NGINX + WordPress: block debug.log and other sensitive files

If your WordPress site is being served by an NGINX web server there are a couple of configuration directives you will want to add to your server configuration. If you are uncertain about how to do this, consult your hosting provider and they can help you.

WordPress Core: debug.log

WordPress has a debug feature that logs PHP errors to ‘/wp-content/debug.log’. You don’t want anyone unauthorized to see this file, because it can give them information they can use to attack your website. To prevent access to it, add the following location directive to your NGINX configuration:

# Deny every request whose path matches debug.log (NGINX answers 403).
# Regex locations are tried in file order, so place this before any other
# regex location (for example a static-file caching block) that could match first.
location ~ /wp-content/debug\.log { deny all; }

WordFence Security Plugin: .user.ini

Wordfence uses a configuration file called .user.ini which is placed in the root folder of your website. This file contains the full path of your website’s files, which is semi-sensitive information. To block access to this file, add the following location directive to your NGINX configuration:

# Exact-match location for the .user.ini file in the site root; deny answers 403.
location = /.user.ini { deny all; }

Securing Your Site with WP-Bruiser

What is WP-Bruiser?

WP-Bruiser, formerly known as “Goodbye Captcha”, is a free plugin for WordPress which blocks bot spam in your comment forms. It also has some paid extensions which integrate with various popular contact forms and other add-ons to block bot spam in those as well. It does this using a clever token system which bots cannot defeat. This eliminates the need to annoy your users with a “Captcha” and presents a more professional web experience to your visitors. WP-Bruiser also includes some security features, and those are what we are going to focus on today.

Installing WP-Bruiser

From your WordPress dashboard go to Plugins -> Add New and search for WP-Bruiser. You’ll find it in the standard WordPress plugin repository, where you can install and activate it. The WP-Bruiser settings page has several tabs at the top of the screen. The first tab, labeled simply “Settings”, is not strictly security related.

Security Tab

This tab offers a number of useful security features. At the top you can see the Brute Force settings. For maximum security you should enable all of these. If you want your website to be accessible from anonymous Tor nodes then leave the Anonymous Proxy IPs option unchecked, but be warned that a lot of attacks come through the Tor network.

Next you’ll see ‘White Listed IPs’, where you can provide some IP addresses which should never be blocked from the website. This section helpfully tells you your own IP in case you want to add it, but be aware that your IP might change and if it does you’ll want to update this section.

Following that is ‘Black Listed IPs’ which is where you can manually enter IP addresses you would like to ‘ban’ from accessing your site.

WordPress Tab

I recommend enabling all of the options in the WordPress Standard Forms Settings box, the first one you see. This will extend WP-Bruiser to prevent bots from registering accounts, as well as preventing certain kinds of scripted bot behaviors. Chances are you don’t want bots doing anything on your website.

The next section is ‘Tweaking WordPress’. You should enable Hide WordPress Version. Nobody needs to know what version of WordPress you’re using, and hackers will use that information to find vulnerabilities in your site. Next you should enable Remove RSD Header and Remove WLW Header if you don’t explicitly require them. If you aren’t making use of XML-RPC, and most people aren’t, then you should enable both of those options as well.

The next few tabs are specific to various extensions and outside the scope of this tutorial. If you are using any of those plugins I recommend paying for the license to integrate WP-Bruiser’s features with them. I personally use the Contact Form 7 extension on many websites and it has completely eliminated contact form spam.

Notifications Tab

This is a very handy feature. You should configure your E-mail address in the field provided and enable both checkboxes. This will notify you any time an administrator logs into your website, which can inform you if someone has compromised your website. If you operate a site with many people, have everyone use ‘Editor’ level accounts or lower for day to day tasks.

That’s it! WP-Bruiser is a very lightweight plugin and still provides a lot of additional security to a WordPress site, as well as eliminating 100% of bot submissions in your comment and contact forms.

Vendor Recommendations

We know it can be difficult for many people to navigate the technology marketplace, especially if technology is not your expertise. So we have compiled a list of vendors that we can personally vouch for. Some of these links will be “Affiliate” links which means we’ll get a little credit if you sign up using our link. Those links will be marked for the purpose of full disclosure.

You can rest assured that we would never recommend a service which we would be unwilling to use ourselves.

Domain Registration

For domain names we recommend Namesilo.com, they offer very low prices, free WHOIS privacy (you have to opt in during checkout, but it is free), and a pretty feature-packed and easy to use account control panel.

Computer Hardware

We recommend Newegg.com for purchasing computers and computer parts. We have been using them for more than 10 years and they often have the best prices, their shipping and checkout process is consistent and high quality, and their customer reviews and “Editor’s Choice” programs are excellent guides to making the best choices.

Unmanaged Hosting

For managed hosting, nobody offers better service or value than Pride Tech Design, but if you prefer to handle your own system administration you can save some money by choosing Unmanaged Hosting. The best choice for Unmanaged Hosting is Digital Ocean. They offer low prices, high quality service and expertly maintained infrastructure. Just be warned, they do not offer any OS level support at all, so if you are not experienced in Linux System Administration you should use our Managed Hosting instead.

Search Engine Optimization (SEO)

Your Austin SEO Company understands that when your business phone rings more, your business will make more money. That’s what they do. Their campaigns create increased visibility for your business through Google Maps rankings throughout your city and they convert that visibility into phone calls and leads through a well-honed review management and reputation marketing system. Call them today if you want to be the go-to for what you do – (512) 853-9484 today, tell them that Pride Tech Design sent you.

Curious about a vendor?

If you’re considering hiring a vendor and you are uncertain if you can trust them, send us an E-mail at info@pridetechdesign.com. One of our expert staff will be happy to perform a brief investigation of that provider and let you know if they should be avoided. We’ll perform this service free of charge.

Securing WordPress

Preface

WordPress is the most popular and possibly best software for operating a modern website. The built in tools that it provides for free are extremely valuable for any web project. WordPress is built on top of PHP which is a “Server Side” programming language. That means when WordPress performs computational tasks it is performing them on the server, rather than in the visitor’s browser. This presents significant security risks, because hackers can exploit vulnerabilities in WordPress to take over the server, which they can then add to their botnets to perform DDoS for Hire attacks, or to act as Crypto-Miners, or to grow their BotNet by infecting the machines of your visitors.

Many people have the mistaken belief that if they are a small organization such as a new business or a non-profit, that they don’t have to worry about hackers. In fact, most hackers don’t care who you are. Every website is a target, and every website connected to the internet is being scanned and attacked on a daily basis by dozens of hackers. Hacking computers has become a global organized crime racket, and your website is a target.

Essentials

Backups

The most important part of this process, while not necessarily directly related to security, is backups. Backups will not protect your website from attacks, and if your backup system is insecure they may actually increase your risk of compromise. What backups will do is significantly reduce your cost of recovery from an attack. Even the strongest and most comprehensive security policies sometimes fail to prevent attacks, and so backups are the most important piece of the puzzle.

Updates

The second most critical aspect of improving WordPress security is to keep your core WordPress software and all of your plugins updated every day. This might seem like a hassle, but malware programmers move quickly when they learn of new exploits. In very rare cases you might have issues due to upgrading your plugins but that is easy to recover from because you have backups, right?

We published a short guide on Updates and Backups that you can refer to for more detailed instructions. Click Here to Read More.

Responsible Plugin Management

Because the majority of attacks happen through vulnerable plugins you need to ensure that you are only using plugins which are being actively developed. They should be listed as compatible with the most recent version of WordPress, and if they require a license to keep them updated then you should have an active license. Deactivate or delete old plugins that you aren’t using anymore, or that you can’t update anymore.

Strong Passwords

Odds are your passwords are not good enough. In my 20 year career I’ve worked with a lot of people and most of you have weak passwords. For your WordPress administrator account your password should be a minimum of 64 random characters. Some mathematicians will tell you that is overkill, and they would be right, but in a few years it won’t be, so unless you want to frequently change your password as computers get more powerful, start at overkill.

Your Password needs to be completely unique. You should not re-use the same password anywhere.

In this day and age a password manager is an essential tool for managing passwords. You should be using a password manager; we recommend KeePass or one of its cross-platform variations. We discourage the use of “Online” password managers because they are honey pots for hackers and there have been a quarter dozen compromises in recent years alone. I published a comprehensive guide on strong password habits which you can read at https://strongpass.us.

Custom Administrator Username

As long as you are using only very strong passwords, this tip is a minor one. In order to reduce the success chance of brute force attacks, your administrator accounts should never be named “Administrator” or “Webmaster” or “Admin” or anything similarly obvious. We want to emphasize that strong passwords are more important than custom usernames, and must come first.

Filesystem Security

This subject is a bit advanced for most users but it remains an essential piece of a comprehensive security plan. You have to ensure your website files have the appropriate security settings. Your wp-config.php file should not be readable by anyone other than your web server. It only needs to be accessed by your web server, and that is the only ‘user’ who should have access to it. If you create backups of this file, ensure that they are equally secure.

An especially strong permission guideline for other files in your website directory tree is to set ‘660’ for files and ‘770’ for directories. This allows the owner and group-members to access them, but nobody else. You may need to add your user account to the group to access files with these permissions. If setting file permissions is too advanced for you, please E-mail us at support@pridetechdesign.com and we would love to help you.
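The following script is an added example, not part of the original article, that applies the guideline above to a WordPress tree: ‘770’ on directories, ‘660’ on files, and ‘600’ on wp-config.php and any copies of it. It assumes a Linux host with GNU find and coreutils, and that the files are owned by the web server account (or an account whose group the web server belongs to); the function names harden_wp_perms and check_wp_perms are the example’s own.

```shell
#!/bin/sh
# Added example: apply the article's permission guideline to a WordPress tree.
#   directories   -> 770  (owner and group only)
#   regular files -> 660  (owner and group only)
#   wp-config.php -> 600  (owner only; assumed to be the web server account)
# Usage: harden_wp_perms /path/to/wordpress
harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Directories: owner and group may list, traverse and write; others get nothing.
    find "$root" -type d -exec chmod 770 {} +
    # Regular files: owner and group may read and write; others get nothing.
    find "$root" -type f -exec chmod 660 {} +
    # wp-config.php holds database credentials and salts, so only its owner
    # may read it. Stray copies such as wp-config.php.bak get the same treatment,
    # since the article warns that backups of this file must be equally secure.
    find "$root" -type f -name 'wp-config.php*' -exec chmod 600 {} +
}

# Report anything in the tree that is still accessible to "other" users.
# Prints the offending paths and returns 1; prints nothing and returns 0 when clean.
# (-perm /mode is GNU find syntax, assumed here.)
check_wp_perms() {
    root="$1"
    leaks=$(find "$root" -perm /o=rwx)
    [ -z "$leaks" ] || { printf '%s\n' "$leaks"; return 1; }
}
```

Run check_wp_perms against the site root after hardening; a non-empty listing means a file or directory is still world-readable and needs attention.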

Optional Advanced Techniques

These techniques are more advanced but they will help you to keep your website secure. If you would like help to implement these techniques please E-mail us at support@pridetechdesign.com.

Password Hashing

Passwords stored in the WordPress database are hashed so even if someone gains access to your database, they will have a difficult time cracking the passwords stored within. There is a free plugin available which can significantly increase the strength of the hashing technique. You can download the bCrypt Hashing plugin at This Github Page.

WP-Fail2Ban

Fail2Ban is a popular security program which runs on your server and monitors server logs for suspicious activity. When it sees evidence of hackers, it automatically bans their IP address. There is a free plugin that allows Fail2Ban to monitor WordPress activity. You can find the plugin By Clicking Here. This method requires that your server have Fail2Ban installed, and if you’re using a low-quality host they might not offer Fail2Ban support. If that’s the case you should consider switching hosting providers. Pride Tech Design offers high quality hosting with an emphasis on security, including Fail2Ban support.

WP-Bruiser

The free plugin WP-Bruiser offers a number of ways to improve the security of your WordPress website. Its primary task is to block bots from submitting account registrations, logins, and comments. It does this without using any “Captchas”, which improves the user experience for your real visitors. WP-Bruiser has a 100% success rate blocking bots, so it’s actually more reliable than any existing Captcha system. When you are configuring the plugin you’ll notice it includes a number of basic security features as well, making it a great lightweight choice to improve the security of your website.

Directory Indexing

Directory Indexing is what allows a visitor to see a list of files contained in a directory when there is no index.html or index.php file in that directory. Generally this is considered a security risk as you do not want to allow random visitors to browse the file structure of your website.

This is an item that only affects misconfigured Apache based servers. Unfortunately many low quality hosting providers, some of whom are often listed as “Top 10” brand names, operate misconfigured Apache servers with Directory Indexing enabled by default. In these situations you can use .htaccess files to disable indexing.

Security Suites

There are a number of well known security plugins for WordPress. They include a ton of features, however we consider them the least important method of improving your security. Many of these plugins only support Apache based websites; their firewall features simply won’t work on Nginx based websites. That will hopefully change in time, but for now it’s an important fact. Many of their features are extreme and won’t really improve your website security, such as changing the login URL, and they can sometimes break your website. If you want to use one of these plugins, you should consult with a professional to configure them for your specific needs. You can E-mail us at support@pridetechdesign.com for help with configuring a security suite on your website.

Conclusion

You can see there are a lot of steps you can take to improve the security of your website. A well-secured WordPress site is extremely difficult to break into and can reliably serve as the main customer portal for your business, non-profit organization, or global enterprise. If you need any further guidance on this subject, please E-mail me at support@pridetechdesign.com and I will be happy to provide you with personal support for your business. You may also want to sign up for one of my WordPress Maintenance Plans.

Updating and Backing Up WordPress

Creating Backups

The most important maintenance task for any website is keeping regular backups. You should be backing up your website at least every week. That might seem like a lot if your content remains static, but a well-maintained website is also going to be receiving regular updates to the WordPress core software as well as plugins, and if something breaks you will be thankful that your backup strategy was thorough.

BackWPUp

The easiest way to create backups of your WordPress website is using plugins. There are a lot of plugins to choose from, but the one that we recommend here at Pride Tech Design is called BackWPUp. This plugin is free, it creates backups of both your website files and your database, it allows you to schedule your backups so you can set it and forget it, and it allows you to save your backups to various cloud storage platforms, which you want to do.

Configuration

BackWPUp has a lot of configuration options, many of which you can safely ignore. If you’re really uncertain of how to configure your backups, you should consult with a professional, but we will show you a standard configuration that works for most websites.

Add New Job

The first step is to give your new backup job a name. Something like “Weekly Backup” is adequate. Beneath the name field you’ll see “Job Tasks”. You can safely check all of these items however the essential ones you want are Database Backup and File Backup. You may also want to enable the Installed Plugin List.

Add New Job: Backup File Creation

In the next section you’ll see “Archive Name”, which allows you to configure the filename of your backups, using a number of variables which you’ll see on the screen. Unless you know what you’re doing here you should probably leave the default in place. After the Archive Name you will see “Archive Format”. If you work primarily in Windows, choose .zip if it is available. .zip, .tar.gzip and .tar.bzip2 are all fine, but you should not use .tar because it does not compress the data, which wastes a lot of storage space.

Add New Job: Destination

This section allows you to choose one or more destinations for your backup file. These are mostly self-explanatory and the most important thing to consider is the security of the location. You need to be certain that wherever your backups are stored, only authorized users will have access to them. Your database backup will contain full details of your website’s administrator accounts so this is important.

The remaining options on this page can be left as default. You may want to configure an E-mail address for error reports. The next step is to switch to the “Schedule” tab at the top of the screen.

Schedule Job

Now that you’ve created your backup job, we need to schedule it. By default it will only run when manually activated. You should select “WordPress Cron”, which will display a new section of options below, where you can schedule the time the job will run. This is the easiest method to schedule your backups.

Destination Options

Depending on what destinations you chose when creating the job, you will see additional tabs at the top. There are too many options to cover all of them in this article, but one important option is Number of Files to Keep. The best number for you is going to vary depending on the frequency of your backups. You should keep your backups for at least 90 days, so if you’re making weekly backups then you should keep at least ~15. If you’re taking daily backups then you would want ~90.

Updating WordPress

Once you have a good backup system in place, the next thing to cover is updating your website. By default your WordPress software should update itself automatically when new minor versions are released. Major versions are not updated automatically and this is for the best, so when a new major version is released you should log in to update it manually.

What are Major and Minor versions?

WordPress uses a versioning scheme like #.#.#, where the first digit is the “Major” version, the second and third digits are “Minor” updates. Major updates, that is, the first digit, will include significant changes to the software’s code, and the introduction of new features. Minor updates are usually bug fixes, or security patches. Some minor updates will include new features which were not ready in time for the Major update.

Plugin Updates, Automatic vs Manual

Updating the core WordPress software is important, but equally important is updating your plugins. By default, WordPress plugins do not automatically update at all. There are a couple of ways that you can change this, the easiest being the free plugin Automatic Plugin Updates. It is important that you have a backup system in place before setting up automatic updates, so if you haven’t done that yet please scroll up and do that first.

If you prefer to update your plugins manually that is fine, but you need to ensure that you are doing it at least every week. New vulnerabilities are found in plugins every day, and hackers use these vulnerabilities to attack sites like yours, without concern for the content of your site or your global visibility. You can deploy manual plugin updates from the Plugins screen of your WordPress dashboard, or from the Updates screen.

Let Pride Tech Design help you

We understand some people do not have the time or confidence to perform these tasks. Your website is important and you need to have the peace of mind that it is being protected. We offer very low cost maintenance plans which will provide you with daily backups and updates of your WordPress website and plugins, with free restorations in case of problems. You can read more about these programs and sign up at our Maintenance Page.

Reasons to Choose WordPress

So Many Choices


In the early days of the web there were not many considerations when planning a new site. You would simply write your content in HTML, style your site in CSS, and publish. These days we want more from a website: complex capabilities such as secure logins, rotating graphics, shopping carts and database handling. To handle all of these requirements, a new class of software called “Content Management Systems”, or CMS for short, has been created. When you’re planning a new website there are many different CMSs available and it can be challenging to know which one you should use for your project. Developer opinions on this subject vary, however I am going to tell you that for most web projects, especially hobby blogs, business and non-profit websites, WordPress is the best choice. Here are the top 5 reasons.

User Friendly

Compared to other popular and free Content Management Systems available, WordPress is by far the simplest to use. The dashboard is uncluttered and smartly organized. Content is divided into Pages and Posts, which is simple to understand. Changing your theme is extremely simple. Installing, removing, or updating plugins is just a few clicks. It’s so easy that even people with zero experience operating a website can grasp the essential controls within a few hours of practice and tutorials.

Don’t Repeat Yourself


A key rule of programming is known as ‘DRY’ or “Don’t Repeat Yourself”. Another way to say that is Don’t Reinvent the Wheel. WordPress has been in development for several years and includes many common features that you want in a modern website, such as login capability, user role control, many built in PHP functions to handle database interaction and other important capabilities, and plugin support which brings us to the next item on the list:

Extensibility

Possibly the most powerful feature of WordPress is the ability to expand its capabilities through the use of plugins. There are plugins for every popular thing you might want to do with a website, and for many of the odd and unusual things you may imagine. Best of all, many of those plugins are completely free. Through the use of plugins you can build a WordPress site for practically any purpose.

Mature Security

An important consideration of any PHP based website is security. WordPress receives security updates swiftly when new vulnerabilities are discovered, and updates for the core software are deployed automatically by default. There are built in PHP functions to handle things like database interaction which have already been written in a secure manner, making it easier for new developers to Do It Right.

A Large Community


Because WordPress is the most popular software for powering modern websites, it has an extremely large community of supportive developers and users. Many of the questions you might have are answered already and solutions can be found with a simple web search. Developers can be found very affordably to fix just about any problem you might experience on your website, and hiring a developer to build a simple website can be done for hundreds of dollars. Compare that to 10 years ago when you would have to pay thousands of dollars to have the same level of capabilities.

Conclusion

When you’re planning your next web project, whether it’s a development for a customer, a website for your business or non-profit organization, or just a personal blog, use WordPress. In the long run you will save money, effort and frustration.

If you would like help with website hosting or maintenance, we can help you. We offer the best managed VPS hosting service in the world, with more built in features, the best support and quality of service, and the lowest prices. Visit our hosting page to read more and sign up. For website maintenance we offer several packages to keep your website updated and backed up, with prices to fit any budget. Visit our maintenance page to see what options are available. We will craft affordable solutions for any person or organization. If you have questions we haven’t already answered, simply E-mail us at info@pridetechdesign.com.

Redirect all HTTP traffic to HTTPS

There are lots of “plugins” and “applications” being sold to people these days which perform this step but they are not necessary. All you need is a small configuration edit. This works for both Apache and Nginx.

Apache

Place this inside your virtual-host configuration:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
# Vhost context matches the path with its leading "/", so %{REQUEST_URI} (not "$1")
# avoids "https://www.example.com//path". Plain "R" is a 302; R=301 makes it permanent.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R,L]

Nginx

Here is a block of configuration that goes into your per-server configuration for Nginx:

server {
        listen 80;
        server_name example.com;
        # $request_uri keeps the original path and query string; the trailing "?"
        # stops nginx appending the query string a second time. "permanent" sends a 301.
        rewrite ^ https://$server_name$request_uri? permanent;
}

That’s it! If you have any questions please send us an E-mail and we’ll be happy to help you!