Apache currently remains the leading web server software in the world with a 45.8% market share. That ends up being about 80 million websites whose web servers are powered by Apache. Pretty impressive, right?
Apache is an open source web server software that has been around since 1995, so that alone speaks volumes to its reliability and longevity. Then there are the high-profile websites that run on Apache servers: Apple, Adobe, and Paypal are just a few of the major brands that entrust their websites to Apache.
Of course, that doesn’t make Apache 100% secure as no software will ever be 100% safe from hackers, especially when it’s such a well-known and trusted platform (much like WordPress). But if you’re looking for an apache security PDF eBook, module, guide, tutorial, framework or web server security checklist, you’ve come to the right place.
If you want to harden your Apache security or are having any apache security issues or trying to patch a vulnerability or two, the following checklist will provide you with 14 security best practices to add to your website’s security plan.
The Ultimate Apache Security Best Practices Checklist
For those of you who want to truly fortify your WordPress website, securing Apache as you would any of the other software that hooks into and powers your website is essential. Failing to do so can even affect your site’s speed. So, here’s how you will do it:
1. Update Apache
You know how WordPress and any plugins and themes you’ve installed need to be updated regularly? So too does your web server.
If you’re nervous that your site isn’t running on the most current version of Apache, you can check it with an httpd -v command line. If the version outputted doesn’t match the current one from Apache, you can update it with the following:
# yum update httpd
# apt-get install [add Apache version here]c
2. Turn on Logs
If you’re working with a managed WordPress hosting provider, they’ll take care of monitoring your server and WordPress for vulnerabilities and other warning signs. That said, you should keep an eye on your server traffic as well.
With Apache, you can gain access to this activity log by updating your mod_log_config module. Basically, it will tell you what users do whenever they touch your server.
3. Get an SSL Certificate
Because your web server handles all browser/server requests to your website, it’s important to secure it with an SSL certificate. The good news is that you can now get an SSL certificate for free. This is more important now than ever, so if you don’t have the technical ability to install this yourself, any quality hosting provider will be able to do it for you.
4. Add a Firewall
In addition to the added protection of the SSL’s encryption, your web server should be fortified with a firewall. For Apache, this means turning on ModSecurity.
To install it on your server, you can execute the following:
# yum install mod_security
# /etc/init.d/httpd restart
Once the firewall is live, it will prevent a number of malicious activities from reaching your server, like SQL injection, session hijacking, and cross-site scripting.
5. Install mod_evasive
Mod_evasive is the module that will protect your Apache server from brute force and DDoS attacks, so make sure this is enabled as well. It will blacklist concurrent and failed login attempts as well as monitor for malicious IPs.
6. Set HTTP Limits
Distributed denial of service (DDoS) attacks are pretty simple to block if you know what sort of actions to watch for. Since DDoS tend to happen by repeatedly hitting your server with large requests, your goal should be to set limits that prevent this from happening.
Here are some of the limits you’ll want to establish:
- KeepAlive=on
- KeepAliveTimeout
- LimitRequestBody
- LimitRequestFields
- LimitRequestFieldSize
- LimitRequestLine
- LimitXMLRequestBody
- MaxClients
- MaxKeepAliveRequests
- MaxRequestWorkers
- RequestReadTimeout
- TimeOut
7. Delete Unused Modules
By leaving unused, unmaintained, or expired modules on your Apache server, you’re leaving your site open to hackers through a point of entry that doesn’t even need to be there.
The first thing you should do is find out which modules are actually active. You can do this by using a LoadModule command. Once you’ve sifted through the list and identified which modules you don’t need, simply add the “#” symbol before each module you want to deactivate and then restart.
8. Change Default User and Group
Default settings and users left on any software, in general, is a bad security practice. The reason for this is simple: if you’re using the Apache default user or group name, you can bet hackers are aware of what those default names are as well.
Rather than leave the defaults in place, you should create a new non-privileged account to run your Apache processes through. Using # groupadd and # useradd commands, you can set the new entities. Just remember to update your httpd.conf with the new user and group names you’ve created.
9. Block Directory Access
Here is another example of default settings that need to be changed. In this case, it’s the access granted to your directory’s files which allows anyone to explore wherever they’d like.
To put a total block in place, use the following command:
<Directory "/">
Require all denied
</Directory>
If you want to enable access to certain users, you can do so with this:
<Directory "/usr/users/*/public_html">
Require all granted
</Directory>
If you want to enable access to certain folders within the directory, you can do so with this:
<Directory "/usr/local/httpd">
Require all granted
</Directory>
You may also want to peruse the Apache module repository for further tweaking of user access rights.
10. Don’t Publish the Directory
Did you know that if your server doesn’t have an index file that users will be able to see all the content you have stored in your root directory? That’s obviously not good, so you’ll need to disable this default setting with the following:
<Directory /var/www/html>
Options -Indexes
</Directory>
11. Hide Server Details
Because Apache is an open source software, details about the version used are readily available if these settings are not disabled server-side. Since hackers can use that sensitive information to figure out how to break into your server, you’ll want to block this information out.
There are two things you’ll want to disable:
- ServerSignature – which is the version of Apache
- ServerTokens – which includes the OS version, among other sensitive server details
This information can be found by other users simply by viewing an error page on your website, so it’s pretty important to block this from being shown. To do this, update the httpd.conf with the following:
ServerSignature Off
ServerTokens Prod
12. Hide the ETag
The ETag header in Apache, unfortunately, includes a number of sensitive details about your server. Obviously, anything that shares that sort of information with the outside world should be hidden. Additionally, if you’re running an e-commerce website, you’ll need to hide this in order to be PCI compliant.
To do this, add the following directive to your httpd.conf:
FileETag None
13. Disable .htaccess Override
The .htaccess is an important file for any WordPress website. This is why you need to lock it down and ensure that no one else can override your configuration settings.
To disable this, add the following to your httpd.conf at the root:
<Directory />
Options -Indexes
AllowOverride None
</Directory>
14. Disable SSI and CGI
Server Side Includes (SSI)-enabled files can open your site up to a number of security problems if left unchecked. Same goes for CGI scripts. In order to prevent either of these from empowering hackers to overload your server or inject malicious scripts into your code, remember to turn them off or restrict what they do through the Options directive.
Here are some Options values you can use:
- Options All
- Options IncludesNOEXEC
- Options -Includes
- Options -ExecCGI
- Options -Includes -ExecCGI
- Options MultiViews
Taking Care of Your Apache Server
In an effort to harden your website’s security, pay special attention to your Apache server. Issues like server misconfiguration and leaving default settings in place can put your site at risk just as much as an un-updated core or unsafe PHP coding practices can.
Want to give your feedback or join the conversation? Add your comments 🐦 on Twitter.
