Before we dig into securing the website login, let see some introduction of Cloudflare.

What is Cloudflare?

As we all know, Cloudflare is one of the best CDN(Content delivery network) and DNS(Domain Name System) out there in the market.

Is Cloudflare just a DNS and CDN?

Well No! It’s also an internet reverse proxy service provider. There are many security features that come with Cloudflare.

Why cloudflare?

When the website domain is configured in Cloudflare DNS with “proxy” switched on, it acts as a reverse proxy for the website. All the traffic coming into the website and going out of it will be through the Cloudflare security infrastructure. So we can use it to inspect what type of traffic is coming in and to which URL’s. The malicious content can be filtered out thereby protecting our website. Cloudflare also do provide free SSL for our website and makes it HTTPS. Behind Cloudflare network, it connects to the real web server by different means such as HTTP or HTTPS (strict or flexible)

Need to know more, Have a look at https://www.cloudflare.com/

Benefits of using Cloudflare

• DDoS protection – As cloudflare faces the internet, it takes the initial hit, so the website is protected in case of a DDoS attack
• Firewall (3 rules in the free plan)
• Rule based page caching (3 rules in the free plan)
• Ultra fast DNS
• Has a reCaptcha feature to get rid of robots.
• Client certificate authentication
• Caching and mimify(html, css and js)
• And many more…

Securing the WordPress website login using Cloudflare and Wireguard VPN

Now let’s start the configuration

Changing the WordPress admin page url

Everyone knows, the login page of WordPress is https://domainname.com/wp-login.php, so anyone can try a random combination of credentials or even do a brute-force attack.
As a precaution, we first change the login URL using a WordPress plugin – https://wordpress.org/plugins/wps-hide-login/
The plugin should be installed which will then appear in the admin panel “Settings > WPS Hide Login”. Change the URL to something “not so common” and save the settings.

Now the URL of the WordPress login page is changed and when someone tries https://domainname.com/wp-admin they will be redirected to the 404 page or we can set it to any page as required.
This gives a certain level of protection as the URL is not a well-known phrase.

A self-hosted Wireguard VPN

By self-hosting a VPN(Virtual Private Network) in your cloud VPS, the VPN server will modify the source IP address of the traffic to the VPN server’s IP address. Connecting to the VPN changes our IP address and this IP can be whitelisted in Cloudflare’s firewall. So only we have access to the WordPress login page URL. This step is not needed if you own a static IP from your ISP which is not always the case.

Wireguard is a new and lightweight VPN solution that can be easily deployed using a docker container. There is a wireguard docker container from linuxserver.io which can be easily deployed.

Follow tekcookie.com for upcoming VPN articles.

The VPN can be configured as a split tunnel allowing only the website IP or a tunnel mode VPN tunneling the entire traffic. It’s better to use split-tunnel mode VPN as it does not take much of the network bandwidth.

For split-tunnel configuration, IPTables of the wireguard server has to be configured to allow only the website traffic

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -d tekcookie.com -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -d tekcookie.com -o eth0 -j MASQUERADE

In the VPN Client software, the AllowedIPs parameter should have the public IP address of the website.

AllowedIPs = 132.123.13.123/32, 111.222.212.123/32

If there is more than one IP to the website, it can be added as shown in the sample above. The IP address of the domain is obtained by nslookup to any DNS servers out on the internet.

By this, only the website traffic is tunneled through the VPN and other traffic takes the normal internet.

Cloudflare Firewall Rules

In the Cloudflare firewall, a rule is added to block all the traffic to the login URL except the traffic having the VPN server’s IP as the source address.

Navigate to Firewall > Firewall Rules and click the “Create a Firewall rule” button to create a new rule.

In the rule, custom login page URL is added with the VPN server’s IP address.

This is a “Block” rule which blocks all the traffic to https://domainname.com/randomurl if the source IP address does not match the VPN server’s IP address.

Means, this page is only accessible if the VPN is connected.

Along with the IP address filtering, there are many more filters available such as Country, cookie, user agent, client certificate verified, etc. Just explore it out and frame your own rules for better security.

Conclusion

This article explains how to secure the WordPress login. But this does not guarantee the overall website security from internet threats. For that, a vulnerability assessment has to be performed to identify the loopholes. The WordPress and the plugins have to be kept updated to protect from the known security issues. There are also many WordPress plugins that help to increase website security.

The sad truth of security is nothing is 100% secure.

Hope you liked this article and thank you for reading.

Let’s Encrypt is one of the CA who provide free SSL certificate for the websites. The free certificate is having 90 days validity.

In this article, we will see how to get FREE SSL certificate for the website.

