Firewall

I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.

October 27, 2018 by Simon

I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance. Here is what I did to set up a complete Ubuntu 18.04 system (NGINX, PHP, MySQL, WordPress etc). This is not a paid review (just me documenting my steps over 2 days).

Background (CPanel hosts)

In 1999 I hosted my first domain (www.fearby.com) on a host in Seattle (for $10 USD a month), the host used CPanel and all was good. After a decade I was using the domain more for online development and the website was now too slow (I think I was on dial-up or ADSL 1 at the time). I moved my domain to an Australian host (for $25 a month).

After 8 years the domain host was sold and performance remained mediocre. After another year the new host was sold again and performance was terrible.

Page load times were near 30 seconds.

I started receiving Resource Limit Is Reached warnings (basically this was a plot by the new CPanel host to say “Pay us more and this message will go away”).

The straw that broke the camel’s back was their demand of $150/year for a dodgy SSL certificate.

I needed to move to a self-managed server where I was in control.

Buying a Domain Name

Buy a domain name from Namecheap here.

Self Managed Server

I found a good web IDE ( http://www.c9.io/ ) that allowed me to connect to a cloud VM. C9 allowed me to open many files and terminal windows and reconnect to them later. Don’t get excited, though, as AWS have purchased C9 and it’s not the same.

C9 IDE

I spun up a Digital Ocean Server at the closest data centre in Singapore. Here was my setup guide creating a Digital Ocean VM, connecting to it with C9 and configuring it. I moved my email to G Suite and moved my WordPress to Digital Ocean (other guides here and here).

I was happy since I could now send emails via CLI/code, set up free SSL certs, add second domain email to G Suite and Secure G Suite. No more usage limit errors either.

Self-managing servers requires more work but it is more rewarding (flexible, faster and cheaper). Page load times were now near 20 seconds (10-second improvement).

Latency Issue

Over 6 months, performance on Digital Ocean (in Singapore) from Australia started to drop (mentioned here). I tried upgrading the memory but that did not help (latency was king).

Moved the website to Australia

I moved my domain to Vultr in Australia (guide here and here). All was good for a year until traffic growth started to increase.

I tried upgrading the memory on Vultr and I setup PHP child workers, setup Cloudflare.

GT Metrix scores were about a “B” and Google Page Speed Scores were in the lower 40’s. Page loads were about 14 seconds (5-second improvement).

Tweaking WordPress

I set up an image compression plugin in WordPress then set up a cloud image compression and CDN Plugin from the same vendor. Page Speed info here.

GT Metrix scores were now occasionally an “A” and Page Speed Scores were in the lower 20’s. Page loads were about 3-5 seconds (10-second improvement).

Mixed bag from Vultr (more optimisation and performance improvements were needed).

Google Chrome Developer Console Audit Results on Vultr hosted website were not very good (I stopped checking as nothing helped).

The problem was the Vultr server (400km away in Sydney) was offline (my issue) and everything above (adding more memory, adding 2x CDN’s (EWWW and Cloudflare), adding PHP Child workers etc) did not seem to help???

Enter UpCloud…

Recently, a friend sent a link to a blog article about a host called “UpCloud” who promised “Faster than SSD” performance. This can’t be right: “Faster than SSD”? I was intrigued. I wanted to check it out as I thought nothing was faster than SSD (well, maybe RAM).

I signed up for a trial and ran a disk IO test (read the review here) and I was shocked. It’s fast. Very fast.

Summary: UpCloud was twice as fast (Disk IO and CPU) as Vultr (+ an optional $4/m firewall and $3/m for 1x backup).

fyi: Labels above are K Bytes per second. iozone loops through all file sizes from 4 KB to 16,348 KB and measures through the reads per second. To be honest, the meaning of the numbers doesn’t interest me, I just want to compare apples to apples.

(image snip from http://www.iozone.org/ which explains the numbers)

I might have to copy my website on UpCloud and see how fast it is.

Where to Deploy and Pricing

UpCloud Pricing: https://www.upcloud.com/pricing/

UpCloud does not have a data centre in Australia yet so why choose UpCloud?

Most of my site’s visitors are based in the US and UpCloud have disk IO twice as fast as Vultr (win-win?). I could deploy to Chicago?

My site’s traffic is growing and I need to ensure the site is fast enough in the future.

Creating an UpCloud VM

I used a friend’s referral code and signed up to create my first VM.

FYI: use my Referral code and get $25 free credit. Sign up only takes 2 minutes.

https://www.upcloud.com/register/?promo=D84793

When you click the link above you will receive 25$ to try out serves for 3 days. You can exit his trail and deposit $10 into UpCloud.

