Background on Apache and Security Issues
Apache covers more than 45.8% of the server software market share. This means that more than 34.0% of websites across the Internet are built on Apache server. Some of the best website that are using ‘Apache’ include:
- Ebay.com
- Adobe.com
- Apple.com
- Etsy.com
- Baidu.com
Technically, Apache is an open-source web server that was first released in 1995. Since then, it has progressed significantly to become ‘one-of-the-most-trusted-web-server’ due to its reliability and features. That’s why it’s being used by tech giants that we’ve mentioned above already.
Even with all best and well-engineered features, there are imperfections and loopholes as nothing can be perfect in an open-source software. These loopholes can be misused by hackers. Hackers pose a security threat to Apache server because:
- Since it is a widely used server, it also powers the most used website development platform – WordPress. When a server is hacked, the whole becomes a playing field for the hacker.
- Server is where the most secured information of the website is kept. If it is hacked, all the information becomes vulnerable causing website owners especially WordPress websites owners a loss in terms of revenue and client.
In order to protect the most important website asset – the Apache server, we’ve created a 14-Step Apache Security Practices checklist for fool-proof protection against threats. This will help you in keeping track of the security of your server and ultimately your website.
The Complete Checklist of Apache Best Security Practices
To fortify your WordPress website from potential threats, you need to keep Apache updated, the way you do with other software. Failing to update Apache can cause the site speed to slow down, leave your website open to security threats and so much more. Therefore, we have a complete checklist of Apache security practices for you. This is not a complete and exhaustive list but the best practices that we recommend.
1. Always Keep your Apache Version Updated
As keeping WordPress plugins and themes updated on a regular basis is crucial for good performance of your WordPress site, so is keeping a web server updated.
If you’re not sure about whether your site is using an updated version of Apache or not, use an httpd – v command line. If the version doesn’t match to current one released by Apache, you can update it easily using the following:
# yum update httpd
# apt-get install [add Apache version here]
2. Turn on Logs
Managed WordPress hosting providers take care of everything from monitoring a server to checking WordPress for finding vulnerabilities. In order to find out who accesses the server, you can turn on the option of maintaining the login logs. In order to do so in Apache, update your mod_log_config module to access your activity log. Turning on logs will let you know about users when they reach out to your server and you can detect any unauthorized access in this manner.
3. Get an SSL Certificate
SSL certificate is critically important to optimize website security for better performance and execution. Moreover, SSL certificates have become one of the search engine ranking factors.
Since a web server works to handle browser requests to your site, therefore, it is essential for you to secure your website with SSL certificate. And, a surprise – you can get an SSL certificate for FREE. However, installing an SSL certificate properly is another matter altogether. If you can’t install an SSL certificate yourself, get our services and we’ll do it for you.
4. Add a Firewall
SSL encryption improves the overall security of your server – no doubt about it – but, if you want added protection of your server and sites, you should add a ‘firewall’. In order to do so, install an application called ModSecurity. It is an open source web application firewall which works as a module for Apache HTTP server. Use the following method to install it on your server:
# yum install mod_security
# /etc/init.d/httpd restart
When you’ve activated the ‘firewall’ it will safeguard your system from a number of malicious and harmful activities i.e., SQL injection, cross-site scripting, session hijacking, etc.
5. Install mod_evasive
You can further strengthen security of your Apache server from DDoS and Brute force attacks through the use of mod_evasive ( An Apache Web Services Module). This module actually keeps your server running when you get most vulnerable. Therefore, you should keep it ‘enabled’ as it will blacklist suspicious and failed attempts while filtering malicious IPs to boost your web security.
6. Set HTTP Limits
DDoS (Distributed Denial of Service) attack is very easy to block if you can take actions wisely and contextually. DDoS attacks cause your server to stop responding iteratively using large requests. In order to protect the Apache server you should assign HTTP limits to prevent DDoS attacks. You can set following HTTP limits:
- KeepAlive=on
- KeepAliveTimeout
- LimitRequestBody
- LimitRequestFields
- LimitRequestFieldSize
- LimitRequestLine
- LimitXMLRequestBody
- MaxClients
- MaxKeepAliveRequests
- MaxRequestWorkers
- RequestReadTimeout
- TimeOut
7. Never Keep Unused Modules
Never keep expired, unused and unmaintained modules on your Apache server because modules work as an easy entry-point for hackers. So, a first thing you need to do is to check out which modules are active through the use of LoadModule command. When you’ve correctly filtered the list and have figured out which modules to discard, add ‘#’ symbol before any module you don’t want anymore and click ‘restart’.