In the previous post, we saw how to publish WordPress website in Ubuntu Linux. Using the free SSL, we will secure the website.

Step-1 : Setting Domain Name

To setup SSL for the website, the site need to have a domain name with A record pointing to the website IP address. The domain here is moneyworkforme.in and the dns is having A record pointing to wesite IP address and www as cname record referring to the domain name.

The DNS setting can be changed in the doman registrar website or in the third party DNS provider console if custom name server is configured.

Step-2 : Setup WordPress URL

Browser and login to the WordPress website admin portal. http://<ip-address>/wp-admin

Change the WordPress Address URL and Site Address URL to the domain name – www.moneyworkforme.in

After the settings are saved, the browser refresh to the wp-admin page with the domain name as suffix instead of the IP address.

Step-3 : Installing Certbot

We need to install certbot package to get certificate from the CA and python3-certbot-apache plugin which integrates Certbot with Apache to automate certificate renewal and https configuration in the web server.

sudo apt install certbot 
sudo apt install python3-certbot-apache

Step-4 : Apache Virtual Host Configuration

To obtain SSL certificate for the web server, Certbot needs to find the website domain name and the alias name within the Apache configuration files. This information will be retrieved from the ServerName and ServerAlias fields defined in the configuration file.

sudo nano /etc/apache2/sites-available/000-default.conf

In the configuration file, add the following entries –

ServerName moneyworkforme.in
ServerAlias www.moneyworkforme.in

Step-5 : Allow HTTPS Port

Enable the tcp port 443 to accept https traffic

sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -j ACCEPT

Make the firewall changes permanent

sudo netfilter-persistent save

Step-6 : Install Let’s Encrypt Certificate

sudo certbot --apache --agree-tos --email info@tekcookie.com --redirect -d moneyworkforme.in -d www.moneyworkforme.in

Parameters:
–apache: Use Apache2 Let’s Encrypt installer.
–agree-tos: Agree to Let’s Encrypt terms of service.
–redirect: Adds 301 redirect.
–email: Contact email address.
–d: add the domain name and alias name.

The “IMPORTANT NOTES” section shows the path where the certificate is downloaded.

Lets verify the same, list the items under /etc/letsencrypt/live/moneyworkforme.in to view the certificate files.

Step-7 : Setup Certificate Auto-Renewal

Automating the certificate makes the administration job easier as the certificate validity is only 90 days. Test the status of Certbot before adding the same to crontab

Check the status of the Certbot

sudo systemctl status certbot.timer

Testing the renewal process by dry run with certbot

sudo certbot renew --dry-run

Configuring Crontab for scheduling certificate auto renewal.

sudo crontab -e

Select the appropriate text editor when prompted and add the below statement.

0 1 * * * /usr/bin/certbot renew & > /dev/null

Step-8 : Fix HTTPS Redirection

When the SSL certificate is installed, the Certbot auto configures Apache2 with http to https redirection. But the auto configured redirection only works with URL having domain name (I.e http://moneyworkforme.in to https://moneyworkforme.in) but not for the IP address. To redirect http traffic with IP address in the URL to domain name, modify Apache Virtual Host Configuration.

Replace the following snippet as shown below under VirtualHost tag

Auto configured settings

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.moneyworkforme.in [OR]
RewriteCond %{SERVER_NAME} =moneyworkforme.in
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Replace the above with

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://www.moneyworkforme.in/$1 [R,L]

And the WordPress site is now secured with Let’s Encrypt SSL Certificate.

Hope this article is informative to you. Thank you for reading my post.

This article describes about how to install WordPress on Ubuntu.

WordPress is a Free and Open-Source content management system developed in php with MySQL as back-end with the capability to extent or implement functionality by using plugins and UI modifications via Themes.

Here, we will Install WordPress in a very small Instance of Linux VM. The installation is done through shell.

System Specs:
Processor - 1 vCPU
Memory - 1 Gb
OS Version - Ubuntu 20.04

Note: This is not an ideal specs for installing WordPress, but works fine for blogs and personal websites.

After the installation of Ubuntu, update and upgrade the OS

sudo apt-get update && sudo apt-get upgrade -y

Once the operating system is updated, follow below steps for installing WordPress

Step-1 : Install Apache Web Server

sudo apt install apache2 -y

Once the installation is completed, check the apache service status

systemctl status apache2

Step-2 : Enable Firewall settings to allow http traffic

sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 80 -j ACCEPT

To make the changes permanent even after server restart, run the following command

sudo netfilter-persistent save

Test the above by typing the server ip address in the web browser, we will be able to see the apache default page in the web browser.