Trial Limitations

The trial mode restrictions are as following:

* Cloud servers can only be accessed using SSH, RDP, HTTP or HTTPS protocols
* Cloud servers are not allowed to send outgoing e-mails or to create outbound SSH/RDP connections
* The internet connection is restricted to 100 Mbps (compared to 500 Mbps for non-trial accounts)
* After your 72 hours free trial, your services will be deleted unless you make a one-time deposit of $10

UpCloud Links

The UpCloud support page is located here: https://www.upcloud.com/support/

More UpCloud links to read:

Signing up to UpCloud

Navigate to https://upcloud.com/signup and add your username, password and email address and click signup.

Add your address and payment details and click proceed (you don’t need to pay anything ($1 may be charged and instantly refunded to verify the card)

That’s it, check yout email.

Look for the UpCloud email and click https://my.upcloud.com/

Now login

Now I can see a dashboard 🙂

I was happy to see 24/7 support is available.

I opted in for the new dashboard

Deploy My First UpCloud Server

This is how I deployed a server.

Note: If you are going to deploy a server consider using my referral code and get $25 credit for free.

Under the “deploy a server” widget I named the server and chose a location (I think I was supposed to use an FQDN name -e.g., “fearby.com”). The deployment worked though. I clicked continue, then more options were made available:

Enter a short server description.
Choose a location (Frankfurt, Helsinki, Amsterdam, Singapore, London and Chicago)
Choose the number of CPU’s and amount of memory
Specify disk number/names and type (MaxIOPS or HDD).
Choose an Operating System
Select a Timezone
Define SSH Keys for access
Allowed login methods
Choose hardware adapter types
Where the send the login password

FYI: How to generate a new SSH Key (on OSX or Ubuntu)

ssh-keygen -t rsa

1	ssh-keygen -t rsa

Output

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /temp/example_rsa
Enter passphrase (empty for no passphrase): *********************************
Enter same passphrase again:*********************************
Your identification has been saved in /temp/example_rsa.
Your public key has been saved in /temp/example_rsa.pub.
The key fingerprint is:
SHA256:########################### user@sever
Outputted public and private key

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa): /temp/example_rsa

Enter passphrase (empty for no passphrase): *********************************

Enter same passphrase again:*********************************

Your identification has been saved in /temp/example_rsa.

Your public key has been saved in /temp/example_rsa.pub.

The key fingerprint is:

SHA256:########################### user@sever

Outputted public and private key

Did the key export? (yes)

> /temp# ls /temp/ -al
> drwxr-xr-x 2 root root 4096 Jun 9 15:33 .
> drwxr-xr-x 27 root root 4096 Jun 8 14:25 ..
> -rw——- 1 user user 1766 Jun 9 15:33 example_rsa
> -rw-r–r– 1 user user 396 Jun 9 15:33 example_rsa.pub

“example_rsa” is the private key and “example_rsa.pub “is the public key.

The public key needs to be added to the server to allow access.
The private key needs to be added to any local ssh program used for remote access.

Initialisation script (after deployment)

I was pleased to see an initialization script section that calls actions after the server is deployed. I configured the initialisation script to pull down a few GB of backups from my Vultr website in Sydney (files now removed).

This was my Initialisation script:

#!/bin/bash
echo "Downloading the Vultr websites backups"
mkdir /backup
cd /backup
wget -o www-mysql-backup.sql https://fearby.com/.../www-mysql-backup.sql
wget -o www-blog-backup.zip https://fearby.com/.../www-blog-backup.zip

#!/bin/bash

echo "Downloading the Vultr websites backups"

mkdir /backup

cd /backup

wget -o www-mysql-backup.sql https://fearby.com/.../www-mysql-backup.sql

wget -o www-blog-backup.zip https://fearby.com/.../www-blog-backup.zip

Confirm and Deploy

I clicked “Confirm and deploy” but I had an alert that said trial mode can only deploy servers up to 1024MB of memory.

Exiting UpCloud Trial Mode

I opened the dashboard and clicked My Account then Billing, I could see the $25 referral credit but I guess I can’t use that in Trial.

I exited trial mode by depositing $10 (USD).

Make a manual 1-time deposit of $10 to exit trial mode.

FYI: Server prices are listed below (or view prices here).

Now I can go back and deploy the server with the same settings above (1x CPU, 2GB Memory, Ubuntu 18.04, MaxIOPS Storage etc)

Deployment takes a few minutes and depending on how you specified a password may be emailed to you.

UpCloud Server Deployed

The server is now deployed; now I can connect to it with my SSH program (vSSH). Simply add the server’s IP, username, password and the SSH private key (generated above) to your ssh program of choice.

fyi: The public key contents start with “ssh-rsa”.

I noticed that the initialisation script downloaded my 2+GB of files already. Nice.

