The on-line hacker Jargon File, version 4.1.5, 24 SEP 1999 (catb.org)

:fscking: /fus'-king/ or /eff'-seek-ing/ adj. [Usenet; common]

Fucking, in the expletive sense (it refers to the Unix filesystem-repair command fsck(1), of which it can be said that if you have to use it at all you are having a bad day). Originated on {scary devil monastery} and the bofh.net newsgroups, but became much more widespread following the passage of {CDA}. Also occasionally seen in the variant "What the fsck?"

40 years of hacker culture in one document.

Welcome by an author (Daniel Brinneman)
The first line of defense in all of hosting and following sections I’ll write about, this being a subtle ‘zero’ or the least thought about topic of consideration, is your choice of usernames and passwords. I’ve had way too many clients always default to these two habits. The first is choosing a username that the whole of WordPress new sites used to have on install, ‘admin’ (no longer the case) and second, choosing a password that was easy for them to remember from anywhere. And then using that same combination on every single online account they had, even their personal accounts. Yikes! And even after I had generated a secure password for them, they changed it to something “easier” to remember. That always makes me feel extremely uneasy because I already can guess what’s in their site’s future. I have my clients’ best interest in mind when I generate those cumbersome passwords.

Update: Daniel moved his content to a new domain. This fixes a broken link. Let’s hope I don’t have to do this again.

Fellow Desk.pm user Daniel Brinneman recently wrote an article on how to harden a WordPress website. Daniel’s piece is well written and covers the basics. Please visit his site.

While Daniel and I use basically the same process, I wanted to cover the personal process I use for securing my WordPress websites. For brevity, I don’t go into detail about how to carry out each step; I may cover those steps in a later article.

Hosting Provider

Let’s start with the hosting provider. I want one that is reliable, available and secure. I use a virtual private server (VPS) hosting plan with Digital Ocean[1] rather than shared hosting. Digital Ocean calls these droplets. Digital Ocean has data centres in multiple locations globally and offers five popular Linux distributions that can be pre-installed automatically when a server is deployed: Ubuntu, CentOS, Debian, Fedora, and CoreOS. While I can certainly build my web server stack from scratch, I trust the staff at Digital Ocean and opt to use one of their pre-packaged LAMP/WordPress stacks.

Each Digital Ocean SSD VPS comes with full root access, a choice of operating systems, and the ability to customise the configuration. With a shared hosting plan, I would be concerned that a compromise of another tenant’s account could lead to a compromise of the entire host. A VPS still shares the physical hardware and hypervisor with other droplets, but that isolation boundary is far stronger than a shared web server’s, and on my own VPS I can configure as much or as little security as I consider acceptable.

Operating System Hardening

On a *NIX system, root is the administrative user with very broad privileges. Because of those privileges, I discourage regular use of the root account: part of the power inherent in root is the ability to make very destructive changes, even by accident.

Since root gives me complete control of the system, I start my hardening at the operating system level by changing the root password immediately after the server is created. I choose a long and complex password that I can still remember. I then create a new non-root account and add it to the sudoers file. Using that account (via sudo), I edit the SSH server configuration to disable root login over SSH and generate 4096-bit SSH keys for remote authentication (once key login has been verified from a second session, password authentication can be switched off as well). I then disable and remove any unneeded services, and install and configure file integrity monitoring software. Next, I harden the web server: I generate and install TLS (not SSL) certificates and configure the web server for forward secrecy, OCSP stapling, Public Key Pinning (HPKP) and Strict Transport Security (HSTS). One caution on HPKP: browsers have since dropped support for it, and a wrong or stale pin locks visitors out of the site until the pin expires, so HSTS is the part of that list that still earns its keep.
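The SSH part of that procedure, as an added example (this is not the author’s script or anything from the original post). It assumes an Ubuntu/Debian droplet, so the sudo group is called sudo, the config file is /etc/ssh/sshd_config and the service is ssh; the admin user name (deploy) and the public key path are placeholders. The configuration functions work on any file and are what the self-check exercises; provision_admin is the root-only wiring and needs a real host. The sample sshd_config fed to it is constructed, not copied from a distribution.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes an Ubuntu/Debian
# droplet (the 'sudo' group, /etc/ssh/sshd_config, the 'ssh' service) and
# that the admin's 4096-bit key pair was generated on the CLIENT with
#   ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa
# Config functions work on any file; provision_admin must run as root.
set -eu

# Set one sshd_config keyword. sshd honours the FIRST occurrence of a keyword,
# so a stale earlier line would silently override an appended value: drop every
# active or commented-out occurrence (keywords are case-insensitive), then
# append ours. Limitation: a keyword inside a "Match" block is removed too,
# so review the file by hand if yours has one.
set_sshd_option() {          # usage: set_sshd_option FILE KEYWORD VALUE
    file=$1
    key=$2
    value=$3
    tmp=$(mktemp)
    grep -Eiv "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"     # overwrite in place so owner and mode are kept
    rm -f "$tmp"
}

# Effective value of KEYWORD in FILE (first active line), as sshd would read it.
sshd_option() {              # usage: sshd_option FILE KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The settings behind "disable root access to SSH" plus key-only login.
harden_sshd_config() {       # usage: harden_sshd_config FILE ADMIN_USER
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" PermitEmptyPasswords no
    set_sshd_option "$1" X11Forwarding no
    set_sshd_option "$1" MaxAuthTries 3
    set_sshd_option "$1" AllowUsers "$2"     # nobody else, root included, may log in
}

# Run before restarting sshd: returns 0 only if every hardened value is in effect.
check_sshd_config() {        # usage: check_sshd_config FILE ADMIN_USER
    [ "$(sshd_option "$1" PermitRootLogin)" = no ] &&
    [ "$(sshd_option "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_option "$1" PubkeyAuthentication)" = yes ] &&
    [ "$(sshd_option "$1" AllowUsers)" = "$2" ]
}

# Root-only steps from the post: non-root sudo user, its public key, then the
# sshd hardening and restart. Not run by the self-check. Keep the existing root
# session open and confirm "ssh ADMIN@host" works from a second terminal
# before closing it, or a typo here locks you out of the droplet.
provision_admin() {          # usage: provision_admin ADMIN_USER /path/to/id_rsa.pub
    admin=$1
    pubkey=$2
    id "$admin" >/dev/null 2>&1 || useradd -m -s /bin/bash "$admin"
    passwd "$admin"                              # sudo will ask for this password
    usermod -aG sudo "$admin"                    # group is 'wheel' on CentOS/Fedora
    install -d -m 700 -o "$admin" -g "$admin" "/home/$admin/.ssh"
    install -m 600 -o "$admin" -g "$admin" "$pubkey" "/home/$admin/.ssh/authorized_keys"
    cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    harden_sshd_config /etc/ssh/sshd_config "$admin"
    check_sshd_config /etc/ssh/sshd_config "$admin"
    sshd -t                                      # syntax check; set -e aborts on error
    systemctl restart ssh                        # service is 'sshd' on CentOS/Fedora
}
```

Usage on the droplet is `provision_admin deploy /root/deploy.pub` as root, with deploy.pub copied up beforehand. The one design point worth noting is the remove-then-append in set_sshd_option: appending `PermitRootLogin no` to a file that still contains an earlier `PermitRootLogin yes` changes nothing, because sshd keeps the first value it sees, and the check function exists so that mistake is caught before the restart rather than after the root session is gone.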

Server Services

Once I complete work on the web server, it is time for MySQL and WordPress. I change the MySQL root password and run the MySQL security script (mysql_secure_installation) to remove the defaults: the anonymous accounts, the test database and remote root login. I then log in to WordPress and create a new admin account, again with a suitably long, randomly generated password, before deleting the old admin account. I then install and configure a web application firewall with specific rules around the wp-admin URL and when to alert me, followed by a WordPress security audit plugin with rules about acceptable actions and when to alert me. Finally, I delete all default posts and pages.

Just a Bit More

Finally, I put the site behind CloudFlare or another content delivery network to help absorb denial of service traffic. Most of these also offer a web application firewall and robust analytics. The CDN only helps if the origin server’s IP address stays private and its firewall accepts web traffic solely from the CDN’s address ranges; otherwise an attacker simply goes around it.

From a security operations perspective, I use the VaultPress service for daily backups and I check that the backups complete. I have a weekly reminder in my calendar to check the Linux server and the WordPress install for security patches and to review my server logs.
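The log review above, and the “when to alert me” rule around wp-admin from the Server Services section, as an added example that is not part of the original post. The post does its alerting through a WAF plugin inside WordPress; this is the same check done from the outside, on the web server’s own access log, so it still fires when a plugin is disabled or the PHP side is compromised. It assumes the Apache “combined” log format (LAMP stack). The log lines are constructed sample data, not real traffic.

```shell
#!/bin/sh
# Added example, not code from the original post. Brute-force detection on an
# Apache "combined" access log. Assumes nothing beyond awk, sort and grep.
set -eu

# Constructed sample log (not real traffic): one client hammering wp-login.php,
# one legitimate login (a failure, then a success), one ordinary visitor.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2811 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:10:05:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:10:05:32 +0000] "GET /wp-admin/ HTTP/1.1" 200 45112 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2015:10:07:00 +0000] "GET / HTTP/1.1" 200 9876 "-" "Mozilla/5.0"'

# Failed login attempts per client IP. WordPress answers a failed wp-login.php
# POST with 200 (the form is re-rendered with an error) and a successful one
# with a 302 redirect to wp-admin, so "POST wp-login.php + 200" is the failure
# signal. Combined-format fields: $1 client, $6 "METHOD, $7 path, $9 status.
failed_login_counts() {      # usage: failed_login_counts LOGFILE  -> "count ip", highest first
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Print the IPs at or above THRESHOLD failures. Exit 0 when there is something
# to alert on, 1 when the log is clean, so it can gate a mail or a firewall rule.
alert_brute_force() {        # usage: alert_brute_force LOGFILE THRESHOLD
    hits=$(failed_login_counts "$1" | awk -v t="$2" '$1 >= t')
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Stand-alone demonstration on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    alert_brute_force "$f" 3 || echo "no brute-force activity"
    rm -f "$f"
fi
```

On the sample, `alert_brute_force access.log 3` prints `5 203.0.113.7` and nothing for 198.51.100.23, whose single failure followed by a 302 is what a real login looks like. Running it from cron against the day’s log, or feeding the output to an `iptables`/`ufw` deny rule, is the “when to alert me” half of the post’s WAF setup. xmlrpc.php is the other endpoint worth watching; it answers 200 whether a guess succeeds or not, so there the signal is raw POST volume per IP rather than the status code.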

I also run vulnerability scans against the server using various open source tools.

I only install plugins and themes from reputable sources, and I keep the number of plugins as small as possible to reduce the attack surface. Plugin updates are part of my regular weekly security checks.

If you need help implementing these WordPress security tips, I am available for hire.

This post was syndicated to How to Secure a new Linux WordPress Server.


  1. Use my referral link to get a discount on Digital Ocean when signing up, and help me keep my site going.

> Apple is not and will not make changes *just for the sake of change*. And while some may now be clamoring for this change, the paradox is that if Apple did make some big changes, many of the same people would bitch and moan about them. Apple is smart enough to know that in this case, most people don’t really want change, they just think that they do because that’s the *easiest way to perceive value: visual newness*. ~ [MG Siegler](http://techcrunch.com/2012/09/13/the-iphone-5-event/)

I watched the event yesterday and grew more excited by the moment. None of what was announced was new or groundbreaking. Most of the hardware aspects of the new iPhone had already leaked out via various tech rumor blogs and Apple released most of the details of iOS 6 earlier in the year. So what was there to be excited about?

I’ve been a computer enthusiast since I learned to program BASIC on a Commodore VIC 20 in 1978. I upgraded to a Commodore 64 in the early 80s, then started using DOS and Windows-based PCs in the late 80s when I went off to engineering college. In graduate school I discovered UNIX and later Linux, which came in handy for my first job at a research and development firm. I switched back to Windows when I started consulting in the 90s. I wasn’t an Apple user until I purchased my first Mac in 2005. I loved that it had my beloved UNIX but had a usable GUI. At the time, Linux did not offer that.

I started buying other Apple products when I realized how easily they integrated with my Macs. I got my first iPad and iPhone in 2010. When iCloud was introduced in iOS 5 I saw a promise of a future where I could compute from *any* Apple device. Mountain Lion solidified that for me. Now iOS 6 brings even more integration.

[Passbook](http://www.apple.com/ios/whats-new/#passbook) promises to relieve my pants pocket of the stress of carrying a phone and a wallet of cash and cards. FaceTime over cellular means I can finally use this feature where it matters to me the most — when I’m out at events but want to say good night to my kids.

The new [Maps](http://www.apple.com/ios/maps/) will make walking the streets of New York City and Philadelphia easier for me.

[Shared Photo Streams](http://www.apple.com/ios/whats-new/#photostream) mean I can share photos of the kids with Grandma and Grandpa — a $99 Apple TV is easier for them to handle than sending a link to a Flickr photo-set.

The new [Phone](http://www.apple.com/ios/whats-new/#phone) app (yes, the iPhone makes calls) has what will be my favorite feature — decline an incoming call and instantly reply with a text message or set a callback reminder. I get over 200 email messages a day and quite often I miss important messages from the people I care about. The Mail app in iOS 6 will let me set up a VIP list so I’ll never miss an important message from my wife or my bank.

My point in writing this was to state that while the look of the hardware is important, for me it’s the software that does the trick of turning a hunk of electronics wrapped in glass and metal into something useful.