Step-3 : Install php package

Run below command to install the latest version of php and associated package

sudo apt install php libapache2-mod-php php-common php-mbstring php-xmlrpc php-soap php-gd php-xml php-intl php-mysql php-cli php php-ldap php-zip php-curl -y

Step-4 : Test php Installation

Create a test php file and browse the page in web browser

sudo vi /var/www/html/testpage.php

in the nano editor, add below snippet and save

<?php
echo "The website is working !!!";
?>

Open web browser and browse http://<ip-address>/testpage.php

Step-5 : Install Database – MariaDB

Execute the below command to install Maria DB

sudo apt install mariadb-server -y

Note: This installation will take some time to finish.

Once the installation is completed, execute below command to do the initial config.

sudo mysql_secure_installation

The shell will prompt for input when the above command is executed. Follow the input given in the screenshot to complete the setup.

Step-6 : Configure Database

Login to mysql as root and create the database for wordpress

sudo mysql -u root

Create database and assign permission using below snippet

CREATE DATABASE wordpress;
GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP,ALTER ON wordpress.* TO 'wpuser'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
exit

Step-7 : Download and Install WordPress

Navigate to home directory and download WordPress package

cd /home/ubuntu
wget https://wordpress.org/latest.tar.gz

Extract the package and copy to the root web folder

tar xf latest.tar.gz
sudo mv wordpress/ /var/www/html/

Modify WordPress folder permission and ownership

sudo chown -R www-data:www-data /var/www/html/wordpress/
sudo chmod 755 -R /var/www/html/wordpress/

Create Upload folder and change ownership

sudo mkdir /var/www/html/wordpress/wp-content/uploads
sudo chown -R www-data:www-data /var/www/html/wordpress/wp-content/uploads/

Step-8 : Make WordPress folder as default web path

Edit apache config file and add the following config details under the tag <VirtualHost *:80>

sudo vi /etc/apache2/sites-available/000-default.conf

<VirtualHost *:80>
   DocumentRoot /var/www/html/wordpress
   <Directory /var/www/html/wordpress/> 
      Options FollowSymLinks 
      AllowOverride Limit Options FileInfo 
      DirectoryIndex index.php 
      Order allow,deny 
      Allow from all 
   </Directory> 
   <Directory /var/www/html/wordpress/wp-content> 
      Options FollowSymLinks 
      Order allow,deny 
      Allow from all 
   </Directory>
</VirtualHost>

Restart apache service

sudo systemctl restart apache2

Step-9 : Final Settings in Linux

Enable url rewrite feature and restart apache

sudo a2enmod rewrite
sudo systemctl restart apache2

Finally, the linux side configuration is completed.

Step-10 : WordPress Configuration

Let’s go to web browser to configure the rest in WordPress. Open web browser and browse the server IP address

Select language and click on Continue

Click on “Let’s go!” button to configure the database details to complete WordPress configuration

Enter the database details as per we have configured in Step-6

WordPress will proceed to the above page if the DB information entered is correct. Click on “Run the installation”

Enter the required login information in WordPress and click “Install WordPress”

Finally, the installation is completed and WordPress website is ready !!!

To view the website, navigate to http://<ip-address>

To view website admin portal, navigate to http://<ip-address>/wp-admin

Enter the login credential which was set during the installation process and click on “Log In”

Now, its all your. This completes the installation of WordPress in Ubuntu.

Testing the site performance

Browse to url “https://developers.google.com/speed/pagespeed/insights/” and paste the website url. Click on “Analyze” button to get the results

The results are excellent, but this is just a plain website. Once we add more contents, plugins and themes. The analysis rating may go down.

After all, its just 1 CPU and 1GB RAM. Good for blogging and personal websites. As your traffic increases, you can find alternatives which gives more processing power.

Hope you liked the article. Thank you for reading.

Unable to remove a plugin in WordPress site?

Issue: Unable to remove a plugin from the WordPress Admin Portal.

Please follow below steps to delete the plugins from WordPress.

    Hosting Details:
    ----------------
    Environment: Bitnami WordPress
    Hosting: Google Cloud Platform

Step – 1

Login to google cloud platform console and navigate to compute engine and click on VM Instance

Step – 2

Click on SSH to connect to the Virtual Machine console

A new browser window opens with SSH shell to the Linux virtual machine

Step – 4

Navigate to the WordPress folder path

cd /var/www/html/wp-content/plugins

Step – 5

List all the items inside the plugin folder

ls -al

Delete the folder with the name of the plugin

sudo rm wp-optimize -r -f

Once the folder is deleted, exit from the console window

Now go back to the WordPress web console. Log off and Log in back again.

Navigate to plugins option. The plugin is gone.

Thank you for reading my post. Hope this is helpful to you.