This article belongs to our video course series about WordPress security.
In this article, we will discuss how to configure Apache on a Debian-based system for use with WordPress and Let’s Encrypt, add hotlink prevention, and block the execution of .php files inside the wp-uploads directory tree.
First, let’s install the Apache web server. This can be done by running the following command:
sudo apt install apache2
Once Apache is installed, we’ll need to create a virtual host for our WordPress installation. This is done by creating a new file with a .conf extension in the /etc/apache2/sites-available/ directory. For example, if our domain name is example.com, we would create a file named example.com.conf.
Make sure to replace example.com with your domain name!
In this file, we will need to include the following configuration:
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    <Directory /var/www/example.com>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
This configuration tells Apache to listen on port 80 for requests to both example.com and www.example.com and to serve files from the /var/www/example.com directory. It also allows the use of .htaccess files below the DocumentRoot, which gives greater flexibility in configuring the server (WordPress relies on this for its permalink rewrite rules).
Now we will enable the virtual host by running the command:
sudo a2ensite example.com.conf
Then, test the Apache configuration by running the command:
sudo apache2ctl configtest
If the configuration is correct, the output will say “Syntax OK” and you can restart Apache by running the command:
sudo systemctl restart apache2
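The steps above, from writing the virtual host file to enabling it and checking the syntax, as one script. This is example code added to this article, not part of the original course. It assumes the configuration directory can be overridden through APACHE_SITES (so the script can be tried in a scratch directory), rejects anything that is not a plain hostname before writing it into the config, and only calls a2ensite and apache2ctl when they exist on the machine.

```shell
#!/bin/sh
# Generates and enables the Apache virtual host from the article for one domain.
# Example code added to this article, not part of the original course.
# Assumptions: APACHE_SITES and WWW_ROOT may be overridden (e.g. for testing);
# a2ensite / apache2ctl are only invoked when present on the system.
set -eu

APACHE_SITES="${APACHE_SITES:-/etc/apache2/sites-available}"
WWW_ROOT="${WWW_ROOT:-/var/www}"

# A hostname is lower-case letters, digits, hyphens and dots only; anything
# else is rejected so a bad value cannot inject directives into the config file.
valid_domain() {
  printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# Writes $APACHE_SITES/<domain>.conf with the vhost from the article and
# prints the path of the file it wrote.
write_vhost() {
  domain="$1"
  valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
  conf="$APACHE_SITES/$domain.conf"
  cat > "$conf" <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $WWW_ROOT/$domain
    <Directory $WWW_ROOT/$domain>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
EOF
  printf '%s\n' "$conf"
}

# Enables the site and reloads Apache only if the syntax check passes.
enable_vhost() {
  domain="$1"
  command -v a2ensite >/dev/null 2>&1 || { echo "a2ensite not found; skipping enable" >&2; return 0; }
  sudo a2ensite "$domain.conf"
  sudo apache2ctl configtest && sudo systemctl reload apache2
}

# Usage: sh make-vhost.sh example.com
if [ "${1:-}" ]; then
  write_vhost "$1" && enable_vhost "$1"
fi
```

Reloading only after a successful configtest means a typo in the new file never takes the running server down; the domain check is what keeps a mistyped or attacker-influenced value from ending up inside the config file as an extra directive.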
Now, it’s time to secure our server with Let’s Encrypt. You can install the Let’s Encrypt client by running the command:
sudo apt install certbot python3-certbot-apache
Once the installation is complete, run the following command to obtain and install the TLS certificate for HTTPS. Before running it, make sure the domain already resolves to your new web server, since Let’s Encrypt verifies control of the domain by contacting it over HTTP.
sudo certbot --apache -d example.com -d www.example.com
This command automatically configures Apache to use the newly issued certificate and sets up automatic renewal of the certificate by adding a cron job.
Now, let’s prevent hotlinking of images by adding the following code to the .htaccess file in the root directory of your WordPress installation:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
This blocks all requests for jpg, jpeg, png and gif files whose Referer header points outside example.com. Requests that carry no Referer header at all (the first condition) are still allowed, because many browsers and privacy tools strip it and you do not want your own visitors locked out. Note that the domain in the second condition is a regular expression: the dot must be escaped and the hostname anchored (the trailing (/|$)), otherwise a referrer whose hostname merely starts with example.com would also be treated as your own site.
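A small simulator for the rule chain above, so the referrer pattern can be checked against sample requests before it goes into .htaccess. This is example code added to this article, not part of the original course. The two pattern variables are assumptions for the purpose of the demonstration: ORIGINAL is the pattern with the domain written as a plain string (unescaped dot, no anchor), HARDENED is the escaped and anchored form; grep -i stands in for the [NC] flag.

```shell
#!/bin/sh
# Simulates the hotlink RewriteCond/RewriteRule chain against sample requests.
# Example code added to this article, not part of the original course.
# Assumptions: ORIGINAL is the domain written as a plain string, HARDENED is
# the escaped and anchored form; grep -i plays the role of the [NC] flag.
set -eu

ORIGINAL='^http(s)?://(www\.)?example.com'
HARDENED='^https?://(www\.)?example\.com(/|$)'

# Returns 0 if a request for path $1 with Referer $2 would be rejected (403)
# under referrer pattern $3, and 1 if it would be served.
hotlink_blocked() {
  path="$1"; referer="$2"; pattern="$3"
  # RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]: only image requests are affected
  printf '%s\n' "$path" | grep -Eiq '\.(jpg|jpeg|png|gif)$' || return 1
  # RewriteCond %{HTTP_REFERER} !^$: an empty Referer is always allowed
  [ -n "$referer" ] || return 1
  # RewriteCond %{HTTP_REFERER} !<pattern> [NC]: own-site referrers are allowed
  printf '%s\n' "$referer" | grep -Eiq "$pattern" && return 1
  return 0
}

# Prints "blocked" or "allowed" for a (path, referer, pattern) triple.
decide() {
  if hotlink_blocked "$1" "$2" "$3"; then echo blocked; else echo allowed; fi
}

# Constructed sample requests (path, referrer); "-" means no Referer header.
for pattern in "$ORIGINAL" "$HARDENED"; do
  echo "pattern: $pattern"
  while read -r path referer; do
    [ "$referer" = "-" ] && referer=""
    printf '  %-8s %-32s %s\n' "$(decide "$path" "$referer" "$pattern")" "$path" "${referer:-<none>}"
  done <<'EOF'
/wp-content/uploads/logo.png -
/wp-content/uploads/logo.png https://www.example.com/post/1
/wp-content/uploads/logo.png http://example.com/
/wp-content/uploads/logo.png https://other.example/embed
/wp-content/uploads/logo.png https://example.com.other.example/
/wp-content/uploads/logo.PNG https://other.example/
/wp-content/themes/x/style.css https://other.example/
EOF
done
```

Running it shows the one row where the two patterns disagree: a referrer whose hostname begins with example.com but continues with further labels is accepted by the unanchored pattern and rejected by the anchored one. Everything else (no Referer, your own www and bare hostnames, upper-case extensions, non-image files) behaves the same under both.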
Finally, to prevent the execution of .php files inside the wp-uploads directory tree, create a .htaccess file inside that directory itself (wp-content/uploads in a default WordPress install) with the following contents. Do not put this block in the root .htaccess of the site, or WordPress’s own PHP files would be blocked as well:
<Files *.php>
    deny from all
</Files>
This rejects every request for a .php file anywhere below the wp-uploads directory tree, so a PHP file that ends up in the uploads folder through a flawed upload handler cannot be run by simply requesting it, which closes another attack vector. Note that “deny from all” is the Apache 2.2 form; it still works on Apache 2.4 through mod_access_compat (enabled by default in Debian’s apache2 package), and the native 2.4 equivalent is “Require all denied”.
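A script that writes the uploads .htaccess and then audits the directory, for use as a post-install check or a periodic cron job. This is example code added to this article, not part of the original course. It assumes the uploads directory is passed as an argument (wp-content/uploads in a default install; the article calls it wp-uploads), uses the Apache 2.4 form of the deny rule, and widens the match from *.php to the .php, .phar and .phtml extensions that Debian’s PHP module handler configuration covers, so renaming a script to one of the alternative extensions does not get around the rule.

```shell
#!/bin/sh
# Writes and audits the .htaccess that blocks PHP execution in the uploads tree.
# Example code added to this article, not part of the original course.
# Assumptions: $1 is the uploads directory (wp-content/uploads by default);
# the FilesMatch pattern mirrors the extensions Debian's PHP handler config
# associates with PHP.
set -eu

# Apache 2.4 syntax; covers .php, .phar and .phtml rather than only *.php.
write_uploads_htaccess() {
  uploads="$1"
  cat > "$uploads/.htaccess" <<'EOF'
# Deny direct requests for any PHP-like file in the uploads tree
<FilesMatch "\.ph(ar|p|tml)$">
    Require all denied
</FilesMatch>
EOF
}

# Returns 0 when the deny rule is in place and no PHP files are present,
# 1 when the .htaccess is missing or lacks the rule, 2 when PHP files exist.
audit_uploads() {
  uploads="$1"
  if ! grep -qs 'Require all denied' "$uploads/.htaccess"; then
    echo "no PHP deny rule in $uploads/.htaccess" >&2
    return 1
  fi
  stray=$(find "$uploads" -type f \( -iname '*.php' -o -iname '*.phar' -o -iname '*.phtml' \) | wc -l | tr -d ' ')
  if [ "$stray" -gt 0 ]; then
    echo "$stray PHP file(s) found under $uploads (expected none):" >&2
    find "$uploads" -type f \( -iname '*.php' -o -iname '*.phar' -o -iname '*.phtml' \) >&2
    return 2
  fi
  return 0
}

# Usage: sh uploads-guard.sh /var/www/example.com/wp-content/uploads
if [ "${1:-}" ]; then
  write_uploads_htaccess "$1"
  audit_uploads "$1"
fi
```

The audit is deliberately separate from the write: the .htaccess stops Apache from executing such a file, but a PHP file appearing under uploads at all is a signal worth alerting on, because legitimate uploads never produce one.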
And with that, your Apache server should now be fully configured for use with WordPress and Let’s Encrypt.