14-Step Security Checklist for Apache

If you want to really fortify your WordPress website, securing Apache matters as much as securing any other program that connects to and runs your site. Your site's security, and potentially its speed, will suffer if you don't. Here is how to do it:

1. Update Apache

You know that WordPress, along with any installed plugins and themes, needs regular updates? So does your web server.

If you are unsure whether your website is running the most recent version of Apache, run httpd -v on the command line to check. If the version it prints differs from the current Apache release, update it as follows:

2. Turn on Logs

Working with a managed WordPress hosting company relieves you of much of the burden of watching for security flaws and other red flags in WordPress and on your server. Nevertheless, you should still monitor the traffic reaching your server.

In Apache, the mod_log_config module provides this activity log. Configure it and it will, in essence, report back to you what visitors do when they interact with your server.

3. Get an SSL Certificate

Because your web server handles every request between browsers and your site, it is critical to protect it with an SSL certificate. The good news is that free SSL certificates are now available. Since this is more crucial than ever, any reputable hosting company will install one for you if you lack the technical know-how to do it yourself.

4. Add a Firewall

In addition to the protection SSL encryption provides, put a firewall in front of your web server. For Apache, this means enabling ModSecurity, a web application firewall.

To install it on your server, run the following commands:

Once enabled, the firewall will block many malicious requests, such as SQL injection, session hijacking and cross-site scripting attempts, before they ever reach your site.

5. Install mod_evasive

Make sure that the mod_evasive module is activated as well, as it is the one that will defend your Apache server against DDoS and brute force attacks. It will monitor for malicious IPs and add unsuccessful and concurrent login attempts to a blacklist.
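As an added example that is not part of the original post, here is a mod_evasive configuration for a WordPress site. It assumes the module is already loaded; the thresholds, log directory and addresses are assumed starting points to tune for your own traffic, not values to copy blindly.

```apache
# Added example, not from the original post. Assumes mod_evasive is loaded.
# Apache does not allow comments after a directive on the same line, so every
# comment sits on its own line.

# Size of the per-child table that tracks client addresses.
DOSHashTableSize 3097

# Block a client that requests the same page more than 5 times in 1 second.
DOSPageCount 5
DOSPageInterval 1

# Block a client that requests more than 50 pages of any kind in 1 second.
DOSSiteCount 50
DOSSiteInterval 1

# How long (seconds) a blocked client keeps receiving 403 responses.
DOSBlockingPeriod 60

# Directory for per-address lock files; must exist and be writable by the
# account Apache runs as (assumed path).
DOSLogDir "/var/log/mod_evasive"

# Assumed contact address; an email is sent once per blocked address.
DOSEmailNotify ops@example.com

# Never block the local health check or the assumed monitoring network.
DOSWhitelist 127.0.0.1
DOSWhitelist 203.0.113.*
```

The counters are kept separately in each Apache child process, so with a prefork MPM a single client spread across many children may stay below the thresholds; check the DOSLogDir and error log after deployment to confirm the limits actually trigger.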

6. Set HTTP Limits

Blocking distributed denial of service (DDoS) attacks is quite easy if you know what kind of behaviour to look out for. Since DDoS attacks often involve flooding your server with a massive number of requests, your objective should be to implement limits that stop this from occurring.

The following are some boundaries you should set:

  • KeepAlive On
  • KeepAliveTimeout
  • LimitRequestBody
  • LimitRequestFields
  • LimitRequestFieldSize
  • LimitRequestLine
  • LimitXMLRequestBody
  • MaxClients
  • MaxKeepAliveRequests
  • MaxRequestWorkers
  • RequestReadTimeout
  • TimeOut
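As an added example that is not part of the original post, the fragment below sets every directive in the list above with sensible starting values for a WordPress site on the prefork MPM. The values are assumptions to tune against your own traffic; RequestReadTimeout needs mod_reqtimeout to be loaded.

```apache
# Added example, not from the original post. Values are assumed starting
# points, not defaults to copy unchanged.

# Reuse connections, but do not let an idle client hold a worker for long.
KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 100

# Seconds Apache waits for I/O on an established connection (default 60).
TimeOut 30

# Abort slow-trickle requests (mod_reqtimeout): headers must finish within
# 20 s, extended up to 40 s while at least 500 bytes/s arrive; the body must
# arrive at 500 bytes/s or better after a 20 s initial allowance.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# Bound request size and shape. A 10 MiB body still allows normal media
# uploads while rejecting oversized posts before PHP ever sees them.
LimitRequestBody 10485760
LimitRequestFields 50
LimitRequestFieldSize 4094
LimitRequestLine 4094

# Applies to bodies Apache itself parses as XML (for example mod_dav),
# not to PHP-handled endpoints such as xmlrpc.php. Value is in bytes.
LimitXMLRequestBody 1048576

# Concurrency ceiling. MaxRequestWorkers is the Apache 2.4 name for the
# older MaxClients; set the one your version understands, not both.
<IfModule mpm_prefork_module>
    StartServers 5
    MinSpareServers 5
    MaxSpareServers 10
    MaxRequestWorkers 150
    MaxConnectionsPerChild 1000
</IfModule>
```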

7. Delete Unused Modules

Modules on your Apache server that are unused, unmaintained or obsolete give attackers an unnecessary point of entry into your website.

First, determine which modules are actually active: they are the ones named in the LoadModule directives of your configuration. Go through that list, decide which modules you do not need, deactivate each one by putting a "#" in front of its LoadModule line, and then restart Apache.

8. Change Default User and Group

Leaving default settings or default users on any software is generally poor security practice. The reasoning is straightforward: if you use the default user or group names, you can assume attackers know them too.

Instead of using the defaults, create a new non-privileged account to run your Apache processes. The groupadd and useradd commands (run as root) create the new group and user. Just don't forget to add the new user and group names to your httpd.conf file.

9. Block Directory Access

Here is another example of a default setting that needs changing. By default, anyone can browse anywhere they like, because they have access to the files in your directory tree.

To block access to the whole directory tree, add the configuration below:

If you want to enable access to certain users, you can do so with this:

If you want to enable access to certain folders within the directory, you can do so with this:

10. Don’t Publish the Directory

Did you know that if a directory on your server has no index file, visitors can see a listing of everything stored in it? That is obviously not good, so you'll need to do the following to disable this default behaviour:

11. Hide Server Details

Apache is open source software, and unless these settings are turned off on the server, information about the version in use is readily visible. Block access to this critical information, because attackers can use it to work out how to compromise your system.

You should turn off the following two things:

  • ServerSignature – which adds the Apache version to server-generated pages
  • ServerTokens – which puts the OS version, among other sensitive server details, in the Server header

It is crucial that visitors never see this information, for example on a default error page. To accomplish this, add the following to the httpd.conf file:

12. Hide the ETag

Unfortunately, Apache's default ETag header includes details about the underlying file on your server. Anything that broadcasts that kind of information to the public ought to be kept private, of course. In addition, if you operate an e-commerce website, you must conceal this to maintain PCI compliance.

To do this, add the following directive to your httpd.conf:

13. Disable .htaccess Override

The .htaccess file is crucial for any WordPress website. For this reason, you must lock it down and make sure that nobody else can change the configuration through it.

Add the following to the root directory section of your httpd.conf file to disable overrides:

14. Disable SSI and CGI

If left unchecked, files with Server Side Includes (SSI) enabled can expose your website to several security risks, and the same goes for CGI scripts. Disable them, or limit their functionality with the Options directive, so that attackers cannot overload your server or insert dangerous scripts into your code.

The following Options values are available:

  • Options All
  • Options IncludesNOEXEC
  • Options -Includes
  • Options -ExecCGI
  • Options -Includes -ExecCGI
  • Options MultiViews
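As an added example that is not part of the original post, here is one hardened httpd.conf fragment that covers steps 8 to 14 together: the dedicated user and group, hidden server details and ETag, a deny-by-default directory tree with the document root and a specific folder opened selectively, no directory listings, no .htaccess overrides, and SSI and CGI turned off. The account names, paths and the management network are assumed placeholders; Header unset needs mod_headers and the rewrite rules need mod_rewrite.

```apache
# Added example, not from the original post. Names, paths and addresses
# are assumed placeholders.

# Step 8: run worker processes as a dedicated unprivileged account
# created beforehand with groupadd and useradd (names assumed).
User apache-www
Group apache-www

# Step 11: no Apache version on error pages, no OS details in the
# Server header.
ServerSignature Off
ServerTokens Prod

# Step 12: drop the file-based ETag entirely (needs mod_headers).
FileETag None
Header unset ETag

# Step 9: deny everything from the filesystem root down ...
<Directory "/">
    Options None
    AllowOverride None
    Require all denied
</Directory>

# ... then open only the WordPress document root (path assumed).
<Directory "/var/www/html">
    # Step 10: no listings. Step 14: no SSI, no CGI. FollowSymLinks is
    # required for mod_rewrite to work in a Directory context.
    Options -Indexes -Includes -ExecCGI +FollowSymLinks
    # Step 13: ignore .htaccess files completely ...
    AllowOverride None
    Require all granted
    # ... so the standard WordPress permalink rules must live here.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</Directory>

# Step 9, opening a folder to particular clients only: the admin area
# is reachable solely from an assumed management network.
<Directory "/var/www/html/wp-admin">
    Require ip 203.0.113.0/24
</Directory>
```

Some themes and plugins call wp-admin/admin-ajax.php from the public front end, so test the site after restricting wp-admin and relax that block if needed.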