The best methods to secure your WordPress site: Configure server security to prevent and limit attacks as well as protect your website.
Bulletproof Your WordPress Site: Nginx Configuration for Optimal Security
Install and Configure SSL for WordPress Security
Installing an SSL/TLS certificate (HTTPS) for your website or WordPress site encrypts the data exchanged between visitors and the server. A site served over HTTPS also looks more trustworthy to visitors, and Google has announced that sites using HTTPS get a ranking boost.
If you’re unfamiliar with the process, you can seek assistance from your hosting provider or VPS server. Alternatively, you can install a free Let’s Encrypt SSL certificate independently. After installation, assess your domain’s security level at SSL Labs.
Turn off outdated SSL/TLS protocols
Installing a certificate alone is not enough; the TLS configuration itself needs hardening. TLS 1.0, TLS 1.1, and SSL 3 are weak and outdated protocols affected by attacks such as POODLE, BEAST, and CRIME, which hackers can exploit, potentially compromising your web server.
The major browsers, including Chrome, Firefox, Safari/WebKit, and Microsoft Edge, have all announced the end of support for TLS 1.0 and TLS 1.1. To remove the outdated SSL/TLS protocols in Nginx, do the following:
Log in to the server and find the file nginx.conf in your Nginx configuration directory. For example, log in via SSH and open the file for editing:
sudo nano /etc/nginx/nginx.conf
On the “ssl_protocols” config line, remove the old TLSv1 and TLSv1.1 protocols and list only TLSv1.2 and TLSv1.3:
ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
Then save the config and restart Nginx.
sudo systemctl restart nginx
Prevent server information disclosure
Turn off the disclosure of the Nginx version in the Server HTTP header. You can check your domain on the Server Signature Site: a green check mark means your site passes this check; a yellow warning X icon means the version is exposed, so follow the steps below and check again.
sudo nano /etc/nginx/nginx.conf
In the http { } configuration block, uncomment the line server_tokens off;. If that line is not present, add it inside the http { } block. Then restart Nginx. (Nginx will still send Server: nginx, but without the version number.)
server_tokens off;
Block HTTP methods via API
Another way to harden a WordPress site behind Nginx is to reject HTTP methods that the site does not need. The following block allows only the GET, POST, and HEAD methods and denies all others, including TRACE and DELETE. Open your domain’s configuration file (the server block for your site) and add the following:
location / {
    # ...
    limit_except GET HEAD POST { deny all; }
}
Avoid Nginx Running Out of Memory
In memory management, a buffer is a temporary storage area that holds data while it is moved from one memory location to another.
A buffer overflow occurs when the volume of data exceeds the capacity of the buffer; in other words, a program tries to write more data into a buffer than it can hold or process. An attacker could exploit such a flaw to deliver malicious code and compromise the system. Nginx should therefore be given explicit limits on the buffers it allocates per request, both to protect your WordPress site from running out of memory and to reduce exposure to buffer overflow attacks.
As a standard security practice, tune these limits in the web server. Open nginx.conf and add the following inside the http { } block. Size the values to your site’s real traffic: client_max_body_size caps every request body, including media uploads through the WordPress admin, so set it large enough for the files you expect to upload.
sudo nano /etc/nginx/nginx.conf
##buffer policy
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
##end buffer policy
Prevent XSS Attacks
XSS (Cross-Site Scripting) is an attack in which hackers inject malicious scripts into a website. When a visitor loads the page, the script runs in their browser and can access browser resources such as cookies and session tokens.
One mitigation against this type of attack is to add the following header in the nginx.conf file to secure the WordPress site with Nginx.
add_header X-XSS-Protection "1; mode=block";
Protecting Against Clickjacking Attacks
To mitigate clickjacking attacks, add the X-Frame-Options HTTP header in the nginx.conf file as shown on the following line, then restart Nginx.
add_header X-Frame-Options "SAMEORIGIN";
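The three header changes above (server_tokens off, X-XSS-Protection, X-Frame-Options) can be verified from the response a server actually sends. The following audit script is an added example, not code from the article; the sample responses are constructed, and fetch_head is an optional helper for checking your own site.

```python
# Added example (not from the article): audit an HTTP response head for the
# three header changes above: server_tokens off, X-XSS-Protection, X-Frame-Options.
import http.client
from typing import Dict, List


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response head into a lower-cased header dict."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per failed check; an empty list means all pass."""
    findings: List[str] = []
    server = headers.get("server", "")
    # With server_tokens off Nginx still sends "Server: nginx" but no version;
    # any digit in the value means the version number is being disclosed.
    if any(ch.isdigit() for ch in server):
        findings.append(f"server_tokens: version disclosed in Server header ({server!r})")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("clickjacking: X-Frame-Options missing or not DENY/SAMEORIGIN")
    # Note: current Chrome and Firefox ignore X-XSS-Protection; it is checked
    # here only because the article recommends setting it.
    if headers.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("xss: X-XSS-Protection is not '1; mode=block'")
    return findings


def fetch_head(host: str, timeout: float = 5.0) -> Dict[str, str]:
    """HEAD https://<host>/ and return its headers lower-cased (needs network)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    return {name.lower(): value for name, value in resp.getheaders()}


# Constructed sample responses: before and after applying the Nginx changes.
RAW_BEFORE = "HTTP/1.1 200 OK\nServer: nginx/1.24.0\nContent-Type: text/html\n"
RAW_AFTER = ("HTTP/1.1 200 OK\nServer: nginx\nContent-Type: text/html\n"
             "X-Frame-Options: SAMEORIGIN\nX-XSS-Protection: 1; mode=block\n")

if __name__ == "__main__":
    for label, raw in (("before", RAW_BEFORE), ("after", RAW_AFTER)):
        print(label, audit_headers(parse_headers(raw)) or ["all checks passed"])
```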
Restricting Malicious User Agent Access
You can block malicious HTTP user agents that send GET/POST requests to scrape your content or probe for software vulnerabilities. Open nginx.conf and add the following inside the server block for your site:
if ($http_user_agent ~* "(LWP::Simple|BBBike|wget)") {
    return 403;
}
Prevent Image hotlinking
Hotlinking is when other sites embed images hosted on your server by linking directly to them instead of uploading copies to their own site. The images then appear on their pages while your Nginx server pays for the bandwidth.
To prevent this, open your domain configuration file and add the content below, then restart Nginx. (Replace arriveddev.com with your domain name.)
# Stop deep linking or hot linking
location /images/ {
    valid_referers none blocked www.arriveddev.com arriveddev.com;
    if ($invalid_referer) {
        return 403;
    }
}
You can also restrict the rule to specific image extensions and serve a replacement image instead of a 403:
valid_referers blocked arriveddev.com www.arriveddev.com;
if ($invalid_referer) {
    rewrite ^/images/uploads.*\.(gif|jpg|jpeg|png)$ https://arriveddev.com/banned.jpg last;
}
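The two snippets above rely on how valid_referers decides $invalid_referer, which the directive's keywords do not make obvious. The following is an added example, not code from the article: a simplified Python model of that decision (plain hostnames, a leading "*." wildcard, "none" and "blocked"; regex entries are not modelled), run against constructed requests and the two rules from the article.

```python
# Added example (not from the article): a simplified model of how Nginx's
# valid_referers directive decides $invalid_referer for the two snippets above.
# Only "none", "blocked", plain hostnames and a leading "*." wildcard are modelled.
from typing import Iterable, Optional
from urllib.parse import urlsplit


def is_invalid_referer(referer: Optional[str], valid: Iterable[str]) -> bool:
    """Return True when Nginx would set $invalid_referer for this Referer value."""
    names = [v.lower() for v in valid]
    if referer is None:
        # Header absent (direct visit, bookmark, many privacy settings):
        # allowed only when the directive lists "none".
        return "none" not in names
    ref = referer.lower()
    if not (ref.startswith("http://") or ref.startswith("https://")):
        # Present but mangled by a proxy/firewall: allowed only with "blocked".
        return "blocked" not in names
    host = urlsplit(ref).hostname or ""  # port, path and query are ignored
    for name in names:
        if name in ("none", "blocked"):
            continue
        if name.startswith("*.") and host.endswith(name[1:]):
            return False
        if host == name:
            return False
    return True


# The directive from the first snippet above.
RULE_WITH_NONE = ["none", "blocked", "www.arriveddev.com", "arriveddev.com"]
# The directive from the second snippet, which omits "none".
RULE_WITHOUT_NONE = ["blocked", "arriveddev.com", "www.arriveddev.com"]

# Constructed requests: (Referer header value, or None when absent, description)
SAMPLES = [
    (None, "direct visit, no Referer"),
    ("https://www.arriveddev.com/blog/post-1", "own site"),
    ("https://hotlinker.example/page.html", "third-party page embedding the image"),
    ("stripped-by-proxy", "Referer present but not a URL"),
]

if __name__ == "__main__":
    for referer, desc in SAMPLES:
        print(f"{desc:40} invalid with none: {is_invalid_referer(referer, RULE_WITH_NONE)!s:5} "
              f"without none: {is_invalid_referer(referer, RULE_WITHOUT_NONE)}")
```

Because the second snippet omits none, a visitor who opens an image URL directly (no Referer) is treated as a hotlinker and rewritten to banned.jpg; add none to that valid_referers line if direct access should keep working.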
Website DDoS Prevention and Mitigation
You can cap the number of simultaneous connections a single client IP address may open to a level that matches real usage. For example, the following configuration lets each client IP open at most 10 connections to one area of your site, such as an online store:
limit_conn_zone $binary_remote_addr zone=addr:10m;
server {
    # ...
    location /store/ {
        limit_conn addr 10;
        # ...
    }
}
This article summarized how to configure website security in Nginx and protect a WordPress site from common exploit techniques. Following these steps will significantly improve the security of your site’s files and of the people who visit it, so it is worth implementing them to safeguard your website’s integrity.