Security Recommendations

This guide explains some recommended security measures to perform after installing KUSANAGI.

1. Enhance security of wp-config.php

wp-config.php contains the database connection details and other critical security information such as the unique authentication key. It is therefore important to protect this file.

a. Move wp-config.php out of the document root

wp-config.php is generated in the document root when WordPress is installed.
Move wp-config.php one level up, out of the document root, so that the file can no longer be accessed directly from outside via URL.

1. Log in to the virtual machine

Use Poderosa or another SSH client to log in to the virtual machine via SSH.

Username for login: kusanagi
Password: the one specified when running “kusanagi init”.

For Microsoft Azure, use the username and password that were specified on the “Basics” screen when launching the VM.

2. Switch to root user

Enter the following to switch to root user.

$ su -

You will be asked for a password. Enter the password for root user.
* The root user password is the one defined when the virtual machine was launched on the cloud service.

For Microsoft Azure, enter the following to switch to root user.

$ sudo su -

You will be asked for a password. Enter the password used for SSH login.

3. Go to the directory where wp-config.php is located

Go to the directory where wp-config.php is located.
Enter the following.

# cd /home/kusanagi/kusanagi_html(*1)/DocumentRoot

(*1) Enter the name of the profile created in “WordPress Provisioning”.

4. Move wp-config.php up one level

Move the wp-config.php file up one level. Enter the following.

# mv wp-config.php ../

5. Go up one level from current directory

Go up one level from the current directory and confirm that wp-config.php has been moved correctly. Enter the following.

# cd ..

6. Confirm wp-config.php file is present

Check that wp-config.php is now in the directory one level above the document root.
Enter the following to list the files in the directory and make sure wp-config.php is in the list.

# ll

If the file is listed, the move was successful.

7. Check display of the website

Access the URL of the website from your browser.
If the front page of the website displays without any problems, then WordPress is operating normally after the move of wp-config.php.

b. Set limited permission

If you used KUSANAGI to install WordPress, the owner of wp-config.php is httpd (group is www) and the permission is 666 (rw-rw-rw-) by default.

You can increase security by changing the owner of wp-config.php and setting its permission as restrictively as possible.

* The following procedure assumes that wp-config.php has been moved out of the document root as described in the previous step.

1. Log in to the virtual machine

Use Poderosa or another SSH client to log in to the virtual machine via SSH.

2. Switch to root user

Enter the following to switch to root user.

$ su -

You will be asked for a password. Enter the password for root user.
* The root user password is the one defined when the virtual machine was launched on the cloud service.

For Microsoft Azure, enter the following to switch to root user.

$ sudo su -

You will be asked for a password. Enter the password used for SSH login.

3. Go to the directory where wp-config.php is located

Enter the following to go to the directory where wp-config.php is located.

# cd /home/kusanagi/kusanagi_html(*1)

(*1) Enter the name of the profile created in “WordPress Provisioning”.

4. Change the owner of wp-config.php

Enter the following to change the owner from the web server user (httpd) to the kusanagi user, keeping the www group.

# chown kusanagi:www wp-config.php

5. Change permission for wp-config.php

After changing the owner, change the permission of wp-config.php to “440 (r-- r-- ---)” so that the file is read-only for its owner and group and not accessible to anyone else.
Enter the following.

# chmod 0440 wp-config.php

6. Check the permission

Make sure the permission of wp-config.php has been changed. Enter the following to list the files in the directory with their permissions, and check the entry for wp-config.php.

# ll

If the permission of wp-config.php is stated as “r-- r-- ---”, then the change is successful.

7. Check the display of the site

Access the URL of the website from your browser.
If the front page of the website displays without any problems, then WordPress is operating normally after the permission change.
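The procedure in 1a and 1b can be scripted and verified in one go. The following shell functions are an added example for this guide, not part of KUSANAGI: they assume the profile layout /home/kusanagi/[profile name]/DocumentRoot described above, GNU coreutils (stat -c), and the owner and group kusanagi:www from step 1b-4 (names or numeric ids are both accepted). WordPress itself (wp-load.php) looks for wp-config.php one level above its install directory when the file is not in the document root, but only if that parent directory does not also contain wp-settings.php; the check covers that condition too.

```shell
#!/bin/sh
# Added example, not part of the KUSANAGI documentation.
# Applies and verifies the wp-config.php hardening from section 1 for one
# provisioned profile. Assumes GNU coreutils (stat -c) and the layout
# PROFILE_DIR/DocumentRoot; on a KUSANAGI host OWNER:GROUP is kusanagi:www.

# harden_wpconfig PROFILE_DIR OWNER GROUP
# Step 1a: move wp-config.php one level above DocumentRoot if it is still there.
# Step 1b: set OWNER:GROUP and mode 0440. Re-running it is harmless.
harden_wpconfig() {
    profile_dir=$1; owner=$2; group=$3
    if [ -f "$profile_dir/DocumentRoot/wp-config.php" ]; then
        # wp-load.php falls back to dirname(ABSPATH)/wp-config.php, so the
        # parent of DocumentRoot is where WordPress will look for the file
        mv "$profile_dir/DocumentRoot/wp-config.php" "$profile_dir/wp-config.php" || return 1
    fi
    if [ ! -f "$profile_dir/wp-config.php" ]; then
        echo "no wp-config.php found under $profile_dir" >&2
        return 1
    fi
    chown "$owner:$group" "$profile_dir/wp-config.php" || return 1
    chmod 0440 "$profile_dir/wp-config.php" || return 1
}

# check_wpconfig PROFILE_DIR OWNER GROUP
# Returns 0 only if every condition from section 1 holds; prints each failure.
check_wpconfig() {
    profile_dir=$1; want_owner=$2; want_group=$3; rc=0
    cfg=$profile_dir/wp-config.php

    # Step 1a: nothing may be left inside the web root
    if [ -e "$profile_dir/DocumentRoot/wp-config.php" ]; then
        echo "FAIL: wp-config.php is still inside DocumentRoot" >&2; rc=1
    fi
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found" >&2; return 1
    fi
    # WordPress only uses the parent copy when the parent directory is not
    # itself a WordPress install (wp-load.php checks for wp-settings.php there)
    if [ -e "$profile_dir/wp-settings.php" ]; then
        echo "FAIL: $profile_dir contains wp-settings.php; WordPress will ignore $cfg" >&2; rc=1
    fi
    # Step 1b: octal mode, owner and group (by name and by id) as printed by GNU stat
    set -- $(stat -c '%a %U %G %u %g' "$cfg")
    [ "$1" = 440 ] || { echo "FAIL: mode is $1, expected 440" >&2; rc=1; }
    [ "$2" = "$want_owner" ] || [ "$4" = "$want_owner" ] \
        || { echo "FAIL: owner is $2, expected $want_owner" >&2; rc=1; }
    [ "$3" = "$want_group" ] || [ "$5" = "$want_group" ] \
        || { echo "FAIL: group is $3, expected $want_group" >&2; rc=1; }
    return $rc
}

# Usage on the VM (as root):
#   harden_wpconfig /home/kusanagi/kusanagi_html kusanagi www
#   check_wpconfig  /home/kusanagi/kusanagi_html kusanagi www && echo OK
```

Run both functions as root and then load the front page as in step 7. Because the web server user httpd belongs to the www group (step 1b), mode 440 leaves the file readable for WordPress but not writable, so any plugin that tries to edit wp-config.php will fail; that is the intended effect of the change.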

2. Restrict access to WordPress dashboard

Prevent unauthorized logins to the WordPress dashboard by third parties using Basic authentication and an IP address restriction.

KUSANAGI installs two web servers (Nginx and Apache), and you can switch between them. Follow both of the procedures below so that the restriction is applied whichever server is in use.

a. Specify the IP address allowed access on Nginx

Enter the following to open the Nginx configuration file.

# vi /etc/nginx/conf.d/[profile name(*1)]_http.conf

(*1) Name of profile created by “kusanagi provision” command.
Example: vi /etc/nginx/conf.d/kusanagi_html_http.conf

In line 43, change “allow 0.0.0.0/0;” to the allowed IP address.
Example: allow xxx.xxx.xxx.xxx;

* If you don’t use Basic authentication, comment out lines 46 and 47 (add “#” at the beginning of each line).

When WordPress is provisioned, a configuration file is also created for SSL, so the same change is needed there.
Enter the following to open the Nginx SSL configuration file.

# vi /etc/nginx/conf.d/[profile name (*1)]_ssl.conf

(*1) Name of profile created by “kusanagi provision” command.
Example: vi /etc/nginx/conf.d/kusanagi_html_ssl.conf

In line 54, change “allow 0.0.0.0/0;” to the allowed IP address.
Example: allow xxx.xxx.xxx.xxx;

* If you don’t use Basic authentication, comment out lines 57 and 58 (add “#” at the beginning of each line).

If Nginx is the active web server and you want the change to take effect immediately, run the “kusanagi nginx” command.
The next time Nginx is started as the web server, only the specified IP address is allowed to access the WordPress dashboard directly.

* Refer to “c. .htpasswd settings” for how to set up username and password for Basic authentication.

b. Specify the IP address permitted access on Apache

Enter the following to open the “.htaccess” file in the document root.

# vi /home/kusanagi/[profile name (*1)]/DocumentRoot/.htaccess

(*1) Name of profile created by “kusanagi provision” command.
Example: vi /home/kusanagi/kusanagi_html/DocumentRoot/.htaccess

In line 8, change “Allow from all” to the allowed IP address.
Example: Allow from xxx.xxx.xxx.xxx

* If you don’t use Basic authentication, comment out lines 10, 11 and 12 (add “#” at the beginning of each line).

The next time Apache is started as the web server, only the specified IP address is allowed to access the WordPress dashboard directly.

* Refer to “c. .htpasswd settings” for how to set up the username and password for Basic authentication.

c. “.htpasswd” settings

Follow the procedure below to create the .htpasswd file and set the username and password for Basic authentication.

1. Create .htpasswd file

Both Nginx and Apache are configured by default to read the “.htpasswd” file from the same path.
Create the “.htpasswd” file at that path.

Enter the following.

# htpasswd -c /home/kusanagi/.htpasswd [username]

Enter a password when prompted.
Re-enter the same password to confirm.

2. Check access to the dashboard

Access the dashboard URL from your browser and enter the username and password for Basic authentication. If the dashboard is displayed without problems, the configuration is successful.
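To avoid editing the address into several files by hand, the following shell functions (an added example for this guide, not part of KUSANAGI) validate an IPv4 address or CIDR range, list the rules that still admit any address, and rewrite them in place while keeping a .bak copy. They recognise the Nginx form “allow 0.0.0.0/0;” and the Apache form “Allow from all” from the configuration files named above; the file used in the test is a constructed fragment, not one of the real files. GNU sed and grep are assumed.

```shell
#!/bin/sh
# Added example, not part of the KUSANAGI documentation.
# Audits and rewrites the dashboard access rules from section 2. Understands
# the Nginx form "allow 0.0.0.0/0;" and the Apache .htaccess form
# "Allow from all". Assumes GNU sed and grep; FILE is one of the
# configuration files named in the guide (a constructed fragment in the test).

# valid_ipv4_cidr ADDR -> 0 if ADDR is a.b.c.d or a.b.c.d/NN (octets 0-255, NN 0-32)
valid_ipv4_cidr() {
    addr=${1%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1          # exactly four dot-separated octets
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# open_rules FILE -> prints, with line numbers, every rule that still admits any address
open_rules() {
    grep -nE '^[[:space:]]*(allow[[:space:]]+0\.0\.0\.0/0;|Allow[[:space:]]+from[[:space:]]+all)[[:space:]]*$' "$1"
}

# restrict_rules FILE ADDR -> replace those rules with ADDR in place, keeping FILE.bak.
# The address is validated first so that a typo (or a stray directive) never
# reaches the web server configuration.
restrict_rules() {
    valid_ipv4_cidr "$2" || { echo "refusing: '$2' is not an IPv4 address or CIDR range" >&2; return 1; }
    sed -i.bak \
        -e "s#^\([[:space:]]*\)allow[[:space:]][[:space:]]*0\.0\.0\.0/0;#\1allow $2;#" \
        -e "s#^\([[:space:]]*\)Allow[[:space:]][[:space:]]*from[[:space:]][[:space:]]*all[[:space:]]*\$#\1Allow from $2#" \
        "$1"
}

# Usage on the VM (as root); check the result with "nginx -t" before "kusanagi nginx":
#   open_rules     /etc/nginx/conf.d/kusanagi_html_http.conf
#   restrict_rules /etc/nginx/conf.d/kusanagi_html_http.conf 203.0.113.7
```

Run open_rules against the http and ssl configuration files and the .htaccess file after editing; an empty result means no rule still admits every address. Two points for the .htpasswd step: `htpasswd -c` creates the file and overwrites an existing one, so add further users by running htpasswd without -c, and make sure the file is readable by the web server user but not placed under the document root (the guide's default path /home/kusanagi/.htpasswd satisfies this).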

3. Restrict IP access to the server

In the hosts.allow and hosts.deny files you can specify the IP addresses and hosts that are allowed to connect to the server. Connections from any other IP address or host are then denied.

  • hosts.allow
    Specify conditions for access permission.
  • hosts.deny
    Specify conditions for access denial.

The settings will be applied in the following order.

  1. If the access matches the conditions set in hosts.allow file, then the access is allowed.
  2. If the access matches the conditions set in hosts.deny file, then the access is denied.
  3. If the access matches neither the conditions in hosts.allow nor those in hosts.deny, then the access is allowed.

Use the following format for both hosts.allow file and hosts.deny file.

Service Name: host name or IP address
Example) ssh:192.168.1.0

a. Allow access by hosts.allow

Specify the IP addresses or host names that are allowed access.

1. Go to directory where hosts.allow is located

Enter the following.

# cd /etc/

2. Open hosts.allow file

Open the hosts.allow file in the “/etc/” directory.
Enter the following.

# vi hosts.allow

3. Describe conditions for allowed access

Describe the conditions for allowed access to the server.

Example
all:192.168.1.10
all:192.168.10.
all:.ucom.ne.jp

Add the conditions and then save the file.
Pay close attention when entering the numbers: if a number in a condition is wrong, you will no longer be allowed access.

b. Deny access by hosts.deny

Deny all other access.
The hosts.deny file is in the same directory as the hosts.allow file.

1. Open hosts.deny file

Open hosts.deny file.
Enter the following.

# vi hosts.deny

2. Description to deny all access

Add the following description to deny all access.

all:all

Now only access from the IP addresses and host names specified in “a. Allow access by hosts.allow” is allowed.
Save the file after making the changes.
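The decision order in steps 1 to 3 above can be rehearsed before the real files in /etc are touched. The following shell functions are an added example for this guide, not part of KUSANAGI: they evaluate a daemon name and a client against copies of hosts.allow and hosts.deny in that same order, and understand the pattern forms this section uses (all, an exact address, a trailing-dot network prefix such as 192.168.10., and a leading-dot domain suffix such as .ucom.ne.jp). Two points to keep in mind: the daemon field is matched against the service's process name (sshd for OpenSSH), and the rules only take effect for services built with TCP wrapper (libwrap) support.

```shell
#!/bin/sh
# Added example, not part of the KUSANAGI documentation.
# Dry-run evaluator for the hosts.allow / hosts.deny decision order in section 3,
# so a rule set can be checked from saved copies before it is installed in /etc.
# Supported client patterns: ALL, exact address or host name, "192.168.10."
# (network prefix, trailing dot), ".example.jp" (domain suffix, leading dot).

# pattern_matches PATTERN VALUE -> 0 if one pattern matches one daemon or client value
pattern_matches() {
    pat=$1; val=$2
    case $pat in
        [Aa][Ll][Ll]) return 0 ;;                      # ALL wildcard
        *.) case $val in "$pat"*) return 0 ;; esac ;;  # trailing dot: network prefix
        .*) case $val in *"$pat") return 0 ;; esac ;;  # leading dot: domain suffix
        *)  [ "$pat" = "$val" ] && return 0 ;;         # exact host or address
    esac
    return 1
}

# list_matches LIST VALUE -> 0 if any comma- or space-separated pattern in LIST matches
list_matches() {
    val=$2
    oldifs=$IFS; IFS=', '; set -- $1; IFS=$oldifs
    for p in "$@"; do
        pattern_matches "$p" "$val" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if any "daemons : clients" line in FILE matches
file_matches() {
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    # Drop comments and blank lines; each remaining line is "daemons : clients [: option]"
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | {
        while IFS=: read -r dlist clist rest; do
            list_matches "$dlist" "$daemon" && list_matches "$clist" "$client" && exit 0
        done
        exit 1
    }
}

# hosts_access ALLOW_FILE DENY_FILE DAEMON CLIENT -> prints allow or deny; returns 0 for allow
hosts_access() {
    if file_matches "$1" "$3" "$4"; then echo allow; return 0; fi   # step 1: hosts.allow wins
    if file_matches "$2" "$3" "$4"; then echo deny;  return 1; fi   # step 2: hosts.deny
    echo allow; return 0                                             # step 3: no match at all
}

# Usage: evaluate a working copy before installing it
#   hosts_access ./hosts.allow ./hosts.deny sshd 192.168.1.10
```

Before saving the real files, keep your current SSH session open and test a new connection from the allowed address. The lockout case in the test below (a mistyped 192.168.1.100 checked against an allow entry for 192.168.1.10, with all:all in hosts.deny) is exactly the mistake the note at the end of step 3 warns about.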

4. Other directory permission settings

In KUSANAGI, the following directories have permission 777 (rwx rwx rwx) by default. Change the permission to 755 (rwx r-x r-x).

  • Document root (/home/kusanagi/[profile name]/DocumentRoot)
  • wp-content directory (/home/kusanagi/[profile name]/DocumentRoot/wp-content)

a. Change permission for DocumentRoot

Enter the following to go to the directory that contains DocumentRoot.

# cd /home/kusanagi/kusanagi_html(*1)

(*1) Enter the name of the profile created by “kusanagi provision” command.
Then, enter the following.

# chmod 0755 DocumentRoot

b. Change permission for wp-content directory

Next, change the permission for wp-content directory.
Enter the following and go to the directory where wp-content directory is located.

# cd DocumentRoot

Then, enter the following.

# chmod 0755 wp-content

The directory permission is now successfully changed.
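Section 4 changes two directories by hand. The following shell functions (an added example for this guide, not part of KUSANAGI) generalise that step: they list every directory below DocumentRoot whose other-write bit is set and reset each one to 0755. The same profile layout and a POSIX find are assumed. Check ownership before running it: if a directory such as wp-content/uploads is owned by a user other than the web server, 0755 will stop uploads from working.

```shell
#!/bin/sh
# Added example, not part of the KUSANAGI documentation.
# Finds and fixes world-writable directories under a profile, generalising the
# two "chmod 0755" commands in section 4 to every directory below DocumentRoot.
# Assumes a POSIX find and the layout PROFILE_DIR/DocumentRoot.

# world_writable_dirs PROFILE_DIR -> prints each directory whose "other" write bit is set
world_writable_dirs() {
    # -perm -002: the other-write bit is set (777, 767, 707 ... all match)
    find "$1/DocumentRoot" -type d -perm -002 -print
}

# fix_dir_modes PROFILE_DIR -> chmod 0755 every world-writable directory found
fix_dir_modes() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        chmod 0755 "$dir"
    done
}

# Usage on the VM (as root): list first, then fix and confirm the list is empty
#   world_writable_dirs /home/kusanagi/kusanagi_html
#   fix_dir_modes       /home/kusanagi/kusanagi_html
#   world_writable_dirs /home/kusanagi/kusanagi_html
```

Run world_writable_dirs first to see what will change; an empty second listing after fix_dir_modes confirms that no directory under DocumentRoot is world-writable any more.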