Security Hardening

it's secure

Security is taken very seriously nowadays, but as with any other system, potential security issues may arise if some basic security precautions aren’t taken.

As for security concerns: if you have specific security concerns or doubts, you should discuss them with people whom you trust to have sufficient knowledge of computer security.

Knowing Security?
Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. A secure server protects the privacy, integrity, and availability of the resources under the server administrator’s control.

Qualities of a trusted web host might include:

Readily discusses your security concerns and which security features and processes they offer with their hosting.
Provides the most recent stable versions of all server software.
Provides reliable methods for backup and recovery.

Decide which security you need on your server by determining the software and data that needs to be secured. The rest of this guide will help you with this.

Security Themes
Keep in mind some general ideas while considering security for each aspect of your system:

Limiting access
Making smart choices that reduce possible entry points available to a malicious person.
Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.
Preparation and knowledge
Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to back up and recover your installation in case of catastrophe can help you get back online faster if there is a problem.
Trusted Sources
Do not download from untrusted sources.

Vulnerabilities on Your Computer
Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security on your web server will make the slightest difference if there is a keylogger on your computer.

Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities. If you are browsing untrusted sites, we also recommend using tools like NoScript (or disabling JavaScript/Flash/Java) in your browser.

cPanel Internal Server Error 500

Recently, while working on one of the servers, I found the following error when accessing plugins like csf.

Internal Server Error
No response from subprocess (/usr/local/cpanel/whostmgr/docroot/cgi/addon_cmq.cgi): subprocess exited with status 2

During the investigation we found everything working just perfectly; even the csf service was running and doing its job, so the error was kind of strange for us, but after a little bit of research we came to the following conclusion.

cPanel updated Perl to version 5.14, and WHM no longer uses the system Perl; instead it uses its own Perl interpreter located at /usr/local/cpanel/3rdparty/bin/perl. As a result of these changes to both PHP and Perl, WHM plugins need to be updated.

Hence, to upgrade all of your installed ConfigServer scripts on a cPanel server, a simple script has been provided that can do this for you.

To use this method you must be logged in as root via SSH to the server and then run:

curl -s | perl

You are done!!

How to secure your WordPress website

WordPress is the number one open source CMS out there, used especially by bloggers to publish their content online. WordPress is popular because of its rich features, many available plugins and widgets, thousands of themes, and easy-to-manage interface. As per Wikipedia, until April 2013, version 3.5 had been downloaded over 18 million times, which shows how popular WordPress is. As every coin has two sides, security breaches have also been found in WordPress blogs. It is the CMS most targeted by hackers.

Here I am listing a few points that would certainly enhance the security of WordPress.

1. To start with, always keep your WordPress up to date. As WordPress developers fix vulnerabilities present in older versions, the best course of action is always to update WordPress to the latest version. You can always see update notifications in the admin area.
2. Always disable the ‘display_errors’ directive of PHP so that if any error is present in your WordPress installation, it will not be exposed to the world.
3. Always change the admin user name to something different. The easiest way to do this is to create a new user account in WordPress (give it admin access), then log in with that username and delete your old account.
4. It is often observed that hackers gain access to WordPress by uploading a shell to the root directory. So your best bet is to set the following settings in php.ini:

file_uploads = Off ; set to Off if you do not need file uploads
safe_mode = On

5. Make sure your local machine is not infected by any sort of virus. You need to scan it periodically and remove any threat that exists. The best course of action is to install a powerful antivirus.
6. Make sure you delete all unwanted themes and plugins.
7. Do not install a plugin just because it is new. Make sure a plugin has good reviews and is not vulnerable.
8. Always take a daily offsite backup in case anything goes wrong.
9. Make sure you have not set 777 permissions on any files or folders.
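
Items 2, 4 and 9 can be checked mechanically. The script below is an added example, not part of the original post or of WordPress: it reads a php.ini for `display_errors` and `file_uploads`, and lists anything under the site root that is world-writable, which covers mode 777 and goes slightly beyond it. The function names and the two arguments (path to php.ini, path to the WordPress root) are assumptions of this example, and `file_uploads` is reported even though the post treats disabling it as optional.

```shell
#!/bin/sh
# Added example (not from the original post): audit checklist items 2, 4 and 9.
# safe_mode is not checked: PHP removed that directive in 5.4.

# ini_value FILE KEY: print the last value assigned to KEY, lower-cased.
ini_value() {
    awk -v key="$2" -F= '
        /^[ \t]*;/ || index($0, "=") == 0 { next }   # comments, [sections]
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (tolower(k) != tolower(key)) next
            v = $0
            sub(/^[^=]*=/, "", v)                    # text after the first "="
            sub(/;.*$/, "", v)                       # trailing comment
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)         # padding and quotes
            val = tolower(v)
        }
        END { if (val != "") print val }' "$1"
}

# ini_is_off FILE KEY: succeed only when KEY is explicitly disabled.
ini_is_off() {
    case "$(ini_value "$1" "$2")" in
        off|0|false|no|none) return 0 ;;
        *) return 1 ;;
    esac
}

# world_writable ROOT: list files and directories that anyone can write to
# (mode 777 is the common case; symlinks are skipped).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# audit PHP_INI WP_ROOT: print findings; exit status is the number found.
audit() {
    findings=0
    for key in display_errors file_uploads; do
        if ! ini_is_off "$1" "$key"; then
            echo "php.ini: $key is not Off"
            findings=$((findings + 1))
        fi
    done
    ww=$(world_writable "$2")
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/world-writable: /'
        findings=$((findings + $(printf '%s\n' "$ww" | wc -l)))
    fi
    if [ "$findings" -gt 255 ]; then findings=255; fi
    return "$findings"
}

if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```

A directive that is missing from php.ini is reported as not Off, because PHP's built-in default for both `display_errors` and `file_uploads` is enabled.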

You can read the following official tutorial provided by WordPress to secure your WordPress installation.