Knowledgebase

Introduction

The OpenLiteSpeed image includes a powerful set of tools to start a WordPress site. Before launching your site, there are a few extra steps to ensure your site and server stay secure.

Prerequisites

• Deploy an OpenLiteSpeed WordPress instance
• Follow the setup steps provided in the RCS Dashboard.
• Make a note of the phpMyAdmin location and the database password.
• Connect to the server via SSH as a root user.

1. Disable PHP Execution in Unsafe Directories

Specific directories can hold user-uploaded content or have no need for PHP execution. The directories to forbid PHP execution in are:

• wp-content/uploads
• wp-includes

Add the .htaccess Rules for the uploads Folder

1. Navigate to the WordPress uploads folder.

   # cd /var/www/html/wp-content/uploads
   

2. Edit the .htaccess file.

   # nano .htaccess
   

3. Add the following rule and save the file.

   # BEGIN Block PHP Execution
   RewriteEngine on
   RewriteRule (.*)php$ - [F]
   # END Block PHP Execution
   

4. Change ownership of the file to www-data.

   # chown www-data .htaccess && chgrp www-data .htaccess
   

Add the .htaccess Rules for the wp-includes Folder

You'll repeat the same steps as the uploads folder, except in the wp-includes folder.

1. Navigate to the wp-includes folder.

   # cd /var/www/html/wp-includes
   

2. Edit the .htaccess file.

   # nano .htaccess
   

3. Add the following rule and save the file.

   # BEGIN Block PHP Execution
   RewriteEngine on
   RewriteRule (.*)php$ - [F]
   # END Block PHP Execution
   

4. Change ownership of the file to www-data.

   # chown www-data .htaccess && chgrp www-data .htaccess
   

Restart LiteSpeed

After changing .htaccess rules, you must restart LiteSpeed.

# /usr/local/lsws/bin/lswsctrl restart

You'll also need to restart LiteSpeed whenever a WordPress plugin modifies .htaccess files. For example, many popular caching and security plugins will modify .htaccess. You can also reboot the server, which serves the same purpose.

2. Security changes for .htaccess

There are several security improvements you can make to the .htaccess file in the web root, such as:

• Disable XML-RPC: This function is normally safe to disable unless you know that you need it.
• Hide Static Files: Fingerprinting static files allows attackers to determine the WordPress version.
• Secure the wp-config.php File: Securing the wp-config.php file keeps your database credentials safe. These steps prevent unauthorized access and prevent LiteSpeed from serving the file in plain text if the server stops executing PHP.
• Disable PHP Error Reporting: By default, OpenLiteSpeed instances have display_errors disabled in the PHP configuration.
• Block User Enumeration Attempts: If you visit https://YOUR_DOMAIN/?author=1, you can see your main administrator's username. Username enumeration can make brute force attacks easier for bad actors.

To make all those changes, follow these steps.

1. Navigate to the WordPress root folder and edit the .htaccess file.

   # cd /var/www/html/
   # nano .htaccess
   

2. Before the # BEGIN WordPress line, add these rulesets and save the file.

   # BEGIN Block Sensitive Files
   RewriteCond %{REQUEST_URI} error_log|wp-config-sample.php|xmlrpc.php|readme.html|readme.txt|license.txt|wp-config.php|php.ini [NC]
   RewriteRule .* - [F,L]
   # END Block Sensitive Files
   
   # BEGIN Block Author
   RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
   RewriteCond %{QUERY_STRING} ^author=\d+ [NC,OR]
   RewriteCond %{QUERY_STRING} ^author=\{num 
   RewriteRule ^ - [L,R=403]
   # END Block Author
   

3. Set appropriate file permissions for wp-config.php.

   # cd /var/www/html && chmod 600 wp-config.php
   

3. Block XML-RPC

You've already blocked access to the PHP file, but you'll need to create a new custom plugin for your site to delete the function.

1. Create a new plugin to block XML-RPC.

   # cd /var/www/html/wp-content/plugins
   # nano example.php
   

   Replace example.php with a unique name for your plugin.