UpCloud Billing Breakdown

I can now see on the UpCloud billing page in my dashboard that credit is deducted daily (68c); at this rate, I have 49 days credit left?

I can manually deposit funds or set up automatic payments at any time 🙂

UpCloud Backup Options

You do not need to setup backups but in case you want to roll back (if things stuff up), it is a good idea. Backups are an additional charge.

I have set up automatic daily backups with an auto deletion after 2 days

To view backup scheduled click on your deployed server then click backup

Note: Backups are charged at $0.056 for every GB stored – so $5.60 for every 100GB per month (half that for 50GB etc)

You can take manual backups at any time (and only be charged for the hour)

UpCloud Firewall Options

I set up a firewall at UpCloud to only allow the minimum number of ports (UpCloud DNS, HTTP, HTTPS and My IP to port 22). The firewall feature is charged at $0.0056 an hour ($4.03 a month)

I love the ability to set firewall rules on incoming, destination and outgoing ports.

To view your firewall click on your deployed server then click firewall

Update: I modified my firewall to allow inbound ICMP (IPv4/IPv6) and UDP (IPv4/IPv6) packets.

(Note: Old firewall screenshot)

Because my internet provider has a dynamic IP, I set up a VPN with a static IP and whitelisted it for backdoor access.

Local Ubuntu ufw Firewall

I duplicated the rules in my local ufw (2nd level) firewall (and blocked mail)

sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80                         ALLOW IN    Anywhere
[ 2] 443                        ALLOW IN    Anywhere
[ 3] 25                         DENY OUT    Anywhere                   (out)
[ 4] 53                         ALLOW IN    93.237.127.9
[ 5] 53                         ALLOW IN    93.237.40.9
[ 6] 22                         ALLOW IN    REMOVED (MY WHITELISTED IP))
[ 7] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 8] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 9] 25 (v6)                    DENY OUT    Anywhere (v6)              (out)
[10] 53                         ALLOW IN    2a04:3540:53::1
[11] 53                         ALLOW IN    2a04:3544:53::1

sudo ufw status numbered

Status: active

To Action From

-- ------ ----

[ 1] 80 ALLOW IN Anywhere

[ 2] 443 ALLOW IN Anywhere

[ 3] 25 DENY OUT Anywhere (out)

[ 4] 53 ALLOW IN 93.237.127.9

[ 5] 53 ALLOW IN 93.237.40.9

[ 6] 22 ALLOW IN REMOVED (MY WHITELISTED IP))

[ 7] 80 (v6) ALLOW IN Anywhere (v6)

[ 8] 443 (v6) ALLOW IN Anywhere (v6)

[ 9] 25 (v6) DENY OUT Anywhere (v6) (out)

[10] 53 ALLOW IN 2a04:3540:53::1

[11] 53 ALLOW IN 2a04:3544:53::1

UpCloud Download Speeds

I pulled down a 1.8GB Ubuntu 18.08 Desktop ISO 3 times from gigenet.com and the file downloaded in 32 seconds (57MB/sec). Nice.

$/temp# wget http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso
--2018-06-08 18:02:04-- http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso
Resolving mirrors.gigenet.com (mirrors.gigenet.com)... 69.65.15.34
Connecting to mirrors.gigenet.com (mirrors.gigenet.com)|69.65.15.34|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1921843200 (1.8G) [application/x-iso9660-image]
Saving to: 'ubuntu-18.04-desktop-amd64.iso'

ubuntu-18.04-desktop-amd64.iso 100%[==================================================================>] 1.79G 57.0MB/s in 32s

2018-06-08 18:02:37 (56.6 MB/s) - 'ubuntu-18.04-desktop-amd64.iso' saved [1921843200/1921843200]

$/temp# wget http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso
--2018-06-08 18:02:46-- http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso
Resolving mirrors.gigenet.com (mirrors.gigenet.com)... 69.65.15.34
Connecting to mirrors.gigenet.com (mirrors.gigenet.com)|69.65.15.34|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1921843200 (1.8G) [application/x-iso9660-image]
Saving to: 'ubuntu-18.04-desktop-amd64.iso.1'

ubuntu-18.04-desktop-amd64.iso.1 100%[==================================================================>] 1.79G 57.0MB/s in 32s

2018-06-08 18:03:19 (56.6 MB/s) - 'ubuntu-18.04-desktop-amd64.iso.1' saved [1921843200/1921843200]

$/temp# wget http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso
--2018-06-08 18:03:23-- http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso
Resolving mirrors.gigenet.com (mirrors.gigenet.com)... 69.65.15.34
Connecting to mirrors.gigenet.com (mirrors.gigenet.com)|69.65.15.34|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1921843200 (1.8G) [application/x-iso9660-image]
Saving to: 'ubuntu-18.04-desktop-amd64.iso.2'

ubuntu-18.04-desktop-amd64.iso.2 100%[==================================================================>] 1.79G 57.0MB/s in 32s

