Apache httpd configuration for WordPress


This article belongs to our video course series about WordPress security.

In this article, we will discuss how to configure Apache on a Debian-based system for use with WordPress and Let’s Encrypt, add hotlink prevention, and block execution of .php files inside the wp-uploads directory tree.

First, let’s install the Apache web server. This can be done by running the following command:

sudo apt install apache2

Once Apache is installed, we’ll need to create a virtual host for our WordPress installation. This can be done by creating a new file in the /etc/apache2/sites-available/ directory with a .conf extension. For example, if our domain name is example.com, we would create a file named example.com.conf.

Make sure to replace example.com with your domain name!

In this file, we will need to include the following configuration:

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    <Directory /var/www/example.com>
        Options FollowSymLinks
        # AllowOverride All lets .htaccess files under the DocumentRoot override these settings
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

This configuration tells Apache to listen on port 80 for requests to both example.com and www.example.com and to serve files from the /var/www/example.com directory. AllowOverride All also permits .htaccess files in the DocumentRoot directory, which gives greater flexibility in configuring the server (WordPress relies on this for its permalink rules).

Now we will enable the virtual host by running the command:

sudo a2ensite example.com.conf

Then, test the Apache configuration by running the command:

sudo apache2ctl configtest

If the configuration is correct, the output will say “Syntax OK” and you can restart Apache by running the command:

sudo systemctl restart apache2

Now, it’s time to secure our server with Let’s Encrypt. You can install the Let’s Encrypt client by running the command:

sudo apt install certbot python3-certbot-apache

Once the installation is complete, run the following command to obtain and install the TLS certificate for HTTPS. Before executing it, make sure the domain name already resolves to your new web server, because Let’s Encrypt validates the domain by contacting it.

sudo certbot --apache -d example.com -d www.example.com

This command automatically configures Apache to use the newly issued certificate and sets up automatic renewal of the certificate by adding a cron job.

Now, let’s prevent hotlinking of images by adding the following rules to the .htaccess file in the root directory of your WordPress installation:

# Keep these lines outside the "# BEGIN WordPress" ... "# END WordPress" block, which WordPress rewrites
RewriteEngine on
# Only act when a Referer header is present ...
RewriteCond %{HTTP_REFERER} !^$
# ... and it does not point at our own site; the pattern is anchored with (/|$) so that
# a look-alike host such as example.com.other.tld does not match
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
# Then answer image requests with 403 Forbidden
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

This returns 403 Forbidden for every jpg, jpeg, png and gif request whose Referer header is set and does not belong to example.com; requests without a Referer header are still served.

Finally, to block execution of .php files inside the wp-uploads directory tree, add the following to the .htaccess file in that directory:

# Apache 2.4 form of "deny from all": refuse every request for a .php file
# in this directory and its subdirectories
<Files *.php>
    Require all denied
</Files>

This blocks every direct request for a .php file inside the wp-uploads directory tree, mitigating another attack vector.
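To check the two .htaccess protections above before relying on them, here is an added Python model (not code from the original article) of how Apache evaluates them: the three mod_rewrite lines, with the Referer pattern anchored as `^https?://(www\.)?example\.com(/|$)`, and the `<Files *.php>` deny. It assumes the uploads directory is WordPress's wp-content/uploads; the request paths and Referer values in the usage block are constructed samples.

```python
import re
from fnmatch import fnmatchcase

# Referer pattern from the hotlink rule, anchored with (/|$) so that a
# look-alike host such as example.com.other.tld does not count as our site.
OWN_SITE_REFERER = re.compile(r"^https?://(www\.)?example\.com(/|$)", re.IGNORECASE)
# Path pattern from the RewriteRule; [NC] makes it case-insensitive.
IMAGE_PATH = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)
# Assumed location of the directory that carries the <Files *.php> .htaccess.
UPLOADS_PREFIX = "/wp-content/uploads/"


def hotlink_decision(path: str, referer: str) -> int:
    """Model the three mod_rewrite lines: the rule fires only if every RewriteCond holds."""
    cond_not_empty = referer != ""                              # RewriteCond %{HTTP_REFERER} !^$
    cond_not_own = OWN_SITE_REFERER.search(referer) is None     # RewriteCond ... !^https?://... [NC]
    rule_matches = IMAGE_PATH.search(path) is not None          # RewriteRule \.(jpg|...)$ - [NC,F,L]
    return 403 if (cond_not_empty and cond_not_own and rule_matches) else 200


def uploads_php_decision(path: str) -> int:
    """Model <Files *.php> Require all denied inside the uploads directory tree."""
    basename = path.rsplit("/", 1)[-1]
    if path.startswith(UPLOADS_PREFIX) and fnmatchcase(basename, "*.php"):
        return 403
    return 200


def decide(path: str, referer: str = "") -> int:
    """Combine both protections the way Apache does: any deny wins."""
    return max(hotlink_decision(path, referer), uploads_php_decision(path))


if __name__ == "__main__":
    samples = [  # constructed requests: (path, Referer header)
        ("/wp-content/uploads/2024/photo.jpg", ""),
        ("/wp-content/uploads/2024/photo.jpg", "https://www.example.com/post/"),
        ("/wp-content/uploads/2024/photo.JPG", "https://other.example.net/"),
        ("/wp-content/uploads/2024/photo.jpg", "https://example.com.other.tld/"),
        ("/wp-content/themes/x/style.css", "https://other.example.net/"),
        ("/wp-content/uploads/2024/upload.php", "https://example.com/"),
        ("/wp-login.php", ""),
    ]
    for p, r in samples:
        print(f"{decide(p, r)}  {p}  referer={r!r}")
```

Running it shows that an empty Referer and a same-site Referer are served, a foreign or look-alike Referer on an image gets 403, non-image files are unaffected, and a .php file under uploads is denied regardless of Referer.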

And with that, your Apache server should now be fully configured for use with WordPress and Let’s Encrypt.
