In this post we will aim at securing Apache and PHP on our Ubuntu Server 22.04 through various configuration directives. Let’s review what we did so far:
- We installed and set up WordPress on an AWS EC2 instance and its database on an AWS RDS MySQL instance (see this post)
- We then proceeded to enable ElastiCache for Memcached to optimize database and object cache for this installation (in this post).
- We looked at how to improve the security of the WordPress installation by changing some of its settings, as described in this other post.
- And finally, here we are, looking at how to improve our Apache and PHP configuration from a security and performance point of view.
We are going to edit some Apache configuration files and update the PHP configuration in php.ini to improve the security of the server.
Let’s start by enabling some additional Apache modules; some of the configuration lines below rely on one or more of them.
sudo a2enmod headers
sudo a2enmod deflate
sudo a2enmod expires
sudo a2enmod http2
sudo systemctl restart apache2
Now edit the Apache security configuration, which you should find at /etc/apache2/conf-available/security.conf, by modifying or adding the following lines:
ServerTokens Prod
ServerSignature Off
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "sameorigin"
LimitRequestBody 1000000000
Please note that LimitRequestBody is set very generously above (about 1 GB); you can reduce it to suit your needs.
Restart Apache and check your headers with the following commands:
sudo systemctl restart apache2
curl -I http://your_domain_or_IP
It is possible that your site no longer loads due to the configuration changes below. Let’s edit your site’s .conf file in Apache (mine is located at /etc/apache2/sites-enabled/wordpress-le-ssl.conf) by adding or amending the following. If an AllowOverride line already exists, add Indexes to it after the other options.
AllowOverride Indexes
# Set up caching on media files if desired (optional)
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav)$">
    ExpiresDefault A29030400
    Header append Cache-Control "public"
</FilesMatch>
In the same .conf file, add the following headers:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Referrer-Policy "strict-origin"
Then restart Apache:
sudo systemctl restart apache2
Your site should load properly now.
You can use https://securityheaders.com/ to check the configuration above; your results should look similar to this:
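If you would rather verify the headers from the command line, or from a host that cannot reach securityheaders.com, the following script checks a raw HTTP response for the four headers configured above and for a Server header that still reveals a version. This is an added example and not part of the original post: the header names are the ones set in the Apache directives above, the two sample responses are constructed rather than captured from a real site, and live use assumes curl is installed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the response headers that the
# security.conf and site .conf changes above are meant to produce. The expected
# header names come from the post; the sample responses below are constructed.

# Header names (lowercase) added by the post's Apache directives.
REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options referrer-policy"

# Normalise raw HTTP headers on stdin to one lowercase header name per line.
header_names() {
    tr -d '\r' | grep ':' | cut -d: -f1 | tr 'A-Z' 'a-z'
}

# Print each required header that is absent from the response given on stdin.
missing_security_headers() {
    names=$(header_names)
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$names" | grep -qx "$h" || echo "$h"
    done
}

# Number of required headers missing from the response given on stdin.
count_missing_headers() {
    missing_security_headers | awk 'END { print NR }'
}

# Return 0 when the Server header still carries a version (e.g. "Apache/2.4.52"),
# which ServerTokens Prod suppresses, and 1 otherwise.
server_leaks_version() {
    tr -d '\r' | grep -i '^server:' | grep -q '/'
}

# Constructed sample: what a server configured as in the post should return.
SAMPLE_HARDENED='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Referrer-Policy: strict-origin'

# Constructed sample: a default install before the changes (version leaks, no headers).
SAMPLE_DEFAULT='HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
X-Powered-By: PHP/8.1.2
Content-Type: text/html; charset=UTF-8'

# Usage: sh audit_headers.sh https://your_domain_or_IP   (needs curl)
# Without an argument the constructed samples are audited instead.
if [ -n "${1:-}" ]; then
    curl -sI "$1" | missing_security_headers
else
    echo "missing in hardened sample: $(printf '%s\n' "$SAMPLE_HARDENED" | count_missing_headers)"
    echo "missing in default sample:  $(printf '%s\n' "$SAMPLE_DEFAULT" | count_missing_headers)"
fi
```

Header names are compared case-insensitively because Apache and proxies may change their capitalisation, while the version check only looks for a slash in the Server value, which is exactly what ServerTokens Prod removes.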
I will not explain these changes in detail here; php.ini itself carries an explanation for each of the settings below. Let’s edit the php.ini file:
sudo nano /etc/php/8.1/apache2/php.ini
We will update some of the settings therein as follows:
session.cookie_httponly = True
session.use_strict_mode = 1
display_errors = Off
display_startup_errors = Off
allow_url_fopen = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
open_basedir = /path/to/your/web/root
session.gc_probability = 1
session.gc_divisor = 1000
session.save_handler = files
If you have not enabled OPcache yet, please see this article for the steps required (search for OPcache). Do not forget to restart Apache after making the changes above:
sudo systemctl restart apache2
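Because php.ini is long and the same key can be assigned more than once (the last uncommented assignment wins), it is easy to think a setting is in place when a later line overrides it. The script below reads a php.ini the way PHP does and reports every setting that departs from the values listed above. It is an added example, not part of the original post: the expected values are the post's, the two php.ini fragments are constructed samples rather than real distribution files, and the path in the usage comment is the one the post edits.

```shell
#!/bin/sh
# Added example, not from the original post: audit a php.ini against the
# hardened values listed above. Expected values are the post's; the two
# php.ini fragments below are constructed samples, not distribution files.

# Print the effective value of KEY in FILE: the last uncommented "key = value"
# wins (as in php.ini), with surrounding whitespace and quotes stripped.
ini_value() {
    ini_file=$1; ini_key=$2
    awk -v key="$ini_key" -F= '
        /^[ \t]*;/ { next }                     # ";" starts a comment line
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); gsub(/^"|"$/, "", v)
                val = v
            }
        }
        END { print val }' "$ini_file"
}

# Map php.ini boolean spellings (On/True/Yes/1) to 1 and anything else to 0.
as_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|on|true|yes) echo 1 ;;
        *) echo 0 ;;
    esac
}

# Print one finding per setting in FILE that departs from the post's values.
audit_php_ini() {
    f=$1
    for kv in session.cookie_httponly=1 session.use_strict_mode=1 \
              display_errors=0 display_startup_errors=0 allow_url_fopen=0; do
        key=${kv%=*}; want=${kv#*=}
        have=$(as_bool "$(ini_value "$f" "$key")")
        [ "$have" = "$want" ] || echo "$key is $have, expected $want"
    done
    [ "$(ini_value "$f" session.save_handler)" = files ] || echo "session.save_handler is not files"
    [ -n "$(ini_value "$f" open_basedir)" ] || echo "open_basedir is not set"
    # Each process-spawning function from the post's list must be disabled.
    disabled=$(ini_value "$f" disable_functions | tr -d ' ' | tr ',' '\n')
    for fn in exec passthru shell_exec system proc_open popen; do
        printf '%s\n' "$disabled" | grep -qx "$fn" || echo "$fn is not in disable_functions"
    done
}

# Number of findings for FILE (0 means it matches the post's settings).
count_php_ini_findings() {
    audit_php_ini "$1" | awk 'END { print NR }'
}

# Constructed sample: a fragment with the post's values applied.
HARDENED_INI=$(mktemp)
cat > "$HARDENED_INI" <<'EOF'
; constructed sample, not a real php.ini
session.cookie_httponly = True
session.use_strict_mode = 1
display_errors = Off
display_startup_errors = Off
allow_url_fopen = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
open_basedir = /var/www/html
session.save_handler = files
EOF

# Constructed sample: typical values before hardening (no open_basedir at all).
DEFAULT_INI=$(mktemp)
cat > "$DEFAULT_INI" <<'EOF'
session.cookie_httponly =
session.use_strict_mode = 0
display_errors = Off
display_startup_errors = Off
allow_url_fopen = On
disable_functions =
session.save_handler = files
EOF
trap 'rm -f "$HARDENED_INI" "$DEFAULT_INI"' EXIT

# Usage: sh audit_php_ini.sh /etc/php/8.1/apache2/php.ini
# Without an argument the constructed samples are audited instead.
if [ -n "${1:-}" ]; then
    audit_php_ini "$1"
else
    echo "findings in hardened sample: $(count_php_ini_findings "$HARDENED_INI")"
    echo "findings in default sample:  $(count_php_ini_findings "$DEFAULT_INI")"
fi
```

Run it against /etc/php/8.1/apache2/php.ini after editing and again after any PHP package upgrade, since package updates can ship a new php.ini alongside your edited one.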