In this long tutorial, we installed WordPress in an unprivileged container and configured our existing Apache to work as a reverse proxy that serves WordPress from within the container.
- We did not go through other important ways to further restrict the containers, namely setting up correct AppArmor or SELinux profiles. It is recommended that you further look into this.
- There are other WordPress hardening techniques available online which are not mentioned here. Scripts and bots usually target your `wp-admin` directory, and there are methods to mask or protect this directory. It is recommended that you follow through all best practices when managing your WordPress.
- It is recommended to set up automatic backups so you are not at risk of losing all your articles.
- We did not set up automatic restart of LXC. This means that if your server restarts, you will have to manually restart LXC or your blog will be inaccessible. I looked into this a little but had trouble getting autostart to work. You can set up autostart by adding `lxc.start.auto = 1` to the configuration of the container (`blog.warmwolf.com` is the name of the container). Running `lxc-autostart` should start our container automatically, but if we are not logged in as `lxc`, this will not work. You need to investigate the use of a service to launch `lxc-autostart` as the user `lxc` at boot time. More readings: 1 2
Unfortunately, as I am running the container on a shared server, the container can be slow when the server experiences high load. Reliability issues are what led me to change the architecture completely. I currently run WordPress without containerisation on a separate server. This should keep security breaches reasonably contained and not affect my primary server. However, containerising WordPress is definitely a possible and feasible way of adding another layer of security to your server.
Thanks for going through this tutorial! Hope it helps. Feel free to share your thoughts and ideas in the comment box below!