Securing Wordpress on Lightsail: Hardening Wordpress
A Wordpress instance on Lightsail has a basic security posture. However, we can harden Wordpress and make it more efficient.
- Wordpress runs in the Apache web server. This means that securing a Lightsail Wordpress server requires configuring both Apache and Wordpress. The Apache configuration file is `wordpress-vhost.conf` in the `/opt/bitnami/apache/conf/vhosts` directory. Let's examine this file first; open it with an editor of your choice.
```apache
<VirtualHost 127.0.0.1:80 _default_:80>
  ServerName www.example.com
  ServerAlias *
  DocumentRoot /opt/bitnami/wordpress
  <Directory "/opt/bitnami/wordpress">
    Options -Indexes +FollowSymLinks -MultiViews
    AllowOverride None
    Require all granted
```
The excerpt above is the beginning of the `wordpress-vhost.conf` file. Note that the directory is set to `/opt/bitnami/wordpress`, and the directives inside the `<Directory>` section apply to that directory. The line `Options -Indexes +FollowSymLinks -MultiViews` configures Apache to disable directory listing with the `-Indexes` option in the `/opt/bitnami/wordpress` directory. Adding `.htaccess` files to disable directory listing is not needed.

```apache
AllowOverride None
```

Change this line to:

```apache
AllowOverride All
```

Also in the `wordpress-vhost.conf` file is the following line.

```apache
Include "/opt/bitnami/apache/conf/vhosts/htaccess/wordpress-htaccess.conf"
```

When Apache reads the `wordpress-vhost.conf` file, it also reads this file. Because we set `AllowOverride All`, Apache will use the `.htaccess` directives set in the `wordpress-htaccess.conf` file. The `wordpress-vhost.conf` file contains all the configuration directives for Wordpress, making it easier to maintain. The default file will look similar to this, with directives for the akismet anti-spam plugin. Add the security headers below after the akismet configuration.
```apache
<Directory "/opt/bitnami/wordpress/wp-content/plugins/akismet">
  # Only allow direct access to specific Web-available files.
  ...
</Directory>
<Directory "/opt/bitnami/wordpress">
  <IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-DNS-Prefetch-Control "on"
    Header set X-Content-Type-Options nosniff
    Header set Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()"
    Header set Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';"
    Header set Referrer-Policy "same-origin"
  </IfModule>
</Directory>
```
- Strict-Transport-Security allows access only through HTTPS; HTTP requests are converted to HTTPS.
- X-XSS-Protection "1; mode=block" response header is a feature in modern web browsers that blocks pages from loading when they detect cross-site scripting (XSS) attacks.
- X-Frame-Options "SAMEORIGIN" prevents the loading of your content in a frame, iframe, embed, or object on another website. Clickjacking is an attack that uses iframes to trick a user into clicking on a link that sends them to another page with malicious code.
- X-DNS-Prefetch-Control "on" resolves the URL of documents and images and fetches the content to reduce latency when a user clicks on a link. Not all browsers support this directive, but it can decrease load time for Chrome and Edge browsers.
- X-Content-Type-Options nosniff blocks a style request when the MIME type is not text/css, and blocks a script request when the MIME type is not a JavaScript MIME type.
- Permissions-Policy controls which browser features a document can access. Features such as cameras or microphones are disabled when the allowlist, i.e., `()`, is empty.
- Content-Security-Policy treats HTTP URLs as if they were HTTPS URLs and specifies which resources can be loaded, such as JavaScript, WebSocket and HTML requests, images, and style sheets.
- Referrer-Policy "same-origin" controls how a script or document from one origin can load a resource from another origin. Same-origin means that the protocol, host, and port are all the same. For example, `https://example.com/index.html` is the same origin as `https://example.com/images/image.png`.
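Once the headers are in place, confirm that the server really sends them. The script below is an added example and is not part of the original post or the Bitnami stack: it checks a captured response header block for the hardening headers configured above (the hostname and file name are placeholders, and the sample response is constructed).

```shell
#!/bin/sh
# Added example, not from the original post: verify that a server actually
# returns the security headers configured in wordpress-htaccess.conf above.
# Capture headers first (hostname is a placeholder):
#   curl -sI https://www.example.com/ > headers.txt
# then run: check_security_headers headers.txt

# Prints each expected header that is missing or weak; returns 1 if any is.
check_security_headers() {
    file="$1"
    missing=0
    # X-XSS-Protection and X-DNS-Prefetch-Control from the post are left out:
    # the first is deprecated and the second is a performance hint.
    for h in Strict-Transport-Security X-Frame-Options X-Content-Type-Options \
             Permissions-Policy Content-Security-Policy Referrer-Policy; do
        # Header names are case-insensitive, so match them with -i.
        if ! grep -iq "^$h:" "$file"; then
            echo "MISSING: $h"
            missing=1
        fi
    done
    # HSTS only protects if max-age is long; the post uses one year (31536000).
    if grep -iq "^Strict-Transport-Security:" "$file"; then
        age=$(grep -i "^Strict-Transport-Security:" "$file" |
              sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
        if [ "${age:-0}" -lt 31536000 ]; then
            echo "WEAK: Strict-Transport-Security max-age=${age:-0} (< 31536000)"
            missing=1
        fi
    fi
    return $missing
}

# Constructed sample (not a real capture): a server that set only some headers.
sample=$(mktemp)
printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' \
    'Strict-Transport-Security: max-age=300' \
    'X-Content-Type-Options: nosniff' \
    'Referrer-Policy: same-origin' > "$sample"
check_security_headers "$sample" || echo "sample response fails the check"
```

A policy as strict as `default-src 'none'; script-src 'self'` also blocks the inline scripts and styles WordPress itself emits, so watch the browser console (or ship it as `Content-Security-Policy-Report-Only` first) before enforcing it.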
Two files (`bitnami_application_password` and `bitnami_credentials`) let you log into the Wordpress `/wp-login` page as an administrator.
```console
$ ls
bitnami_application_password bitnami_credentials htdocs stack
$ cat bitnami_application_password
Sup3r.S3cr3t-PassW0rd
$ cat bitnami_credentials
Welcome to the WordPress packaged by Bitnami
******************************************************************************
The default username and password is 'user' and 'Sup3r.S3cr3t-PassW0rd'.
******************************************************************************
You can also use this password to access the databases and any other component the stack includes.
Please refer to https://docs.bitnami.com/ for more details.
```
Delete these files.

```console
$ rm bitnami*
```
Log in at `http://<your-ip-address>/wp-login.php`. You can find the IP address in the Lightsail console for the server. Set the Role to Administrator, and choose Add New User. To delete the default `user` account, we need to log out of the account and sign in with the new administrator account. We want to delete the default `user` account because it's the default account. It's not uncommon to keep the default `user` account and change the password to a weaker but easier to remember password. To delete the default account, choose the user account in the Users panel, select Delete, and choose Apply. The new account has the Administrator role.
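The same account change can be scripted from the instance instead of the Users panel. The script below is an added example, not part of the original post: it assumes WP-CLI at Bitnami's usual path `/opt/bitnami/wp-cli/bin/wp`, runs on the Lightsail instance as the `bitnami` user, and treats the new login, e-mail and password as placeholders. Deleting the default `user` reassigns its posts to the new administrator rather than removing them.

```shell
#!/bin/sh
# Added example, not from the original post. Replaces the default Bitnami
# 'user' administrator with a new one using WP-CLI. Assumptions: WP-CLI lives at
# /opt/bitnami/wp-cli/bin/wp (Bitnami's usual location) and this runs on the
# Lightsail instance as the bitnami user.

# replace_default_admin NEW_LOGIN NEW_EMAIL [WP_COMMAND] [PASSWORD]
# Creates NEW_LOGIN as an administrator, then deletes the default 'user'
# account, reassigning its content to the new account. Prints the new password
# when one was generated. Returns non-zero if either WP-CLI step fails.
replace_default_admin() {
    new_login="$1"
    new_email="$2"
    wp="${3:-/opt/bitnami/wp-cli/bin/wp}"
    # Use the supplied password, or generate a random one (24 base64 chars).
    new_pass="${4:-$(openssl rand -base64 18)}"

    # --porcelain makes 'wp user create' print only the new user's ID.
    new_id=$("$wp" user create "$new_login" "$new_email" \
        --role=administrator --user_pass="$new_pass" --porcelain) || {
        echo "failed to create $new_login" >&2
        return 1
    }
    # The UI makes you log out of 'user' first; on the CLI we only need to
    # reassign its content, otherwise WordPress deletes its posts with it.
    "$wp" user delete user --reassign="$new_id" --yes || {
        echo "failed to delete default 'user'; $new_login (ID $new_id) was created" >&2
        return 1
    }
    echo "created administrator $new_login (ID $new_id); default 'user' removed"
    [ -n "$4" ] || echo "generated password: $new_pass"
}

# Run directly:  sh replace-admin.sh alice admin@example.com
if [ $# -ge 2 ]; then
    replace_default_admin "$@"
fi
```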
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.