Hardening VPS/Ded Server for WordPress w/o security Plugins

brandshouter

New Member
I've been a KnownHost customer for a while and just now found the forums (thanks to searching for this subject). I only handle WordPress sites on my server for my clients. I'm looking for a way to not have security plugins installed on the application level and, instead, harden my VPS with WordPress in mind. I'm wondering if anyone has any resources they can share on ways to accomplish this or if I'm looking to do something that doesn't exist.
 
Welcome to the forum!

The best things you're going to find will be Modsec and the likes (I'm including things like Imunify360 and BitNinja here), or services like Cloudflare. Going straight with Modsec can be a hoss, the rules must be tailored to your site. Imunify360 and BitNinja make it a bit easier by having good starting rulesets.

Cloudflare, cWatch, I think Google has a similar service, etc. filter things before they hit your server, basically using the aforementioned methods as well as some other advanced filtering methods at the packet level.
 
Thanks Jonathan. I'm trying out BitNinja. It looks a lot like what I'm looking for. I also made a tweak to modsec recommended in another thread on these forums. I appreciate the help!
 
Oh, you're my hero! It was your thread I referenced in my previous response and I'm using your script now as well. I just watch the "hit list" grow more and more. I actually modified it to block 10+ attempts for 24 hours to cut back on the attempts some of the sites were having. If a client gets locked out, I'll be able to remove them so they regain access (and reset their password so they have it). Also, I developed a standard set of .htaccess rules that I've added to all my client sites to help beef up security.
 
If you take a look at Cloudflare, you really should take the time to fully utilize it, as it presents some unique opportunities. DDOS protection is one of the primary services they provide, and to utilize it fully you need to hide the IP of the server. I've experienced two of them; the second occurred about a week after the first one, and it was behind Cloudflare's network at that point on a newly issued IP. Server logs indicate they fingerprinted the IP with XXX.XXX.XXX.XXX/unique_image.jpg. I'm assuming they ran a bot across my old host's network range. Once the IP is known, Cloudflare becomes useless. As a side note, one other benefit is no wait for DNS propagation: you only need to change the IP in their control panel and it's a done deal.

Today if I gave you one of my domains and the IP, if you edited your hosts file to point to it.... server not found. :) You firewall off all traffic to and from ports 80 and 443 except Cloudflare IPs.

CSF also works with Cloudflare's API.... there is an endless amount of ways to utilize their service. As far as WordPress, they have a specific ruleset for that.

I know knownhost offers DDOS protection but I'm not one to put all my eggs in one basket.
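The port 80/443 lockdown described in the post above, sketched as an added example that is not from the thread or from any participant: a script that validates an allowlist and prints the iptables commands for review instead of applying them. The chain name WEB_PROXY_ONLY and the sample ranges are assumptions made for illustration; it covers inbound IPv4 only, so IPv6 needs the equivalent ip6tables rules.

```shell
#!/bin/sh
# Added example: PRINT (never apply) iptables commands that restrict inbound
# TCP 80/443 to an allowlist of reverse-proxy ranges.

# Constructed placeholders (RFC 5737 documentation nets), NOT Cloudflare's
# real ranges. Substitute the IPv4 list Cloudflare publishes.
SAMPLE_RANGES='# constructed sample allowlist
192.0.2.0/24
198.51.100.0/24   # trailing comments are allowed
'

# valid_cidr4 CIDR: succeed only for a well-formed a.b.c.d/len
valid_cidr4() {
    case $1 in
        *[!0-9./]*|*/*/*|*.*.*.*.*|.*|*..*|*./*) return 1 ;;
        *.*.*.*/*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}; len=${1#*/}
    case $len in ''|???*|0?*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs   # split octets on dots
    for o in "$@"; do
        case $o in ''|????*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# gen_rules: read an allowlist on stdin, write iptables commands to stdout.
# One bad entry rejects the whole list, so a typo cannot yield a partial set.
# WEB_PROXY_ONLY is a hypothetical chain name chosen for this example.
gen_rules() {
    accepts=
    while IFS= read -r entry; do
        entry=$(printf '%s' "${entry%%#*}" | tr -d ' \t\r')  # drop comments, blanks
        [ -n "$entry" ] || continue
        valid_cidr4 "$entry" || { echo "bad entry: $entry" >&2; return 1; }
        accepts="${accepts}iptables -A WEB_PROXY_ONLY -s $entry -j ACCEPT
"
    done
    # An empty list would produce a DROP-only chain and take every site offline.
    [ -n "$accepts" ] || { echo "empty allowlist" >&2; return 1; }
    echo "iptables -N WEB_PROXY_ONLY"
    printf '%s' "$accepts"
    echo "iptables -A WEB_PROXY_ONLY -j DROP"
    # Hook the chain into INPUT last, once it is fully populated.
    echo "iptables -I INPUT -p tcp -m multiport --dports 80,443 -j WEB_PROXY_ONLY"
}

printf '%s' "$SAMPLE_RANGES" | gen_rules
```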
 
I know knownhost offers DDOS protection but I'm not one to put all my eggs in one basket.

KnownHost DDoS protection does not protect against Layer 7 attacks (Application Level Attacks), which CloudFlare does protect against.

One more reason to have CloudFlare as a front-end to your website.
 
It's one of those things you don't know you need until you need it. Hard lesson learned, but I've done what I can to mitigate it. The only exposure I'm aware of is that the IP for the email is exposed and, to the best of my knowledge, can't be hidden. Cloudflare will not proxy email. The domain I'm concerned about is on another IP but the same VPS. My assumption is that, worst case, the IP for the email can be null routed and the website could continue to function without any issues other than loss of email service. If that assumption is wrong, let me know.
 
If I'm understanding what I'm reading, a lot of hosting providers are starting to partner with Cloudflare to offer their service and easier setup via cPanel. Is this something KH is looking into? If not, why? You seem to refer to Cloudflare; wouldn't a partnership be good for everyone (them, you, your customers, and our customers' websites)?
 
Yes, DDOS protection is one of the primary services which they provide, and to utilize it fully you need to hide the IP of the server. I've experienced one of them,
 