
Best guide for Ubuntu website setup?

Anyone know a really good guide for setting up a WordPress site on Ubuntu? I did it before but had some issues as I had to use parts of different guides as they were incomplete or confusing. Also a really good disk image software so I don't have to do this again... As stated in my other posts I lost my site in a failed Ubuntu update. It may still be recoverable but either way I need to set up the website stuff. Also, is WordPress the standard or are there better systems? Thanks :)


45 minutes ago, Shadow_Storm56 said:

Anyone know a really good guide for setting up a WordPress site on Ubuntu? [...]


Digital Ocean's tutorial on installing Wordpress with LAMP is very good. I would suggest that you schedule CRON to backup important databases and files to a third party file hosting service on a nightly basis.


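A worked version of the nightly backup the reply above recommends, added here as an example; it is not from the thread or from DigitalOcean's guide. It assumes (hypothetically) that the site lives under WP_ROOT, that the MySQL credentials sit in ~/.my.cnf so mysqldump never sees them on the command line (where they would be visible in `ps`), and that an rclone remote called "offsite" points at the third-party storage. The database name is read from wp-config.php rather than hard-coded, and each artifact gets a sha256 file beside it so a restore can detect a corrupt or tampered copy.

```sh
#!/bin/sh
# wp-backup.sh - nightly WordPress backup: DB dump + file archive + checksums,
# then an off-box copy. Added example for this thread, not from any post in it.
# Assumptions (hypothetical, adjust for your host):
#   WP_ROOT     site directory (default /var/www/html)
#   BACKUP_DIR  local staging directory for backups
#   ~/.my.cnf   [client] user/password, so mysqldump needs no creds on argv
#   rclone      has a remote named "offsite" configured (S3, B2, Drive, ...)
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
KEEP_DAYS="${KEEP_DAYS:-14}"
REMOTE="${REMOTE:-offsite:wp-backups}"

# wp_db_name WP_CONFIG -> prints the DB_NAME defined in wp-config.php
wp_db_name() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]DB_NAME['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# dump_db DBNAME OUTFILE -> consistent, compressed dump (no locks on InnoDB)
dump_db() {
    mysqldump --single-transaction --quick --routines --triggers "$1" | gzip -9 > "$2"
    # sh has no pipefail, so check that mysqldump actually finished instead of $?
    gzip -dc "$2" | tail -n 1 | grep -q '^-- Dump completed' || {
        echo "dump of $1 did not complete" >&2; return 1; }
}

# archive_files SRC_DIR OUTFILE -> tarball of the whole site tree
archive_files() {
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# verify_archive FILE -> 0 if the tarball lists cleanly (catches truncation)
verify_archive() {
    tar -tzf "$1" > /dev/null 2>&1
}

# checksum_file FILE -> sha256 hex digest, stored beside each backup
checksum_file() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# prune_old DIR DAYS -> drop local copies older than DAYS days
prune_old() {
    find "$1" -type f -mtime +"$2" \( -name '*.tar.gz' -o -name '*.sql.gz' -o -name '*.sha256' \) -delete
}

run_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"      # dumps hold every user's password hash
    db=$(wp_db_name "$WP_ROOT/wp-config.php")
    [ -n "$db" ] || { echo "DB_NAME not found in $WP_ROOT/wp-config.php" >&2; return 1; }

    files_out="$BACKUP_DIR/files-$stamp.tar.gz"
    db_out="$BACKUP_DIR/db-$db-$stamp.sql.gz"

    dump_db "$db" "$db_out"
    archive_files "$WP_ROOT" "$files_out"
    verify_archive "$files_out"
    for f in "$db_out" "$files_out"; do
        checksum_file "$f" > "$f.sha256"
    done

    # A backup on the same disk as the site is not a backup: copy it off-box.
    if command -v rclone > /dev/null 2>&1; then
        rclone copy "$BACKUP_DIR" "$REMOTE"
    else
        echo "rclone not installed; backups are local only" >&2
    fi
    prune_old "$BACKUP_DIR" "$KEEP_DAYS"
}

# Cron entry (root, or a backup user that can read WP_ROOT and the DB):
#   0 3 * * * /usr/local/bin/wp-backup.sh run >> /var/log/wp-backup.log 2>&1
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Run it once by hand as `wp-backup.sh run`, then actually restore the tarball and `gzip -dc db-*.sql.gz | mysql dbname` onto a scratch VM; a backup that has never been restored is an assumption, not a backup. The cron line in the comment runs it at 03:00; the log (or cron mail) is where a failing dump will show up.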

9 hours ago, Homeless Pineapple said:

Digital Ocean's tutorial on installing Wordpress with LAMP is very good. [...]

Cool thanks :)


While the DigitalOcean guide is really good for specifically setting up Wordpress it's missing a lot of the web server specific stuff. There's an interesting anecdote in security that you're more likely to get malware from a church website than a porn site. The reason is the church website was more likely set up by a well-meaning parishioner's tech-inclined kid and not a professional, thus is likely not hardened sufficiently. Guides like the Digital Ocean guide are precisely the types of guides followed by those well-meaning folks that don't go far enough to protect the sites from attack and abuse.

 

Before you even install Apache:

  • The DO guide touches on this but: Create a new non-root user and never daily drive as root.
    - adduser myuser
    - adduser myuser sudo or usermod -a -G sudo myuser depending on version.
     
  • Log out of the server and log back in using your new user.
     
  • Disable root login over SSH.
    - Edit /etc/ssh/sshd_config
    - Change PermitRootLogin to no
    - sudo systemctl restart sshd
     
  • Ideally you should also setup Key-Pair authentication and disable PasswordAuthentication but that's up to you.
     
  • Stop sshd from listening over anything other than IPv4 unless you need it to.
    - echo 'AddressFamily inet' | sudo tee -a /etc/ssh/sshd_config
    - sudo systemctl restart sshd
     
  • Install and configure a firewall like iptables.
    - Once installed create a file called /etc/iptables.rules with this content:
    *filter
    
    # Allow all loopback (lo0) traffic and drop traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
    
    # Accept all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allow all outbound traffic
    -A OUTPUT -j ACCEPT
    
    # Allow HTTP and HTTPS connections
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    
    # Allow SSH connections
    -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
    
    # Allow ping (optional)
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    
    # Log iptables denied calls (optional)
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    
    # Reject all other inbound - default deny unless explicitly allowed policy
    -A INPUT -j REJECT
    -A FORWARD -j REJECT
    
    COMMIT

    - Activate the rules using sudo iptables-restore < /etc/iptables.rules
    - Verify using sudo iptables -L
    - Create /etc/network/if-pre-up.d/firewall and add 

    #!/bin/sh
    /sbin/iptables-restore < /etc/iptables.rules

    sudo chmod +x /etc/network/if-pre-up.d/firewall

  • Install fail2ban and configure it in /etc/fail2ban/jail.conf

After installing Wordpress:

Wordpress is the most popular CMS on the internet, especially among amateur webmasters, so it is also the most attacked. Even web servers with no Wordpress installs will see bots probing for Wordpress vulnerabilities every hour of every day... It's your job to secure it to the best of your ability:

  • Enable 2FA for Wordpress https://codex.wordpress.org/Two_Step_Authentication
     
  • Use the recommended permissions for Wordpress (Folders - 755, Files - 644) and never use 777.
    find /path/to/wordpress/ -type d -exec chmod 755 {} \;
    find /path/to/wordpress/ -type f -exec chmod 644 {} \;
     
  • Add BasicAuth to the /wp-admin/ directory (.htpasswd) and/or restrict the /wp-admin/ directory to your IP addresses. Google for guides.
     
  • Deny php execution in the wp-content/uploads directory.
    - Create an .htaccess file at the root of the uploads directory and add
    # Apache 2.4 syntax; the older "deny from all" form only works with mod_access_compat loaded
    <FilesMatch "\.ph(?:p[345]?|t|tml)$">
       Require all denied
    </FilesMatch>

    This can stop some themes from working ... I wouldn't use those themes.

  • Turn off file editing in wp-config.php by setting define('DISALLOW_FILE_EDIT', true);

Ongoing:

  • Keep the operating system, Apache, MySQL, etc up to date.
     
  • Keep Wordpress and any addons up to date.
     
  • Do not install addons from untrusted sources. They're the most common source of vulnerabilities.
     
  • Constant monitoring: If you notice weird files in your Wordpress directories, posts/content you didn't add, etc deal with it immediately. 
     
  • Do not install FTP on the server, you don't need it... Use SFTP / SCP over port 22 instead. No extra installs needed... In a client like WinSCP select "SFTP" as the protocol and it will just work.
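
Most of the "After installing Wordpress" and "Ongoing" bullets above can be checked mechanically instead of by eye. The script below is an added example for this thread (not omniomi's code and not part of WordPress) that audits a site tree for those points: PHP files under wp-content/uploads, world-writable paths, DISALLOW_FILE_EDIT in wp-config.php, the uploads deny rule, and a sha256 manifest of every PHP file so the "weird files" the Ongoing section warns about show up as a diff. The path argument and the .phar extension in the file list are my additions; the extension set otherwise matches the .htaccess rule in the post.

```sh
#!/bin/sh
# wp-audit.sh - read-only checks for the WordPress hardening points in the
# post above. Added example for this thread; not omniomi's code and not part
# of WordPress. The .phar extension and the manifest idea are my additions.
# Usage: wp-audit.sh /path/to/wordpress
set -u

# php_like_files DIR -> every file Apache's PHP handler could execute. Same
# extensions the uploads .htaccess rule blocks, plus .phar, which Ubuntu's
# php module also hands to the interpreter.
php_like_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[345]' -o -iname '*.pht' \
        -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null | sort
}

# uploads_php WP_ROOT -> PHP under wp-content/uploads: the classic webshell drop
uploads_php() {
    php_like_files "$1/wp-content/uploads"
}

# world_writable WP_ROOT -> paths any local user or a compromised PHP process
# can modify (777 lands here)
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null | sort
}

# file_edit_disabled WP_ROOT -> 0 if wp-config.php defines DISALLOW_FILE_EDIT true
file_edit_disabled() {
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# uploads_protected WP_ROOT -> 0 if uploads/.htaccess carries a deny rule
# (either the 2.2 "deny from all" or the 2.4 "Require all denied" form)
uploads_protected() {
    grep -Eqi 'deny from all|Require all denied' "$1/wp-content/uploads/.htaccess" 2>/dev/null
}

# php_manifest WP_ROOT -> "sha256  path" per PHP file. Save one after every
# clean install/update; new, removed or changed entries are the "weird
# files" the Ongoing section tells you to look for.
php_manifest() {
    php_like_files "$1" | while IFS= read -r f; do sha256sum "$f"; done
}

# manifest_changes OLD NEW -> differing lines ("<" old, ">" new); empty if clean
manifest_changes() {
    diff "$1" "$2" | grep -E '^[<>]' || true
}

# audit WP_ROOT -> prints findings, returns 1 if there are any (cron-friendly)
audit() {
    root="$1"; findings=0
    n=$(uploads_php "$root" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "FAIL: $n PHP file(s) under wp-content/uploads"; uploads_php "$root" | sed 's/^/    /'; findings=$((findings + n)); }
    n=$(world_writable "$root" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "FAIL: $n world-writable path(s)"; world_writable "$root" | sed 's/^/    /'; findings=$((findings + n)); }
    file_edit_disabled "$root" || { echo "FAIL: DISALLOW_FILE_EDIT is not true in wp-config.php"; findings=$((findings + 1)); }
    uploads_protected "$root" || { echo "WARN: no PHP deny rule in wp-content/uploads/.htaccess"; findings=$((findings + 1)); }
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}

if [ -n "${1:-}" ]; then
    audit "$1"
fi
```

Take a manifest right after a clean install or update (`php_manifest /var/www/html > /var/lib/wp-manifest.txt`, kept outside the web root and owned by root, since anything the web server user can write it can also falsify), then have cron run `audit` and `manifest_changes` daily; a non-zero exit is the alert. A theme or plugin update will legitimately change entries, so re-take the manifest as the last step of every update.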

On 1/17/2018 at 1:44 PM, omniomi said:

While the DigitalOcean guide is really good for specifically setting up Wordpress it's missing a lot of the web server specific stuff. [...]
What version of Ubuntu is your guide meant for? I keep getting stuff like "does not exist" or "file not found"... I went to that config manually and had to add the option to block root login as it was not there, and the restart command does not work. I am on the latest version of Ubuntu.

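The "does not exist" errors in the question above are a version gap: the steps were written for the 16.04-era layout. On current Ubuntu the SSH unit is named ssh (sshd is only an alias of it), PermitRootLogin is present in sshd_config but commented out with a default of prohibit-password, sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, and sshd keeps the first value it reads for each keyword, so a drop-in there beats anything appended with `tee -a` (cloud images ship 50-cloud-init.conf in that directory with PasswordAuthentication yes). /etc/network/if-pre-up.d is only run by ifupdown; on a netplan system install iptables-persistent and save the rules to /etc/iptables/rules.v4 and rules.v6 instead. Note also that the rules file in the post is IPv4 only: without an ip6tables equivalent every listening service stays reachable over IPv6 (AddressFamily inet covers sshd alone). The script below is an added example, not from any post here, that applies the SSH steps through a drop-in, refuses to turn passwords off when the current user has no authorized key (the usual way people lock themselves out), and checks the effective configuration with `sshd -T` before restarting. The drop-in name 10-hardening.conf is my choice, picked so it sorts before 50-cloud-init.conf.

```sh
#!/bin/sh
# ssh-harden.sh - the SSH steps from the post, done the way current Ubuntu
# (20.04 and later) lays things out. Added example for this thread; not from
# any post in it. The drop-in file name is my choice (assumption): it must
# sort before 50-cloud-init.conf, because sshd keeps the FIRST value it
# reads for each keyword.
set -eu

DROP_IN="${DROP_IN:-/etc/ssh/sshd_config.d/10-hardening.conf}"

# render_drop_in [yes|no] -> hardening config; argument is PasswordAuthentication
render_drop_in() {
    cat <<EOF
# managed by ssh-harden.sh
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication ${1:-no}
AddressFamily inet
EOF
}

# effective_value KEY < sshd-T-output -> what sshd will actually use.
# "sshd -T" prints the merged configuration, one lower-case keyword per line.
effective_value() {
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v k="$key" '$1 == k { print $2; exit }'
}

# check_effective DUMPFILE -> 0 if the settings we care about won the merge
check_effective() {
    dump="$1"; ok=0
    for kv in permitrootlogin=no addressfamily=inet; do
        k=${kv%=*}; want=${kv#*=}
        got=$(effective_value "$k" < "$dump")
        [ "$got" = "$want" ] || { echo "$k is '${got:-unset}', expected '$want'" >&2; ok=1; }
    done
    return "$ok"
}

# apply -> write the drop-in, validate, verify the merged config, restart
apply() {
    # Never turn passwords off on a box you have no key on: that is a lockout.
    allow_pw=no
    if [ ! -s "$HOME/.ssh/authorized_keys" ]; then
        echo "no ~/.ssh/authorized_keys for $(id -un); leaving password auth on" >&2
        allow_pw=yes
    fi
    render_drop_in "$allow_pw" | sudo tee "$DROP_IN" > /dev/null
    sudo sshd -t                          # syntax check before touching the service
    dump=$(mktemp)
    sudo sshd -T > "$dump"                # merged config, drop-ins included
    check_effective "$dump"
    rm -f "$dump"
    sudo systemctl restart ssh            # the unit is "ssh" on Ubuntu
    echo "keep this session open and confirm a second login works before closing it"
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it as `ssh-harden.sh apply` from the non-root sudo user the post has you create, with a second terminal ready. If `check_effective` reports that permitrootlogin or addressfamily still carries the old value, another drop-in sorted ahead of 10-hardening.conf; `ls /etc/ssh/sshd_config.d/` shows which one.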
