battle programmers alliance

the LivinGrimoire Artificial General Intelligence software design pattern forum

Virtual Private Server grimoire
l1 :

A VPS is a physical server, split into virtual stand-alone, non-shared servers using virtualization software.
Therefore the service provider only takes care of the hardware and network connection.


l2:

from a VPS provider choose minimum VPS specs :
1 CPU core, 1 or 2 GB RAM, SSD drive, Gb/s network connection.

server distribution: Ubuntu 20.04.x; deploy now to install the server.
next, in the server info page are the IP, user and pass needed to run ssh shell commands.

Re: Virtual Private Server grimoire
l3
auxiliary tools :
generates random passwords

logging into the server the 1st time using a terminal emulator :

ssh root@ip

prompt: yes

prompt: pass.

Re: Virtual Private Server grimoire
l4
auxiliary tools :
generates random passwords
https://www.random.org/passwords/


l5 : software
any OS on your machine can be used

text editor
notepad++ or textmate or sublime text.

sftp client
this uploads and DLs files to your server :
fileZilla

browser

terminal emulator
this is the shell, where you type in commands using a command line interface.
SSH = secure shell, used to connect to the shell securely (encrypted)
*refer to pdf 4 config instructions.
cmd+shift+u to open terminal on mac

for windows : cmder from cmder.net and choose the full version
extract the 7z file into a folder named cmder, and create a shortcut to the
cmder.exe file.
right click its title bar to access settings:

startup, specified named task, {bash::bash}
on startup, environment, type :
set HOME=c:\cmder
on keys & macro, all hotkeys, type ctrl, click ctrl+w, and change ctrl to win
from the dropdown box at the bottom

keys & macro, paste, set paste mode 1 and 2 to multi lines, and save the settings.

save the directory : on the cmd : ^ mkdir .ssh
you won't see it with ^ ls because it starts with a dot, so it is hidden.
use ^ ls -al to display it.

mark a text in the cmder to copy it from the cmder, right click to paste

login to your server : ^ ssh root@ipaddress

l6 to l10

root@hp:~#
~ = home dir, # root user, $ non root user
user@VPSname:dir prompt

never log in as root user unless u need to run an installation script;
instead create a user with root privileges using sudo.

commands (The Definitive WordPress Course - Command List) :
1 adduser add a user to the vps
2 apt-get install or remove software on the vps; update, upgrade and dist-upgrade are also used.
3 cat display and combine files
4 cd change to the current user's home directory
5 cd .. go back one directory level, can be used to go back multiple levels: cd ../../
6 cd / change to the "root directory" of the VPS
7 chmod change file and directory permissions
8 chown change file and directory ownership
9 cp copy
10 logout log out of the vps
11 ls list files and directories, use with -l for a detailed list or -a to display all, e.g. ls -l or ls -a or ls -la
12 mkdir create a directory
13 mv move or rename a file or directory
14 nano a basic editor
15 passwd change the current user's password
16 pwd print working directory, display current directory path
17 rm remove or delete a file or directory
18 rmdir delete 'remove' a directory
19 service to start, stop and restart services that are running on our vps
20 sudo invoke root privileges, sudo is typed before the command
21 touch create a blank new file
22 usermod modify the groups a user belongs to, must be used with the -a -G flags. lowercase a, UPPERCASE G
23 visudo edit the sudoers file

example :
john@xps ~$ ls -l

drwxr-xr-x andrew andrew date file_or_dir_name :
d = directory or - for file
owner group user permissions for the file : read? write? execute? 4,2,1
777 means all users can do anything to the file.

l12
on the first login to the server the user is prompted to save an ssh key on his local machine.
if this happens again, make sure the credentials were typed correctly, or this could be a man in the middle attack,
or you reinstalled the server.

apt-get : this command can download or install new linux packages :
apt-get update //DL the updated package lists
apt-get upgrade //install updates
apt-get install // install packages
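An added example (mine, not from the post above): before answering yes at the first-login prompt, compare the host key fingerprint ssh shows with the one the provider's console (or ssh-keygen -lf /etc/ssh/ssh_host_*.pub on the server) gives you out of band. The helpers below compute the SHA256 fingerprint in the form OpenSSH prints it and compare it with a known_hosts entry, using only sh, awk and openssl. The host names, the 203.0.113.10 address and the key blobs are constructed for the demo and are not real keys.

```shell
#!/bin/sh
# Added example (not part of the original post): check a recorded SSH host key
# against a fingerprint obtained out of band, instead of answering "yes" blindly.
set -eu

# SHA256 fingerprint as OpenSSH prints it: "SHA256:" + base64(sha256(key blob)),
# without the '=' padding. $1 = base64 key blob from a known_hosts / .pub line.
hostkey_fingerprint() {
    printf '%s' "$1" | openssl base64 -d -A | openssl dgst -sha256 -binary \
        | openssl base64 -A | sed 's/=*$//; s/^/SHA256:/'
}

# Print "type blob" recorded for a host in a plain (unhashed) known_hosts file.
# Assumption: HashKnownHosts is off; hashed entries (lines starting with "|")
# are skipped here and need "ssh-keygen -F <host>" instead.
known_host_key() {   # $1 = known_hosts path, $2 = host name or IP
    awk -v h="$2" '
        $1 ~ /^\|/ { next }
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) { print $2, $3; exit } }
    ' "$1"
}

# Exit 0 if the recorded key matches the expected fingerprint, 1 if it differs
# (server reinstalled, or a man in the middle), 2 if the host is not recorded.
verify_hostkey() {   # $1 = known_hosts path, $2 = host, $3 = expected "SHA256:..." fingerprint
    entry=$(known_host_key "$1" "$2")
    [ -n "$entry" ] || return 2
    [ "$(hostkey_fingerprint "${entry#* }")" = "$3" ]
}

# Constructed sample data: the "key blobs" are arbitrary bytes, not real keys.
KEY_A=$(printf 'constructed-host-key-bytes-A' | openssl base64 -A)
KEY_B=$(printf 'constructed-host-key-bytes-B' | openssl base64 -A)

# Writes a sample known_hosts recording KEY_A for 203.0.113.10 and prints its path.
sample_known_hosts() {
    f=$(mktemp)
    printf '203.0.113.10,vps1 ssh-ed25519 %s\n' "$KEY_A" > "$f"
    printf 'other.example ssh-ed25519 %s\n' "$KEY_B" >> "$f"
    printf '%s\n' "$f"
}

# Demo: the recorded fingerprint is what you compare with the provider's console.
KH=$(sample_known_hosts)
echo "recorded for 203.0.113.10: $(hostkey_fingerprint "$KEY_A")"
if verify_hostkey "$KH" 203.0.113.10 "$(hostkey_fingerprint "$KEY_B")"; then
    echo "match"
else
    echo "MISMATCH: the key for 203.0.113.10 is not the one the provider shows"
fi
```

On a live machine the same comparison is `ssh-keygen -lf ~/.ssh/known_hosts` on your side against `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run through the provider's web console; if they differ and you did not reinstall, do not log in.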

Re: Virtual Private Server grimoire
l13
after login change the password with :
passwd
add new user :
adduser username
give new user root privileges :
usermod -aG sudo username //adds user to the sudo group (with root privileges)
pwd // print working directory
change to server root dir :
cd /
list files :
ls
change to etc dir :
cd etc
ls
cd ssh/
ls
you should see sshd_config

disable root user login by editing the sshd_config file:
create a copy of the file : cp original_name backup_name
cp sshd_config sshd_config.bak

now ls will list the new .bak file


edit the file with nano : nano filepath
clear //clears the shell from text
nano /etc/ssh/sshd_config (absolute path)
or nano sshd_config (local path)

in the nano file change PermitRootLogin yes to no
ctrl + x to exit the nano file, and yes to save.

restart the ssh service (to enable the settings change)
systemctl restart ssh
logout of the server :
exit

l14

login as the new user :
ssh user@server_ip_address

these cmds are to be performed regularly upon login to the server

update the package list
sudo apt-get update
upgrade the packages
sudo apt-get upgrade
if you get a "packages have been held back" message use
sudo apt-get dist-upgrade
if you get a "some packages are no longer needed" msg use
sudo apt-get autoremove

finally
sudo reboot

configure ssh key authentication :
create the .ssh dir to store the key file on the server in the user home dir :
cd
mkdir .ssh/
list contents including hidden files (dot)
ls -al

finally :
exit

l15
block user/pass login and use ssh key authentication instead :
generate a key pair (public & private) and store it on your local machine:
ssh-keygen -t rsa -b 4096
on prompt "Enter file in which to save the key (path)":
type : .ssh/1st_key
on prompt enter passphrase : choose some password
to see this key :
cd .ssh
ls -l

return to home dir :
cd
copy public key to server :
scp file_name user@host:/path
scp .ssh/1st_key.pub username@ip:/home/username/.ssh/
######################################################

configure your server to login with ssh key instead of user/pass :

login as the new user :
ssh user@server_ip_address
cd .ssh/
ls
create the authorized_keys file
mv 1st_key.pub authorized_keys
lock down said authorized_keys file, only the owner will have file permissions
chmod 400 authorized_keys
sudo chattr +i authorized_keys

go back 1 dir :
cd ..
ls -la
lock down the .ssh dir
chmod 700 .ssh/
see the permissions change :
ls -la

enable ssh key auth :
cd /etc/ssh
sudo nano sshd_config

now you opened the file in nano :
delete # on line: #PubkeyAuthentication yes
change line: #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
to :
AuthorizedKeysFile %h/.ssh/authorized_keys .ssh/authorized_keys2
change line: #PasswordAuthentication yes
to : PasswordAuthentication no

ctrl + x , prompt yes

restart the ssh service to enable the changes to the ssh config file:
sudo systemctl restart ssh
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
login using ssh key auth :
ssh -i /path/key user@ip
which is the private key:
ssh -i .ssh/key user@ip
prompt passphrase (the one you typed when you created the ssh key pair)

exit
to log out.

l16 ssh config file login :
ssh config file : created on your machine, and used to login using an alias

login :
ssh -i .ssh/key user@ip
cd .ssh
nano config

Host alias
HostName server ip
User server user name
IdentityFile path to private key
// keeping login live settings :
ServerAliveInterval 60
ServerAliveCountMax 120

ctrl+x

now you can log in with :
ssh alias

if you have additional servers add them to the config file

Host alias
HostName server ip
User server user name
IdentityFile path to private key
ServerAliveInterval 60
ServerAliveCountMax 120

Host 2nd
HostName server ip2
User server user name2
IdentityFile path to private key
ServerAliveInterval 60
ServerAliveCountMax 120

l17 firewall

login to your server
ssh alias
clear
sudo ufw status
the status should say inactive
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
up arrow key will retype the last cmd
sudo ufw allow http
sudo ufw allow https
enable the new rules :
sudo ufw enable
on prompt reply yes
sudo ufw status
ports 22, 80, 443 are open, all other ports are closed
sudo reboot

wait a few minutes for your server to reboot before logging in again

l18 fail2ban : lowering brute force attacks

sudo apt-get update
sudo apt-get install fail2ban
on prompt select y
clear

cd /etc
ls

cd fail2ban/
ls
sudo cp jail.conf jail.local

edit the jail.local :
sudo nano jail.local

scroll down to the MISCELLANEOUS OPTIONS
uncomment (delete #) and set :
bantime = 604800s
findtime = 10800s
maxretry = 2

after 2 failed login attempts the ip will be banned from login for 7 days.

ctrl + x
on prompt : y

cd jail.d/
ls
sudo nano defaults-debian.conf

ssh enable should say true

sudo systemctl restart fail2ban

cd /var/log
ls
view file contents :
sudo cat fail2ban.log
there is a login history with ip addresses
sudo less fail2ban.log
the above is used for watching large log files, it has page scrolling
q to quit

L20 installing apache

sudo apt-get update
sudo apt-get upgrade
if you get a message : packages have been held back, run :
sudo apt-get dist-upgrade
if you get a message : packages no longer needed, run :
sudo apt-get autoremove

sudo apt-get install apache2 apache2-utils
if you open your browser to your server ip, you should see a default ubuntu site.
install mariaDB
sudo apt install mariadb-server

install various php modules that are needed by apache and WordPress

sudo apt-get install php7.2-fpm php7.2-opcache php7.2-gd php7.2-mysql
php7.2-json php7.2-mbstring php7.2-curl php7.2-cli php7.2-xml php7.2-zip
php7.2-soap php7.2-bcmath php7.2 php-imagick php-ssh2 php7.2-common

enable and disable a few apache modules:
sudo a2enmod // enables an apache module
sudo a2dismod // disables a module
sudo a2enmod proxy_fcgi setenvif
sudo a2enconf php7.2-fpm
sudo a2dismod mpm_prefork
sudo a2enmod mpm_event
sudo service apache2 restart

##############################################################################
l21 securing apache

prevent apache from displaying a directory index in the event that no index file is present, and
enable the headers module - this module provides directives to control and modify HTTP request and response
headers. headers can be merged, replaced or removed.

sudo a2dismod -f autoindex
sudo a2enmod headers
sudo systemctl restart apache2
open the security.conf file, that is located in the /etc/apache2/conf-available directory
1st make a copy :
cd /etc/apache2/conf-available/
sudo cp security.conf security.conf.bak
sudo nano /etc/apache2/conf-available/security.conf

Make the following changes:
ORIGINAL VALUE -> MODIFIED VALUE
ServerTokens OS -> ServerTokens Prod
ServerSignature On -> ServerSignature Off
//reduce drive by DL risk :
#Header set X-Content-Type-Options: "nosniff" -> Header set X-Content-Type-Options: "nosniff"
#Header set X-Frame-Options: "sameorigin" -> Header set X-Frame-Options: "sameorigin"
ADD TO FILE -> Header set X-XSS-Protection: "1; mode=block"
ADD TO FILE -> FileETag None
ADD TO FILE -> Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Close, save and restart apache:
sudo apachectl configtest
sudo systemctl restart apache2

edit the dir.conf file, that is located in the /etc/apache2/mods-available directory
make a copy 1st :
cd /etc/apache2/mods-available/
sudo cp dir.conf dir.conf.bak
open the file :
sudo nano /etc/apache2/mods-available/dir.conf
Remove all values in the DirectoryIndex directive and add only index.php

ORIGINAL: DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
MODIFIED: DirectoryIndex index.php index.html

ctrl + x, y to save
sudo apachectl configtest
should say syntax ok
sudo systemctl restart apache2
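Added example for l13 and l15 (mine, not from the post): a script that makes the sshd_config changes on a copy and then reads back the value sshd will actually use. Two things the nano walkthrough cannot show: sshd takes the FIRST occurrence of a directive, and Ubuntu 20.04's sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there silently wins over anything you edit below it. The sample config, the "backup" user in the Match block and the ChallengeResponseAuthentication line are my additions; that last directive closes the keyboard-interactive password path that PasswordAuthentication no alone leaves open.

```shell
#!/bin/sh
# Added example (not from the original post): apply the l13/l15 sshd_config
# edits idempotently and read back the effective value (first match wins).
set -eu

# Set "Key value" in the sshd_config at $1. The first active or commented line
# for Key before any Match block becomes the setting; later duplicates and
# commented copies are dropped. If Key is absent it is inserted before the first
# Match block (or appended). Writes through cat so file mode/owner are kept.
set_sshd_directive() {   # $1 = file, $2 = key, $3 = value
    tmp=$(mktemp)
    awk -v key="$2" -v val="$3" '
        BEGIN { lk = tolower(key); done = 0; inmatch = 0 }
        {
            active = ($0 !~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # drop indent and a leading "#"
            split(line, w, /[ \t=]+/)
            k = tolower(w[1])
            if (active && k == "match") {          # everything from here is conditional
                if (!done) { print key " " val; done = 1 }
                inmatch = 1
            }
            if (inmatch) { print; next }
            if (k == lk) {
                if (!done) { print key " " val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Print the value sshd resolves for $2 from the global section of $1, or
# "(default)" if it is not set there. Assumption: no sshd_config.d drop-in sets
# it first and the "Key value" form is used (not "Key=value").
effective_sshd_value() {   # $1 = file, $2 = key
    awk -v key="$2" '
        BEGIN { lk = tolower(key); found = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == lk { print $2; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

# The post's settings, plus ChallengeResponseAuthentication no (my addition),
# which otherwise still allows keyboard-interactive password prompts.
harden_sshd_copy() {   # $1 = sshd_config copy
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" PubkeyAuthentication yes
    set_sshd_directive "$1" PasswordAuthentication no
    set_sshd_directive "$1" ChallengeResponseAuthentication no
}

# Constructed sample resembling the Ubuntu default layout (not a real file).
sample_sshd_config() {
    f=$(mktemp)
    printf '%s\n' \
        'Include /etc/ssh/sshd_config.d/*.conf' \
        '#PermitRootLogin prohibit-password' \
        '#PubkeyAuthentication yes' \
        'PasswordAuthentication yes' \
        '#PasswordAuthentication yes' \
        'Match User backup' \
        '    PasswordAuthentication yes' > "$f"
    printf '%s\n' "$f"
}

# Demo: work on a copy, as the post does with sshd_config.bak, then inspect it.
CFG=$(sample_sshd_config)
harden_sshd_copy "$CFG"
for k in PermitRootLogin PasswordAuthentication PubkeyAuthentication ChallengeResponseAuthentication; do
    echo "$k = $(effective_sshd_value "$CFG" "$k")"
done
```

On the real box run harden_sshd_copy as root on /etc/ssh/sshd_config, check `sudo sshd -t` before restarting, confirm with `sudo sshd -T | grep -i -e permitrootlogin -e passwordauthentication`, and keep your current session open until a fresh key login works.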
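Added example for l18 (mine, not from the post): instead of paging through fail2ban.log with less, summarise it with awk: bans per IP, repeat offenders, and IPs that were matched ("Found") but never reached maxretry. The log lines are constructed in fail2ban's format with RFC 5737 test addresses, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): summarise /var/log/fail2ban.log.
set -eu

# Ban events per IP, most banned first. "Restore Ban" lines (bans reloaded from
# fail2ban's database on restart) and "Unban" lines do not match "] Ban ".
ban_counts() {   # $1 = fail2ban.log
    awk '/\] Ban / { bans[$NF]++ } END { for (ip in bans) print ip, bans[ip] }' "$1" \
        | sort -k2,2nr -k1,1
}

# IPs banned at least $2 times: candidates for a permanent ufw deny rule or for
# fail2ban's recidive jail.
repeat_offenders() {   # $1 = fail2ban.log, $2 = minimum ban count
    ban_counts "$1" | awk -v min="$2" '$2 >= min { print $1 }'
}

# IPs that produced filter matches but no ban: low-and-slow attempts that stay
# under maxretry within findtime, invisible if you only look at Ban lines.
found_not_banned() {   # $1 = fail2ban.log
    awk '
        match($0, /\] Found [^ ]+/) { ip = substr($0, RSTART + 8, RLENGTH - 8); found[ip] = 1 }
        /\] Ban / { banned[$NF] = 1 }
        END { for (ip in found) if (!(ip in banned)) print ip }
    ' "$1" | sort
}

# Constructed sample log in fail2ban's format (not real traffic); prints its path.
sample_fail2ban_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2020-05-10 10:00:01,100 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2020-05-10 10:00:01
2020-05-10 10:00:07,200 fail2ban.filter         [812]: INFO    [sshd] Found 203.0.113.5 - 2020-05-10 10:00:07
2020-05-10 10:00:07,300 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2020-05-10 10:30:00,000 fail2ban.filter         [812]: INFO    [sshd] Found 198.51.100.7 - 2020-05-10 10:30:00
2020-05-17 10:00:08,000 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2020-05-17 11:00:00,000 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2020-05-17 11:00:30,000 fail2ban.actions        [812]: NOTICE  [sshd] Restore Ban 192.0.2.9
EOF
    printf '%s\n' "$f"
}

LOG=$(sample_fail2ban_log)
echo "bans per IP:";         ban_counts "$LOG"
echo "banned 2+ times:";     repeat_offenders "$LOG" 2
echo "found, never banned:"; found_not_banned "$LOG"
```

On the server the same calls read the real file: `sudo sh -c '. ./f2b.sh; ban_counts /var/log/fail2ban.log'`, or just replace the sample path; rotated logs (fail2ban.log.1, .gz) need to be concatenated in first if you want more than the current week.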

Re: Virtual Private Server grimoire
l22 enable apache2

cd /etc/apache2/
make a backup of the file :
sudo cp apache2.conf apache2.conf.bak
ls
open the apache2.conf file, located in the /etc/apache2 directory
sudo nano /etc/apache2/apache2.conf

under IncludeOptional sites-enabled/*.conf
paste :
<IfModule mpm_event_module>
StartServers 6
ServerLimit 16
ThreadsPerChild 25
MaxRequestWorkers 400
MinSpareThreads 200
MaxSpareThreads 400
MaxConnectionsPerChild 10000
</IfModule>

scroll up to
<Directory /usr/share>
and change to
<Directory /usr/share>
AllowOverride None
Require all granted
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>
</Directory>

ctrl+x y to save

enable the apache rewrite module to allow the use of .htaccess files
sudo a2enmod rewrite
sudo a2enmod http2
sudo apachectl configtest
if it says syntax error, expected </LimitExcept> :
sudo nano apache2.conf
make sure to add the </LimitExcept> closing tags
ignore the warning.
enable the changes
sudo service apache2 restart
to prevent the "could not reliably determine the server's fully qualified domain name" warning:
echo "ServerName localhost"
echo is a write cmd, but it needs to write somewhere else, so :
echo "ServerName localhost" | sudo tee /etc/apache2/conf-available/servername.conf
cd /etc/apache2/conf-available/
ls
display file contents :
cat servername.conf
should say : ServerName localhost
sudo a2enconf servername
sudo apachectl configtest
should say Syntax OK
sudo systemctl restart apache2

l23 removing dangerous default settings
from when mariaDB was installed

sudo mysql_secure_installation
on prompt for password press enter (root user has no password)
set root password ? n
remove anonymous users? y
Disallow root login remotely? y
(only access mariaDB on localhost)
remove test DB and access to it? y
reload privilege tables now? y

securing php 7.2
cd /etc/php/7.2/fpm/
sudo cp php.ini php.ini.bak
sudo nano php.ini
commented lines start with ;
ctrl+w to search
ctrl+w allow_url
allow_url_fopen = Off
ctrl+w cgi.fix_pathinfo
cgi.fix_pathinfo=0
ctrl+w max_input_vars
how many chars in post/get url
max_input_vars = 3000
memory_limit = 256M
ctrl+w upload_max
upload_max_filesize = 100M
post_max_size = 100M
ctrl+w opcache
opcache.enable=1
opcache.memory_consumption = 192M
opcache.interned_strings_buffer=16
opcache.max_accelerated_files=7963
opcache.validate_timestamps=0
opcache.revalidate_freq=0

ctrl+x ,y
sudo systemctl restart php7.2-fpm
to restart the service and clear the opcache (do this also in cases you add plugins to your sites)

l24 pointing domain to VPS

after you get a domain name (url), set it on your VPS,
from the VPS site, add domain.
next it will show you the CNAME, copy it.

at the site where you got your domain, paste the VPS ip
under the A record, and the CNAME you copied.

next you need to wait, as much time as is set in the TTL,
for the changes to take effect.

least soy domain providers :
ISNIC has been okay. We haven't had problems with TransIP thus far either.
Prq.se and Njal.la sell domains also.

l25 creating site directories

mkdir example.com
ls
cd example.com
mkdir public_html/
ls
cd public_html/
cd
delete non empty directories, example :
rm -rf example.com
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
mkdir -p example2.com/public_html
cd example2.com
cd
mkdir -p example3.com/public_html/extra/dir/
sudo apt-get install tree
display dir structure :
tree
delete example dirs :
rm -rf example*
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
cd /var/www
ls -l
sudo mkdir -p macwebdev.com/public_html/.well-known/
display all files and hidden files and directories :
tree -a

change the site dir ownership from root user and root group to
your non-root user on the server, and the group owner to the webserver
sudo chown -R username:www-data macwebdev.com/

l26 config apache to host multiple sites

cd /etc/apache2/sites-available/
ls
sudo cp 000-default.conf domain_name.com.conf
sudo nano domain_name.com.conf
remove all comments using ctrl+k, and
replace domain_name with your site domain, do this per site :

<VirtualHost *:80>
# However, you must set it for any further virtual host explicitly.
ServerName domain_name.com
ServerAlias www.domain_name.com
ServerAdmin webmaster@domain_name.com
DocumentRoot /var/www/domain_name.com/public_html
#^ dir where you store site files
ErrorLog /var/log/apache2/domain_name.com_error.log
CustomLog /var/log/apache2/domain_name.com_access.log combined
</VirtualHost>

ctrl+x

a virtual host for domain_name.com has been created
cd ..
ls
ls sites-enabled/
sudo a2ensite domain_name.com.conf
sudo systemctl restart apache2
ls sites-enabled/

the site is enabled but empty at this point.



l27 installing wordpress

sudo apt-get update
install password generator :
sudo apt-get install pwgen
pwgen <password length> <how many strings to generate>
pwgen 10 10
increase random level :
pwgen 10 10 -s
gen admin user for site :
pwgen 25 2 -s
OR
pwgen 25 2 -sy
############################################################
install WORDPRESS COMMAND LINE INTERFACE, WP-CLI on your VPS
cd
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
ls
should now show wp-cli.phar
ls -l
chmod +x wp-cli.phar
ls -l
sudo mv wp-cli.phar /usr/local/bin/wp
check if it was installed correctly :
wp --info
################################################
CREATING A DATABASE
installing the wordpress site : create DB, install site using wp-cli,
complete installation using the wp dashboard.

pwgen 10 3 -s
save into a .txt per site:
DB name: paste generated strings here
DB user: here
DB password: and here
=================
DATABASE COMMANDS
=================

CREATE DATABASE db_name;
CREATE USER 'db_user'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON db_name.* TO 'db_user'@'localhost' IDENTIFIED BY 'password';
to confirm :
SHOW GRANTS FOR 'db_user'@'localhost';
and flush privileges :
FLUSH PRIVILEGES;

pwgen 20 2 -s :
Admin User :
Admin Pass :

//end of txt file

login to mariaDB (DB root user, not the OS root user):
sudo mysql -u root
to view the DB list :
SHOW DATABASES;
// in the following paste the generated strings from the txt file (name, pass, user)
CREATE DATABASE db_name;
confirm :
SHOW DATABASES;
CREATE USER 'db_user'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON db_name.* TO 'db_user'@'localhost' IDENTIFIED BY 'password';
SHOW GRANTS FOR 'db_user'@'localhost';
FLUSH PRIVILEGES;
exit

MORE DB commands :
//show DB users :
SELECT user FROM mysql.user;
//delete a DB
DROP DATABASE db_name;
//delete a DB user
DROP USER db_user_name;

wordpress requires sendmail to be installed
sudo apt-get update
sudo apt-get install sendmail
//long install, wait 5 minutes


l28 installing wordpress pt2
change to the dir in which you want to install the wordpress site :
cd /var/www
ls
cd domain_name.com/
ls
cd public_html/
wp core download
or if you need a different language:
wp core download --locale=
and add the locale code for said language :

locale codes :
https://wpastra.com/docs/complete-list-wordpress-locale-codes/

next link the DB you have created :
wp core config --dbname= --dbuser= --dbpass= --dbprefix=
DO NOT USE wp_ as the database table prefix
use a random value instead like : 5h2fX_
example :
--dbprefix=5h2fX_
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&

choose if your site will display www or not

wp core install --url= --title='' --admin_user= --admin_password= --admin_email=

--url=http://example.com or http://www.example.com
title can be anything : 'corn cobs'
use random values for both admin user and admin password :
pwgen 20 2 -s
--admin_email=admin@domain_name.com

this may take a few minutes because sendmail has not been configured.
ls
now the url should show a default wordpress site.

l29 installing wordpress site pt3

create the .htaccess file and set permissions on it :
cd /var/www/example.com/public_html/
touch .htaccess
ls -la
sudo chown $USER:www-data .htaccess
ls -la
user = non root user name (sudo user)
sudo chmod 664 .htaccess
go to example.com/wp-admin
to log in paste the admin user then pass
next configure permalinks and delete default posts and pages:
settings->permalinks->set to post name->save changes
posts->all posts->trash hello world (trash all pages)->no comments in comments tab
set admin nickname :
Users tab->all users->edit->type nickname at its field->display name
publicly as : set to the new nick name->update profile
dashboard->home

config the wp-config.php file to allow plugin install and update from the dashboard
cd /var/www/example.com/public_html/
nano wp-config.php

paste above the line : /* That's all, stop editing!
/** Allow Direct Updating Without FTP */
define('FS_METHOD', 'direct');
/** Disable Editing of Themes and Plugins Using the Built In Editor */
define('DISALLOW_FILE_EDIT', true);
/** Allow Automatic Core Updates (must be the boolean true, not the string 'true') */
define('WP_AUTO_UPDATE_CORE', true);

exit and save.
you will notice a msg : you have new mail
change to the mail dir :
cd /var/mail
cat user_name
this will display the mail contents
remove the mail
rm file_name
which is the user_name in this case
restart php7.2-fpm
you can use the above also when a recently installed plugin doesn't work correctly


sudo chmod 664 .htaccess
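Added example for l21 and l23 (mine, not from the post): after the security.conf and php.ini changes, confirm what the server actually sends rather than trusting the files. The checker reads the output of `curl -sI https://example.com/` and reports the headers the post turns on or off (ServerTokens Prod, FileETag None, nosniff, X-Frame-Options, and the HSTS header added later in l32). The two header sets are constructed, not captured from a real host; X-Powered-By is checked as well because PHP emits it unless expose_php = Off is set in the php.ini of l23.

```shell
#!/bin/sh
# Added example (not from the original post): check response headers after
# the Apache hardening. Usage on a live site:
#   curl -sI https://example.com/ | check_security_headers
set -eu

# Reads raw response headers on stdin, prints one finding per line, exits 1 if any.
check_security_headers() {
    awk '
        {
            sub(/\r$/, "")                        # curl -sI output is CRLF
            i = index($0, ":")
            if (i == 0) next                      # status line or blank line
            name = tolower(substr($0, 1, i - 1))
            val = substr($0, i + 1); sub(/^ +/, "", val)
            h[name] = val
        }
        END {
            n = 0
            if (tolower(h["x-content-type-options"]) != "nosniff") { print "MISSING X-Content-Type-Options: nosniff"; n++ }
            if (!("x-frame-options" in h))           { print "MISSING X-Frame-Options"; n++ }
            if (!("strict-transport-security" in h)) { print "MISSING Strict-Transport-Security"; n++ }
            if ("etag" in h)                         { print "PRESENT ETag (FileETag None not in effect)"; n++ }
            if (h["server"] ~ /[0-9]/)               { print "LEAK Server: " h["server"]; n++ }
            if ("x-powered-by" in h)                 { print "LEAK X-Powered-By: " h["x-powered-by"]; n++ }
            exit (n > 0)
        }'
}

# Constructed samples (not captured from any real host).
headers_before() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Date: Mon, 11 May 2020 10:00:00 GMT' \
        'Server: Apache/2.4.41 (Ubuntu)' 'X-Powered-By: PHP/7.2.24' \
        'ETag: "2aa6-5a5c3c1d2e3f4"' 'Content-Type: text/html; charset=UTF-8' ''
}
headers_after() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' \
        'X-Content-Type-Options: nosniff' 'X-Frame-Options: sameorigin' \
        'Strict-Transport-Security: max-age=15552000; includeSubDomains;' \
        'Content-Type: text/html; charset=UTF-8' ''
}

echo "before hardening:"; headers_before | check_security_headers || true
echo "after hardening:";  headers_after  | check_security_headers && echo "no findings"
```

Run it against both http:// and https:// once the l31/l32 steps are done: the HSTS header only belongs on the TLS virtual host, and the plain-http vhost should answer with a redirect rather than the page.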

Re: Virtual Private Server grimoire
l30 securing wordpress
the non root user is the owner of all the sites and directories.
the web server is the group owner.

cd /var/www/example.com/public_html/
ls -l
change group owner :
sudo chown -R non_root_user:www-data /var/www/example.com
ls -l
sudo chown -R www-data:www-data /var/www/example.com/public_html/wp-content
ls -l
sudo find /var/www/example.com/public_html/ -type d -exec chmod 755 {} \;
ls -l
sudo find /var/www/example.com/public_html/ -type f -exec chmod 644 {} \;
ls -l
sudo chmod 664 .htaccess wp-config.php
ls -l

deny access to wp-config.php and xmlrpc.php
disable hotlinking of images
block author scans, deny access to certain file extensions


deny php execution in uploads, plugins and themes
unless a plugin needs it, in which case you comment out the "disable php in plugins"
rule, in the wp-config.php file.

deny access to important wordpress files
filter suspicious query strings in the url
filter non-english characters

clear
nano .htaccess
under # END WordPress
paste :

#Deny Access to WP-config and xmlrpc
<FilesMatch "(wp-config|xmlrpc)\.php$">
   Deny from all
</FilesMatch>

#Disable Hotlinking of Images - change site.com
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?site\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]

#DENY ACCESS TO FILES
<FilesMatch "\.(?:txt|htm|html)$">
Order allow,deny
Deny from all
</FilesMatch>

# General WordPress Protection

RewriteRule ^wp-admin/install\.php$ - [F]
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule (^|.*/)\.(git|svn)/.* - [F]


# Disable PHP in Uploads
RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Disable PHP in Plugins - check for issues with installed plugins
# RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Disable PHP in Themes - check for issues with selected theme
# RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Filter Request Methods
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
RewriteRule ^.* - [F]

# Filter Suspicious Query Strings in the URL
RewriteCond %{QUERY_STRING} \.\.\/ [OR]
RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} https?: [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
RewriteCond %{QUERY_STRING} %24&x [NC,OR]
RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=jetpack-sso
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
RewriteRule ^.* - [F]

# Filter Non-English Characters
RewriteCond %{QUERY_STRING} %[A-F][0-9A-F] [NC]
RewriteRule ^.* - [F]

l31 SSL certificate

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
continue? y
clear
install free ssl certificates :
sudo certbot --apache -d example.com -d www.example.com
email prompt : admin@example.com
agree? a
share email? n
redirect traffic to https ? 2
go to ssllabs.com, test your server, it should rank A


l32 configure ssl cert to obtain A+ rating

cd /etc/apache2/sites-available/
cd ../mods-available/
ls
sudo cp ssl.conf ssl.conf.bak
(/etc/apache2):
cd ..
clear
sudo mkdir ssl/
ls
cd ssl/
sudo openssl dhparam -out dhparam.pem 2048
wait a few minutes
ls
you should see dhparam.pem
cd ../mods-available/
ls
sudo nano ssl.conf
edit SSLProtocol to: SSLProtocol -all +TLSv1.2
ADD to the bottom of the ssl.conf file, above </IfModule>:
#SSL Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
# DHE (Diffie-Hellman key exchange)
SSLOpenSSLConfCmd Curves secp384r1
SSLOpenSSLConfCmd DHParameters "/etc/apache2/ssl/dhparam.pem"

exit and save
sudo apachectl configtest
Syntax OK


Change to the /etc/letsencrypt/ directory and open the options-ssl-apache.conf file
cd /etc/letsencrypt/
sudo nano options-ssl-apache.conf
Change SSLProtocol to:
SSLProtocol -all +TLSv1.2

Modify your site's LE generated ssl virtual host file
sudo nano /etc/apache2/sites-available/example.com-le-ssl.conf
Add underneath the SSL Certificate paths, above </VirtualHost>:
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;"
ctrl+x and save

sudo apachectl configtest
Syntax OK
sudo systemctl restart apache2

l33 certificates pt3

display certificates :
sudo certbot certificates
to delete a cert from the server :
sudo certbot delete
c to cancel

test the renewal process :
sudo certbot renew --dry-run
########################################################
ensure all content on the site uses https
by search and replace of http to https in the wordpress DB:
cd /var/www/example.com/public_html/
ls
test the command 1st :
wp search-replace http://example.com https://example.com --dry-run
run :
wp search-replace http://example.com https://example.com
clear the php opcache
sudo systemctl restart php7.2-fpm

l34 page caching using w3 total cache

cd /var/www/example.com/public_html/
ls -l
ls -la
cd ..
ls -l
when you install plugins (security and caching) that need to write to the wp-config file or
.htaccess file, you should give the webserver write permissions in the html dir,
afterwards change the dir back to 755
sudo chmod 775 public_html/
ls -l
the group has write permissions in that directory
https://example.com/wp-admin/index.php
plugins->Add New
search w3
install : w3 total cache, click activate, settings (of w3)
page cache: enable
page cache method: disk: enhanced
minify: enable
minify mode : manual
opcode cache: zend opcache
browser cache: enabled
save all settings->save all settings and purge caches
on the left side bar : page cache->
cache preload, check: automatically prime
the post cache
save all settings, select empty the page cache

l35 installing additional wordpress sites

get domain name, l24

cd /var/www
ls
sudo mkdir -p example2.com/public_html/.well-known/
ls -l
sudo chown -R non_root_user:www-data example2.com/
ls -l
cd example2.com/
ls -l
CREATE APACHE VIRTUAL HOST
cd public_html/
cd /etc/apache2/sites-available/
sudo cp example.com.conf example2.com.conf
sudo nano example2.com.conf
delete all rewrite rules at the bottom
replace example.com with example2.com
ctrl + x, save
sudo a2ensite example2.com.conf
sudo systemctl restart apache2
sudo mysql -u root
see l20 to create a DB
cd /var/www/example2.com/public_html/
wp core download
wp core config --dbname= --dbuser= --dbpass= --dbprefix=
wp core install --url= --title='' --admin_user= --admin_password= --admin_email=
touch .htaccess
ls -al
sudo chown nonrootuser:www-data .htaccess

go to example.com/wp-admin
to log in paste the admin user then pass
next configure permalinks and delete default posts and pages:
settings->permalinks->set to post name->save changes
posts->all posts->trash hello world (trash all pages)->no comments in comments tab
set admin nickname :
Users tab->all users->edit->type nickname at its field->display name
publicly as : set to the new nick name->update profile
dashboard->home

l36 installing additional wordpress sites pt2: securing wordpress
from /var/www/example2.com/public_html :
cd ../../
sudo chown -R nonrootuser:www-data example2.com/
cd example2.com/public_html/
ls -la
sudo chown -R www-data:www-data wp-content/
ls -l
sudo find /var/www/example2.com/public_html/ -type d -exec chmod 755 {}\;
sudo find /var/www/example2.com/public_html/ -type f -exec chmod 644 {}\;
sudo chmod 664 .htaccess wp-config.php
sudo nano wp-config.php

paste above the line : /*that's all, stop editing!
/** Allow Direct Updating Without FTP */
define('FS_METHOD', 'direct');
/** Disable Editing of Themes and Plugins Using the Built In Editor */
define('DISALLOW_FILE_EDIT', 'true');
/** Allow Automatic Core Updates */
define('WP_AUTO_UPDATE_CORE', 'true');

exit and save.

sudo nano .htaccess

under # END WordPress
paste :

#Deny Access to WP-config and xmlrpc
<FilesMatch "(wp-config|xmlrpc)\.php$">
   Deny from all
</FilesMatch>

#Disable Hotlinking of Images - change site.com
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?site.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]

#DENY ACCESS TO FILES
<FilesMatch "\.(?:txt|htm|html)$">
Order allow,deny
Deny from all
</FilesMatch>

# General WordPress Protection

RewriteRule ^wp-admin/install\.php$ - [F]
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule (^|.*/)\.(git|svn)/.* - [F]


# Disable PHP in Uploads
RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Disable PHP in Plugins - check for issues with installed plugins
# RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Disable PHP in Themes - check for issues with selected theme
# RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)\.?$ - [NC,F]

# Filter Request Methods
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK) [NC]
RewriteRule ^.* - [F]

# Filter Suspicious Query Strings in the URL
RewriteCond %{QUERY_STRING} \.\.\/ [OR]
RewriteCond %{QUERY_STRING} \.(bash|git|hg|log|svn|swp|cvs) [NC,OR]
RewriteCond %{QUERY_STRING} etc/passwd [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} https?: [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
RewriteCond %{QUERY_STRING} %24&x [NC,OR]
RewriteCond %{QUERY_STRING} 127\.0 [NC,OR]
RewriteCond %{QUERY_STRING} (^|\W)(globals|encode|localhost|loopback)($|\W) [NC,OR]
RewriteCond %{QUERY_STRING} (^|\W)(concat|insert|union|declare)($|\W) [NC,OR]
RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=jetpack-sso
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
RewriteRule ^.* - [F]

# Filter Non-English Characters
# note: this rejects every percent-encoded byte %A0-%FF, i.e. any UTF-8 text in a query string, such as a non-English search term
RewriteCond %{QUERY_STRING} %[A-F][0-9A-F] [NC]
RewriteRule ^.* - [F]

************************************
*and change site.com to your domain*
************************************
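An added example (not from the post) that replays the "Filter Suspicious Query Strings" and "Filter Non-English Characters" rules above against access-log lines, so you can see what they would block, and which legitimate requests they would break, before deploying them. The patterns are the post's, written for grep -E (\W became [^[:alnum:]_] for portability). The HTTP_COOKIE and HTTP_REFERER exemptions for logged-in users need headers the access log does not carry, so only the three query-string exemptions are modelled. The log lines are constructed sample data.

```shell
#!/bin/sh
# Added example: dry-run the post's query-string RewriteCond rules over log lines.

# The OR-chain of RewriteCond %{QUERY_STRING} patterns, as one alternation.
SUSPICIOUS='\.\./|\.(bash|git|hg|log|svn|swp|cvs)|etc/passwd|boot\.ini|ftp:|https?:|(<|%3C)script(>|%3E)|mosConfig_[a-zA-Z_]{1,21}(=|%3D)|base64_decode\(|%24&x|127\.0|(^|[^[:alnum:]_])(globals|encode|localhost|loopback)($|[^[:alnum:]_])|(^|[^[:alnum:]_])(concat|insert|union|declare)($|[^[:alnum:]_])|%[01][0-9A-F]'
# The separate rule that rejects any percent-encoded byte 0xA0-0xFF.
NON_ASCII='%[A-F][0-9A-F]'

# qs_verdict QUERY_STRING -> BLOCK:suspicious-query, BLOCK:non-ascii or ALLOW.
# Like mod_rewrite, it matches the raw (still percent-encoded) query string.
qs_verdict() {
    qs=$1
    if printf '%s\n' "$qs" | grep -Eiq "$SUSPICIOUS"; then
        case $qs in
            # the post's !^loggedout=true, !^action=jetpack-sso, !^action=rp exemptions
            loggedout=true*|action=jetpack-sso*|action=rp*) ;;
            *) echo BLOCK:suspicious-query; return 0 ;;
        esac
    fi
    if printf '%s\n' "$qs" | grep -Eiq "$NON_ASCII"; then
        echo BLOCK:non-ascii; return 0
    fi
    echo ALLOW
}

# audit_access_log < LOG -> "VERDICT<TAB>request-path" per combined-log-format line
audit_access_log() {
    while IFS= read -r line; do
        path=$(printf '%s\n' "$line" | awk '{print $7}')
        case $path in
            *\?*) verdict=$(qs_verdict "${path#*\?}") ;;
            *)    verdict=ALLOW ;;
        esac
        printf '%s\t%s\n' "$verdict" "$path"
    done
}

# Constructed log lines (203.0.113.0/24 is documentation address space), not real traffic.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?s=wordpress HTTP/1.1" 200 5316
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 11
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /?s=caf%C3%A9 HTTP/1.1" 200 4000
203.0.113.9 - - [10/Oct/2023:13:56:09 +0000] "GET /wp-login.php?loggedout=true&wp_lang=en_US HTTP/1.1" 200 2100
203.0.113.7 - - [10/Oct/2023:13:56:30 +0000] "GET /?id=1+union+select HTTP/1.1" 200 300
'

# blocked_count -> number of sample requests the rules would reject
blocked_count() { printf '%s' "$SAMPLE_LOG" | audit_access_log | grep -c '^BLOCK'; }

printf '%s' "$SAMPLE_LOG" | audit_access_log
```

Run it over the real log with audit_access_log < /var/log/apache2/access.log | grep '^BLOCK' before enabling the rules. The third sample line shows the non-English rule rejecting an ordinary search for "café"; drop that rule if the site has non-English visitors. Because the conditions inspect the still-encoded query string, the block is a nuisance filter, not a web application firewall.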

gen SSL cert :
cd
sudo certbot --apache -d example2.com -d www.example2.com
when asked whether to redirect traffic to https, choose 2
cd /etc/apache2/sites-available/
ls -l
sudo nano /etc/apache2/sites-available/example2.com-le-ssl.conf
Add underneath SSL Certificate paths above </VirtualHost>:
Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;"
ctrl+x and save

sudo apachectl configtest
Syntax OK
sudo systemctl restart apache2
ssllabs.com your site should rank A+
cd /var/www/example2.com/public_html/
wp search-replace http://example2.com https://example2.com
clear php opcache
sudo systemctl restart php7.2-fpm
see l34
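An added example (not from the post) that checks the Strict-Transport-Security header set above the way SSL Labs does before it grants an A+: HSTS present with a max-age of at least 180 days (15552000 seconds). Pass it the output of curl -sI https://example2.com; the response below is constructed sample data.

```shell
#!/bin/sh
# Added example: verify the HSTS header after the Apache change.

HSTS_MIN_AGE=15552000   # 180 days, the value the post configures

# hsts_header HEADERS -> the first Strict-Transport-Security line, lower-cased,
# CR stripped (curl prints CRLF); empty if the header is absent
hsts_header() {
    printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]' \
        | grep '^strict-transport-security:' | head -n 1
}

# hsts_max_age HEADERS -> the max-age value, or empty
hsts_max_age() {
    hsts_header "$1" | sed -n 's/.*max-age=\([0-9]\{1,\}\).*/\1/p'
}

# hsts_check HEADERS -> OK, MISSING, or WEAK:<reason>; exit status 0 only on OK
hsts_check() {
    hdr=$(hsts_header "$1")
    if [ -z "$hdr" ]; then echo MISSING; return 1; fi
    age=$(hsts_max_age "$1")
    if [ -z "$age" ]; then echo WEAK:no-max-age; return 1; fi
    if [ "$age" -lt "$HSTS_MIN_AGE" ]; then echo "WEAK:max-age=$age"; return 1; fi
    case $hdr in
        *includesubdomains*) echo OK; return 0 ;;
    esac
    echo WEAK:no-includesubdomains; return 1
}

# Constructed response, as curl -sI would print it after the change above
SAMPLE_HEADERS='HTTP/1.1 200 OK
Date: Tue, 10 Oct 2023 13:55:36 GMT
Server: Apache
Strict-Transport-Security: max-age=15552000; includeSubDomains;
Content-Type: text/html; charset=UTF-8'

hsts_check "$SAMPLE_HEADERS"
```

Usage on the server: hsts_check "$(curl -sI https://example2.com)". A MISSING result after the apache2 restart usually means mod_headers is not enabled (sudo a2enmod headers) or the Header line landed outside the SSL VirtualHost.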

l37 essential plugins :

plugins->add new-> autoptimize, async
plugins: delete hello dolly, akismet
activate autoptimize, javascript options, check optimize javascript codes, select :
optimize css codes, optimize html code, save changes
plugins-> installed plugins, activate the above plugins
async settings :
enable javascript : this depends on your site

install plugin : post SMTP, activate plugin.
and the Disqus plugin to manage spam.

l78 filezilla
used to DL or UL files between the server and a local machine
on the extreme left, open site manager
new site, call it vps1, protocol: SFTP, host: server ip
port : leave blank or 22, logon type : key file
user: nonrootuser
key file : browse to : cmder (the dir you made when you installed cmder), .ssh
set to all files, select ct (the private server key), open
on prompt: yes, provide your private key pass phrase
on save as prompt : ct_fz (filename_fz), save, ok
go back to site manager, select vps1, connect
check always trust this host, type private key pass phrase to unlock, ok

l64 server updates

login to the server
ssh 1st
upon the login message : n packages can be updated, or
*** System restart required *** :
sudo apt-get update && sudo apt-get upgrade
sudo apt-get autoremove
sudo reboot
site updates : because of the permissions we set, updates are not possible from the wordpress
dashboard. when the dashboard notifies of needed updates, instead use the cmd line :

wp core version
wp core update
wp core update-db
sudo systemctl restart php7.2-fpm
wp core version

depending on your WP ver you could end up with "cannot create dir err" on wp core update
the web server is the owner and group owner of the upgrade dir with permission 755
while the user is the other user without permissions.
so the non root user needs to be the owner, and the webserver the group owner :
cd /var/www/example2.com/public_html/
cd wp-content/
ls -l
sudo chown -R nonrootusername:www-data upgrade/
cd ..
wp core update
wp core version
cd wp-content/
ls -l
sudo chown -R www-data:www-data upgrade/
ls -l
sudo systemctl restart php7.2-fpm
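An added example (not from the post) that does the wp core update sequence above as one function: it lends wp-content/upgrade to the shell user, runs the update from the site root, and hands the directory back to whoever owned it before, whether or not the update succeeded. Set DRY_RUN=1 to print the privileged commands instead of running them. The php7.2-fpm service name and the nonrootuser convention are the post's; the directory used by the test is a constructed temp dir.

```shell
#!/bin/sh
# Added example: wp core update with the upgrade-dir ownership hand-off done safely.

# owner_of PATH / group_of PATH: parsed from ls -ld, which reads the same on
# GNU and BSD (stat's flags differ between them)
owner_of() { ls -ld "$1" | awk '{print $3}'; }
group_of() { ls -ld "$1" | awk '{print $4}'; }

# run CMD...: execute, or echo with a "+ " prefix when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; return 0; fi
    "$@"
}

# wp_core_update_safely SITE_ROOT [USER]
#   USER defaults to the account running the script (the post's nonrootuser)
wp_core_update_safely() {
    root=$1; user=${2:-$(id -un)}
    up="$root/wp-content/upgrade"
    if [ ! -d "$up" ]; then echo "no upgrade dir at $up" >&2; return 2; fi
    orig_owner=$(owner_of "$up"); orig_group=$(group_of "$up")
    # step 1: hand the dir to the shell user; the web server stays group owner
    run sudo chown -R "$user:$orig_group" "$up"
    # step 2: update from the site root (wp-cli refuses to run as root, so no sudo)
    if ( cd "$root" && run wp core update && run wp core update-db ); then
        status=0
    else
        status=$?
    fi
    # step 3: always give the dir back. The post restores www-data:www-data;
    # restoring what was there before is identical on that setup and safer elsewhere.
    run sudo chown -R "$orig_owner:$orig_group" "$up"
    run sudo systemctl restart php7.2-fpm
    return "$status"
}
```

Usage: wp_core_update_safely /var/www/example2.com/public_html/ nonrootuser, then wp core version to confirm. The "cannot create dir" error described above cannot recur, because the chown back happens even when the update step fails.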

wpcli updates :
cd
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
give wpcli executable permissions :
chmod +x wp-cli.phar
sudo mv wp-cli.phar /usr/local/bin/wp

giving a site an onion URL for tor browser :
