Author: Surfer Chick

WordPress is far and away the most widely-used content management system on the web, but that popularity comes at a price. It’s also the most attacked CMS. Not because it’s un-secure, but because attackers know that a WordPress vulnerability is a gateway to tens of millions of websites.

As soon as a WordPress website goes online, automated bots begin to probe it for weaknesses. That’s why it’s critically important to security harden WordPress sites, ensuring that they have the smallest possible surface area for attackers to target.

Security hardening was once a long and complicated manual process, but WordPress Toolkit for cPanel  makes it a one-click affair. This article will explore some of the ways WordPress vulnerabilities are exploited and how WordPress Toolkit protects sites against many common attacks. 

Common WordPress Vulnerabilities

Every vulnerability is unique, but most attacks against WordPress sites fall into one of four categories:

• Brute force and dictionary attacks: Attackers attempt to guess security credentials such as usernames and passwords. Attacks of this type are carried out by bots that can quickly flood WordPress authentication systems with a deluge of login attempts. 
• Denial of Service (DOS) and Distributed Denial of Service (DDoS) attacks: Bad actors bombard sites and networks with requests and data, consuming resources, degrading performance, and potentially taking them offline. WordPress includes a system called XML-RPC, which is often used in denial of service attacks. 
• Core, plugin, and theme vulnerabilities: Bugs in code can be exploited to circumvent authentication systems, upload malicious code, or gain extra privileges.  Bad actors often look in a site’s files for clues about the sort of attack it is vulnerable to.  
• Code injection attacks: Running malicious code is a goal of many bad actors. They scour WordPress sites searching for vulnerabilities that will let them inject PHP, JavaScript, or SQL code. 

WordPress Toolkit for cPanel implements features and security measures that protect sites against each of these attack types. 

Security Hardening with WordPress Toolkit for cPanel

cPanel’s WordPress Toolkit is a complete WordPress management solution with an intuitive interface. You can think of it as a single dashboard for controlling all of your WordPress sites. It automates WordPress hosting tasks, including installation, updates, and backups. It also surfaces configuration tweaks that you’d otherwise have to dig around in the admin interface or edit configuration files to change. 

WordPress security hardening is one of the places where WordPress Toolkit really shines. First, it applies fixes for critical vulnerabilities during installation, so sites are secure before they go online. Second, it scans existing sites for suboptimal security settings and can fix them at the click of a button.  

We’ll have a look at some of the security fixes it applies in a moment, but first, we’ll show you just how easy it is to security harden a WordPress site with cPanel.

To use one-click hardening, you will need:

• A cPanel instance with WordPress Toolkit installed 
• A WordPress Toolkit Deluxe license. 

You can find the WordPress Toolkit in Applications on cPanel’s main page. Sites are listed on the overview page with status information and configuration switches. 

If you take a closer look at the second site, you will notice that, under the Status heading, the Security line reads Check Security. WordPress Toolkit scanned the site and noticed that several non-critical security measures have not been applied. The first site has already been hardened, so it displays View Settings. 

You might also see Fix Security here, which means that critical security measures have not been applied. 

We can click on the status message to open the Security Status panel, which displays all of the security measures the WordPress Toolkit can apply. 

You can apply each measure individually by checking the adjacent box and clicking Secure. They can be reverted, where possible, by selecting them and clicking Revert. But we want to secure our WordPress site in a single click, and to do that, we’ll select the Security Measures checkbox at the top of the column and then click the Secure button. 

One-Click Hardening for Multiple WordPress Sites

What if you host dozens of WordPress sites? It would be time-consuming to secure each one individually, so you’ll be happy to hear that you can use the WordPress Toolkit to secure any number of sites at the same time.  On the overview page, click the Security Tab. 

cPanel displays a list of sites and their security status. Use the checkbox next to each site to select those that aren’t fully hardened, and then click the Secure button at the top of the page.

You’re given a chance to specify which security measures to apply, and then cPanel automatically hardens all selected sites. You can use this method to secure dozens or even hundreds of WordPress sites simultaneously.  

Security Settings in WordPress Toolkit

WordPress Toolkit applies almost 20 security measures, but we’d like to highlight a handful of the most important here. 

