EEV4 Wordpress Hardening


#1

I am running a Wordpress site on a VPS server (Ubuntu LEMP) and I am really struggling with the changes in EEV4. For example, I cannot figure out which NGINX file to modify to disable WordPress XML-RPC. The same goes for the NGINX HTTP Basic Authentication setup: which config file do I modify?

All the instructions, even the official EE ones for NGINX, are for EEV3. It would also be helpful if anyone has the steps for moving WordPress wp-login and wp-admin, and for Geo IP blocking at the public-facing app frontend and server backend.


#2

Can anyone help, or just point me in the direction of an online resource for EEV4 that covers anything in my post?


#3

+1 on this. Could someone help with access to the nginx files?
From the digging around I did, it’s under /var/lib/docker/volumes/yoursitenamecom_config_nginx/
But the file has root-only access, because of which our security plugins can’t write to this file.
I think changing the rights should fix the issue, but I don’t want to inadvertently break things.


#4

Check out the php and nginx configs from VirtuBox https://github.com/VirtuBox/ubuntu-nginx-web-server


#5

They mentioned any custom config will get overwritten on every EE upgrade if you use the normal NGINX conf files, and I’ve noticed there is a location for custom configuration here: /var/lib/docker/volumes/***********_config_nginx/_data/custom/user.conf

I just need a mod or someone to confirm this is the location, and whether we can literally just paste the following command in the user.conf file to disable WordPress XML-RPC:

server {
    location /xmlrpc.php {
        deny all;
    }
}

I get EE and appreciate EE is free; it’s got me this far. However, the lack of information on how to configure their latest version is a big negative for me, especially as they have taken the route of using docker containers. 70% of the VPS & Linux guides do not apply to the EEV4 environment.
Paths are different, conf files are different, and standard commands don’t work because the corresponding service only responds to EEV4’s limited commands. You cannot manually update PHP or other critical services unless the EE team makes the update available via their service; that in itself is a security risk.

I am at the point now where I am researching Runcloud and ServerPilot and planning on switching over and paying. If I am struggling this much with a tool when my site is not even live, it will be a nightmare when it’s live and I have to manage more threats etc.
I honestly hope someone from the EE team reads this, as they have created something good here. Dropping the ball on things like documentation and information taints it.


#6

Thank you Cim, I will check this out. Much appreciated.


#7


Here’s my stack setup for each WP site, where the config files are directly accessed from the host.


#8

I just took a look at your link. WordOps is based on EEV3, so the NGINX documentation there isn’t a match for EEV4. It looks like in WordOps you can modify the normal NGINX conf file, but in EEV4 you are advised not to.


#9

The screenshot I showed you is my own stack, not EE’s.


#10

Yeah, that’s my problem. The way EEV4 sets up the LEMP stack (my setup) is different to yours and most of the other LEMP VPS setups online.
My folder structure looks nothing like yours, and EE advises against directly modifying the NGINX.CONF file.


#11

Yeah, that’s the problem: mine is fully flexible, but EEv4 is not.


#12

Thanks for trying to help anyway.


#13

If you wanna help contribute to my stack, the link’s here: https://github.com/demyxco/demyx


#14

Searching this forum, it looks like my issue isn’t an uncommon one. The following link confirms it’s the user.conf file that needs to be modified for custom NGINX configuration.
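As an added example (not from any poster above, and not EasyEngine's own code), here is what the user.conf fragment asked about in #5 would look like, assuming EasyEngine v4 includes custom/user.conf inside the site's existing server { } block: the file then carries only directives valid in server context, such as location blocks, and must not wrap them in a server { } of its own.

```nginx
# Added example for an EEv4 custom/user.conf (assumed to be included
# inside the site's server { } block; confirm against the EE docs).
# Nothing here is wrapped in server { }: a nested "server" directive
# is invalid and nginx -t would reject the whole configuration.

# 1. Disable XML-RPC (the #5 question). The exact-match "=" location
#    takes precedence over the site's generic "~ \.php$" handler, so the
#    request is refused with 403 and never reaches PHP-FPM at all.
location = /xmlrpc.php {
    deny all;
}

# 2. Files WordPress never needs to serve to a browser.
location = /wp-config.php {
    deny all;
}
location ~ /\.(ht|git|svn) {
    deny all;      # .htaccess, .git/, .svn/ and similar dotfiles
}

# 3. No PHP execution from the uploads tree. The "^~" prefix match stops
#    the regex search, so the generic PHP handler is never consulted for
#    this subtree; the nested regex catches the .php files and static
#    media is still served from the inherited document root.
location ^~ /wp-content/uploads/ {
    location ~ \.php$ {
        deny all;
    }
}
```

Run nginx -t from inside the site's nginx container before reloading; an accidental server { } wrapper or a location that shadows the PHP handler shows up there rather than on the live site.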