2018-06-08 18:03:56 (56.8 MB/s) - 'ubuntu-18.04-desktop-amd64.iso.2' saved [1921843200/1921843200]

$/temp# wget http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso

--2018-06-08 18:02:04-- http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso

Resolving mirrors.gigenet.com (mirrors.gigenet.com)... 69.65.15.34

Connecting to mirrors.gigenet.com (mirrors.gigenet.com)|69.65.15.34|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1921843200 (1.8G) [application/x-iso9660-image]

Saving to: 'ubuntu-18.04-desktop-amd64.iso'

ubuntu-18.04-desktop-amd64.iso 100%[==================================================================>] 1.79G 57.0MB/s in 32s

2018-06-08 18:02:37 (56.6 MB/s) - 'ubuntu-18.04-desktop-amd64.iso' saved [1921843200/1921843200]

$/temp# wget http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso

--2018-06-08 18:02:46-- http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso

Resolving mirrors.gigenet.com (mirrors.gigenet.com)... 69.65.15.34

Connecting to mirrors.gigenet.com (mirrors.gigenet.com)|69.65.15.34|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1921843200 (1.8G) [application/x-iso9660-image]

Saving to: 'ubuntu-18.04-desktop-amd64.iso.1'

ubuntu-18.04-desktop-amd64.iso.1 100%[==================================================================>] 1.79G 57.0MB/s in 32s

2018-06-08 18:03:19 (56.6 MB/s) - 'ubuntu-18.04-desktop-amd64.iso.1' saved [1921843200/1921843200]

$/temp# wget http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso

--2018-06-08 18:03:23-- http://mirrors.gigenet.com/ubuntu/18.04/ubuntu-18.04-desktop-amd64.iso

Resolving mirrors.gigenet.com (mirrors.gigenet.com)... 69.65.15.34

Connecting to mirrors.gigenet.com (mirrors.gigenet.com)|69.65.15.34|:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1921843200 (1.8G) [application/x-iso9660-image]

Saving to: 'ubuntu-18.04-desktop-amd64.iso.2'

ubuntu-18.04-desktop-amd64.iso.2 100%[==================================================================>] 1.79G 57.0MB/s in 32s

2018-06-08 18:03:56 (56.8 MB/s) - 'ubuntu-18.04-desktop-amd64.iso.2' saved [1921843200/1921843200]

Install Common Ubuntu Packages

I installed common Ubuntu packages.

apt-get install zip htop ifstat iftop bmon tcptrack ethstatus speedometer iozone3 bonnie++ sysbench siege tree tree unzip jq jq ncdu pydf ntp rcconf ufw iperf nmap iozone3

1	apt-get install zip htop ifstat iftop bmon tcptrack ethstatus speedometer iozone3 bonnie++ sysbench siege tree tree unzip jq jq ncdu pydf ntp rcconf ufw iperf nmap iozone3

Timezone

I checked the server’s time (I thought this was auto set before I deployed)?

$hwclock --show
2018-06-06 23:52:53.639378+0000

1 2	$hwclock --show 2018-06-06 23:52:53.639378+0000

I reset the time to Australia/Sydney.

dpkg-reconfigure tzdata
Current default time zone: 'Australia/Sydney'
Local time is now: Thu Jun 7 06:53:20 AEST 2018.
Universal Time is now: Wed Jun 6 20:53:20 UTC 2018.

dpkg-reconfigure tzdata

Current default time zone: 'Australia/Sydney'

Local time is now: Thu Jun 7 06:53:20 AEST 2018.

Universal Time is now: Wed Jun 6 20:53:20 UTC 2018.

Now the timezone is set 🙂

Shell History

I increased the shell history.

HISTSIZEH =10000
HISTCONTROL=ignoredups

1 2	HISTSIZEH =10000 HISTCONTROL=ignoredups

SSH Login

I created a ~/.ssh/authorized_keys file and added my SSH public key to allow password-less logins.

mkdir ~/.ssh
sudo nano ~/.ssh/authorized_keys

1 2	mkdir ~/.ssh sudo nano ~/.ssh/authorized_keys

I added my pubic ssh key, then exited the ssh session and logged back in. I can now log in without a password.

Install NGINX

apt-get install nginx

1	apt-get install nginx

nginx/1.14.0 is now installed.

A quick GT Metrix test.

Install MySQL

Run these commands to install and secure MySQL.

apt install mysql-server
mysql_secure_installation

1 2	apt install mysql-server mysql_secure_installation

Securing the MySQL server deployment.
> Would you like to setup VALIDATE PASSWORD plugin?: n
> New password: **********************************************
> Re-enter new password: **********************************************
> Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
> Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
> Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
> Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
> Success.