•  Forbid execution of PHP files: The toolkit forbids the execution of PHP files in the wp-includes and wp-content/uploads directory. Both are common targets of bad actors and malicious users who upload PHP code and attempt to execute it. 
• Block directory browsing: The files inside WordPress’s directories contain information about plugins, themes, and other code that might reveal vulnerabilities.  The Toolkit makes it impossible for any non-authenticated user to look in directories. It also sets secure file permissions for the wp-config file and all other files and directories. 
• Enable bot protection: Allowing bots to scan your site is a security risk, as well as a waste of server resources. The WordPress Toolkit blocks bad bots to limit a site’s exposure. 
• Change default administrator’s username: When first installed, WordPress creates a user with administrative privileges called admin. Bots and other bad actors often target admin with brute force and dictionary attacks. 
• Turn off Pingbacks: When a WordPress website links to your site, it sends a ping, which results in a comment on your blog that records the link. Pingbacks rely on the insecure XML-RPC protocol, which can be abused to overwhelm a site’s resource in a denial of service attack. 
• Enable hotlink protection: Hotlinking allows external sites to embed or display images hosted on your server. You gain little benefit from hotlinking, and it can become a significant drain on server and network resources. 

Finally, the WordPress Toolkit makes it simple to quickly update WordPress Core, plugins, and themes in a unified interface, as well as to manage automatic updates. Plugin and theme vulnerabilities are the most common WordPress exploit, and regular updates are the only way to protect sites from vulnerabilities in their code.  

Restoring Backups with WordPress Toolkit

To finish, let’s look at one more security essential that cPanel simplifies: restoring backups. A recent backup is a lifeline if all else fails. It allows users to restore a compromised site to a secure and uninfected condition, and, with the WordPress Toolkit, making and restoring backups takes seconds. 

To create a backup, click the Back Up button. If you have previous backups, they are listed on the page. To restore your WordPress site and its database to an earlier state, choose a backup file and click the restore icon, as shown in the next image.

Secure WordPress Hosting with cPanel

The WordPress Toolkit makes it easier than ever to build a secure WordPress hosting platform with cPanel. Security hardening is now a one-click process, allowing hosts to protect servers, sites,  and users without a long and expensive manual hardening process. As always, if you have any feedback or comments, please let us know. We are here to help in the best ways we can. You’ll find us on Discord, the cPanel forums, and Reddit.

Caching is an indispensable feature of cost-effective application hosting and fast, low-latency user experiences. In-memory caching is one of the most widely used techniques, and Memcached’s in-memory caching capabilities are used by thousands of developers, hosting providers, and web services giants like Facebook®, Shopify®, and Slack®.

In this article, we explore how Memcached works and how you can integrate it with PHP apps hosted on your cPanel & WHM server.

Before we begin, a word of warning: the method outlined here should only be used on single-tenant dedicated servers, such as cPanel solo and virtual server hosting. It is not suitable for multi-tenant shared hosting environments without additional configuration to enable authentication or encryption.

What is Memcached?

Memcached is an object caching system. It is primarily used to cache the results of database queries, helping dynamic websites like WordPress® and Drupal to serve pages faster. It can also significantly decrease resource use on a busy web server by reducing calls to the database.

Like all caches, Memcached stores data generated by an expensive operation so that it can be used again without repeating the operation. For example, to build a web page, a PHP application often has to query a relational database like MySQL. Relational databases usually store data on a hard drive or SSD, both of which are slow compared to the server’s RAM. Memcached puts often-used data in RAM, allowing it to be accessed a lot faster.

Caching with Memcached works like this:

• A web browser requests a page, and the server runs PHP code to build it.
• PHP asks Memcached for the page’s data via a Memcached extension.
• If the data is cached, it is sent back to PHP.
• If it isn’t cached, Memcached sends the query to the database, returns the data to PHP, and stores it for the next request.

When its allocated storage is full, the cache discards the least recently used (LRU) data. Items in the cache also have an expiry date so that stale data is removed.

Now that we understand what Memcached does, let’s see how to install and configure it on a cPanel web server that hosts PHP apps such as WordPress, Drupal, and Magento.

