Category Archives: Wordpress

Free Cloudflare WAF Initial Review

After experimenting with .htaccess files to lock down my blog, I decided to try Cloudflare’s free offering as a simple WAF to protect the site and to get more detail about who is talking to it.

I’m still working on configuring Cloudflare and I may have more to say after I get more time to get used to the interface and make some more tweaks.

One of the most important things I wanted to do was lock down /wp-login.php, /wp-admin, and /xmlrpc.php the way I had been doing with .htaccess.

I was able to get the same lock-down functionality in place relatively quickly using the WAF security rules.

On the left-hand side, navigate to Security -> WAF.

I used their Zone Lockdown template and blocked access to those paths from everyone except my IP, which can obviously be edited later if it ever changes or if I’m traveling and want to update my blog.

Of course, another lesson learned is that you can no longer use your domain to SSH to your server; Cloudflare’s proxy will not pass it. So I created an SSH sub-domain under my domain name in Cloudflare and set it to DNS only.

You might say this defeats the whole purpose of Cloudflare because now somebody knows your IP address, and to a certain extent that is true. However, I have Apache configured so that if someone browses to the server by IP address they get a 403 from an .htaccess file in a different web directory.

WordPress Security Tweaks (.htaccess)

As I get more familiar with WordPress I keep making tweaks to my blog to lock things down more. I thought I would share some of the things I have put in place to help others.

One of the first things I did was monitor the Apache access.log (/var/log/apache2/access.log) to see what kind of traffic was hitting my site.

Here is a summary of the web requests I found interesting:

  • /xmlrpc.php
  • /wp-admin
  • /wp-login.php
  • /wp-content

With the REST API available in later versions of WordPress, /xmlrpc.php is no longer needed, and it is a security risk because it accepts login attempts against the site. Please read up on it before you disable it if you don’t know what it is.

/wp-admin and /wp-login.php are of course the login page and administration area for the site; if we can limit who can reach them, that also drastically increases security.

The last one: I noticed a lot of browsing happening in the /wp-content folder, which by default has directory browsing turned on, so anyone can browse any of the files there. We can add a little more security here by turning off directory browsing.
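To see which clients are hitting those four paths, here is an added example (my own, not from the original post) that summarises an Apache combined-format access.log read from stdin, busiest path/client pairs first; the sample log lines are constructed, not taken from a real server.

```shell
# Summarise hits to the WordPress paths singled out above
# (/xmlrpc.php, /wp-login.php, /wp-admin, /wp-content) from an Apache
# combined-format access.log on stdin. Output: "path client-ip count".
summarize_sensitive_hits() {
    awk '
        # Combined log format: IP ident user [date tz] "METHOD PATH PROTO" status size ...
        # so $1 is the client IP and $7 the request path; drop any query string.
        {
            path = $7
            sub(/\?.*/, "", path)
            if (path ~ /^\/xmlrpc\.php$/)          key = "/xmlrpc.php"
            else if (path ~ /^\/wp-login\.php$/)   key = "/wp-login.php"
            else if (path ~ /^\/wp-admin(\/|$)/)   key = "/wp-admin"
            else if (path ~ /^\/wp-content(\/|$)/) key = "/wp-content"
            else next
            hits[key " " $1]++
        }
        END { for (k in hits) print k, hits[k] }
    ' | sort -k3,3nr -k1,1
}

# Constructed sample lines (documentation IP ranges, not a real server).
SAMPLE_LOG='203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:00:07 +0000] "GET /wp-content/uploads/ HTTP/1.1" 200 5120 "-" "curl/8.0"
192.0.2.33 - - [01/Jan/2024:10:01:00 +0000] "GET /2023/12/some-post/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.33 - - [01/Jan/2024:10:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# On a live server: summarize_sensitive_hits < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | summarize_sensitive_hits
```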

Edit Root .htaccess file

Open up your .htaccess file in the root directory of your WordPress web site. This will already have some WordPress specific items in it.

This is what I added to the end of the file:

...
</IfModule>
# END WordPress

# Make sure hidden files (dot files) are not accessible.
# Note: this also matches /.well-known/, which ACME (Let's Encrypt)
# HTTP-01 challenges use; exempt that path if you renew certificates that way.
RedirectMatch 403 /\..*$

# Block WordPress xmlrpc.php requests
<FilesMatch "^xmlrpc\.php$">
        Require all denied
</FilesMatch>

# Block WordPress login page requests unless from certain IPs.
# Apache does not accept a comment at the end of a directive line, so
# comments go on their own line. Space-separate several IPs if needed.
# If the site sits behind a reverse proxy or CDN, Require ip sees the
# proxy's address unless the real client IP is restored (e.g. mod_remoteip).
<FilesMatch "^wp-login\.php$">
        Require ip xxx.xxx.xxx.xxx
</FilesMatch>

# Disable directory browsing
Options -Indexes

This makes sense for me because I am the only one accessing the administration of this website so it does not need to be open to the world.

The last change I made was to create a .htaccess file in the /wp-admin folder.

/wp-admin .htaccess file

This is what the .htaccess file I created in the /wp-admin folder looks like:

# Block WordPress requests to /wp-admin unless from certain IPs.
# Apply the restriction to every request method: a <Limit GET POST PUT>
# wrapper would restrict only the methods listed and leave the rest open.
# Note: some themes and plugins call /wp-admin/admin-ajax.php from the
# public site, which this also blocks.
# Replace with your IP; space-separate several if needed (no trailing
# comment on the directive line, Apache rejects it).
<RequireAll>
        Require ip xxx.xxx.xxx.xxx
</RequireAll>

These security settings make sense for me as this is a simple blog with one user but they may not make sense for you. I also run no plugins on the site to lower my risk threshold.

Of course, the one downside to doing things this way is that if my IP at home changes or I’m traveling, I’ll have to SSH into the server to allow myself to log in, but I’m OK with this. As far as SSH goes, I would also strongly suggest key authentication instead of username/password.

Site Statistics for 2023

I had a lot of blogs that didn’t get posted that I wanted to get published this year. This was a year of relaxation. I took a lot of time for myself this year. Here’s to hoping I can spend more time to get more quirky issues posted in 2024.

I had 29,000 visitors visit my blog this year! That’s a lot of people from all over the world swinging by to say “Hi”. Hopefully you all found something useful here.

As far as days of the week go, Tuesdays are the day this site got the most hits this year.

Top Visits by Country this year:

  1. United States
  2. Germany
  3. United Kingdom
  4. Canada
  5. India
  6. France
  7. Australia
  8. Netherlands
  9. Sweden
  10. Spain

WordPress stops working after Ubuntu 20.04 LTS upgrade to 22.04 LTS

I just recently upgraded my blog from Ubuntu 20.04 LTS to 22.04 LTS and my main blog WordPress site would not load.

The PHP code was showing in the browser rather than being processed by PHP:

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
...

First, make sure that the libapache2-mod-php8.1 module is installed:

sudo apt install libapache2-mod-php8.1

Next, browse to /etc/apache2/mods-enabled and do an ls.

You will probably see two old php symlinks that don’t go anywhere anymore. If you look in the mods-available directory you will see their targets no longer exist.

We need to create two new symlinks for php8. Do an ls in mods-available to make sure you see the two php8.1 files.

Create the symlinks in mods-enabled pointing to those two files in mods-available, then restart apache2. I did this from within the mods-enabled directory.

sudo service apache2 restart

If this works, feel free to delete the old symlinks with the “rm” command.
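As an added example (mine, not from the original post), the dangling-symlink check and the module fix above in script form; instead of creating the symlinks by hand it uses Debian's a2enmod, which creates the php8.1.load/php8.1.conf links in mods-enabled for you, and runs a configtest before restarting. The old PHP version name in the usage comment is illustrative only.

```shell
# Print dangling symlinks in an Apache mods-enabled directory as
# "name -> target". Defaults to /etc/apache2/mods-enabled.
list_dangling_mods() {
    dir=${1:-/etc/apache2/mods-enabled}
    for link in "$dir"/*; do
        [ -L "$link" ] || continue   # not a symlink: skip
        [ -e "$link" ] && continue   # target still exists: module is fine
        printf '%s -> %s\n' "$(basename "$link")" "$(readlink "$link")"
    done
    return 0
}

# Enable the Apache PHP module for the given version (default 8.1).
# a2enmod creates the .load/.conf symlinks; configtest catches a broken
# config before the restart takes the site down.
enable_php_module() {
    ver=${1:-8.1}
    sudo a2enmod "php$ver" &&
    sudo apache2ctl configtest &&
    sudo systemctl restart apache2
}

# Usage on the server (shown, not run here):
#   list_dangling_mods        # e.g. php7.4.load -> ../mods-available/php7.4.load
#   enable_php_module 8.1
#   # once the site loads again, remove the stale links listed above with rm
```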

Happy Upgrading!