transactions for the life of the account.

Looks very professional.

Plugin: BAW More Secure Login

Description: Grid cards.

Plugin: Login Security Solution

Review: The most useful feature I find, when used with Google Authenticator, is that it blocks a user for a number of minutes, progressively longer as more attempts are made. It also blocks by cookie and IP.

Should have a link to how to SSH in and disable plugins if they misbehave. (Renaming a plugin's directory under wp-content/plugins deactivates it, which is the fallback when a login plugin locks you out of the admin interface.)

Set Up Users

The default user created is an administrator and has more privileges than day-to-day work needs. The very first step is to create users with the specific roles WordPress provides. The roles are outlined below, from most privileges to least.

...

Warning

Past this point is not yet organized or complete.

Lock Down WordPress

Because of its deployment model (PHP running as the web server user, and updates that expect the web server to be able to write its own code tree), WordPress is harder to lock down than typical enterprise applications.

...

Warning

WordPress updates through the built-in admin interface will fail unless the restrictions are relaxed. With this security approach, privileges must be granted temporarily as part of the upgrade process and removed again afterwards.

Restrict WordPress Database Account

As part of good application security, the WordPress database account should be granted only the privileges it needs; what it currently holds can be listed with SHOW GRANTS.

...

Code Block
languagesql
SHOW GRANTS FOR 'wpdailyplanetuser'@'localhost';
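The tip in the database setup section promised to come back and tighten the ALL privileges grant; the SHOW GRANTS output above is where to check that it happened. The script below is an added example, not part of the original article, that reads SHOW GRANTS rows (pasted or piped from `mysql -N -e`) and flags anything beyond the minimal runtime set. The database name `wpdailyplanet`, the allowed privilege list (SELECT, INSERT, UPDATE, DELETE, with schema-changing privileges granted only during upgrades) and the before/after sample rows are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): check SHOW GRANTS output for a WordPress
# database account against a minimal privilege set. The database name and the
# sample rows are assumptions made for this example.

# Privileges the runtime account may hold (assumption for this example).
# CREATE, ALTER, DROP and INDEX are granted only while upgrading, then revoked.
WP_ALLOWED_PRIVS="SELECT INSERT UPDATE DELETE"

# Read SHOW GRANTS rows on stdin; $1 is the only database the account should
# touch. Print one finding per line and return 0 only when there are none.
check_grants() {
  db=$1; findings=0
  while IFS= read -r line; do
    case $line in GRANT\ *) ;; *) continue ;; esac
    privs=$(printf '%s\n' "$line" | sed 's/^GRANT \(.*\) ON .*$/\1/')
    scope=$(printf '%s\n' "$line" | sed 's/^GRANT .* ON \(.*\) TO .*$/\1/')
    case $line in *"WITH GRANT OPTION"*)
      echo "GRANT OPTION on $scope: the account can hand its privileges to others"
      findings=$((findings + 1)) ;;
    esac
    case $scope in
      "\`$db\`.*"|"$db.*") ;;                        # the WordPress database itself
      "*.*") if [ "$privs" != USAGE ]; then          # USAGE on *.* is the empty baseline row
               echo "global grant of '$privs' on *.*"; findings=$((findings + 1))
             fi ;;
      *) echo "grant on unexpected scope $scope"; findings=$((findings + 1)) ;;
    esac
    old_ifs=$IFS; IFS=,
    for p in $privs; do
      IFS=$old_ifs
      p=$(printf '%s' "$p" | sed 's/^ *//; s/ *$//')
      case " USAGE $WP_ALLOWED_PRIVS " in
        *" $p "*) ;;
        *) echo "privilege '$p' on $scope exceeds the minimal set"; findings=$((findings + 1)) ;;
      esac
    done
    IFS=$old_ifs
  done
  [ "$findings" -eq 0 ]
}

# Constructed SHOW GRANTS output, before and after restricting the account.
sample_grants_before() { cat <<'EOF'
GRANT USAGE ON *.* TO 'wpdailyplanetuser'@'localhost'
GRANT ALL PRIVILEGES ON `wpdailyplanet`.* TO 'wpdailyplanetuser'@'localhost'
EOF
}
sample_grants_after() { cat <<'EOF'
GRANT USAGE ON *.* TO 'wpdailyplanetuser'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE ON `wpdailyplanet`.* TO 'wpdailyplanetuser'@'localhost'
EOF
}

echo "== before =="; sample_grants_before | check_grants wpdailyplanet || echo "-> restrict with REVOKE/GRANT"
echo "== after ==";  sample_grants_after  | check_grants wpdailyplanet && echo "minimal privileges only"
```

The check treats the `USAGE ON *.*` row as the harmless baseline MySQL always prints, and treats any other global grant, any grant on another database, and WITH GRANT OPTION as findings regardless of the privilege names.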

File Permissions

Warning

I need to work out what folders explicitly need permissions to perform uploads and plugin updates. Still to finalize placement of this section.

...

Info

Covered in the Ubuntu WordPress guide: for automatic updates to occur, the folder and all its files and sub-folders must be owned by www-data with write access. I'm not sure we will take this approach; I think I'd rather update manually.
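Whichever way the update question is settled, the tree should be checked after every extraction and upgrade: the `chmod -R o-rwx` from the install step is undone by any archive that carries its own modes, and with the www-data group model a group-writable file is a file the web server can rewrite. The script below is an added example, not from the original article or from WordPress, that walks a tree and reports entries readable by "other" or group-writable outside an allow-list of upload directories. The sample layout and the allow-list (`wp-content/uploads`) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page): audit a WordPress tree for the group-based
# permission model (code owned by the staff user, readable by the www-data group,
# nothing for "other"). The sample layout and allow-list are assumptions.

# Return 0 if relative path $1 equals or lies under one of the space-separated
# directories in $2.
in_allowlist() {
  for a in $2; do
    case $1 in "$a"|"$a"/*) return 0 ;; esac
  done
  return 1
}

# Walk tree $1 and print one finding per entry that either grants anything to
# "other" (chmod -R o-rwx undone) or is group-writable, i.e. writable by the web
# server, outside the allow-list $2. Return 0 only when there are no findings.
# Mode strings come from ls -ld, which is portable; names containing newlines
# are not handled.
audit_tree() {
  root=$1; allow=$2; findings=0
  entries=$(find "$root")
  old_ifs=$IFS; IFS='
'
  for f in $entries; do
    IFS=$old_ifs
    [ "$f" = "$root" ] && continue
    rel=${f#"$root"/}
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
      ???????---) ;;
      *) echo "world-accessible ($mode): $rel"; findings=$((findings + 1)) ;;
    esac
    case $mode in
      ?????w????) if ! in_allowlist "$rel" "$allow"; then
                    echo "group-writable ($mode) outside allow-list: $rel"; findings=$((findings + 1))
                  fi ;;
    esac
  done
  IFS=$old_ifs
  [ "$findings" -eq 0 ]
}

# Constructed tree in the page's layout: code files, wp-config.php, uploads.
make_sample_tree() {
  mkdir -p "$1/wp-content/uploads" "$1/wp-includes"
  : >"$1/wp-config.php";        chmod 640 "$1/wp-config.php"
  : >"$1/index.php";            chmod 644 "$1/index.php"            # "other" can read
  : >"$1/wp-includes/load.php"; chmod 660 "$1/wp-includes/load.php" # web server can rewrite code
  chmod 750 "$1/wp-content" "$1/wp-includes"
  chmod 770 "$1/wp-content/uploads"                                  # the one place writes belong
}

root=$(mktemp -d)
make_sample_tree "$root"
echo "== as extracted =="
audit_tree "$root" "wp-content/uploads" || echo "-> chmod -R o-rwx and remove group write from code"
chmod 640 "$root/index.php" "$root/wp-includes/load.php"
echo "== after fixing =="
audit_tree "$root" "wp-content/uploads" && echo "no findings"
rm -rf "$root"
```

Against a real install run `audit_tree /opt/www.dailyplanet.com/www/blog "wp-content/uploads"`; during a manual upgrade the directories you temporarily open up will show as findings until you close them again.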

...

Writing Next Topics

  • Repeat for the second instance.

FAQ

Why do some PHP5 installation guides say to install libapache2-mod-php5?

...

Nothing that I can see. It just looks like php5 is an overarching package name.

References

Setup

Ubuntu Server Documentation: https://help.ubuntu.com/12.04/serverguide/php5.html

Security

Has some OK details around suPHP: https://help.ubuntu.com/community/ApacheMySQLPHP#Installing_MYSQL_with_PHP_5

...