Install and Configure Memcached in cPanel

Before we begin, let’s take a look at what we’ll be doing to get Memcached up and running with PHP applications hosted on your server. The plan is to:

1. Install the Memcached daemon (a daemon is software that runs in the background).
2. Configure the daemon to work securely. The default configuration is not secure.
3. Install the EasyApache4 Memcached PHP extensions.
4. Test to make sure it’s working as expected.
5. Configure PHP apps to use the cache.

First, we’ll install the Memcached daemon, the software that caches PHP objects in memory. Log in to your server with SSH and run the following as the root user:

yum install memcached

Next, we’ll register Memcached with CentOS’s Systemd service manager so that we can control when it starts and stops.

systemctl enable memcached

Creating a Secure Memcached Configuration

Memcached lacks built-in security features, which is why it’s not a good idea to use it on shared hosting platforms. Its default configuration accepts connections from everyone on the internet, a vulnerability frequently exploited in distributed denial of service attacks. We’ll add some startup options to create a more secure configuration.

Open the config file in your preferred text editor.

nano /etc/sysconfig/memcached

Edit the last line of the file so that it reads:

OPTIONS=”-l 127.0.0.1 -U 0″

The “-l 127.0.0.1” option binds Memcached to the local network interface. The -U option disables the UDP protocol, which is commonly used in DDoS attacks.

While we have the configuration file open, we can also change the amount of memory available for caching. The default is 64 megabytes, but you can change it by editing the CACHESIZE option in this file. For example, to double the available memory, change the line to read:

CACHESIZE=”128″

Save the file, and we’re ready to start (or restart) the daemon with the secure configuration:

systemctl restart memcached

How to Install Memcached PHP Extensions in cPanel

We need to install the EasyApache4 Memcached PHP extensions. PHP doesn’t support Memcached natively, and the extensions allow them to work together. A couple of pieces of information will help you to understand what we’re about to do:

• There are two PHP Memcached extensions, confusingly called “memcached” and “memcache.” There are some differences, but they do essentially the same job. We’ll install both.
• PHP versions need a matching extension, so if you use multiple PHP versions on your server, you should install extensions for each one.

We could install the extensions on the command-line with “yum,” but it’s easier to install the right ones in WHM.

In the WHM sidebar menu, select EasyApache 4 in the Software section. Click the Customize button in Currently Installed Packages.

Select the PHP Extensions tab and search for “memcached”. cPanel shows you extensions for installed PHP versions. Click the switch on those you would like to install.

Select the Review tab, and then click the Provision button at the bottom of the page. cPanel will install the extensions and their dependencies.

With the extensions installed, return to your SSH session and restart memcached:

systemctl restart memcached

The building blocks are in place, and memcached should be ready to start caching, but let’s make sure that everything went as planned. First, we’ll verify that memcached is working with PHP.

ea-php73 -i | grep “memcached”

We’re asking the system’s EasyApache4 PHP 7.3 installation to display its internal configuration data and filtering the results with “grep” to extract the relevant lines. For different versions of PHP, replace the “73”. For example, if your apps use PHP 7.4, the command should start with “ea-php74”.

If all is well, PHP will print a lot of data, starting with lines that look like this:

To see similar information in your web browser, create a file called phpinfo.php in your domain’s public_html directory with the following contents:

<?php 
    phpinfo(); 
?>

Save the file and visit it in a browser tab.

http://example.com/phpinfo.php

Replace example.com with your domain. You should delete this file once you no longer need it. It contains information about your server that could reveal security vulnerabilities to bad actors.

If you’re curious how much information is cached and other statistics, you can find out with the command:

memcached-tool 127.0.0.1:11211 stats

However, we haven’t hooked any PHP applications up to the cache yet, so you won’t see much activity. Let’s fix that.

How to Configure PHP Apps to Work With Memcached

We have Memcached running on the server, but apps won’t use it until we tell them to. The process differs depending on the app, but Memcached extensions are available for most popular content management systems and ecommerce stores.

Follow the Memcached documentation for your PHP app or plugin. They may autodetect Memcached, and all you’ll have to do is turn caching on. However, you may need to enter the IP address and port the cache is connected to, which is 127.0.0.1:11211. The port is the part after the colon: 11211.

Memcached can significantly reduce the load on busy servers, helping server administrators to control hosting costs while accelerating PHP apps for an improved user experience. cPanel and WHM’s EasyApache4 PHP management tools make it easy to install and manage the extensions you need to use Memcached with PHP.