I disabled the validate password plugin because I hate it.

MySQL Ver 14.14 Distrib 5.7.22 is now installed.

Set MySQL root login password type

Set MySQL root user to authenticate via “mysql_native_password”. Run the “mysql” command.

mysql
SELECT user,authentication_string,plugin,host FROM mysql.user;
+------------------+-------------------------------------------+-----------------------+-----------+
| user | authentication_string | plugin | host |
+------------------+-------------------------------------------+-----------------------+-----------+
| root | | auth_socket | localhost |
| mysql.session | hiddden | mysql_native_password | localhost |
| mysql.sys | hiddden | mysql_native_password | localhost |
| debian-sys-maint | hiddden | mysql_native_password | localhost |
+------------------+-------------------------------------------+-----------------------+----------

mysql

SELECT user,authentication_string,plugin,host FROM mysql.user;

+------------------+-------------------------------------------+-----------------------+-----------+

+------------------+-------------------------------------------+-----------------------+-----------+

+------------------+-------------------------------------------+-----------------------+----------

Now let’s set the root password authentication method to “mysql_native_password”

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '*****************************************';
Query OK, 0 rows affected (0.00 sec)

1 2	ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY '*****************************************'; Query OK, 0 rows affected (0.00 sec)

Check authentication method.

mysql> SELECT user,authentication_string,plugin,host FROM mysql.user;
+------------------+-------------------------------------------+-----------------------+-----------+
| user | authentication_string | plugin | host |
+------------------+-------------------------------------------+-----------------------+-----------+
| root | ######################################### | mysql_native_password | localhost |
| mysql.session | hiddden | mysql_native_password | localhost |
| mysql.sys | hiddden | mysql_native_password | localhost |
| debian-sys-maint | hiddden | mysql_native_password | localhost |
+------------------+-------------------------------------------+-----------------------+-----------+

mysql> SELECT user,authentication_string,plugin,host FROM mysql.user;

+------------------+-------------------------------------------+-----------------------+-----------+

+------------------+-------------------------------------------+-----------------------+-----------+

+------------------+-------------------------------------------+-----------------------+-----------+

Now we need to flush permissions.

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

1 2	mysql> FLUSH PRIVILEGES; Query OK, 0 rows affected (0.00 sec)

Done.

Install PHP

Install PHP 7.2

apt-get install software-properties-common
add-apt-repository ppa:ondrej/php
apt-get update
apt-get install -y php7.2
php -v

apt-get install software-properties-common

add-apt-repository ppa:ondrej/php

apt-get update

apt-get install -y php7.2

php -v

PHP 7.2.5, Zend Engine v3.2.0 with Zend OPcache v7.2.5-1 is now installed. Do update PHP frequently.

I made the following changes in /etc/php/7.2/fpm/php.ini

> cgi.fix_pathinfo=0
> max_input_vars = 1000
> memory_limit = 1024M
> max_file_uploads = 20M
> post_max_size = 20M

Install PHP Modules

sudo apt-get install php-pear php7.2-curl php7.2-dev php7.2-mbstring php7.2-zip php7.2-mysql php7.2-xml

Install PHP FPM

apt-get install php7.2-fpm

1	apt-get install php7.2-fpm

Configure PHP FPM config.

Edit /etc/php/7.2/fpm/php.ini

> cgi.fix_pathinfo=0
> max_input_vars = 1000
> memory_limit = 1024M
> max_file_uploads = 20M
> post_max_size = 20M

Reload php sudo service.

php7.2-fpm restart service php7.2-fpm status

1	php7.2-fpm restart service php7.2-fpm status

Install PHP Modules

sudo apt-get install php-pear php7.2-curl php7.2-dev php7.2-mbstring php7.2-zip php7.2-mysql php7.2-xml

1	sudo apt-get install php-pear php7.2-curl php7.2-dev php7.2-mbstring php7.2-zip php7.2-mysql php7.2-xml

Configuring NGINX

If you are not comfortable editing NGINX config files read here, here and here.

