Harden Apache on Debian and WordPress

I checked out

https://securityheaders.com/

# set security headers in apache

# test with https://www.keycdn.com/blog/http-security-headers



and added these lines (cat /etc/apache2/conf-enabled/security.conf):

Header set X-XSS-Protection "1; mode=block"

Header set X-Frame-Options "SAMEORIGIN"

Header set X-Content-Type-Options "nosniff"

Header set Feature-Policy "autoplay 'none'; camera 'none'"

Header always set Referrer-Policy "same-origin"

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

Header always set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
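
A way to verify the result from the command line, as an added example that is not part of the original post: the function reads raw response headers on stdin and lists which of the seven headers above are missing. Both sample responses are constructed, the 404 models an Apache-generated error page on the assumption that only the two "Header always set" lines reach it, and example.org is a placeholder host.

```shell
#!/bin/sh
# Added example: list which headers from security.conf are absent from a
# raw response header block read on stdin (e.g. the output of curl -sI).
REQUIRED="X-XSS-Protection X-Frame-Options X-Content-Type-Options
Feature-Policy Referrer-Policy Strict-Transport-Security Permissions-Policy"

missing_headers() {
    # Strip CRs, keep only header names (lines containing ':'), lowercase them.
    names=$(tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }')
    out=""
    for h in $REQUIRED; do
        lc=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
        printf '%s\n' "$names" | grep -qxF -- "$lc" || out="$out $h"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample: a 200 response carrying all seven headers.
sample_200() {
cat <<'EOF'
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Feature-Policy: autoplay 'none'; camera 'none'
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Permissions-Policy: geolocation=(),camera=()
Content-Type: text/html; charset=UTF-8
EOF
}

# Constructed sample: an Apache-generated 404, assumed to carry only the
# two headers configured with "Header always set".
sample_404() {
cat <<'EOF'
HTTP/1.1 404 Not Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Referrer-Policy: same-origin
Permissions-Policy: geolocation=(),camera=()
Content-Type: text/html; charset=iso-8859-1
EOF
}

echo "200 missing: $(sample_200 | missing_headers)"
echo "404 missing: $(sample_404 | missing_headers)"
# Live check (placeholder host): curl -sI https://example.org/ | missing_headers
```

Running the live check against both a normal page and a URL that returns an error shows whether the headers set without "always" are present on every response.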

Then I went to the WordPress install directory

See: https://blog.sucuri.net/2012/07/wordpress-and-server-hardening-taking-security-to-another-level.html

# adduser wordpressuser
# cd /var/www/pathtoyoursite
# chown -R wordpressuser:apache .
# chmod -R 750 .
# find . -type f -exec chmod 440 {} \;
# find . -name "*.php" -exec chmod 440 {} \;
# find . -type d -exec chmod 750 {} \;

I update WordPress with the WP-CLI commands:

Since I use root, I run it with --allow-root:

# wp plugin install wordfence --activate --allow-root
# wp plugin install cookie-law-info --activate --allow-root
# wp core update --skip-plugins --skip-themes --allow-root
# wp theme update --all --allow-root
# wp plugin update --all --allow-root