This article belongs to our video course series about WordPress security.
In this article, we will discuss how to configure Apache on a Debian-based system for use with WordPress, Let’s Encrypt and Hotlink prevention as well as protection against executing of .php files inside the wp-uploads directory tree.
First, let’s install the Apache web server. This can be done by running the following command:
sudo apt install apache2Once Apache is installed, we’ll need to create a virtual host for our WordPress installation. This can be done by creating a new file in the /etc/apache2/sites-available/ directory with a .conf extension. For example, if our domain name is example.com, we would create a file named example.com.conf.
Make sure to replace example.com with your domain name!
In this file, we will need to include the following configuration:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com
<Directory /var/www/example.com>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>This configuration tells Apache to listen on port 80 for requests to both example.com and www.example.com and to serve files from the /var/www/example.com directory. It also allows the use of .htaccess files in the DocumentRoot directory, which allows for greater flexibility in configuring the server.
Now we will enable the virtual host by running the command:
sudo a2ensite example.com.confThen, test the Apache configuration by running the command:
sudo apache2ctl configtestIf the configuration is correct, the output will say “Syntax OK” and you can restart Apache by running the command:
sudo systemctl restart apache2Now, it’s time to secure our server with Let’s Encrypt. You can install the Let’s Encrypt client by running the command:
sudo apt install certbot python3-certbot-apacheOnce the installation is complete, run the following command to generate and install the SSL/TLS certificate for HTTPS. Before executing the next command, please make sure that you configured the domain correctly to point to your new web server.
sudo certbot --apache -d example.com -d www.example.comThis command will automatically configure Apache to use the newly generated certificate. And also, it will set up automatic renewal of the certificate by adding a cron job.
Now, let’s prevent hotlinking of images by adding the following code in your .htaccess file inside the root directory of your WordPress installation:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]This will block all request coming from outside of example.com for jpg, jpeg, png and gif files.
Finally, to protect against executing of .php files inside the wp-uploads directory tree, you can add the following code in your .htaccess file:
<Files *.php>
deny from all
</Files>This will block all .php files inside the wp-uploads directory tree mitigating another attack vector.
And with that, your Apache server should now be fully configured for use with WordPress and Let’s Encrypt.