As always, if you have any feedback or comments, please let us know. We are here to help in the best ways we can. You’ll find us on Discord, the cPanel forums, and Reddit.

Online criminals love to target web servers, and they will exploit any security vulnerability to break into them, steal data, and misuse resources. cPanel & WHM includes many powerful security features to help server administrators keep criminals out, including a robust two-factor authentication (TFA) system.

What is Two-Factor Authentication?

Two-factor authentication enhances server security by asking users to provide a unique code, supplied by an app on their phone, when they log in.

When two-factor authentication is turned off, cPanel & WHM asks users to enter two pieces of information: a public username and a private password. If no one except the user knows the password, it proves they are who they claim to be. Password-based “one-factor” authentication is secure if the password is tough to guess and users really do keep it secret.

However, users sometimes create security vulnerabilities because they choose passwords that are easy to guess, store them insecurely, or share them with other people. TFA adds another authentication factor, a one-time code generated by an app that can’t be guessed or shared because it changes thousands of times a day. 

Entering the code proves the user has the mobile device with the app installed while logging in. They verify their identity with both “something they know,” the password, and “something they have,” the phone the app is installed on.

Two-factor authentication works because the authenticator app and cPanel & WHM share a secret key. cPanel creates the key, which is added to the app via a QR code or entered as a string of digits. With some complicated math, cPanel and the app can then simultaneously generate the same one-time code. When you log in, the codes are compared, and if they match, you’re authenticated.

Two-factor authentication is much more secure than password-based logins, but it is also less convenient. Your users will have to install an app and use it every time they log in. It’s up to the server administrator or hosting provider to decide whether the inconvenience is worth the increase in security.

What You’ll Need to Use Two-Factor Authentication with cPanel

To use two-factor authentication in cPanel, your hosting provider or server administrator must first activate and configure it in WHM. We’ll show you how to do that in the next section.

You will also need a two-factor authentication app to provide the one-time code. There are several available for mobile devices, including:

How to Activate Two-Factor Authentication in WHM

You will find the Two-Factor Authentication configuration page under Security in the WHM sidebar menu. It’s turned off by default, so first, we need to flip the switch to activate it.

The TFA page also includes management and configuration options:

• The Manage User tab is used to turn TFA on and off for cPanel users who have activated it.
• The Manage My Account tab allows you to configure TFA for your WHM user, but the process is identical in cPanel, so we’ll go into more detail in the next section.

In most cases, that’s all you have to do to make two-factor authentication available to cPanel & WHM users. However, if you previously disabled it in Feature Manager, you may need to re-enable it.

Navigate to the Feature Manager under Packages in the sidebar menu. Click edit with the Default list selected in the dropdown menu.

Search for Two-Factor Authentication, make sure the adjacent box is checked, and click the Save button.

How to Configure and Use and TFA in cPanel

When the TFA feature is activated in WHM, a new menu item is added to the Security section of cPanel’s main menu. This is where you will set up TFA for your user or turn it off if you decide you no longer need it.

Click the Set Up Two-Factor Authentication button, and you’ll be taken to a page with the information your mobile authenticator app needs, encoded as a QR code.

How you enter this information is different in each app, but you should look for a plus (+) button in the app’s interface and then select “scan barcode” or “scan QR code.“ Point your phone’s camera at the QR code, and the app will read it.

If your app can’t read the QR code, manually enter the Account and Key information displayed below the QR code.

Your app should display a six-digit code that changes every 30 seconds. To finalize the configuration, enter the code into the Security Code field at the bottom of the page and click Configure Two-Factor Authentication.

That’s it! Next time you log in to cPanel, you’ll be asked to supply a code from your app in addition to your username and password.

Two-factor authentication significantly reduces the likelihood of a server being compromised with shared or lost passwords. It also offers complete protection from password-guessing attacks, including automated brute-force and dictionary attacks. With cPanel & WHM, you can activate TFA in minutes, protecting your server’s resources and reducing the amount of time you spend supporting users with compromised hosting accounts.

As always, if you have any feedback or comments, please let us know. We are here to help in the best ways we can. You’ll find us on Discord, the cPanel forums, and Reddit.