WordPress uses Linux server (pagoda) environment security and optimization strategy


Foreword: to prevent web attacks and malware injection (the "hanging a horse" problem), to make your WordPress site more secure and to make it load faster, you must put a sound security strategy and optimization in place.

Recently, WEB Theme Park has received a series of reports of websites being injected with malware or otherwise attacked, leading to unsafe site access and slow page loads. While helping these users, we found that most of them had done essentially nothing about the security settings of their server environment when deploying their websites, which is why these attacks occur so frequently.

At present, WordPress sites are mainly built in one of two environments: a virtual (shared) host, or a VPS/cloud server.

Today we introduce how to set up a good server environment for WordPress under each of these hosting options, together with a tutorial on server security policy, to help you build a solid website environment.


How should you purchase server resources according to your own needs, and which configuration and environment should you choose?

Here we explain the most popular server resources on the market: virtual hosts and ECS/VPS.

Virtual host

Virtual hosting is a commonly used option, suitable for corporate showcase websites: sites with fewer than 1000 daily IPs and no resource-hungry programs.

If you use WordPress to build an official corporate website that serves only as an external showcase, perhaps with a small Q&A community, message board or other functions that require users to log in, then a virtual host is the more economical and practical choice.

The following points should be noted when selecting a virtual host:

  • Virtual host environment: PHP and MySQL are required by WordPress. Choose a Linux-based virtual host and make sure the host provides a rewrite module, so that pretty permalinks (URL rewriting, "pseudo-static" URLs) work.
  • The PHP version should be selectable. The minimum requirement for WordPress is PHP 5.1, but many themes and plugins no longer run on that version. We recommend a virtual host that offers PHP 7.0; at minimum your host should support PHP 5.6.
  • MySQL database: many virtual host providers still only offer MySQL 5.2, but a newer version brings better compatibility and higher efficiency. We recommend MySQL 5.6 (most theme demo data from WEB Theme Park is exported from MySQL 5.6 and imports losslessly).
  • File permissions must be settable; this is very important. On a virtual host you cannot control the server's security policy, so the only security measure available to you is to lock down folder permissions so that trojans and other tampering cannot write to them.

 

ECS/vps

ECS (cloud server) is also very common; it suits websites with high traffic and resource-hungry programs, from corporate showcase sites to online shops.

Use ECS for websites with more than 1000 daily IPs and more than 5000 daily PVs. If your traffic is small now but expected to grow, you can also choose ECS, since it can be reconfigured at any time: start with a smaller configuration and upgrade when traffic rises and the server load becomes heavy.

P.S. If you run a WooCommerce shop, we recommend ECS. WooCommerce is resource-intensive and needs some optimization to be fast; on a virtual host it will be slow.

Select Configuration

When purchasing ECS, buy according to your current needs.

If the website has just been set up and traffic is not yet high, a lower basic configuration is enough. Basic configuration: recommended dual-core CPU, 1 GB memory, 2 Mbps bandwidth, 30 GB system disk (included), 50 GB data disk (a smaller or larger data disk can be purchased depending on your site's content).

Medium configuration: quad-core CPU, 4 GB memory, 5-6 Mbps bandwidth, 30 GB system disk, 100 GB data disk (enough to comfortably serve a medium-sized website with 1500+ daily IPs and 7000+ daily PVs).

Advanced configuration: if your website has tens of thousands of daily IPs and hundreds of thousands of daily PVs, hire dedicated maintenance staff to set up load balancing properly.

There are many ECS providers on the market. Choose one that lets you configure security groups; if your ECS provider does not offer security groups, replace it as soon as possible.

 

System environment

Install Linux (CentOS or Ubuntu)

For WordPress, a PHP application, Linux is the best-suited system. There are now very convenient Linux panel images, so you don't need to study Linux in depth.

We recommend Baota Linux Professional Edition (the "Pagoda" panel): it is simple to install, convenient for configuring the environment, and convenient for setting security policies.

 


ECS/VM and other recommendations

Based on our experience providing website services, we compare the advantages and disadvantages of the servers and virtual hosts of the most commonly used vendors for your convenience.

1. Virtual host

The most common virtual host is Alibaba Cloud's virtual host, which actually belongs to Wanwang.

Many WEB Theme Park users use it.

Advantages:

  • Big brand with great influence; everyone trusts it
  • Provides a dedicated IP, which allows SSL encryption (relatively rare among virtual hosts)

Disadvantages:

  • A minor product of a big brand: after-sales support often passes the buck, and the after-sales experience is not particularly good
  • Some virtual hosts cannot select PHP 7.0, and the latest database version offered is only 5.5
  • No online file management, which means folder permissions cannot be set (80% of the malware injection cases WEB Theme Park has encountered came from Alibaba Cloud virtual hosts)

Western Digital Virtual Host

Western Digital is a brand that WEB Theme Park resells, so we have recommended it to many users and can speak from experience.

Advantages:

  • Many configuration options, including PHP 5.2 to 7.1, switchable at any time from the virtual host control panel
  • MySQL database version can be 5.2 or 5.6
  • After-sales service is good and responsive, with paid support options: if you cannot resolve something yourself, a small service fee gets it solved quickly
  • Online file management is available and folder permissions can be set (for hosts purchased through the WEB Theme Park reseller platform, we set folder permissions after installation, and roughly 90% of those users have never experienced a malware injection)

Disadvantages:

  • The domestic (mainland China) hosts do not provide a dedicated IP, so SSL encryption cannot be enabled. If you need SSL, only the Hong Kong and Taiwan hosts can be chosen (no ICP filing required)

 

2. Server

Comparison between Alibaba Cloud ECS servers and Western Digital ECS servers

Alibaba Cloud ECS servers are widely chosen and generally of very good quality. The drawback is that the purchase and configuration interface is too professional: the combination of the various options makes it hard for novices to know what to choose. If you cannot decide, simply buy the package offered on the home page.

Western Digital's ECS is also very good. The purchase interface is simple, the elastic host can be set to any configuration, it is intuitive and cost-effective, and the total cost is slightly lower than Alibaba Cloud's.

Both vendors' ECS servers are very good, and both support security groups. Alibaba Cloud also has an image marketplace where you can deploy images with one click.

 

3. Others

We have less experience with ECS from other vendors, so we will not evaluate them specifically here.

Alibaba Cloud's light cloud application server is also a kind of ECS, smaller in configuration and cheaper than regular ECS. But be careful when using it: do not select its WordPress application image. That image is Linux-based but has no control panel or database panel at all, so without Linux expertise it is practically impossible to export or change the data on the server.

So, as a reminder: do not select the WordPress application image it provides! For the light cloud application server, choose the Baota (Pagoda) Linux image instead, which is easier to operate through its panel and requires no Linux background.

 


Security policy of ECS/VPS and virtual host

Malware injection is a very common security problem; we receive help requests from affected users almost every month. The most common form is redirecting visitors to other websites in order to hijack traffic.

By tampering with files, an attacker can also obtain administrator access to the WordPress backend (what we usually call a backdoor).

So we should configure the security policy to prevent malware injection and backdoors.

Virtual hosts, as described above, need their folder permissions set, which will not be repeated here. Here we mainly discuss the security policies for ECS and VPS.

 

The ECS/VPS security policies are illustrated using Baota Linux as an example.

Change password

Once you have installed Baota Linux, the first thing to do is change the Baota panel administrator username and password. The default administrator account is admin, which is a dangerous username; never use admin as a password anywhere either.

 

Replace the default port

The login port of Baota Linux is 8888. Change it to an arbitrary random port in the range 8888 to 65535.

Baota's FTP port is 21. Change it to a random port as well (a random five-digit port).

 

Resolve a domain name and log in to the panel through the domain instead of the IP

In the Baota panel settings there is an option to bind a domain name. Resolve a subdomain such as baota.xxx.com to the server IP; once it takes effect, bind the domain, and your Baota login address becomes baota.xxx.com:port.

This keeps your Baota backend from being easily found (subdomain plus port, double insurance).

 

No ping

In Baota Linux, disable ping. Without ICMP replies, outsiders cannot easily confirm what is behind your server's IP.

 

Install Baota's paid firewall

 

Security Group Policy

The security group opens the ports we need and closes the risky ones, which gives our server the best possible protection.

Ports the security group should allow:

  • TCP 80: default website port (HTTP)
  • TCP 443: SSL-encrypted website port (HTTPS)
  • TCP 888: phpMyAdmin port
  • TCP: Baota panel port (the one you changed it to; 8888 by default)
  • TCP: FTP port (the one you changed it to; 21 by default)

Ports the security group should block:

  • TCP 3306: external connection port of the database
  • TCP and UDP 135, 137, 138, 139, 445: ports at high risk of intrusion
  • TCP and UDP 11211: Memcached listening port (if you have installed Memcached)
  • All ICMP (ping prohibited)
  • TCP 22: the default SSH remote login port (if you use the Baota panel you rarely need SSH, or if you don't know how to use SSH at all, disable this port in the security group)
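As an added example (not code from the original post), the following POSIX shell audit checks a host's listening sockets against the block list above, so you can see which services are still reachable from outside and therefore must be covered by the security group or rebound to 127.0.0.1. The `ss` output is a constructed sample, and the panel port 18888 is an assumed value.

```shell
#!/bin/sh
# Audit listening sockets against the security-group block list above.
# Feed it the output of `ss -Hlntu`; it reports every "block" port that
# is bound to a non-loopback address (i.e. reachable from outside).

# Ports the post says the security group must block from the outside.
BLOCK_PORTS="3306 11211 22 135 137 138 139 445"

# Constructed sample of `ss -Hlntu` output: Netid State Recv-Q Send-Q Local Peer.
# MySQL and SSH listen on all interfaces; Memcached is loopback-only;
# 18888 is the assumed (changed) Baota panel port.
SAMPLE_SS='tcp   LISTEN 0 511  0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 80   0.0.0.0:3306    0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 1024 127.0.0.1:11211 127.0.0.1:*
udp   UNCONN 0 0    [::1]:11211     [::]:*
tcp   LISTEN 0 511  0.0.0.0:18888   0.0.0.0:*'

# Reads ss lines on stdin; prints "proto port address" for each blocked
# port that listens on a non-loopback address. Prints nothing when clean.
exposed_listeners() {
    while read -r proto _state _rq _sq laddr _peer _rest; do
        port=${laddr##*:}    # text after the last colon
        addr=${laddr%:*}     # text before the last colon (works for [::1] too)
        case "$addr" in
            127.*|'[::1]') continue ;;   # loopback only: not reachable from outside
        esac
        for blocked in $BLOCK_PORTS; do
            if [ "$port" = "$blocked" ]; then
                echo "$proto $port $addr"
            fi
        done
    done
}

# Number of exposed listeners (0 means the host matches the policy).
exposed_count() {
    exposed_listeners | grep -c . || true
}

# Run against the constructed sample; on a real host: ss -Hlntu | exposed_listeners
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
```

A listener that shows up here is not a vulnerability by itself, but it is a service whose only protection is the security group rule, so either add the rule or bind the service to 127.0.0.1 (MySQL and Memcached rarely need anything else on a single-server WordPress install).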

 

That concludes today's description of server selection and security configuration. If you don't know how to choose a server and configure the environment, you can use the service we provide: [ ECS configuration service ]

 
