ENABLING WORDPRESS ON HTTPS ON AN UBUNTU SERVER

Ian Peter
6 min read · Feb 7, 2022


This is an article dealing with:

1. Installing a free self-signed SSL certificate on your website

2. Various methods of hardening WordPress.

Prerequisites

- Installing Apache and Wordpress on your Ubuntu Server

Follow the steps provided in the article found at

- Updating your Ubuntu Server. This can be done by running the command:

apt-get update

- Elevate privileges to root user before starting. This can be done with the command:

sudo su

Elevating user privileges to super user

Installing Self-Signed SSL Certificate

  • First, confirm whether openssl is installed on your machine by executing

openssl version

Checking if openssl is installed

If openssl is not found (an output similar to the one shown), install it by executing

sudo apt install openssl

  • Check once more that it installed successfully by running the first command. If it did, proceed with the next steps.
  • The next step is to request a new 2048-bit RSA key and a self-signed certificate in one go. The key is stored under /etc/ssl (in /etc/ssl/private) and the certificate under /etc/ssl/certs, which are the paths the Apache configuration later in this article refers to. The flags appended to the openssl req command serve the following functions:

a) req -x509 tells OpenSSL to produce a self-signed certificate directly, using its certificate signing request (CSR) tooling. If -x509 is omitted, the command generates a certificate signing request instead of the certificate itself.

b) -nodes stores the private key without a passphrase, so Apache can read it without prompting. If it is omitted, the passphrase has to be entered after every restart of the server.

c) -days 365 sets how long the certificate remains valid.

d) -new -newkey rsa:2048 specifies that the certificate and a new key are generated at the same time; rsa:2048 makes the RSA key 2048 bits long.

e) -keyout and -out tell OpenSSL where to write the generated key file and the certificate respectively.

Generating an openssl certificate
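The openssl command itself is only shown in the screenshot above, so the following script is an added example rather than the article's own command: it is reconstructed from the flags listed above and from the file paths used by the Apache configuration that follows, then checks that the generated key and certificate belong together and prints what was issued. The hostname test.com and the /etc/ssl root come from the article; the -subj fields are constructed placeholders; -addext, which adds a subjectAltName because browsers match the hostname against the SAN rather than the CN alone, assumes OpenSSL 1.1.1 or newer (Ubuntu 20.04 ships 1.1.1f).

```shell
#!/bin/sh
# Added example, not the article's own command: generate the self-signed
# certificate with the flags explained above and sanity-check the result.
# Assumptions: the output root defaults to /etc/ssl as in the article (pass
# another directory to try it without root); the subject fields are
# constructed placeholders, so replace the CN/SAN with your real hostname.

make_self_signed() {   # $1 output root, $2 hostname, $3 validity in days
    root=${1:-/etc/ssl}
    host=${2:-test.com}
    days=${3:-365}
    mkdir -p "$root/private" "$root/certs" || return 1
    # -x509   : emit a self-signed certificate rather than a CSR
    # -nodes  : leave the key unencrypted so Apache starts without a passphrase
    # -newkey : create a fresh 2048-bit RSA key together with the certificate
    # -addext : browsers check the SAN, not just the CN (needs OpenSSL >= 1.1.1)
    openssl req -x509 -nodes -days "$days" -new -newkey rsa:2048 \
        -subj "/C=XX/O=Example/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$root/private/my.key" \
        -out "$root/certs/my.crt" || return 1
    chmod 600 "$root/private/my.key"   # the private key must not be world-readable
}

# Succeeds only when the public key embedded in my.crt matches my.key; a
# mismatch is the usual reason Apache refuses to start after a certificate swap.
key_matches_cert() {   # $1 output root
    root=${1:-/etc/ssl}
    kpub=$(openssl pkey -in "$root/private/my.key" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$root/certs/my.crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Print subject, validity window and SAN so the operator can see what was issued.
cert_summary() {   # $1 output root
    openssl x509 -in "${1:-/etc/ssl}/certs/my.crt" -noout -subject -dates -ext subjectAltName
}

# Usage (as root, matching the article's layout):
#   make_self_signed /etc/ssl test.com 365 && key_matches_cert /etc/ssl && cert_summary /etc/ssl
```

Running the three functions in sequence before touching Apache catches a wrong hostname or a key/certificate mismatch while it is still cheap to regenerate; the summary also shows the notAfter date, which is the day the browser warning turns from "self-signed" into "expired".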

- Create an ssl.conf file in the /etc/apache2/sites-available folder (the name must end in .conf, because Apache only includes sites-enabled/*.conf)

sudo touch /etc/apache2/sites-available/ssl.conf

sudo vim /etc/apache2/sites-available/ssl.conf

creating and editing an ssl.conf file
  • Edit the file and put in the following configuration. Replace the ServerName value with your own hostname

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/my.crt
    SSLCertificateKeyFile /etc/ssl/private/my.key
    ServerName test.com
    DocumentRoot /srv/www/wordpress
</VirtualHost>

Configurations added to ssl.conf file
  • Exit and save the file by typing :wq
  • Using the a2ensite command, activate ssl.conf, and disable default-ssl.conf using a2dissite:

a2ensite ssl.conf && a2dissite default-ssl.conf

  • Enable the ssl module using a2enmod command

a2enmod ssl

  • Finally, restart the apache2 service using:

systemctl restart apache2

  • Go to your browser, open the domain or IP address of the site and confirm that it is up and reachable over https.
  • Select "Continue to <domainname> (unsafe)" and proceed.
Accessing the site through https
  • The website is fully functional, but the https indicator is struck through. This is simply because the certificate is self-signed. Any communication sent through this website is now encrypted and is not susceptible to a MITM attack.
Site is up and running now

Currently the site serves both http and https, and it is left to the user to know which one is more secure. For simplicity and better security, redirect all traffic to HTTPS.

  • This can be done by editing the /etc/apache2/sites-available/wordpress.conf file and adding the following line inside its <VirtualHost> block (the one serving plain HTTP); replace test.com with your own hostname.

Redirect "/" "https://test.com/"

Hardening WordPress on Ubuntu Server

There are various methods of hardening a WordPress site, the most important being the one demonstrated above: installing an SSL certificate. Other methods include:

1. Enabling automatic security updates for Ubuntu distribution

This is done by running the command

apt-get install unattended-upgrades

dpkg-reconfigure --priority=low unattended-upgrades

Enabling automatic security update
Accepting to enable automatic security updates

Finally, confirm activation by running:

cat /etc/apt/apt.conf.d/20auto-upgrades

Output to confirm automatic updates are running

If the output is similar to the one above, then the operation was successful.

2. Enabling Automatic WordPress Updates

  • This is done by navigating to the wp-config.php file and making a backup copy first; it can simply be named wp-config.php.bak. After that, edit the original file and add the following lines

/** Automatically update the WordPress core, plugins and themes. */
/* add_filter() is only defined once wp-includes/plugin.php has been loaded, which
   happens inside wp-settings.php. Put these lines after the
   require_once ABSPATH . 'wp-settings.php'; line at the end of wp-config.php
   (or in a must-use plugin); placed above it they cause a fatal error. */
add_filter( 'auto_update_core', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

Configuration changes to enable automatic wordpress updates

Exit and save the file

3. Modify the default Apache configuration file to turn off directory indexing if it is not needed. A directory listing gives an attacker an easy way to enumerate the files on your system.

  • Navigate to the /etc/apache2 directory
  • Make a copy of apache2.conf before making any alterations
  • Edit apache2.conf, making the changes shown in the screenshot below
  • Restart the apache2 service using systemctl restart apache2
Configuration changes made to Apache conf file to remove indexing

4. Turn off the server signature. Leaving it on is very helpful to an attacker looking for vulnerabilities in the specific PHP and Apache web server versions running on your system.

  • Navigate to /etc/php/7.4/apache2. The version directory may differ on your system; once in /etc/php/ you can use ls and cd to find your way to the apache2 folder.
  • Edit the php.ini file to hide the PHP version by making the following change: ensure the expose_php value is set to Off.
Turning off the php version from php configuration file
  • Next, check the website's response for the server signature. This can be done from the command line using the curl command with the --head flag.
Checking website for server signature

As the screenshot shows, the Server header reports the Apache version as Apache/2.4.41 (Ubuntu).

  • Navigate to /etc/apache2 and edit the apache2.conf file, adding the following lines

ServerSignature Off

ServerTokens Prod

  • Finally, restart the Apache service using systemctl restart apache2
Turning off Apache version
  • Use the curl command once more to check the site and confirm that it no longer displays the version.
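Steps 3 and 4 are easy to get subtly wrong: Apache applies the last occurrence of a directive, and Ubuntu's conf-enabled/security.conf (included near the end of apache2.conf) sets ServerTokens OS and ServerSignature On, so lines added near the top of apache2.conf are overridden while lines appended at its end take effect. The script below is an added example, not part of the article. It reads the effective values from an apache2.conf and a php.ini, flags directory listing, and parses the headers that curl --head returns. The configuration fragments and the header block are constructed samples; Options -Indexes is the standard directive assumed here for the indexing change the article shows only in a screenshot.

```shell
#!/bin/sh
# Added example, not code from the article: audit the settings changed in
# steps 3 and 4 and flag version disclosure in HTTP response headers.
# The config fragments written by write_samples are constructed for this demo.

# Effective value of an Apache directive. Apache honours the LAST occurrence
# in the main server config, so a line added at the top of apache2.conf is
# overridden by the defaults conf-enabled/security.conf sets later.
apache_directive() {   # $1 directive name (case-insensitive), $2 config file
    awk -v d="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == d { v = $2 } END { print v }' "$2"
}

# Exit 0 when any uncommented Options line still enables listings
# ("Indexes" or "+Indexes"); "-Indexes" turns them off.
apache_listing_enabled() {   # $1 config file
    awk '$1 !~ /^#/ && tolower($1) == "options" {
             for (i = 2; i <= NF; i++) if (tolower($i) ~ /^[+]?indexes$/) found = 1
         } END { exit found ? 0 : 1 }' "$1"
}

# Effective expose_php value from a php.ini (";" starts a comment there).
php_expose() {   # $1 php.ini
    awk -F= '$1 !~ /^[ \t]*;/ { k = $1; gsub(/[ \t]/, "", k)
                 if (tolower(k) == "expose_php") { v = $2; gsub(/[ \t]/, "", v) } }
             END { print v }' "$1"
}

# Print one finding per weak setting; return 1 if anything was found.
audit_config() {   # $1 apache2.conf, $2 php.ini
    n=0
    [ "$(apache_directive ServerTokens "$1" | tr 'A-Z' 'a-z')" = prod ] ||
        { echo "ServerTokens is not Prod (Server header reveals version)"; n=$((n+1)); }
    [ "$(apache_directive ServerSignature "$1" | tr 'A-Z' 'a-z')" = off ] ||
        { echo "ServerSignature is not Off (version shown on error pages)"; n=$((n+1)); }
    ! apache_listing_enabled "$1" ||
        { echo "Options Indexes enabled (directory listing)"; n=$((n+1)); }
    [ "$(php_expose "$2" | tr 'A-Z' 'a-z')" = off ] ||
        { echo "expose_php is not Off (X-Powered-By: PHP/x.y.z sent)"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

# Findings from response headers read on stdin, e.g. `curl --head https://host/ |
# header_findings`: a Server value carrying a version, or an X-Powered-By header.
header_findings() {
    awk 'tolower($1) == "server:" && $0 ~ /\/[0-9]/ { print "version in Server header: " $0 }
         tolower($1) == "x-powered-by:"             { print "X-Powered-By present: " $0 }'
}

# Constructed samples (weak and hardened pairs) written into directory $1.
write_samples() {
    cat > "$1/weak-apache2.conf" <<'EOF'
ServerTokens OS
ServerSignature On
<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
EOF
    cat > "$1/hard-apache2.conf" <<'EOF'
ServerTokens OS
<Directory /var/www/>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
# appended at the end so they override the earlier/included defaults
ServerTokens Prod
ServerSignature Off
EOF
    printf 'expose_php = On\n' > "$1/weak-php.ini"
    printf '; hide the PHP version from the X-Powered-By header\nexpose_php = Off\n' > "$1/hard-php.ini"
}

# Usage on a live server (paths as in the article):
#   audit_config /etc/apache2/apache2.conf /etc/php/7.4/apache2/php.ini
#   curl -sk --head https://test.com/ | header_findings
```

The hardened sample deliberately keeps the ServerTokens OS line that security.conf would contribute and appends the Prod setting afterwards, which is why the audit reads the last occurrence rather than the first: that mirrors what Apache actually does and catches the common mistake of adding the lines too early in the file.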

5. Remove the info traces. These are files that reveal information about the system.

  • Delete the PHP info file
  • Delete the motd.tail file, which shows the WordPress DB password
  • Remove the WordPress readme file, which reveals the WordPress version

This can all be done by running the following command:

rm -rf /var/www/html/info.php && rm -rf /etc/motd.tail && rm -rf /var/www/html/readme.html

Removing all info traces

Written by Ian Peter

CTF player. Cybersecurity enthusiast and Computer science student