8. Change Default User Group
We tend to use default settings and leave software unused for the long haul making our online security highly vulnerable. It is simple to understand because if you use the Apache default group or user name, hackers can easily outwit you and your security will be compromised. Therefore, you should keep changing the default user group to keep your WordPress website protected.
Instead of leaving the default settings, it’s good to make a non-privileged account for running Apache processes. You could use a couple of commands, a) #groupadd, b) #useradd for setting new entities and don’t forget to update httpd.conf with newly created user and group names.
9. Block Directory Access
As part of the default setting changes, you should also block directory access otherwise it can allow hackers to infiltrate in your sites. Use the following command for blocking directory access completely:
<Directory "/">
Require all denied
</Directory>
Want to enable access to authorized users, use the following command:
<Directory "/usr/users/*/public_html">
Require all granted
</Directory>
Likewise, you can enable access to folders within the directory through the use of the following command:
<Directory "/usr/local/httpd">
Require all granted
</Directory>
10. Disable the Root Directory
Do you know that not making an index file for your server can allow users to see everything in your root directory. Plus, it puts you in the red-zone from a cyber security perspective (which is alarming.) Therefore, you should disable this default setting using the command provided below:
<Directory /var/www/html>
Options -Indexes
</Directory>
11. Hide Server Details
Since Apache is an open-source cross-platform web server software, it has all details about the version being used (if your settings on the server-side is not disabled). Using the basic versions and default settings, hackers can manipulate sensitive information to get access into your server. Therefore, you must block information leakage for infallible Apache security. You will need following two things for hiding server details:
- ServerSignature – a version of Apache
- ServerTokens – it comprises OS versions along with confidential server details.
You will be surprised to know that this information is easily visible to users, so it’s important that you block this information from hackers’ approach. To do so, update httpd.conf with the following command:
ServerSignature Off
ServerTokens Prod
12. Hide the ETag
The ETag (Entity Tag) header in Apache comes with a number of sensitive details about your server. Therefore, you should hide this sort of information for full protection of your website. Especially, if you’re running an ecommerce website, you’ll have to hide this information to become PCI compliant.
In order to do so add the following directive to httpd.conf to hide the ETag
FileETag None
13. Disable .htaccess Override
The .htaccess works as an important file especially for WordPress sites. This is why, you should lock this file and disable .htaccess from overriding your configuration settings. Add the following to your httpd.conf for disabling .htaccess override:
<Directory />
Options -Indexes
AllowOverride None
</Directory>
14. Disable SSI and CGI
SSI or Server Side Includes enabled files can expose your site to various security issues (if they go unchecked). You will have to disable CGI to keep hackers at bay from overloading your server and/or injecting harmful scripts into your code, turn them off with the help of options directive.
Following are some of the options value you can use at the time of disabling CGI and SSI:
- Options All
- Options IncludesNOEXEC
- Options -Includes
- Options -ExecCGI
- Options -Includes -ExecCGI
- Options MultiViews
Have you Optimized the Security of your Apache Server?
We talked about securing your Apache server in this article. During this process, we came to know how essential it is to pay special attention to Apache servers for flawless security. However, there are technical issues i.e, server misconfiguration and using default setting, that can make your site vulnerable and will put you at risk because. But if you are able to config your server properly, you will have a safe and secure Apache server.
Every method or check list item that we discussed is tried-and-tested and will help you. However, if you can’t fix this issue, contact us and our experts will help you in improving your Apache security.
Removing Malware and Hacks
No one can predict when a hack or a malware might attack the website or how powerful that attack might be. This unpredictability makes it difficult to analyze what damage it may cause to the WordPress website even after having all the security protocols in place. For instance, an attack might cause the WordPress website to redirect to completely different URL or cause the website to go down altogether.
That is why, as part of our WordPress emergency support services, our experts are ready to clean up any damage that an attack might cause no matter the time. With such service, you can be assured that your website is in good hands.