Apache currently remains the leading web server software in the world with a 45.8% market share. That ends up being about 80 million websites whose web servers are powered by Apache. Pretty impressive, right?
Apache is open source web server software that has been around since 1995, so that alone speaks volumes for its reliability and longevity. Then there are the high-profile websites that run on Apache servers: Apple, Adobe and PayPal are just a few of the major brands that entrust their websites to Apache.
Of course, that doesn't make Apache 100% secure. No software is, and a platform this widely deployed is a prime target, much as WordPress is. But if you're looking for a practical Apache web server security checklist, you've come to the right place.
Whether you want to harden a default Apache install or are working through a specific security issue, the following checklist gives you 14 practices to add to your website's security plan. Directive syntax below is for the Apache 2.4 series; the 2.2 series, which reached end of life in 2017, used different access-control directives (Order, Allow and Deny instead of Require).
The Ultimate Apache Security Best Practices Checklist
For those of you who want to truly fortify your WordPress website, securing Apache is as essential as securing WordPress itself and the plugins and themes that hook into it: a misconfigured web server exposes everything behind it, and several of the settings below also affect your site's speed. So, here's how you do it:
1. Update Apache
You know how WordPress and any plugins and themes you've installed need to be updated regularly? So does your web server: every Apache security release fixes flaws that are public, and therefore being scanned for, the moment it ships.
You can check the installed version with httpd -v (apache2 -v on Debian and Ubuntu). Compare the result with the current 2.4.x release listed on httpd.apache.org, but read it with care: distributions such as Debian, Ubuntu and Red Hat backport security fixes without changing the version number, so a version that looks old may already be patched, and the package manager's changelog and pending-update list are the authoritative source. Update through that package manager (apt on Debian and Ubuntu, yum or dnf on Red Hat-family systems) rather than compiling by hand, so that future security releases arrive with the rest of the system, and restart Apache afterwards: a running process keeps executing the old code until it is restarted.
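The version check described above, as an added example that is not part of the original article: it parses the output of httpd -v (or apache2 -v) and compares it with a minimum version you have decided on. The 2.4.58 baseline in the script is a placeholder, not a claim about the current release, and the package-manager commands it prints are the standard ones for the two distribution families, shown for illustration. Remember the backport caveat: a distribution package can be fully patched at a version number this check would call old, so use it alongside the package manager's own update list, not instead of it.

```shell
#!/bin/sh
# Added example: read the Apache version string and compare it with a minimum.
# Assumes httpd, apache2 or apachectl is on PATH when run for real; the
# functions also accept captured "httpd -v" output so they work offline.

# Print the installed version banner, trying the common binary names in turn.
apache_version_output() {
  httpd -v 2>/dev/null || apache2 -v 2>/dev/null || apachectl -v 2>/dev/null
}

# Extract "2.4.58" from a banner line such as "Server version: Apache/2.4.58 (Unix)".
apache_version_from_output() {
  printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Compare two dotted version numbers component by component; prints -1, 0 or 1.
# Missing components count as 0, so 2.4 and 2.4.0 compare equal.
version_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i in x) ? x[i] + 0 : 0
      q = (i in y) ? y[i] + 0 : 0
      if (p < q) { print -1; exit }
      if (p > q) { print 1; exit }
    }
    print 0
  }'
}

# Succeed (exit 0) when the version in the banner $1 is at least $2.
# Exit 2 when no version can be parsed, so an unexpected banner never passes.
apache_at_least() {
  have=$(apache_version_from_output "$1")
  [ -n "$have" ] || return 2
  [ "$(version_cmp "$have" "$2")" -ge 0 ]
}

# Stand-alone run against the live server. 2.4.58 is a placeholder baseline:
# replace it with the release you have verified on httpd.apache.org.
if out=$(apache_version_output); then
  if apache_at_least "$out" 2.4.58; then
    echo "Apache $(apache_version_from_output "$out") meets the baseline"
  else
    echo "Apache is below the baseline; update via the package manager, e.g.:"
    echo "  apt-get install --only-upgrade apache2   # Debian/Ubuntu"
    echo "  yum update httpd                         # RHEL/CentOS"
  fi
fi
```

The comparison is done in awk rather than with sort -V so it behaves the same on every POSIX system; the parse step is deliberately strict so that a banner in an unexpected format is reported as a failure rather than silently treated as current.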
2. Monitor Server Activity
If you're working with a managed WordPress hosting provider, they'll take care of monitoring your server and WordPress for vulnerabilities and other warning signs. That said, you should keep an eye on your server traffic as well.
Apache records every request in its access log, which is produced by the mod_log_config module; its LogFormat and CustomLog directives control what gets recorded and where (the default combined format includes the client address, request line, status code, referrer and user agent). The log tells you what every client did whenever it touched your server, so it's where brute-force logins, plugin scanners and exploit attempts first show up. Review it regularly, or ship it to a log monitoring tool, and keep the error log as well, since failed attacks often leave their traces there.
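What reading that log looks like in practice, as an added example that is not part of the original article: a shell script that runs two detections over combined-format access log lines, flagging addresses that repeatedly fail to log in to wp-login.php (and whether they eventually succeeded, which is the case worth paging someone for) and addresses that collect many 404s, the signature of a scanner probing for plugins and leftover files. The log lines, addresses and thresholds are constructed for the example; on a real host point the functions at /var/log/apache2/access.log (Debian and Ubuntu) or /var/log/httpd/access_log (Red Hat family).

```shell
#!/bin/sh
# Added example: first-pass triage of an Apache access log in combined format.
# Field positions used below: $1 client IP, $6 "METHOD (with the opening quote),
# $7 request path, $9 HTTP status. The sample log is constructed for this example.

SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:10:01:10 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:01:10 +0000] "GET /backup.zip HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:01:11 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:01:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2024:10:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2810 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Mar/2024:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read a log on stdin; print "failures ip outcome" for every address that
# POSTed to wp-login.php and got the form back (HTTP 200, i.e. bad credentials)
# at least $1 times (default 5). A 302 after the failures means a login worked.
login_bursts() {
  threshold=${1:-5}
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
      if ($9 == 200) fail[$1]++        # WordPress re-serves the form on failure
      else if ($9 == 302) ok[$1]++     # redirect to wp-admin: login succeeded
    }
    END {
      for (ip in fail)
        if (fail[ip] >= t)
          print fail[ip], ip, (ip in ok) ? "then-succeeded" : "no-success"
    }' | sort -rn
}

# Read a log on stdin; print "count ip" for addresses with at least $1 (default 3)
# 404 responses, the usual footprint of a scanner guessing plugin and backup paths.
scanner_candidates() {
  threshold=${1:-3}
  awk -v t="$threshold" '
    $9 == 404 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# Stand-alone run over the constructed sample.
echo "== wp-login.php brute force (>= 5 failures) =="
printf '%s\n' "$SAMPLE_LOG" | login_bursts 5
echo "== scanners (>= 3 x 404) =="
printf '%s\n' "$SAMPLE_LOG" | scanner_candidates 3
```

Both functions read the log on standard input, so they work equally on a live file, a rotated and compressed one through zcat, or a tail -f stream. The "then-succeeded" flag is the important refinement: a burst of failures followed by a 302 from the same address is the pattern of a password that was guessed, and that is an incident, not just noise to rate-limit.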
3. Get an SSL Certificate
Because your web server handles every request between browsers and your website, it needs to serve the site over HTTPS, which means installing a TLS certificate (still commonly called an SSL certificate). The good news is that certificates are now free through Let's Encrypt, and its client tooling can renew them automatically. Once the certificate is in place, redirect all plain HTTP traffic to HTTPS and set the WordPress site and home URLs to https, otherwise logins and session cookies still travel in the clear. This is more important now than ever, so if you don't have the technical ability to install this yourself, any quality hosting provider will be able to do it for you.
4. Add a Firewall
In addition to the encryption that TLS gives you, your web server should be fortified with a web application firewall. For Apache, this means enabling ModSecurity (mod_security2), which inspects each request against a ruleset before it reaches WordPress.
Install it from your distribution's packages (libapache2-mod-security2 on Debian and Ubuntu, mod_security from EPEL on Red Hat-family systems) and load a ruleset such as the OWASP ModSecurity Core Rule Set; the engine does nothing on its own. Two things catch people out: the recommended configuration that ships with the module sets SecRuleEngine DetectionOnly, which logs matches but blocks nothing until you change it to On, and a freshly enabled ruleset will produce false positives on a busy WordPress admin, so run it in detection mode first, review the audit log, and add exclusions before switching to blocking.
Once the firewall is live, it will stop many common attack patterns, like SQL injection, cross-site scripting and session-fixation attempts, before they reach your site. Treat it as a safety net rather than a substitute for patching: WAF rules can be bypassed, and an unpatched plugin is still unpatched.
5. Install mod_evasive
mod_evasive is the module that rate-limits abusive clients: it counts requests per IP address over a short window and returns a 403 Forbidden to, and optionally logs or blocks, any address that exceeds the thresholds you set (DOSPageCount and DOSPageInterval for repeated hits on the same page, DOSSiteCount and DOSSiteInterval for the site as a whole, DOSBlockingPeriod for how long the block lasts). That blunts simple denial-of-service floods and credential brute forcing against wp-login.php from a single address, so make sure it is enabled as well. It does not understand logins as such, and it cannot stop a distributed attack spread across many addresses, for which you need upstream filtering (a CDN or network-level protection) in addition. Tune the thresholds carefully: many legitimate users behind one NAT or proxy share an address, and a page with many assets generates many requests per visit.
6. Set HTTP Limits
Denial-of-service attacks are cheap for the attacker whenever a single request can tie up a worker process for a long time or force the server to buffer an enormous body. Apache's request-limit directives bound what any one request may cost, so set them explicitly instead of relying on defaults.
Here are the limits you'll want to establish:
LimitRequestBody caps the size of a request body; keep it large enough for your biggest WordPress media upload and no larger.
LimitRequestLine and LimitRequestFieldSize cap the length of the request line and of each header, and LimitRequestFields caps the number of headers a request may carry.
Timeout and KeepAliveTimeout bound how long a connection may sit idle; lower values free workers sooner.
RequestReadTimeout, from mod_reqtimeout, defends against slow-drip attacks such as slowloris by requiring headers and bodies to arrive at a minimum rate.
MaxRequestWorkers, in the MPM configuration, caps the number of concurrent workers so that a flood degrades service instead of exhausting the machine's memory.
7. Delete Unused Modules
Every module you load is code that runs in every worker and handles requests; an unused, unmaintained or obsolete one adds a point of entry that doesn't even need to be there, and it costs memory besides.
The first thing you should do is find out which modules are actually loaded: httpd -M (apachectl -M, or apache2ctl -M on Debian and Ubuntu) lists them. Modules are loaded by the LoadModule lines in httpd.conf and the files it includes, so once you've sifted through the list and identified the ones you don't need, comment out each one's LoadModule line by adding a "#" in front of it (on Debian and Ubuntu, a2dismod does the same through the mods-enabled symlinks), run apachectl configtest to confirm the configuration still parses, and then restart. Typical candidates on a WordPress host are mod_status, mod_info, mod_userdir, mod_autoindex and the SSI and CGI modules covered in step 14.
8. Change Default User and Group
Default settings and default accounts left in place are bad security practice in general, but the point with Apache's user and group is less that attackers know the default names (www-data, apache) and more what that account is allowed to do. Apache starts as root so that it can bind ports 80 and 443, then drops to the account named by the User and Group directives; every request, and every PHP script WordPress runs in-process, executes with that account's rights. If that is root, or an account shared with other services, one exploited plugin hands the attacker the whole machine.
Rather than leave the defaults in place, create a dedicated non-privileged account, with no login shell and no home directory, to run your Apache processes under. Use groupadd and useradd (as a system account with a nologin shell) to set the new entities, then update the User and Group directives in httpd.conf with the names you've created. Give that account read access to the WordPress files and write access to wp-content/uploads, and be deliberate about letting it write anywhere else: WordPress's automatic updates need write access to the code, which is convenient, but it also means a compromised request can rewrite that code.
9. Block Directory Access
Here is another example of a default that needs to be changed. Apache resolves requests against the filesystem, and on many installs the top-level <Directory /> block grants access to all of it, which lets anyone explore wherever they'd like.
To put a total block in place at the filesystem root, use the following inside <Directory />:
Require all denied
Then grant access explicitly, and only to the directories you deliberately publish, with their own <Directory> blocks; for the document root that is:
Require all granted
If you want to restrict a directory to certain users or addresses rather than open it to everyone, use the more specific forms of the same directive: Require ip limits access by client address, and Require user or Require valid-user (together with AuthType and AuthUserFile) limits it to authenticated users, which is the usual way to put an extra password in front of wp-admin. These are Apache 2.4 directives; the 2.2 series used Order, Allow and Deny instead.
10. Disable Directory Listing
Did you know that if a directory has no index file, Apache's default on many installs is to generate a listing of everything it contains? On a WordPress site that exposes wp-content/uploads, plugin directories and any stray backups to anyone who asks. That's obviously not good, so you'll need to disable this default with the following in the relevant <Directory> block:
Options -Indexes
The leading minus removes only Indexes and leaves the other options alone, which matters because mod_rewrite, and therefore WordPress permalinks, needs FollowSymLinks or SymLinksIfOwnerMatch to stay enabled.
11. Hide Server Details
Because Apache is open source software, the version you run and the modules you load are enough for an attacker to look up which known vulnerabilities apply, and Apache advertises both unless you tell it not to. Hiding them fixes nothing (patching does), but it removes the easy first step from automated scanners and from anyone fingerprinting your server.
There are two directives to set:
ServerSignature controls the footer line on server-generated pages such as error pages and directory listings; when it is On, that line names the server version and can include the OS.
ServerTokens controls how much the Server response header reveals: Full includes the OS and loaded modules, while Prod reduces it to just "Apache". Prod is the most restrictive value; the header itself cannot be removed with core directives.
Anyone can see this information simply by requesting a non-existent page or reading the response headers, so it's pretty important to block it. To do this, update httpd.conf with the following:
ServerSignature Off
ServerTokens Prod
12. Hide the ETag
The ETag header Apache sends with static files is derived from file attributes, and on older releases the default FileETag included the file's inode number, which leaks details of the server's filesystem to the outside world. Apache 2.4 defaults to MTime Size, which is less revealing, but vulnerability scanners (including those used for PCI DSS compliance, which matters if you run an e-commerce site) commonly still flag any ETag, so the simplest course is to turn it off.
To do this, add the following directive to your httpd.conf:
FileETag None
Browsers then fall back to the Last-Modified header for cache validation, so there is no practical loss. If you prefer to keep FileETag for other reasons, stripping the header with mod_headers (Header unset ETag) has the same external effect.
13. Disable .htaccess Override
The .htaccess file is an important file for any WordPress website: WordPress writes its permalink rewrite rules there, and many plugins add rules of their own. That is exactly why it is a favourite target. An attacker who gains write access to the web root, through a vulnerable plugin for instance, can drop an .htaccess that redirects your visitors, changes which files are executed as PHP, or re-enables settings you disabled. Setting AllowOverride None makes Apache ignore .htaccess files entirely, so your configuration can only be changed by someone with access to httpd.conf, and it also speeds up every request, because Apache stops checking each directory in the path for an .htaccess file.
Before you turn overrides off, move the rules WordPress put in .htaccess into the <Directory> block for your document root in the virtual host configuration, and expect plugins that write to .htaccess to complain; if you need a middle ground, AllowOverride FileInfo permits the rewrite rules, but it also permits handler changes, so it is weaker than None. To disable overrides, add the following to the <Directory> block for your web root in httpd.conf:
Options -Indexes
AllowOverride None
14. Disable SSI and CGI
Server Side Includes (SSI) let an HTML file pull in other files or, through the exec element, run commands on the server, and CGI turns files in the affected directory into executable programs. WordPress needs neither (PHP runs through mod_php or PHP-FPM), so leaving them on only gives an attacker who manages to upload a file one more way to run it. To prevent either from being used to execute code or include files you didn't intend, turn them off or restrict them through the Options directive.
Here are the Options values you can use:
Options -Includes -ExecCGI
If you genuinely need SSI for some static content, IncludesNOEXEC permits includes but disables the exec element. Use the leading-minus form shown here rather than Options None, which would also remove FollowSymLinks and break mod_rewrite.
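Steps 6 through 14 are all checks against httpd.conf and the files it includes, so here is a way to audit them in one pass, as an added example that is not part of the original article: a shell script whose awk core reads an Apache configuration and reports every setting that contradicts the checklist (ServerTokens and ServerSignature, FileETag, AllowOverride, Options with Indexes, Includes or ExecCGI, a root User or Group, a missing LimitRequestBody, and whether the ModSecurity and mod_evasive modules are loaded). The "weak" and "hardened" configurations at the bottom are constructed for the example; the module file names, directory paths and limit values in them are illustrative placeholders, not recommendations for a particular host.

```shell
#!/bin/sh
# Added example: audit an Apache 2.4 configuration for the checklist items.
# Pass one or more config files (in include order) or feed the text on stdin.
# Output: one finding per line, sorted; no output means nothing was flagged.

audit_apache_conf() {
  awk '
    { sub(/#.*/, ""); sub(/^[[:space:]]+/, ""); if ($0 == "") next; d = tolower($1) }
    d == "servertokens"    { tok = 1;  if (tolower($2) != "prod") f["ServerTokens is " $2 " (want Prod)"] = 1 }
    d == "serversignature" {           if (tolower($2) != "off")  f["ServerSignature is " $2 " (want Off)"] = 1 }
    d == "fileetag"        { etag = 1; if (tolower($2) != "none") f["FileETag is " $2 " (want None)"] = 1 }
    d == "allowoverride"   { if (tolower($2) != "none") f["AllowOverride " $2 " lets .htaccess override settings"] = 1 }
    d == "options" {
      for (i = 2; i <= NF; i++) {
        o = tolower($i)
        if (o == "indexes"  || o == "+indexes"  || o == "all") f["Options enables Indexes (directory listing)"] = 1
        if (o == "includes" || o == "+includes" || o == "all") f["Options enables Includes (SSI)"] = 1
        if (o == "execcgi"  || o == "+execcgi"  || o == "all") f["Options enables ExecCGI (CGI execution)"] = 1
      }
    }
    d == "user"  { usr = 1; if (tolower($2) == "root") f["User root: Apache must run as an unprivileged account"] = 1 }
    d == "group" { grp = 1; if (tolower($2) == "root") f["Group root: Apache must run as an unprivileged group"] = 1 }
    d == "limitrequestbody" { body = 1 }
    d == "loadmodule" && $2 == "security2_module" { waf = 1 }
    d == "loadmodule" && $2 == "evasive20_module" { evasive = 1 }
    END {
      if (!tok)         f["ServerTokens not set (default Full reveals version and modules)"] = 1
      if (!etag)        f["FileETag not set (set FileETag None)"] = 1
      if (!usr || !grp) f["User/Group not set: Apache will run as the compiled-in default"] = 1
      if (!body)        f["LimitRequestBody not set (unbounded on releases before 2.4.53)"] = 1
      if (!waf)         f["mod_security2 not loaded (no web application firewall)"] = 1
      if (!evasive)     f["mod_evasive not loaded (no per-client rate limiting)"] = 1
      for (k in f) print k
    }' "$@" | sort
}

# Constructed "weak" configuration: the kind of defaults an installer leaves behind.
WEAK_CONF='ServerTokens OS
ServerSignature On
User www-data
Group www-data
LoadModule php_module modules/libphp.so
<Directory /var/www/html>
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
    Require all granted
</Directory>'

# Constructed hardened version of the same host (paths and sizes are placeholders).
HARDENED_CONF='ServerTokens Prod
ServerSignature Off
FileETag None
User www-data
Group www-data
LimitRequestBody 10485760
LimitRequestFields 100
LimitRequestFieldSize 8190
LimitRequestLine 8190
Timeout 30
LoadModule security2_module modules/mod_security2.so
LoadModule evasive20_module modules/mod_evasive24.so
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
<Directory /var/www/html>
    Options -Indexes -Includes -ExecCGI +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>'

# Stand-alone run: findings for each configuration.
echo "== weak =="
printf '%s\n' "$WEAK_CONF" | audit_apache_conf
echo "== hardened =="
printf '%s\n' "$HARDENED_CONF" | audit_apache_conf
```

The checker is deliberately literal: it flags any AllowOverride other than None and any Options line that turns Indexes, Includes or ExecCGI on, so a directory that legitimately needs one of them shows up as a finding you then justify, rather than something the script quietly assumed was fine. Run it over every file Apache actually reads (on Debian and Ubuntu that means the sites-enabled and conf-enabled directories as well as apache2.conf), because a hardened httpd.conf is undone by a permissive virtual host.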
Taking Care of Your Apache Server
In an effort to harden your website's security, pay special attention to your Apache server. Server misconfiguration and default settings left in place can put your site at risk just as much as an outdated WordPress core or unsafe PHP coding practices can, and most of the items above are a one-time effort: set them once, keep the software updated, and keep reading the logs.