I made a new “www root” folder, set permissions and created a default html file.

mkdir /www-root
chown -R www-data:www-data /www-root
echo "Hello World" >> /www-root/index.html

mkdir /www-root

chown -R www-data:www-data /www-root

echo "Hello World" >> /www-root/index.html

I edited the “root” key in “/etc/nginx/sites-enabled/default” file and set the root a new location (e.g., “/www-root”)

I added these performance tweaks to /etc/nginx/nginx.conf

> worker_cpu_affinity auto;
> worker_rlimit_nofile 100000

I add the following lines to “http {” section in /etc/nginx/nginx.conf

client_max_body_size 10M;

gzip on;
gzip_disable "msie6";
gzip_comp_level 5;
gzip_min_length 256;
gzip_vary on;
gzip_types
application/atom+xml
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
font/opentype
image/bmp
image/x-icon
text/cache-manifest
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
#text/html is always compressed by gzip module

gzip_proxied any;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss te$

client_max_body_size 10M;

gzip on;

gzip_disable "msie6";

gzip_comp_level 5;

gzip_min_length 256;

gzip_vary on;

gzip_types

application/atom+xml

application/ld+json

application/manifest+json

application/rss+xml

application/vnd.geo+json

application/vnd.ms-fontobject

application/x-font-ttf

application/x-web-app-manifest+json

application/xhtml+xml

font/opentype

image/bmp

image/x-icon

text/cache-manifest

text/vcard

text/vnd.rim.location.xloc

text/vtt

text/x-component

text/x-cross-domain-policy;

#text/html is always compressed by gzip module

gzip_proxied any;

gzip_buffers 16 8k;

gzip_http_version 1.1;

gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss te$

Check NGINX Status

service nginx status
* nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-06-07 21:16:28 AEST; 30min ago
Docs: man:nginx(8)
Main PID: # (nginx)
Tasks: 2 (limit: 2322)
CGroup: /system.slice/nginx.service
|- # nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
`- # nginx: worker process

service nginx status

* nginx.service - A high performance web server and a reverse proxy server

Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)

Active: active (running) since Thu 2018-06-07 21:16:28 AEST; 30min ago

Docs: man:nginx(8)

Main PID: # (nginx)

Tasks: 2 (limit: 2322)

CGroup: /system.slice/nginx.service

|- # nginx: master process /usr/sbin/nginx -g daemon on; master_process on;

`- # nginx: worker process

Install Open SSL that supports TLS 1.3

This is a work in progress. The steps work just fine for me on Ubuntu 16.04. but not Ubuntu 18.04.?

Installing Adminer MySQL GUI

I will use the PHP based Adminer MySQL GUI to export and import my blog from one server to another. All I needed to do is install it on both servers (simple 1 file download)

cd /utils
wget -o adminer.php https://github.com/vrana/adminer/releases/download/v4.6.2/adminer-4.6.2-mysql-en.php

1 2	cd /utils wget -o adminer.php https://github.com/vrana/adminer/releases/download/v4.6.2/adminer-4.6.2-mysql-en.php

Use Adminer to Export My Blog (on Vultr)

On the original server open Adminer (http) and..

Login with the MySQL root account
Open your database
Choose “Save” as the output
Click on Export

Save the “.sql” file.

I used Adminer on the UpCloud server to Import My Blog

FYI: Depending on the size of your database backup you may need to temporarily increase your upload and post sizes limits in PHP and NGINX before you can import your database.

Edit /etc/php/7.2/fpm/php.ini
> max_file_uploads = 100M
> post_max_size =100M

And Edit: /etc/nginx/nginx.conf
> client_max_body_size 100M;

Don’t forget to reload NGINX config and restart NGINX and PHP. Take note of the maximum allowed file size in the screenshot below. I temporarily increased my upload limits to 100MB in order to restore my 87MB blog.

Now I could open Adminer on my UpCloud server.

Create a new database
Click on the database and click Import
Choose the SQL file
Click Execute to import it

Don’t forget to create a user and assign permissions (as required – check your wp-config.php file).

Tip: Don’t forget to lower the maximum upload file size and max post size after you import your database,

Cloudflare DNS

I use Cloudflare to manage DNS, so I need to tell it about my new server.

You can get your server’s IP details from the UpCloud dashboard.

At Cloudflare update your DNS details to point to the server’s new IPv4 (“A Record”) and IPv6 (“AAAA Record”).

Domain Error

I waited an hour and my website was suddenly unavailable. At first, I thought this was Cloudflare forcing the redirection of my domain to HTTP (that was not yet set up).

I chatted with UpCloud chat on their webpage and they kindly assisted me to diagnose all the common issues like DNS values, DNS replication, Cloudflare settings and the error was pinpointed to my NGINX installation. All NGINX config settings were ok from what we could see? I uninstalled NGINX and reinstalled it (and that fixed it). Thanks UpCloud Support 🙂

Reinstalled NGINX

sudo apt-get purge nginx nginx-common

1	sudo apt-get purge nginx nginx-common

I reinstalled NGINX and reconfigured /etc/nginx/nginx.conf (I downloaded my SSL cert from my old server just in case).

