In this section, we will harden the server by securing the Apache, MariaDB, and PHP8.1-FPM services.
This is for Ubuntu 24.04 which we walked you through setting up in the Beginner’s Tutorial linked above.
This picks up at the end of the previous tutorial, so you should already be logged in to your server. Run the following commands either in Git Bash or your terminal.
Note on the difference between reload and restart for the Apache server:
reload does not stop the Apache service; it only re-reads the Apache config files.
restart stops the Apache service, re-reads the Apache config files, then starts the Apache service again.
So, do these 3 in order:
sudo apachectl configtest
sudo systemctl reload apache2
sudo systemctl restart apache2
Harden Apache
cd /etc/apache2/conf-available/
Make a backup of the security.conf file:
sudo cp security.conf security.conf.bak
Open the security.conf file:
sudo nano security.conf
Scroll to ServerTokens OS and change it to Prod, so it reads:
ServerTokens Prod
Below that, place a # in front of the line ServerSignature On to disable it, so it should look like this:
#ServerSignature On
Then remove the # from the start of the line ServerSignature Off to enable it, so it should look like this:
ServerSignature Off
Save the file: Ctrl + o, then press Enter.
Exit the file: Ctrl + x.
Prevent Apache from producing directory listings by disabling the autoindex module, and enable the headers module:
sudo a2dismod -f autoindex
sudo a2enmod headers
Test the configuration and look for Syntax OK:
sudo apachectl configtest
Reload the apache server to enable the changes:
sudo systemctl reload apache2
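The same security.conf changes can be applied and verified without hand-editing. The script below is an added example, not part of the original tutorial: harden_security_conf rewrites the two directives in whatever file you name, security_conf_hardened reports whether the active settings are the hardened ones, and the --live branch applies it to the real file after taking the same backup, reloading Apache only if configtest passes (the reload rule from the note at the top of this section). The function names and the --live flag are this example's own; the paths are the tutorial's.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the security.conf edits
# done non-interactively, with a check you can run before and after.
# Function names and the --live flag are this example's own choices.

# Rewrite the file in place: ServerTokens -> Prod, ServerSignature -> Off.
# Lines that start with # are left alone, so the stock commented reference
# lines ("#ServerTokens Full" and friends) survive untouched.
harden_security_conf() {
    local f="$1"
    sed -i -E 's/^[[:space:]]*ServerTokens[[:space:]]+.*/ServerTokens Prod/' "$f"
    sed -i -E 's/^[[:space:]]*ServerSignature[[:space:]]+On[[:space:]]*$/#ServerSignature On/' "$f"
    sed -i -E 's/^#+[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$/ServerSignature Off/' "$f"
    # If the file had no such lines at all, append them so the setting still applies.
    grep -qE '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$f" || echo 'ServerTokens Prod' >> "$f"
    grep -qE '^[[:space:]]*ServerSignature[[:space:]]+Off' "$f" || echo 'ServerSignature Off' >> "$f"
}

# Returns 0 when the hardened settings are the active ones, 1 otherwise.
security_conf_hardened() {
    local f="$1"
    grep -qE '^[[:space:]]*ServerTokens[[:space:]]+Prod[[:space:]]*$' "$f" || return 1
    grep -qE '^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$' "$f" || return 1
    # An uncommented "On" or a verbose token level elsewhere in the file would
    # contradict the lines above, so none may remain active.
    ! grep -qE '^[[:space:]]*ServerSignature[[:space:]]+On' "$f" || return 1
    ! grep -qE '^[[:space:]]*ServerTokens[[:space:]]+(Full|OS|Minimal|Minor|Major|Min)' "$f"
}

# Apply to the real file. Run the whole script as root (sudo sh harden-apache.sh --live)
# so the functions do not need sudo inside them.
if [ "${1:-}" = "--live" ]; then
    conf=/etc/apache2/conf-available/security.conf
    cp "$conf" "$conf.bak"
    harden_security_conf "$conf"
    # Reload only after configtest passes: a broken config must never take the
    # running server down.
    security_conf_hardened "$conf" && apachectl configtest && systemctl reload apache2
    # Afterwards the Server header should read just "Apache", no version or OS:
    #   curl -sI http://localhost/ | grep -i '^Server:'
fi
```

Try it on a copy first (for example `cp /etc/apache2/conf-available/security.conf /tmp/security.conf`, then call harden_security_conf and security_conf_hardened on that copy) before running it with --live.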
Go up one directory:
cd ..
or go straight to the Apache directory by its full path:
cd /etc/apache2/
Make a backup of the apache2.conf file:
sudo cp apache2.conf apache2.conf.bak
Open the apache2.conf file:
sudo nano apache2.conf
Search for: /var/www to find:
<Directory /var/www/>
In this block, do the following:
- Change AllowOverride None to AllowOverride All
- Under the line Require all granted, add a new line, press Tab once, then paste:
<LimitExcept GET POST HEAD PUT>
- Then add a new line, press Tab twice, then paste:
deny from all
- Then add a new line, press Tab once, then paste:
</LimitExcept>
Save the file: Ctrl + o, then press Enter.
Exit the file: Ctrl + x.
Enable the rewrite module:
sudo a2enmod rewrite
Go to the mods-available directory:
cd mods-available/
Or using the full path:
cd /etc/apache2/mods-available
Make a backup of the dir.conf file:
sudo cp dir.conf dir.conf.bak
Open the dir.conf file:
sudo nano dir.conf
On the DirectoryIndex line, remove everything except index.php.
(We leave only index.php because this tutorial is for setting up WordPress, which uses index.php. If you have other applications, you may need to add them here; for a simple static site, you could add index.html.)
Save the file: Ctrl + o, then press Enter.
Exit the file: Ctrl + x.
Test the configuration and look for Syntax OK:
sudo apachectl configtest
Reload the apache server to enable the changes:
sudo systemctl reload apache2
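apachectl configtest only checks that the files parse: it will happily accept a LimitExcept pasted into the wrong Directory block, or a DirectoryIndex that still lists index.html. The script below is an added example, not part of the original tutorial, that checks the two edits made above. www_block_hardened pulls the <Directory /var/www/> block out of apache2.conf and confirms AllowOverride All plus a LimitExcept for GET POST HEAD PUT that denies everything else; directory_index_only confirms what DirectoryIndex lists. One caveat is built in: deny from all is the pre-2.4 access syntax, which Apache 2.4 on Ubuntu still understands through the access_compat module; the native 2.4 equivalent is Require all denied, and the check accepts either form. Function names and the --live flag are this example's own; the file paths are the tutorial's.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: verify the apache2.conf
# and dir.conf edits, which configtest alone cannot do.
# Function names and the --live flag are this example's own choices.

# Print the body of the <Directory /var/www/> block (the tags themselves excluded).
www_block() {
    awk '/^[[:space:]]*<Directory[[:space:]]+\/var\/www\/?>/ { inblk = 1; next }
         /^[[:space:]]*<\/Directory>/                     { inblk = 0 }
         inblk' "$1"
}

# Returns 0 when the block has AllowOverride All and a LimitExcept naming
# GET POST HEAD PUT whose body denies everything else. Both the tutorial's
# "deny from all" (access_compat syntax) and the native Apache 2.4
# "Require all denied" are accepted.
www_block_hardened() {
    local blk le m
    blk=$(www_block "$1")
    printf '%s\n' "$blk" | grep -qE '^[[:space:]]*AllowOverride[[:space:]]+All[[:space:]]*$' || return 1
    le=$(printf '%s\n' "$blk" | grep -E '^[[:space:]]*<LimitExcept[[:space:]]') || return 1
    for m in GET POST HEAD PUT; do                 # order inside the tag does not matter
        printf '%s\n' "$le" | grep -qw "$m" || return 1
    done
    printf '%s\n' "$blk" | grep -qiE '^[[:space:]]*(deny from all|Require all denied)[[:space:]]*$' || return 1
    printf '%s\n' "$blk" | grep -q '</LimitExcept>'
}

# Returns 0 when the first active DirectoryIndex line lists exactly the given
# names, in order (e.g. directory_index_only dir.conf index.php).
directory_index_only() {
    local f="$1" got
    shift
    got=$(sed -nE 's/^[[:space:]]*DirectoryIndex[[:space:]]+(.*[^[:space:]])[[:space:]]*$/\1/p' "$f" | head -n 1)
    [ "$got" = "$*" ]
}

# Check the live files at the tutorial's paths: sh check-apache.sh --live
if [ "${1:-}" = "--live" ]; then
    www_block_hardened /etc/apache2/apache2.conf \
        && echo 'apache2.conf: /var/www block ok' || echo 'apache2.conf: /var/www block NOT hardened'
    directory_index_only /etc/apache2/mods-available/dir.conf index.php \
        && echo 'dir.conf: DirectoryIndex ok' || echo 'dir.conf: DirectoryIndex still lists other files'
fi
```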
Harden MariaDB
Go back to your home directory:
cd
Run the MariaDB secure installation script:
sudo mysql_secure_installation
You will be prompted with several questions. This is how you should answer them:
- Enter current password: press Enter
- Switch to unix_socket authentication [Y/n]: no
- Change the root password? [Y/n]: no
- Remove anonymous users? [Y/n]: y
- Disallow root login remotely? [Y/n]: y
- Remove test database and access to it? [Y/n]: y
- Reload privilege tables now? [Y/n]: y
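mysql_secure_installation prints no summary of what it changed, so it is worth confirming the result. The script below is an added example, not part of the original tutorial: flag_risky_accounts reads User|Host rows and reports anonymous accounts and root accounts with a non-local host, which is exactly what the "remove anonymous users" and "disallow root login remotely" answers are meant to eliminate; audit_live feeds it the real account table using the same sudo mysql access the tutorial relies on. The function names, the | separator and the --live flag are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the MariaDB account
# table for what mysql_secure_installation should have removed.
# Function names, the "|" row format and the --live flag are this example's own.

# stdin: one "User|Host" row per line. Prints one line per finding:
#   anonymous <host>    an account with an empty user name
#   remote-root <host>  a root account reachable from other than the local machine
# Returns 1 if anything was flagged, 0 if the table is clean.
flag_risky_accounts() {
    local user host found=0
    while IFS='|' read -r user host; do
        if [ -z "$user" ]; then
            printf 'anonymous %s\n' "$host"
            found=1
        elif [ "$user" = "root" ]; then
            case "$host" in
                localhost|127.0.0.1|::1) ;;          # local only: fine
                *) printf 'remote-root %s\n' "$host"; found=1 ;;
            esac
        fi
    done
    return "$found"
}

# Run the real query. CONCAT joins the columns with "|" on purpose: with the
# default tab-separated output, an empty User column would be swallowed by the
# shell's word splitting and the anonymous account would go unnoticed.
audit_live() {
    command -v mysql >/dev/null 2>&1 || { echo 'mysql client not found' >&2; return 2; }
    sudo mysql -N -e "SELECT CONCAT(User, '|', Host) FROM mysql.user;" | flag_risky_accounts
    # The test database should be gone as well; this should print nothing:
    #   sudo mysql -N -e "SHOW DATABASES LIKE 'test%';"
}

# sh audit-mariadb.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live && echo 'account table clean'
fi
```

A clean table after the script has run should list only root@localhost (plus any application users you create later, such as the WordPress database user, which should also be @localhost).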
Harden PHP8.1-FPM
The main PHP 8.1 config file for the FPM service is /etc/php/8.1/fpm/php.ini.
Go to it:
cd /etc/php/8.1/fpm/
Make a backup of the php.ini file:
sudo cp php.ini php.ini.bak
Open the php.ini file:
sudo nano php.ini
Search for: cgi.fix to find this line:
;cgi.fix_pathinfo=1
Remove the ; from the start of the line to enable it, and change the 1 to 0, so it should look like this:
cgi.fix_pathinfo=0
If you will be using Elementor or WooCommerce on your WordPress site, skip the next step regarding allow_url_fopen.
Search for: allow_url_f to find allow_url_fopen = On and set it to Off, so it should then look like this:
allow_url_fopen = Off
Save the file: Ctrl + o, then press Enter.
Exit the file: Ctrl + x.
Restart the PHP8.1-FPM service:
sudo systemctl restart php8.1-fpm
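To confirm the php.ini edits took, and to re-check them later, the script below is an added example, not part of the original tutorial. ini_active_value returns the active (uncommented) value of a directive, ignoring ;-comments the way PHP does, and php_ini_hardened checks for cgi.fix_pathinfo=0 and allow_url_fopen = Off (or skips the latter when you kept it On for Elementor or WooCommerce). It reads the FPM file directly, because the command-line php binary loads /etc/php/8.1/cli/php.ini rather than the FPM one, so `php -i` on its own would report the wrong settings. Function names and the --live flag are this example's own; the path is the tutorial's.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: read the active value of a
# php.ini directive and check the two settings changed above. Pure text parsing,
# so it can be tried on a copy of the file first.
# Function names and the --live flag are this example's own choices.

# Print the active value of a directive. Like PHP, the last uncommented
# occurrence wins; lines starting with ";" and any trailing "; comment" after
# the value are ignored. Prints nothing when the directive is not set.
ini_active_value() {
    local f="$1" esc
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')          # "." in a key is literal
    sed -nE "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*([^;]*[^[:space:];])?.*$/\1/p" "$f" | tail -n 1
}

# Returns 0 when cgi.fix_pathinfo is 0 and allow_url_fopen has the expected
# value ("Off" by default). Pass "skip" as the second argument if you left
# allow_url_fopen On for Elementor or WooCommerce, as the tutorial allows.
php_ini_hardened() {
    local f="$1" fopen="${2:-Off}"
    [ "$(ini_active_value "$f" cgi.fix_pathinfo)" = "0" ] || return 1
    if [ "$fopen" = "skip" ]; then
        return 0
    fi
    [ "$(ini_active_value "$f" allow_url_fopen)" = "$fopen" ]
}

# sh check-php-ini.sh --live [skip]
if [ "${1:-}" = "--live" ]; then
    # The FPM service reads /etc/php/8.1/fpm/php.ini; the php command-line
    # binary reads /etc/php/8.1/cli/php.ini, so check the FPM file itself.
    php_ini_hardened /etc/php/8.1/fpm/php.ini "${2:-Off}" \
        && echo 'fpm php.ini: ok' || echo 'fpm php.ini: NOT hardened'
fi
```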
Coming up next
In the next tutorial, we’ll optimize the server for WordPress.
Questions and Comments are Welcome