2. Insert the following code and save the file. Replace Example Security Features and example_remove_xmlrpc with a unique name for your plugin.

   <?php
   /**
    * Plugin Name: Example Security Features
    */
   
   // -- Disable XML-RPC
   // Return nothing for XML-RPC methods
   function example_remove_xmlrpc( $methods ) {
     return array();
   }
   add_filter( 'xmlrpc_methods', 'example_remove_xmlrpc' );
   

3. Set appropriate file ownership.

   # chown www-data example.php
   # chgrp www-data example.php
   

   Replace example.php with the filename you created earlier.

4. Restart LiteSpeed.

   # /usr/local/lsws/bin/lswsctrl restart
   

5. Activate the plugin in the WordPress Admin area.

4. Add Hotlink Protection

"Hotlinking" is linking directly to a file or image instead of the blog page that contains it. Internet users often do not understand the implications of hotlinking or even what it is. For site owners, it can be costly for a site to have unwanted HTTP requests and bandwidth usage. LiteSpeed offers a hotlink protection module.

1. Edit the vhconf.conf file.

   # nano /usr/local/lsws/conf/vhosts/wordpress/vhconf.conf
   

2. Add the following configuration to the bottom of the file, replacing YOUR_DOMAIN with your website's domain

   hotlinkCtrl {
       allowedHosts YOUR_DOMAIN www.YOUR_DOMAIN google.com yahoo.com bing.com facebook.com twitter.com
       enableHotlinkCtrl 1
       suffixes bmp, bpg, css, eot, gif, ico, jpeg, jpg, js, otf, png, svg, tiff, ttc, ttf, webp, woff, woff2
       allowDirectAccess 1
       redirectUri
       onlySelf 0
   }
   

   These settings allow only specified domains to serve files from your server. You can add additional hosts seperated by spaces in the allowedHosts line. By adding the social media and search engine domains, you allow those services to hotlink to your images. The suffixes line allows you to set the blocked file extensions for hotlinking. The redirectUri allows you to redirect to a specified path, such as a hotlinking warning image.

3. Restart LiteSpeed

   # /usr/local/lsws/bin/lswsctrl restart
   

5. Change Login Page URL

To keep your login page hidden and not located at the predictable /wp-admin/ directory, install a plugin to hide your login page unless you already use a comprehensive security login that offers that functionality.

The OpenLiteSpeed image includes the DoLogin Security plugin for another layer of security. Activate this plugin to limit login attempts.

6. Hide WordPress Version On the Frontend (Optional)

Keeping the WordPress version hidden makes it harder for attackers to perform version-specific attacks on your site. Security plugins such as Wordfence or Sucuri allow you to hide your WordPress version.

If you use Wordfence, navigate to Wordfence > All Options. Under the General Wordfence Options tab, toggle the Hide WordPress version option.

If you use the Sucuri plugin, it hides the WordPress version by default after activation.

7. Restrict Access to phpMyAdmin

By default, the phpMyAdmin interface is publicly accessible. To block outside access, edit the virtual host configuration.

1. Edit the vhconf.conf file.

   # nano /usr/local/lsws/conf/vhosts/wordpress/vhconf.conf
   

2. Locate the following lines.

   accessControl  {
       allow                 *
   }
   

3. Replace them with these.

   accessControl  {
       deny                  *
       allow                 127.0.0.1
   }
   

4. Save the file and restart LiteSpeed.

   # /usr/local/lsws/bin/lswsctrl restart
   

If you browse to https://YOUR_DOMAIN/phpmyadmin/, you should now see a 403 error. To access phpMyAdmin again, either connect to the server with an SSH Tunnel (Port Forward) or add a trusted IP for the allow value.

Next Steps

If you have not already installed a security plugin, consider installing one to ensure the highest level of protection ongoing. Some widely-supported plugins include:

• Wordfence
• Sucuri
• Defender by WPMU DEV