Category: Security

  • Setting up a Powerful WordPress L2MP Stack


    Introduction

    This post is about setting up a very powerful WordPress stack using the L2MP Stack. I gave a presentation on this topic during a Houston WordPress Meetup and you can see the video below and download the Presentation here.

    In addition to the L2MP stack, this post will talk about the amazing performance improvements achieved when using WordPress with a dedicated RDS database engine and Redis cache. Additionally, we will cover a three-layer approach to securing your website, starting from the DNS level up to the WordPress-level security enhancements.

    You can view and download the complete set of slides here.

    L2MP Stack – What is it?

    If you are familiar with hosting WordPress sites, you know that the basic server requirements for WordPress to function are commonly called the LAMP stack. This stands for (L)inux, (A)pache, (M)ySQL, and (P)HP.

    The L2MP stack is a variation on this, specifically replacing Apache and MySQL with better technologies.

    Linux

    Linux is an open-source Operating System (OS) commonly used to host Web Applications. It is also used by Mainframes and Servers for many types of applications. It is even used by the Mac OS as the underlying operating system.

    WordPress runs natively on Linux servers, and you can install this on almost any distro that you choose. The most common Linux distributions for WordPress development are Ubuntu (we will be using 18.04 for this post) and CentOS.

    Litespeed Web Server

    The Litespeed Web Server is a relatively new proprietary web server technology, but it was initially released in 2003. It is fully compatible with Apache commands, so it can be seamlessly integrated into sites with existing .htaccess commands.

    Some of the advantages of the Litespeed Web Server:

    • Web Server that is fully compatible with Apache commands.
    • Proprietary but has open-source version available (Open Litespeed).
    • 4th Most popular with 5.6% usage vs 41.9% Apache, 31% Nginx, 22% IIS.
    • Fastest Growing by far.
    • View all features here.

    Why it’s great

    1. Capacity – Allows for up to 84X more requests per second when using WordPress and caching vs. Apache using WordPress and caching. Allows for 10X more request/second capacity vs. NGINX.
    2. Website Loading Speed – Up to 29X faster than the Apache web server for static page loading. It is 6X faster than NGINX.
    3. Security – The Litespeed and Open Litespeed Web Servers offer a large package of security features out of the box. These include Connection Level Limits, which automatically block IPs or servers that open too many connections at once; Request Checking; and Brute-Force Protection for the wp-login page, which guards against brute-force attacks aimed specifically at the WordPress login and xmlrpc pages. The Web Application Firewall offers built-in protection against XSS and SQL injection attacks, and support for OWASP and 7th Gen Firewall rules is included automatically.

    You can read about all the security and performance characteristics in the official Litespeed Web Server Page.

    MariaDB 10.3 and above (MySQL replacement)

    MariaDB is an open-source forked variant of the MySQL Database Engine. It is fully compatible with MySQL commands, which means it can easily be integrated with WordPress installations.

    Why MariaDB?

    1. Open Source – MySQL was originally developed and supported by the Oracle Corporation. In the past, they have supported a number of open-source projects, including many Java libraries. However, in the last few years, they have brought lawsuits against users and commercial implementations of these libraries and APIs, most notably against Google. For this reason, the development community decided to fork the project and make it a 100% GPL project, while actively supporting continuous improvement of the project.
    2. Speed – MariaDB is much faster than MySQL versions 5.4-5.6. This is due to the fact that it supports leading-edge database technologies like the JSON data type (key-value pair querying and caching) and Dynamic Column support to make querying faster.

    You can read more about the advantages of MariaDB here, here and here.

    PHP (7.3 and above)

    What is PHP?

    PHP stands for Hypertext Preprocessor. It is a scripting language that is very well suited to web applications. Among its advantages is ubiquitous compatibility (around 75% of all websites run PHP), and WordPress itself, along with its themes and plugins, is written in PHP.

    The PHP we install on the server essentially takes the code from your website and translates that to visible and dynamic content on your website.

    I recommend using PHP versions 7.3 and above because they provide security and performance enhancements compared to legacy versions (PHP 5.4 – 5.6).

    So this concludes the L2MP stack. Please let me know if you have any questions regarding this powerful stack.

    RDS Database Server

    What is RDS?

    RDS, which stands for “Relational Database Service,” is a cloud service offered by Amazon Web Services that runs databases in the cloud. In a traditional server, the web server, PHP, and database all run on the same server, sharing the same resources and limitations, so a large number of page requests, PHP functions, and database queries can crash your server (or your allocated server space in a shared environment). RDS offloads the database workload to a separate instance that is dedicated and optimized to execute database functions. This allows your application to allocate more resources to running PHP scripts and web server requests.

    RDS is fully compatible with most database engines like MySQL, MariaDB, PostgreSQL, PerconaDB, and MongoDB. Here is a quick snapshot of some of the performance gains of a database running on an EC2 server vs. an RDS instance:

    The results of these tests show two things:

    1. Running an RDS instance shows remarkable improvement in database speed, especially considering the max query time (1.3 seconds vs 6.8 seconds for EC2).
    2. In addition to the time saved by processing database queries faster, the EC2 instance also has time to process additional web server and PHP requests (if necessary).

    Lastly, and arguably one of the best features of RDS, is not having to deal with database maintenance and backups. AWS does this automatically, which saves time and effort maintaining and troubleshooting database issues. If you were to have any fatal database errors, you can roll back the database to any point in time (8-day retention by default) with just a couple of clicks.

    REDIS

    What is Redis?

    Redis is an in-memory database-caching software project that stores the results of the most common database queries as easy-to-read key-value pairs. This allows the system to readily fetch the most common database information without having to query (search through all the tables) for a piece of information.

    Due to the nature of certain web applications, like e-commerce stores or membership sites that are constantly reading from and writing to the database, using Redis caching can result in enormous performance gains.

    Below are some charts from a fantastic blog post that compares the performance of SQL vs NoSQL sites and clearly displays the performance improvements under load for each type of CRUD operations:

    You can read more about Redis caching here and here.

    Security

    Security is one of the most important topics when discussing WordPress. Unfortunately, due to mass usage and poor security practices, this CMS has gained a reputation as an unsafe framework. Because many WordPress users are novices, it is also constantly prodded for vulnerabilities and attacked through known exploits. In the next few paragraphs, I will go over some of the basic security measures, by layer, that you should take to keep your WordPress site secure. You can read about the security measures I take on the sites I manage in this post.

    I like to look at Security on Four different levels: Server (or VPS) Level, Web Server Level, Application Level, and DNS Level.

    Server Level

    I like to take these security precautions as soon as I create a new installation on a VPS instance.

    How to install WordPress on your VPS

    1. First, I make sure that only the ports absolutely needed are open. In most cases, this means port 22 (for SSH access), 80 (HTTP), and 443 (HTTPS). Since it is a good security practice to keep your web application server and email server separate, you can keep ports 25, 110, 465, and 587 closed for all inbound traffic.
    2. Disable root access and password login. It is best to create a user without root-level permissions and log in using an SSH private key (blog post on this coming soon).
    3. Set up iptables, which is the default Linux firewall. This is the first server-level line of defense, filtering unwanted network traffic before it reaches the services on your system. You can read more about the different iptables rules in this post.
    4. In addition to iptables, Fail2Ban is a great addition to your security toolbox. This software runs on your server and automatically updates your iptables rules to lock out any IP address that repeatedly fails to log in (brute-force attempts). DigitalOcean provides a great article on how to set up Fail2Ban here.
    5. Lastly, as with most software packages, it is very important to keep your OS updated with the latest packages. This will ensure that the latest security patches are applied and that the OS is optimized for performance. When you log into your server, you will see a notice like the one displayed in the image below.

    To update the server and apply the latest upgrades, you can run the following commands (In Debian/Ubuntu distros):

    sudo apt-get update && sudo apt-get upgrade

    Once the updates are applied, you may need to restart the server by running the following command:

    sudo shutdown -r now

    There are more security measures and tools available to harden your servers, but implementing these should be a great starting place.

    Web Server Level

    Once a request gets past the server-level firewall, it is processed by the web-server to display the content requested. This is where Litespeed Web Server has a huge advantage over other web servers. Some of the advantages include:

    • Built-in WordPress security that protects against brute-force attacks on the wp-login.php and xmlrpc.php pages.
    • Connection-Level limits.
    • Request Checking to deny file and resource exposure.
    • Web Application Firewall that prevents XSS and SQL Injection attacks.
    • External Application Firewall that protects against DoS attacks trying to overwhelm the server: it caches incoming requests and forwards them only once the previous request has completed.
    • CGI Consumption Limit.
    • Recaptcha support at the server level.

    You can see all the security features in detail that Litespeed Web Server offers by checking out the home page.

    Application-Level Security

    Application-level security refers to the security measures that are software-based on top of the Operating System. Since this post is about the L2MP stack for WordPress, I’ll focus on the best security practices to apply to WordPress installations.

    1. Malware scanning – alerts you if your website is compromised by phishing or malware hacks. I personally like to use Malcare and Wordfence Pro.
    2. I also recommend a free plugin called All In One WP Security and Firewall. This plugin covers a wide range of security options for your website and allows you to change the login URL.
    3. Change the login URL from mywebsite.com/wp-admin to a custom and difficult-to-guess name.
    4. Activate two-factor authentication (2FA) for your admin-level users.
    5. Daily or weekly backups offline. I like to use the Updraft Plus premium version plugin to back up my website to my off-site cloud backup server (Dropbox, S3, Onedrive, or Google Drive).
    6. Update Core WordPress, themes, and plugins daily if possible. If not possible, at least weekly.
    7. And last, but definitely not least, keep a very strong password. This is the single most important step you can take to protect your website. I recommend using a secure password manager like Bitwarden, which will sync across your devices and keep your passwords secure.

    DNS-Level Security

    There are several DNS-level security options that you can apply to your website, which help protect your website before traffic even reaches your server. They work by filtering your traffic requests through the DNS system and blocking unwanted and malicious traffic. Some of these services include Cloudflare and AWS WAF and Shield. Cloudflare has the additional benefit of providing a Content Delivery Network (CDN) service for cached static files. Below is an image of how Cloudflare

    The advantage that these DNS-Level security features have is that you can create custom traffic rules for incoming connections, like country blocking and throttling requests that require too many resources. You can read all about how Cloudflare works on their support page here.

    Conclusion

    So this post turned out to be a lot longer than I had intended. WordPress is a CMS that is rapidly evolving and integrating new technologies into its ecosystem. For this reason, it’s important to use a stack that I have found to be very powerful, fast, easy to use, and secure. Please let me know if you have any comments or improvements on this post.

  • WordPress Security Practices


    As 2019 comes to a close, one of the most important topics in the WordPress community is Security. Since WordPress powers around 25-30% of the active websites today, it presents a big target for hackers and bots looking to exploit security vulnerabilities. This article will explain the steps I take to secure my WordPress websites.


    SSL Certificate

    Whenever we create a website, the first step we take is to create an SSL certificate for it. The SSL certificate encrypts your data in transit between the server and the visitor's browser, securing any information transferred in between, like comments, contact forms, and credit card numbers. If you need any help installing an SSL certificate, you can read more here.

    Forcing Secure Passwords

    One of the easiest ways for hackers to get into your WordPress site is through the use of weak passwords. While it is a huge hassle to have to remember long, complex, and random passwords, there are some tools that can help you have a very secure password.

    So for example, if we were to use one of the passwords listed in the 25 Most Common Insecure Passwords of 2017 list: welcome

    Tip 1: Use a random word generator to create phrases out of random words. For example, when I go to the site and click on 5 random words, I get the following:

    trenchpoetrycompromisehesitatefrog

    If you add some symbols and numbers, you get:

    7renchPoetrycompromi$eshesitatefrog89

    Both of these are extremely strong passwords that minimize the chance of getting hacked.

    Tip 2: Use password managers. I recommend using this second tip along with the first. I have used LastPass and 1Password and they work great. They offer extensions for all major browsers and apps for Android and iOS. The passwords are completely encrypted in the cloud and you can pull them up on demand from the extension or the app whenever you log in to websites. They also let you use your device's biometric unlocking to make password management easier.

    Daily Offsite Backups

    Out of all the security measures, this is probably the most critical one. Any WordPress developer knows that even with all the most advanced security features in place, WordPress, its plugin and theme ecosystem and server security have too many moving parts to monitor everything perfectly. We work by the mentality that tomorrow we WILL BE HACKED.

    However, due to our redundant backup solutions to S3 and S3 Glacier, we can quickly see the points of failure, correct those security holes and restore a recent backup of the website quickly and safely.


    Daily Malware Scans

    We scan all websites daily for malware and other malicious code that may have been injected, either accidentally or maliciously. If any issues arise, we can quickly move to fix the issue before it propagates to other parts of the website and gets flagged by Google as unsafe.


    Server Firewall

    While this may be out of scope for most WordPress users, we take pride in setting up our servers with the latest server security practices. Some of the steps we take include:

    • Make sure the latest Linux packages and dependencies are properly installed on the server. Use the autoremove command and check for updates daily.
    • Make sure no accounts have empty passwords.
    • Set very strict password rules.
    • Verify that all passwords are secure using the John the Ripper tool.
    • Configure iptables to block common attacks.
    • Use Tier 1 infrastructure like AWS to provide an additional layer of security and detailed logging.
    • Configure the firewall to only allow traffic through pre-designated ports.
    • Do not allow root login.
    • Only allow users with SSH keys.
    • Disable Telnet. It is an outdated tool that offers no security measures.
    • Lock out IP addresses using Fail2Ban.
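    The list above and the Server Level steps in the L2MP post describe the same baseline: only the needed ports open, no root or password SSH login, iptables, and Fail2Ban. As an added example that is not the posts' own tooling, the script below turns that baseline into artefacts you can review before applying: it prints an iptables-restore ruleset and a Fail2Ban jail, and audits an sshd_config file. The port list, the ban thresholds and the sample configs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added hardening helper (not the posts' own tooling). It never touches the
# live system: it prints an iptables-restore ruleset and a Fail2Ban jail for
# review, and audits an sshd_config file against the posts' checklist.

# Ports the posts keep open: 22 (ssh), 80 (http), 443 (https). The mail
# ports 25, 110, 465 and 587 are simply absent, so default-deny drops them.
ALLOW_TCP_PORTS="22 80 443"

# Ruleset for `iptables-restore --test < rules`, then without --test.
gen_iptables_rules() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'                # default deny inbound
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
  for p in $ALLOW_TCP_PORTS; do
    echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo 'COMMIT'
}

# jail.local fragment: 5 failed ssh logins within 10 minutes -> 1 hour ban.
gen_fail2ban_jail() {
  printf '[sshd]\nenabled = true\nmaxretry = 5\nfindtime = 10m\nbantime = 1h\n'
}

# Audit an sshd_config. sshd honours the FIRST uncommented occurrence of a
# keyword, so that is the value checked; each directive must be explicit.
# Prints every failing directive; returns 1 if any fails, 0 if all pass.
audit_sshd_config() {
  cfg="$1"; bad=0
  for pair in PermitRootLogin:no PasswordAuthentication:no PubkeyAuthentication:yes; do
    key=${pair%%:*}; want=${pair#*:}
    got=$(grep -iE "^[[:space:]]*$key[[:space:]]" "$cfg" | head -n 1 |
          awk '{ print tolower($2) }')
    if [ "$got" != "$want" ]; then
      echo "$cfg: $key is '${got:-unset}', expected '$want'"
      bad=1
    fi
  done
  return $bad
}

# Constructed sample configs for a dry run: "weak" mirrors a stock Ubuntu
# file (root login commented out, password logins on), "hardened" does not.
sample_sshd_config() {   # usage: sample_sshd_config weak|hardened > file
  if [ "$1" = weak ]; then
    printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n'
  else
    printf 'PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n'
  fi
}
```

    On a real host, `gen_iptables_rules > rules && sudo iptables-restore --test rules` validates the ruleset before it is loaded, and `audit_sshd_config /etc/ssh/sshd_config` reports which of the three directives still need changing.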


    Protect Against Brute Force Attacks

    We remove the most common points of attack for WordPress sites, including:

    • Forcing Strong Passwords
    • Changing the Login URL (never wp-admin)
    • Use software blocking to permanently block attempted logins with incorrect usernames.


    Other Critical Steps we take to safeguard WordPress Sites

    Block Fake Crawlers

    Many malicious crawlers disguise themselves as legitimate search engine crawlers but instead sniff around your site looking for vulnerabilities. We detect these and block them at the server level.
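    One way to tell a real search engine crawler from an impostor, as an added example that is not the post's own tooling: Google and Bing publish a reverse-then-forward DNS check for their crawler IPs. The script below implements that check in POSIX shell over a constructed DNS table and constructed log lines so it runs offline; the `lookup` function is the only part to replace with real `dig` calls.

```shell
#!/bin/sh
# Added example (not the post's own tooling): verify a self-declared crawler
# the way Google and Bing document it. Reverse-resolve the IP, require the PTR
# name to sit under the engine's domain, then forward-resolve that name and
# require it to map back to the same IP. A spoofed User-Agent passes the
# first glance; it cannot pass both DNS steps.

# Constructed DNS table (RFC 5737 test addresses) so the example runs offline.
# On a real host, replace lookup() with `dig +short -x "$1"` for IPs and
# `dig +short "$1"` for names.
DNS_TABLE='
192.0.2.10 crawl-192-0-2-10.googlebot.com.
crawl-192-0-2-10.googlebot.com. 192.0.2.10
192.0.2.20 msnbot-192-0-2-20.search.msn.com.
msnbot-192-0-2-20.search.msn.com. 192.0.2.20
198.51.100.7 crawl-192-0-2-10.googlebot.com.
203.0.113.9 vps-203-0-113-9.example-host.net.
vps-203-0-113-9.example-host.net. 203.0.113.9
'
lookup() { printf '%s\n' "$DNS_TABLE" | awk -v k="$1" '$1 == k { print $2 }'; }

# Domain suffix each engine publishes for its crawler hosts.
crawler_domain() {
  case "$1" in
    *Googlebot*) echo '.googlebot.com.' ;;
    *bingbot*)   echo '.search.msn.com.' ;;
    *)           return 1 ;;
  esac
}

# verify_crawler IP USER_AGENT -> prints legit or fake, exits 0 or 1.
verify_crawler() {
  ip="$1"
  suffix=$(crawler_domain "$2") || { echo fake; return 1; }
  ptr=$(lookup "$ip")                 # reverse lookup: IP -> PTR name
  case "$ptr" in
    *"$suffix") ;;                    # PTR is under the engine's domain
    *) echo fake; return 1 ;;         # no PTR, or a foreign domain
  esac
  fwd=$(lookup "$ptr")                # forward lookup must round-trip
  if [ "$fwd" = "$ip" ]; then echo legit; return 0; fi
  echo fake; return 1
}

# Read combined-format access-log lines on stdin; print each IP that claims
# a crawler User-Agent but fails verification (candidates for a block rule).
fake_crawler_ips() {
  awk -F'"' '{ split($1, a, " "); print a[1] "\t" $6 }' |
  while IFS="$(printf '\t')" read -r ip ua; do
    crawler_domain "$ua" >/dev/null 2>&1 || continue
    verify_crawler "$ip" "$ua" >/dev/null || echo "$ip"
  done | sort -u
}

# Constructed log sample: two genuine crawlers, two impostors.
SAMPLE_LOG='192.0.2.10 - - [01/Dec/2019:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [01/Dec/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [01/Dec/2019:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
192.0.2.20 - - [01/Dec/2019:10:00:03 +0000] "GET /feed/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"'
```

    `printf '%s\n' "$SAMPLE_LOG" | fake_crawler_ips` lists the two impostor addresses, which is the input a Fail2Ban action or an iptables rule would consume.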


    Daily Database Optimization

    We run a tool that performs a regular Database cleaning to keep your WordPress site in optimal condition and performance.


    Daily Plugin, Theme, and Core Updates and Scan

    We make sure that the latest version of each plugin, theme, and WordPress core is installed. These updates contain the latest security fixes, so it is important to have the most up-to-date version. We also scan the code on your website against the code in the official repository to make sure it is original and untampered.

    Set Correct File Permissions

    This may seem trivial, but it is extremely important to make sure that the file ownership and permissions are properly set for the Website.


    Two-Factor Authentication (2FA)

    As an additional layer of security, we implement 2FA for our websites, which means that in addition to your password, you also need a code that is generated by an Authentication App like Google Authenticator or input a code sent via SMS (text message).


    Daily Link Scanning

    We scan our websites to make sure that they are not redirecting or linking to broken pages or malicious content. If your pages are not redirecting correctly, we edit the links to make sure that they are pointing to the correct URL.

    Conclusion

    WordPress security is all about layers of security to protect your site from the most common forms of attack, including bots, SQL injections, brute-force, and plugin and theme vulnerabilities. However, no one method of protection can truly stop an entity that is determined to hack your website. For this reason, we have backups in place that we can use to quickly restore your site in a brand new, clean server or container instance.