Improve security of your WordPress site

So a few days ago I set up my WordPress site, and as a “hacker” or “security guy” or w/e I want to call myself xD, I want to make my website more secure/fun. Besides boring things like “use a strong password”, here are some things I did and want to share (my password is admin/password btw):

1. Disable directory listing

2. Install WordPress Firewall

3. Enable/force HTTPS

4. Add custom page for 401/404 error

 

Step by step:

1. Disable Directory Listing

Modify the /etc/apache2/apache2.conf file, change “Options Indexes FollowSymLinks” to “Options FollowSymLinks”.

Don’t forget to “sudo service apache2 restart” after modifying the file.

2. Install WordPress Firewall

The one I am using is “Wordfence”, you can upgrade to “Premium” if you have $$ 🙂 To install it, just search for “Wordfence” in the WordPress plugin search.

In Action:

 

 

 

3. Enable/Force HTTPS

Thanks to Let’s Encrypt, we can set up HTTPS for free and easily.

Go to Let’s Encrypt: https://letsencrypt.org/, click “Get started”. I use the “With Shell Access” option since I can SSH into my VPS. Visit https://certbot.eff.org/, pick your system version and web hosting software, do the installation and run “sudo certbot --apache” (I use apache2 as my web server). Enter w/e info they ask for, and you will have your HTTPS ready.

Force HTTPS:

Modify “/etc/apache2/sites-enabled/000-default-le-ssl.conf”, add these lines to the existing “<VirtualHost *:80>” block:

ServerName YOUR_SERVER_NAME

Redirect / https://YOUR_WEBSITE_URL/

sudo service apache2 restart 

Try donating some $$ to Let’s Encrypt, because they are great 🙂 At least I did:

4. Add Custom Page For 401/404

Well, this one is just for fun I guess… you can also do it for 500 errors, but I guess my site will never 500 🙂

Modify “/etc/apache2/sites-enabled/000-default-le-ssl.conf”, add these lines to the existing “<VirtualHost *:80>” and “<VirtualHost *:443>” blocks:

ErrorDocument 403 /custom_404.html
ErrorDocument 404 /custom_404.html

Create a “custom_404.html” at your web root, for example /var/www/html/custom_404.html, and you have it!

sudo service apache2 restart as always 🙂

Try it: http://wispwisp.com/ASDddasddasd12ed
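A quick way to check the config for steps 1, 3 and 4 before restarting Apache, as an added example that is not from the original post. The sample config, the example.test name and the audit function are made up for illustration; the ErrorDocument codes checked are the two from the config lines in step 4.

```python
import re

# Constructed sample config (not the author's real files): listing is still on,
# and the port-80 vhost has no HTTPS redirect and no 403 page.
SAMPLE = """\
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
<VirtualHost *:80>
    ServerName example.test
    ErrorDocument 404 /custom_404.html
</VirtualHost>
<VirtualHost *:443>
    ServerName example.test
    ErrorDocument 403 /custom_404.html
    ErrorDocument 404 /custom_404.html
</VirtualHost>
"""

def audit(conf):
    """Return findings for directory listing, HTTPS redirect and error pages."""
    findings, vhost, seen = [], None, set()
    for num, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments are whole lines
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost, seen = opened.group(1).strip(), set()
        elif vhost and re.match(r"</VirtualHost>", line, re.I):
            if vhost.endswith(":80") and "https-redirect" not in seen:
                findings.append(f"{vhost}: no redirect to https://")
            for code in ("403", "404"):
                if code not in seen:
                    findings.append(f"{vhost}: no ErrorDocument for {code}")
            vhost = None
        else:
            name, *args = line.split()
            name = name.lower()
            # "Indexes" or "+Indexes" turns listing on; "-Indexes" turns it off.
            if name == "options" and any(a.lstrip("+").lower() == "indexes" for a in args):
                findings.append(f"line {num}: Options enables Indexes (directory listing)")
            elif vhost and name == "redirect" and args and args[-1].lower().startswith("https://"):
                seen.add("https-redirect")
            elif vhost and name == "errordocument" and args:
                seen.add(args[0])
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

To run it on real files, pass the contents of apache2.conf and the vhost file to audit() in place of SAMPLE.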

 
