Securing WordPress: Unprivileged LXC Container on Ubuntu

Closing Thoughts

In this long tutorial, we installed WordPress in an unprivileged container and configured our existing Apache to work as a reverse proxy that serves WordPress from within the container.

Security

  • We did not go through other important ways to further restrict the containers, namely setting up correct AppArmor or SELinux profiles. It is recommended that you look into this further.
  • There are other WordPress hardening techniques available online which are not mentioned here. Scripts and bots usually target your wp-admin directory, and there are methods to mask or protect this directory. It is recommended that you follow all best practices when managing your WordPress.

Maintenance

  • It is recommended to set up automatic backups so you are not at risk of losing all your articles.
  • We did not set up automatic restart of LXC. This means that if your server restarts, you will have to manually restart LXC or your blog will be inaccessible. I looked into this a little but had trouble getting autostart to work. You can set up autostart by adding lxc.start.auto = 1 to /home/lxc/.local/share/lxc/blog.warmwolf.com/config, where blog.warmwolf.com is the name of the container. Running lxc-autostart should then start our container automatically, but this will not work if we are not logged in as lxc. You need to investigate the use of a service to launch lxc-autostart as the user lxc at boot time. Further reading: references 1 and 2.
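
The config change described above, as an added example that is not part of the original tutorial: a shell function (the name enable_autostart is hypothetical) that sets lxc.start.auto = 1 idempotently, replacing any existing active value and leaving commented lines alone. It only edits the config file; launching lxc-autostart as the user lxc at boot is still the open problem noted above.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# enable_autostart [CONFIG]: make sure CONFIG holds exactly one active
# "lxc.start.auto = 1" line. The default path is the one used in this tutorial.
enable_autostart() {
    conf="${1:-/home/lxc/.local/share/lxc/blog.warmwolf.com/config}"
    [ -f "$conf" ] || { echo "no such config: $conf" >&2; return 2; }

    # Count active (uncommented) lxc.start.auto lines, and how many equal 1.
    # grep -c exits 1 on a zero count, so "|| true" keeps this safe under set -e.
    key='^[[:space:]]*lxc\.start\.auto[[:space:]]*='
    total=$(grep -Ec "$key" "$conf" || true)
    on=$(grep -Ec "${key}[[:space:]]*1[[:space:]]*\$" "$conf" || true)

    # Already correct: leave the file untouched.
    if [ "$total" -eq 1 ] && [ "$on" -eq 1 ]; then
        return 0
    fi

    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # Drop every active lxc.start.auto line (covers "= 0" and duplicates),
    # keep everything else including comments, then append the wanted line.
    # awk always terminates the last line, so the append cannot fuse with it.
    awk '!/^[ \t]*lxc\.start\.auto[ \t]*=/' "$conf" > "$tmp"
    printf 'lxc.start.auto = 1\n' >> "$tmp"

    # Keep a backup, then write in place so the owner (the lxc user) and the
    # permissions of the original config are preserved.
    cp -p "$conf" "${conf}.bak" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage, run as the user that owns the container:
#   enable_autostart /home/lxc/.local/share/lxc/blog.warmwolf.com/config
```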

Personal Circumstances

Unfortunately, as I am running the container on a shared server, the container can be slow when the server experiences high load. Reliability issues are what led me to change the architecture completely. I currently run WordPress without containerisation on a separate server. This should keep security breaches reasonably contained and not affect my primary server. However, containerising WordPress is definitely a possible and feasible way of adding another layer of security to your server.

Thanks for going through this tutorial! Hope it helps. Feel free to share your thoughts and ideas in the comment box below!

References

  1. https://forum.level1techs.com/t/lxc-unprivileged-autostart-in-debian-stretch/123709/2
  2. https://serverfault.com/questions/620709/how-to-auto-start-unprivileged-lxc-containers
