Host Server Hardening – Complete WordPress Hardening Guide – Part 1

Creating a WordPress site has always been pretty easy. The difficult part is putting all these things together and knowing exactly how to get from A to Z. Part 1 will be about host server hardening.

In this guide we will take several steps to harden and update our server on a regular basis. We have a brand new Ubuntu 18.04 server. Let’s configure it.

1.1 – Create new sudo user with key authentication

Set Timezone

sudo timedatectl set-timezone America/New_York

Create User

useradd -m -s /bin/bash user1
usermod -aG sudo user1
chown user1 /home/user1
chgrp user1 /home/user1

Create .ssh directory (its permissions are set in the next step, after the key is generated)

sudo -u user1 mkdir /home/user1/.ssh

Generate key and Set Permissions

sudo -u user1 ssh-keygen -f /home/user1/.ssh/id_rsa -t rsa -N ''
sudo -u user1 mv /home/user1/.ssh/id_rsa.pub /home/user1/.ssh/authorized_keys
sudo -u user1 chmod 0600 /home/user1/.ssh/authorized_keys
sudo -u user1 chmod 0700 /home/user1/.ssh

Enable Public Key Authentication

sudo sh -c "echo '' >> /etc/ssh/sshd_config"
sudo sh -c "echo '' >> /etc/ssh/sshd_config"
sudo sh -c "echo '#***********************************************************' >> /etc/ssh/sshd_config"
sudo sh -c "echo '# Enable public key authentication' >> /etc/ssh/sshd_config"
sudo sh -c "echo '#***********************************************************' >> /etc/ssh/sshd_config"
sudo sh -c "echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config"

RSAAuthentication was an SSH protocol 1 option; the OpenSSH shipped with Ubuntu 18.04 no longer supports it and only logs a "Deprecated option" warning, so it is not added. sshd uses the first uncommented value of a keyword, so the appended line only takes effect if no earlier uncommented PubkeyAuthentication line sets it to no (in the stock 18.04 file it is commented out, and yes is the default).

Create new password for user

passwd user1
su user1

note: if you see only a dollar sign as the prompt when you log in as user1, the account has /bin/sh as its login shell; run chsh -s /bin/bash, then log out as user1 and log back in.

Run this from your local system to pull the private key from the server (the local file name is just an example; keep it consistent with the -i option below)

scp root@server:/home/user1/.ssh/id_rsa /home/local_user/server_keyname

The local copy must be readable only by you (mode 600), or ssh will refuse to use it. The key pair was generated on the server, so once the private key is on your local system, remove /home/user1/.ssh/id_rsa from the server; the only copy of the private key should be the one you control.

Now login remotely using the key from your system

ssh -i /home/local_user/server_keyname user1@server

1.2 – Running CIS Host Server Hardening Script

This script will automatically harden your Ubuntu 18.04 server for level 1 PCI compliance. I have run this script on various Ubuntu 18.04 installs and on a clean install it makes around 100 changes. For more detail see my blog article about this script.

note: AFTER RUNNING THIS SCRIPT YOU WILL NO LONGER BE ABLE TO USE THE ROOT ACCOUNT VIA SSH. MAKE SURE YOU COMPLETED STEP 1.1 BEFORE CONTINUING!!!!!!!!

#***********************************************************
# Apt Update
#***********************************************************

sudo apt update -y

#***********************************************************
# Install ansible
#***********************************************************

sudo apt install -y ansible


#***********************************************************
# Create or append ansible requirements file
#***********************************************************

sudo sh -c "echo '- src: https://github.com/florianutz/Ubuntu1804-CIS.git' >> /etc/ansible/requirements.yml"


#***********************************************************
# Install the role for CIS Ubuntu script from Github
#***********************************************************

cd /etc/ansible/
sudo ansible-galaxy install -p roles -r /etc/ansible/requirements.yml

#***********************************************************
# Create Ansible Playbook for CIS Ubuntu script
#***********************************************************

sudo sh -c "cat > /etc/ansible/harden.yml <<EOF
- name: Harden Server
  hosts: localhost
  connection: local
  become: yes

  roles:
    - Ubuntu1804-CIS
    
EOF
"


#***********************************************************
# Run ansible playbook file
# DO NOT RUN ON PRODUCTION!!!!
#***********************************************************

sudo ansible-playbook /etc/ansible/harden.yml


#***********************************************************
# Restart SSH. You will lose the ability to ssh as root!
#***********************************************************

sudo systemctl restart sshd
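Before the sshd restart at the end of 1.2 it is worth confirming that the key login from 1.1 is really in place, because root SSH access is gone afterwards. The following pre-flight script is an added example, not part of the guide or of the CIS role; check_key_login and check_sshd_config are names assumed for this example, and its demo runs on constructed files in a temporary directory rather than on a real user.

```shell
#!/bin/sh
# Added example (not from the guide or the CIS role): run these checks
# before the "systemctl restart sshd" in step 1.2. After the CIS role has
# run, root can no longer log in over SSH, so the user from step 1.1 is the
# only way back in. The function names are assumptions made for this example.

# Pass if HOME_DIR/.ssh is 0700 and HOME_DIR/.ssh/authorized_keys is 0600
# and holds at least one public key line. sshd (StrictModes, the default)
# rejects the file if it or the directory is group/world writable; we check
# the exact modes the guide sets. Uses GNU stat -c, as on Ubuntu.
check_key_login() {
    sshdir="$1/.ssh"; keys="$sshdir/authorized_keys"
    [ -d "$sshdir" ] || { echo "FAIL: $sshdir missing"; return 1; }
    [ "$(stat -c '%a' "$sshdir")" = "700" ] || { echo "FAIL: $sshdir is not 0700"; return 1; }
    [ -f "$keys" ] || { echo "FAIL: $keys missing"; return 1; }
    [ "$(stat -c '%a' "$keys")" = "600" ] || { echo "FAIL: $keys is not 0600"; return 1; }
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+' "$keys" \
        || { echo "FAIL: no public key line in $keys"; return 1; }
    echo "OK: key login layout under $1"
}

# Pass if the FIRST uncommented PubkeyAuthentication line in an sshd_config
# is "yes". sshd takes the first match, so a line appended at the end of
# the file loses to any earlier "PubkeyAuthentication no". Absent means yes.
check_sshd_config() {
    val="$(awk 'tolower($1) == "pubkeyauthentication" { print tolower($2); exit }' "$1")"
    if [ "${val:-yes}" = "yes" ]; then
        echo "OK: PubkeyAuthentication yes in $1"
    else
        echo "FAIL: first PubkeyAuthentication in $1 is '$val'"; return 1
    fi
}

# Demo on constructed data in a throw-away directory (no real user, no sshd).
demo() {
    d="$(mktemp -d)"
    mkdir -m 700 "$d/.ssh"
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEYDATA user1@example' > "$d/.ssh/authorized_keys"
    chmod 600 "$d/.ssh/authorized_keys"
    printf '#PubkeyAuthentication yes\nPubkeyAuthentication yes\n' > "$d/sshd_config"
    check_key_login "$d" && check_sshd_config "$d/sshd_config"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo
```

On the real server, source the file and run check_key_login /home/user1 && check_sshd_config /etc/ssh/sshd_config; only restart sshd when both report OK.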

1.3 – Automatic Upgrades

We don't want to be stuck constantly maintaining and updating the server by hand, especially when we back up the WordPress site itself and also have VM-level backups to fall back on if an update misbehaves.

So we will configure updates to run automatically.

Change the email address (youremail@domain.com) in the commands below and run them to configure automatic updates with detailed email reports. When the Postfix installer prompts you, just choose the defaults.

#***********************************************************
# Install postfix and Unattended Upgrades
#***********************************************************

sudo apt install -y unattended-upgrades
sudo apt install -y postfix

#***********************************************************
# Edit Config file
#***********************************************************

sudo sed -i '/Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"/a\\Unattended-Upgrade::Mail "youremail@domain.com";' /etc/apt/apt.conf.d/50unattended-upgrades

sudo sed -i '/Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"/a\\Unattended-Upgrade::Remove-Unused-Dependencies "true";' /etc/apt/apt.conf.d/50unattended-upgrades

# The -updates origin only counts if it is inside the
# Unattended-Upgrade::Allowed-Origins { ... } block, so anchor it on the
# -security origin line (inside that block) rather than on the
# Skip-Updates line, which comes after the block has closed.
sudo sed -i '/"\${distro_id}:\${distro_codename}-security";/a\\        "${distro_id}:${distro_codename}-updates";' /etc/apt/apt.conf.d/50unattended-upgrades


#***********************************************************
# Create additional config file (written with a quoted heredoc
# so the inner double quotes reach the file unchanged)
#***********************************************************

sudo tee /etc/apt/apt.conf.d/20auto-upgrades > /dev/null <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF


#***********************************************************
# Install apticron and set the report address
#***********************************************************

sudo apt -y install apticron
sudo sed -i '/EMAIL="root"/c\EMAIL="youremail@domain.com"' /etc/apticron/apticron.conf 

#***********************************************************
# Enable and run Unattended-Upgrades
#***********************************************************

sudo systemctl enable unattended-upgrades
sudo apt -y update
sudo unattended-upgrades
We will do some more host server hardening with fail2ban once we install nginx and WordPress. That is all for part one of the guide. See you next time in part two.



4 thoughts on “Host Server Hardening – Complete WordPress Hardening Guide – Part 1”

  1. I'm not sure where you are getting your info, but good topic.
    I need to spend some time learning much more or understanding
    more.
    Thanks for fantastic info, I was looking for this info for my mission. https://lascootershop.ca

    1. Joel Radon says:

      Hi La Scootershop. I think I could do a lot better explaining this post. I put everything together fast and was working late on this. I am going to go back through and break it down. I just finished the final part 3 finally.

      Essentially most of this is scripted to be quickly automated, not explained. The CIS hardening post is explained better in a different post which is linked here.
