This guide explains some recommended security measures to perform after installing KUSANAGI.
1. Enhance security of wp-config.php
wp-config.php includes information about database connections and also some critical security information such as the unique authentication key. Therefore, it is important to enhance the security of the wp-config.php file.
a. Move wp-config.php out of the document root
The wp-config.php file is generated under the document root when WordPress is installed.
Move wp-config.php one level up, out of the document root, so that the file cannot be requested directly from outside via a URL.
1. Log in to the virtual machine
Use Poderosa or another SSH client to log in to the virtual machine via SSH.
Username for login: kusanagi
The password is the one specified when running “kusanagi init”.
For Microsoft Azure, use the username and password that were specified during the “Basics” screen while launching the VM.
2. Switch to root user
Enter the following to switch to root user.
$ su -
You will be asked for a password. Enter the password for root user.
* The root user password is the one defined when the virtual machine was launched on the cloud service.
For Microsoft Azure, enter the following to switch to root user.
$ sudo su -
You will be asked for a password. Enter the password used for SSH login.
3. Go to the directory where wp-config.php is located
Go to the directory where wp-config.php is located.
Enter the following.
# cd /home/kusanagi/kusanagi_html(*1)/DocumentRoot
(*1) Enter the name of the profile created in “WordPress Provisioning”.
4. Move wp-config.php up one level
Move the wp-config.php file up one level. Enter the following.
# mv wp-config.php ../
5. Go up one level from current directory
Go up one level from the current directory and confirm that wp-config.php has been moved correctly. Enter the following.
# cd ..
6. Confirm wp-config.php file is present
Check that the wp-config.php file is now in the directory one level above the document root.
Enter the following to show the list of files in the directory. Make sure wp-config.php is in the list.
# ll
If the file is there, the move was successful.
7. Check display of the website
Access the URL of the website from your browser.
If the front page of the website displays without any problems, then WordPress is operating normally after the move of wp-config.php.
b. Set restrictive permissions
If you used KUSANAGI to install WordPress, the owner of wp-config.php is httpd (group www) and the permission is 666 (rw-rw-rw-) by default.
You can improve security by changing the owner of wp-config.php and setting its permissions as restrictive as possible.
* The following procedure assumes that wp-config.php has been moved one level above the document root, as shown in the previous step.
1. Log in to the virtual machine
Use Poderosa or another SSH client to log in to the virtual machine via SSH.
2. Switch to root user
Enter the following to switch to root user.
$ su -
You will be asked for a password. Enter the password for root user.
* The root user password is the one defined when the virtual machine was launched on the cloud service.
For Microsoft Azure, enter the following to switch to root user.
$ sudo su -
You will be asked for a password. Enter the password used for SSH login.
3. Go to the directory where wp-config.php is located
Enter the following to go to the directory where wp-config.php is located.
# cd /home/kusanagi/kusanagi_html(*1)
(*1) Enter the name of the profile created in “WordPress Provisioning”.
4. Change the owner of wp-config.php
Enter the following to change the owner from the web server user to the kusanagi user, keeping the www group so that the web server can still read the file.
# chown kusanagi:www wp-config.php
5. Change permission for wp-config.php
After changing the owner, change the permission of wp-config.php to “440 (r-- r-- ---)” so that it is read-only for the owner and group and inaccessible to everyone else.
Enter the following.
# chmod 0440 wp-config.php
6. Check the permission
Make sure the permission of wp-config.php has been changed. Enter the following to show the list of files in the directory and their permissions. Check the permission of wp-config.php.
# ll
If the permission of wp-config.php is stated as “r-- r-- ---”, then the change is successful.
7. Check the display of the site
Access the URL of the website from your browser.
If the front page of the website displays without any problems, then WordPress is operating normally after the permission change.
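The move and permission steps above (sections a and b), combined into one script with a check that verifies the end state. This is an added example, not a KUSANAGI tool; it assumes the profile directory layout used in this guide (the profile directory contains DocumentRoot) and a Linux “ls -ld” output format.

```shell
#!/bin/sh
# Added example (not from the KUSANAGI guide): move wp-config.php one level
# above DocumentRoot, set owner:group and mode 0440, then verify the result.
# Assumption: the caller passes the profile directory, e.g.
# /home/kusanagi/kusanagi_html, and the owner/group to apply (kusanagi www).
set -eu

# harden_wp_config <profile dir> <owner> <group>
harden_wp_config() {
    profile_dir=$1; owner=$2; group=$3
    # Step a: move the file out of the document root if it is still there.
    if [ -f "$profile_dir/DocumentRoot/wp-config.php" ]; then
        mv "$profile_dir/DocumentRoot/wp-config.php" "$profile_dir/wp-config.php"
    fi
    # Step b: owner change, then restrictive mode.
    chown "$owner:$group" "$profile_dir/wp-config.php"
    chmod 0440 "$profile_dir/wp-config.php"
}

# check_wp_config <profile dir>  -> 0 only if wp-config.php is no longer in
# DocumentRoot, exists one level above it, and has mode r--r-----.
check_wp_config() {
    profile_dir=$1
    [ ! -e "$profile_dir/DocumentRoot/wp-config.php" ] || return 1
    [ -f "$profile_dir/wp-config.php" ] || return 1
    mode=$(ls -ld "$profile_dir/wp-config.php" | cut -c1-10)
    [ "$mode" = "-r--r-----" ]
}
```

On a real KUSANAGI host run it as root: harden_wp_config /home/kusanagi/kusanagi_html kusanagi www, then check_wp_config /home/kusanagi/kusanagi_html before testing the site in a browser.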
2. Restrict access to WordPress dashboard
Prevent unauthorized third-party logins to the WordPress dashboard by using Basic authentication and restricting access by IP address.
KUSANAGI installs two web servers (Nginx and Apache), and you can switch between them. Follow both procedures below so that the restriction works correctly whichever server is active.
a. Specify IP address allowed for access on Nginx
Enter the following to open the Nginx configuration file.
# vi /etc/nginx/conf.d/[profile name(*1)]_http.conf
(*1) Name of profile created by “kusanagi provision” command.
Example: vi /etc/nginx/conf.d/kusanagi_html_http.conf
In line 43, change “allow 0.0.0.0/0;” to the allowed IP address.
Example: allow xxx.xxx.xxx.xxx;
* If you don’t use Basic authentication, comment out lines 46 and 47 (add “#” to the beginning of the lines).
At the time of WordPress provisioning, a configuration file is also created for SSL, so the same change is needed there.
Enter the following to open the Nginx SSL configuration file.
# vi /etc/nginx/conf.d/[profile name (*1)]_ssl.conf
(*1) Name of profile created by “kusanagi provision” command.
Example: vi /etc/nginx/conf.d/kusanagi_html_ssl.conf
In line 54, change “allow 0.0.0.0/0;” to the allowed IP address.
Example: allow xxx.xxx.xxx.xxx;
* If you don’t use Basic authentication, comment out lines 57 and 58 (add “#” to the beginning of the lines).
If you are currently using Nginx and want the change to take effect immediately, run the “kusanagi nginx” command.
The next time Nginx is used as the web server, only the specified IP address can access the WordPress dashboard directly.
* Refer to “c. .htpasswd settings” for how to set up username and password for Basic authentication.
b. Specify IP address permitted for access to Apache
Enter the following to open the “.htaccess” file under the document root.
# vi /home/kusanagi/[profile name (*1)]/DocumentRoot/.htaccess
(*1) Name of profile created by “kusanagi provision” command.
Example: vi /home/kusanagi/kusanagi_html/DocumentRoot/.htaccess
In line 8, change “Allow from all” to the allowed IP address.
Example: Allow from xxx.xxx.xxx.xxx
* If you don’t use Basic authentication, comment out lines 10, 11 and 12 (add “#” to the beginning of the lines).
The next time Apache is used as the web server, only the specified IP address can access the WordPress dashboard directly.
* Refer to “c. .htpasswd settings” for how to set up username and password for Basic authentication.
c. “.htpasswd” settings
Follow the procedure below to create the .htpasswd file and set up the username and password for Basic authentication.
1. Create .htpasswd file
Both the Nginx and the Apache configuration refer to the “.htpasswd” file at a common path by default.
Create the “.htpasswd” file at that path.
Enter the following.
# htpasswd -c /home/kusanagi/.htpasswd [username]
Then enter a password, and re-enter the same password to confirm.
* The “-c” option creates the file and overwrites it if it already exists; omit “-c” when adding a further user to an existing file.
Then access the WordPress dashboard from your browser and enter the username and password for Basic authentication. If the dashboard is displayed without problems, the configuration is successful.
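A typo in the “allow” or “Allow from” line (sections a and b above) either leaves the dashboard open or locks the administrator out, so this added example (not part of KUSANAGI) validates the address before replacing the wide-open directive, keeps a backup, and checks that no open directive remains. The sample Nginx block is constructed for the example; the real KUSANAGI file differs in its surrounding lines.

```shell
#!/bin/sh
# Added example (not KUSANAGI's own tooling): replace "allow 0.0.0.0/0;" (Nginx)
# or "Allow from all" (Apache) with one validated IPv4 address or network.
set -eu

# valid_ipv4_cidr <addr>  -> 0 for a.b.c.d or a.b.c.d/0-32 with octets <= 255
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(printf '%s\n' "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# restrict_admin_access <config file> <nginx|apache> <ip or cidr>
# Copies the original to <file>.bak and rewrites the open directive.
restrict_admin_access() {
    file=$1; server=$2; addr=$3
    valid_ipv4_cidr "$addr" || { echo "rejected address: $addr" >&2; return 1; }
    cp "$file" "$file.bak"
    case $server in
        nginx)  sed "s|allow 0\.0\.0\.0/0;|allow $addr;|" "$file.bak" > "$file" ;;
        apache) sed "s|Allow from all|Allow from $addr|" "$file.bak" > "$file" ;;
        *)      echo "unknown server: $server" >&2; return 1 ;;
    esac
}

# is_restricted <config file>  -> 0 if no wide-open allow directive is left
is_restricted() {
    ! grep -Eq 'allow 0\.0\.0\.0/0;|Allow from all' "$1"
}

# Constructed sample in the shape of a dashboard location block (assumption,
# not the actual KUSANAGI file contents).
write_sample_nginx() {
    cat > "$1" <<'EOF'
location ~* /wp-login\.php|/wp-admin/ {
    allow 0.0.0.0/0;
    deny all;
    auth_basic "Restricted";
    auth_basic_user_file /home/kusanagi/.htpasswd;
}
EOF
}
```

After editing the real file, run “nginx -t” (or “apachectl configtest”) before reloading, so a malformed directive is caught before the server picks it up.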
3. Restrict IP access to the server
You can specify the IP addresses and host names that are allowed to connect in the hosts.allow and hosts.deny files. Access to the server from any other IP address or host is then denied.
- hosts.allow
Specifies the conditions under which access is permitted.
- hosts.deny
Specifies the conditions under which access is denied.
The rules are evaluated in the following order.
- If the connection matches a condition in hosts.allow, access is allowed.
- If the connection matches a condition in hosts.deny, access is denied.
- If the connection matches neither file, access is allowed.
Use the following format in both hosts.allow and hosts.deny.
Service name: host name or IP address
Example: ssh:192.168.1.0
a. Allow access by hosts.allow
Specify the IP addresses or host names that are allowed access.
1. Go to directory where hosts.allow is located
Enter the following.
# cd /etc/
2. Open hosts.allow file
Open the hosts.allow file in the “/etc/” directory.
Enter the following.
# vi hosts.allow
3. Specify conditions for allowed access
Specify the conditions under which access to the server is allowed.
Example:
all:192.168.1.10
all:192.168.10.
all:.ucom.ne.jp
Add the conditions and then save the file.
Check the addresses carefully before saving: a wrong number in a condition means you will no longer be allowed to access the server once hosts.deny is set.
b. Deny access by hosts.deny
Deny all other access.
The hosts.deny file is in the same directory as the hosts.allow file.
1. Open hosts.deny file
Open hosts.deny file.
Enter the following.
# vi hosts.deny
2. Add a rule to deny all access
Add the following line to deny all access.
all:all
Save the file after making the change.
Now only access from the IP addresses and host names specified in “a. Allow access by hosts.allow” is permitted.
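Because “all:all” in hosts.deny locks out every client that hosts.allow does not match, this added example (not part of the KUSANAGI guide) checks the address you are connected from against the hosts.allow rules before the deny rule is saved. It assumes the “service:client” format shown above and only the pattern kinds the guide uses: an exact IP, a network prefix ending in a dot, a domain suffix starting with a dot, and “all”.

```shell
#!/bin/sh
# Added example (not KUSANAGI's own tooling): pre-flight lockout check for
# hosts.allow before "all:all" goes into hosts.deny.
set -eu

# client_matches <pattern> <ip or host name>  -> 0 on match
client_matches() {
    pattern=$1; client=$2
    case $pattern in
        all|ALL) return 0 ;;
        *.)  case $client in "$pattern"*) return 0 ;; esac ;;   # 192.168.10.
        .*)  case $client in *"$pattern") return 0 ;; esac ;;   # .ucom.ne.jp
        *)   [ "$client" = "$pattern" ] && return 0 ;;          # exact IP/host
    esac
    return 1
}

# hosts_allow_permits <hosts.allow file> <service> <client>
# -> 0 if a rule for <service> (or "all") matches <client>
hosts_allow_permits() {
    file=$1; service=$2; client=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        [ -n "$line" ] || continue
        daemon=$(printf '%s' "${line%%:*}" | tr -d ' ')
        pattern=$(printf '%s' "${line#*:}" | tr -d ' ')
        case $daemon in all|ALL|"$service") ;; *) continue ;; esac
        client_matches "$pattern" "$client" && return 0
    done < "$file"
    return 1
}

# Constructed hosts.allow with the three rules used in the guide.
write_sample_hosts_allow() {
    printf 'all:192.168.1.10\nall:192.168.10.\nall:.ucom.ne.jp\n' > "$1"
}
```

On the server, run it as hosts_allow_permits /etc/hosts.allow sshd "${SSH_CLIENT%% *}" (the first field of SSH_CLIENT is your source address) and only add “all:all” to hosts.deny if it returns 0.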
4. Other directory permission settings
In KUSANAGI, the permission of the following directories is 777 (rwx rwx rwx) by default. Change it to 755 (rwx r-x r-x).
・Document root (/home/kusanagi/[profile name]/DocumentRoot)
・wp-content directory (/home/kusanagi/[profile name]/DocumentRoot/wp-content)
a. Change permission for DocumentRoot
Enter the following to go to the directory that contains DocumentRoot.
# cd /home/kusanagi/kusanagi_html(*1)
(*1) Enter the name of the profile created by “kusanagi provision” command.
Then, enter the following.
# chmod 0755 DocumentRoot
b. Change permission for wp-content directory
Next, change the permission of the wp-content directory.
Enter the following to go to the directory that contains wp-content.
# cd DocumentRoot
Then, enter the following.
# chmod 0755 wp-content
The directory permissions are now changed.