Here is my /etc/nginx/nginx.conf file.

user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
error_log /var/log/nginx/www-nginxcriterror.log crit;

events {
        worker_connections 768;
        multi_accept on;
}

http {

        client_max_body_size 10M;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        server_tokens off;

        server_names_hash_bucket_size 64;
        server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/www-access.log;
        error_log /var/log/nginx/www-error.log;

        gzip on;

        gzip_vary on;
        gzip_disable "msie6";
        gzip_min_length 256;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

user www-data;

worker_processes auto;

worker_cpu_affinity auto;

pid /run/nginx.pid;

include /etc/nginx/modules-enabled/*.conf;

error_log /var/log/nginx/www-nginxcriterror.log crit;

events {

worker_connections 768;

multi_accept on;

}

http {

client_max_body_size 10M;

sendfile on;

tcp_nopush on;

tcp_nodelay on;

keepalive_timeout 65;

types_hash_max_size 2048;

server_tokens off;

server_names_hash_bucket_size 64;

server_name_in_redirect off;

include /etc/nginx/mime.types;

default_type application/octet-stream;

ssl_protocols TLSv1.1 TLSv1.2;

ssl_prefer_server_ciphers on;

access_log /var/log/nginx/www-access.log;

error_log /var/log/nginx/www-error.log;

gzip on;

gzip_vary on;

gzip_disable "msie6";

gzip_min_length 256;

gzip_proxied any;

gzip_comp_level 6;

gzip_buffers 16 8k;

gzip_http_version 1.1;

gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

include /etc/nginx/conf.d/*.conf;

include /etc/nginx/sites-enabled/*;

}

Here is my /etc/nginx/sites-available/default file (fyi, I have not fully re-setup TLS 1.3 yet so I commented out the settings)

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;#
server {
        root /www-root;

        # Listen Ports
        listen 80 default_server http2;
        listen [::]:80 default_server http2;
        listen 443 ssl default_server http2;
        listen [::]:443 ssl default_server http2;

        # Default File
        index index.html index.php index.htm;

        # Server Name
        server_name www.fearby.com fearby.com localhost;

        # HTTPS Cert
        ssl_certificate /etc/nginx/ssl-cert-path/fearby.crt;
        ssl_certificate_key /etc/nginx/ssl-cert-path/fearby.key;
        ssl_dhparam /etc/nginx/ssl-cert-path/dhparams4096.pem;

        # HTTPS Ciphers
        
        # TLS 1.2
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

        # TLS 1.3			#todo
        # ssl_ciphers 
        # ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DES-CBC3-SHA;
        # ssl_ecdh_curve secp384r1;

        # Force HTTPS
        if ($scheme != "https") {
                return 301 https://$host$request_uri;
        }

        # HTTPS Settings
        server_tokens off;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 30m;
        ssl_session_tickets off;
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
	#ssl_stapling on; 						# Requires nginx >= 1.3.7

        # Cloudflare DNS
        resolver 1.1.1.1 1.0.0.1 valid=60s;
        resolver_timeout 1m;

        # PHP Memory 
        fastcgi_param PHP_VALUE "memory_limit = 1024M";

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        location ~ .php$ {
            try_files $uri =404;
            # include snippets/fastcgi-php.conf;

            fastcgi_split_path_info ^(.+.php)(/.+)$;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;

            # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
            # fastcgi_pass 127.0.0.1:9000;
	    }

        location / {
            # try_files $uri $uri/ =404;
            try_files $uri $uri/ /index.php?q=$uri&$args;
            index index.php index.html index.htm;
            proxy_set_header Proxy "";
        }

        # Deny Rules
        location ~ /.ht {
                deny all;
        }
        location ~ ^/.user.ini {
            deny all;
        }
        location ~ (.ini) {
            return 403;
        }

        # Headers
        location ~* .(?:ico|css|js|gif|jpe?g|png|js)$ {
            expires 30d;
            add_header Pragma public;
            add_header Cache-Control "public";
        }

}

proxy_cache_path /tmp/nginx-cache keys_zone=one:10m;#

server {

root /www-root;

# Listen Ports

listen 80 default_server http2;

listen [::]:80 default_server http2;

listen 443 ssl default_server http2;

listen [::]:443 ssl default_server http2;

# Default File

index index.html index.php index.htm;

# Server Name

server_name www.fearby.com fearby.com localhost;

# HTTPS Cert

ssl_certificate /etc/nginx/ssl-cert-path/fearby.crt;

ssl_certificate_key /etc/nginx/ssl-cert-path/fearby.key;

ssl_dhparam /etc/nginx/ssl-cert-path/dhparams4096.pem;

# HTTPS Ciphers

# TLS 1.2

ssl_protocols TLSv1.2;

ssl_prefer_server_ciphers on;

ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

# TLS 1.3 #todo

# ssl_ciphers

# ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DES-CBC3-SHA;

# ssl_ecdh_curve secp384r1;

# Force HTTPS

if ($scheme != "https") {

return 301 https://$host$request_uri;

