Like most good hosting support folks, security tops the list of my priorities. While a good firewall, and true Web Application Firewall are the best means for helping with this, sometimes shared hosting services will not change the configurations they have in place to support the necessary security for a WordPress website.
In steps the iThemes Security plugin.
iThemes acts like a WAF, in that it can detect (via a vast network) bad bots, known hackers, and most known vulnerabilities in WordPress. I will lay out what I use on all of the sites I manage hosting for (note, this number as of today, is in the thousands), as well as enabling the necessary configuration needed to allow iThemes to do it’s thing when you have a nGinx Only Web Application on RunCloud controlled servers.
First and foremost, login to your WordPress admin, then click Add New, under Plugins in the left hand navigation. ( screenshot: https://prnt.sc/q8v5y1 )
In the search box, type in ithemes, when it shows in the returned plugins, click Install then Activate. As you can see here, I already have it installed and activated: https://prnt.sc/q8v6ej
Once it is activated, you will need to browse to it’s settings, the link is in the left hand navigation under Security ( screenshot: https://prnt.sc/q8v79h ). You can safelly ignore the “Wizard” that will popup the first time you browse to it.
Click on Global Settings, check the box to allow writing to wp-config and .htaccess: https://prnt.sc/q8vdqj
This is necessary to allow iThemes to write the necessary rules for your web application. These rules will end up including blocks for known blacklists, as well, as disallowing php in plugins, themes, uploads, etc…
You can input what you wish in the Message fields, you can also use basic HTML if you would like some formatting for the messages. These messages will show to browsers who have had their access blocked.
Scroll down to “Blacklist repeat offender” and check it. I am a tad strict when it comes to my websites, so I only allow 3 Lockouts before being blocked, as a safe bet, I would not go over 5 for this. The defaults for the rest are fine, but make sure to add your pubic IP address to the whitelist field. ( screenshot: https://prnt.sc/q8vi6p )
Configure your logging how you see fit, please note that on high traffic websites, your log can get very large, so do be careful what you select.
Scroll down to “NGINX conf file” and type in your applications root path. I make it a “dot file” so it is hidden. If you do not know your applications path, please check with your hosting provider. As an example, my website’s path on RunCloud looks similar to:
I set “Automatic” proxy detection. Your usage may vary for this, if you have questions, please consult your hosting provider.
I also set “No” error messages. For me I have not seen a reason to display them to the end users of the site, so I have set mine to No.
Once you have this section configured, hit “Save Settings” at the bottom: https://prnt.sc/q8xi1z
At this point, you will need to get into shell on your server. We need to make sure that the file exists in the location we specified in “NGINX conf file” above. So once you are shelled into your server, run this command swapping out the caps for your web apps specific account and application:
sudo touch /home/YOUR_USER/webapps/YOURWEBAPPLICATION/.nginx.conf
This will create a blank file for the iThemes nginx configuration to be written to. You will also need to change the ownership of the file to match your web application, you can do this with:
sudo chown YOUR_USER:YOUR_GROUP /home/YOUR_USER/webapps/YOURWEBAPPLICATION/.nginx.conf
Once that is done we will need our nginx install to properly pull the configuration in. iThemes rules need to go in the web applications main “location” block, so let’s write a single line into the RunCloud specific location nginx config by running this:
echo "include /home/YOUR_USER/webapps/YOURWEBAPPLICATION/.nginx.conf;" > /etc/nginx-rc/extra.d/YOURWEBAPPLICATION.location.main-before.ithemes.conf
Now, we can go back to iThemes and finish configuring it, leave shell open for now, once we are done configuring iThemes, you will need to reload nginx.
Click “Configure Settings” under “404 Detection” ( screenshot: https://prnt.sc/q8yyu8 )… if it is not enabled, please click the ‘Enable’ button to do so. In the settings page, make sure “Minutes to remember” is set to 5, and “Error Threshold” is set to 10. ( screenshot: https://prnt.sc/q8yzyb ) These are safe values for a standard WordPress install. Don’t forget to hit Save Settings at the bottom of that popup.
Under Banned Users, click Configure Settings, and check the “Default Blacklist” and “Ban Lists” then hit “Save Settings” at the bottom of the popup. Screenshot: https://prnt.sc/q8z13t
This will give your site a good starting point and block access to it from a list of bad bots.
Click “Configure Settings” under “Local Brute Force Protection”, and set Max Login Attempts Per Host to 5, Max Login Attempts per User to 10, Minutes to Remember to 5, and check the box to automatically ban the “admin” username. Once done, click the Save Settings button. ( screenshot: https://prnt.sc/q8z4jb )
Click “Configure Settings” under “Network Brute Force Protection”, check the Ban Reported IPs checkbox (screenshot: https://prnt.sc/q8zeuv ), then click Save Settings
Click “Configure Settings” under “Password Requirements”, and make sure to check the “Enabled” checkbox. I would select “Subscriber” from the drop down in any site that requires any non-administrator user to login to it. Once done, click “Save Settings”
Click “Configure Settings” under “System Tweaks” and check every checkbox, then click “Save Settings”.
Click “Configure Settings” under “WordPress Tweaks”, and check the following checkboxes: Windows live Writer Header, EditURI Header, Comment Spam, and File Editor. Select “Disable XML-RPC” under XML-RPC section, select “Block” for the Multiple Auth attempts by XML-RPC, and select “Restricted Access” for the “REST API”. Check “Force Unique Nickname”, “Disable Extra User Archives”, and “Mitigate Attachment File Traversal Attack”. Click “Save Settings” once you are finished.
This concludes the iTheme Security Plugin configuration, now you can get back into your shelled server, and run:
sudo service nginx-rc reload to fully apply the rules, and welcome to your highly secured WordPress website!