}

# HTTPS Settings

server_tokens off;

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 30m;

ssl_session_tickets off;

add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

add_header X-Frame-Options DENY;

add_header X-Content-Type-Options nosniff;

add_header X-XSS-Protection "1; mode=block";

#ssl_stapling on; # Requires nginx >= 1.3.7

# Cloudflare DNS

resolver 1.1.1.1 1.0.0.1 valid=60s;

resolver_timeout 1m;

# PHP Memory

fastcgi_param PHP_VALUE "memory_limit = 1024M";

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

location ~ .php$ {

try_files $uri =404;

# include snippets/fastcgi-php.conf;

fastcgi_split_path_info ^(.+.php)(/.+)$;

fastcgi_index index.php;

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

include fastcgi_params;

fastcgi_pass unix:/run/php/php7.2-fpm.sock;

# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

# fastcgi_pass 127.0.0.1:9000;

}

location / {

# try_files $uri $uri/ =404;

try_files $uri $uri/ /index.php?q=$uri&$args;

index index.php index.html index.htm;

proxy_set_header Proxy "";

}

# Deny Rules

location ~ /.ht {

deny all;

}

location ~ ^/.user.ini {

deny all;

}

location ~ (.ini) {

return 403;

}

# Headers

location ~* .(?:ico|css|js|gif|jpe?g|png|js)$ {

expires 30d;

add_header Pragma public;

add_header Cache-Control "public";

}

SSL Labs SSL Certificate Check

All good thanks to the config above.

Install WP-CLI

I don’t like setting up FTP to auto-update WordPress plugins. I use the WP-CLI tool to manage WordPress installations by the command line. Read my blog here on using WP-CLI.

Download WP-CLI

mkdir /utils
cd /utils
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar

mkdir /utils

cd /utils

curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar

Move WP-CLI to the bin folder as “wp”

chmod +x wp-cli.phar
sudo mv wp-cli.phar /usr/local/bin/wp

1 2	chmod +x wp-cli.phar sudo mv wp-cli.phar /usr/local/bin/wp

Test wp

wp --info
OS: Linux 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64
Shell: /bin/bash
PHP binary: /usr/bin/php7.2
PHP version: 7.2.5-1+ubuntu18.04.1+deb.sury.org+1
php.ini used: /etc/php/7.2/cli/php.ini
WP-CLI root dir: phar://wp-cli.phar
WP-CLI vendor dir: phar://wp-cli.phar/vendor
WP_CLI phar path: /www-root
WP-CLI packages dir:
WP-CLI global config:
WP-CLI project config:
WP-CLI version: 1.5.1

wp --info

OS: Linux 4.15.0-22-generic #24-Ubuntu SMP Wed May 16 12:15:17 UTC 2018 x86_64

Shell: /bin/bash

PHP binary: /usr/bin/php7.2

PHP version: 7.2.5-1+ubuntu18.04.1+deb.sury.org+1

php.ini used: /etc/php/7.2/cli/php.ini

WP-CLI root dir: phar://wp-cli.phar

WP-CLI vendor dir: phar://wp-cli.phar/vendor

WP_CLI phar path: /www-root

WP-CLI packages dir:

WP-CLI global config:

WP-CLI project config:

WP-CLI version: 1.5.1

Update WordPress Plugins

Now I can run “wp plugin update” to update all WordPress plugins

wp plugin update
Enabling Maintenance mode...
Downloading update from https://downloads.wordpress.org/plugin/wordfence.7.1.7.zip...
Unpacking the update...
Installing the latest version...
Removing the old version of the plugin...
Plugin updated successfully.
Downloading update from https://downloads.wordpress.org/plugin/wp-meta-seo.3.7.1.zip...
Unpacking the update...
Installing the latest version...
Removing the old version of the plugin...
Plugin updated successfully.
Downloading update from https://downloads.wordpress.org/plugin/wordpress-seo.7.6.1.zip...
Unpacking the update...
Installing the latest version...
Removing the old version of the plugin...
Plugin updated successfully.
Disabling Maintenance mode...
Success: Updated 3 of 3 plugins.
+---------------+-------------+-------------+---------+
| name | old_version | new_version | status |
+---------------+-------------+-------------+---------+
| wordfence | 7.1.6 | 7.1.7 | Updated |
| wp-meta-seo | 3.7.0 | 3.7.1 | Updated |
| wordpress-seo | 7.5.3 | 7.6.1 | Updated |
+---------------+-------------+-------------+---------+

wp plugin update

Enabling Maintenance mode...

Downloading update from https://downloads.wordpress.org/plugin/wordfence.7.1.7.zip...

Unpacking the update...

Installing the latest version...

Removing the old version of the plugin...

Plugin updated successfully.

Downloading update from https://downloads.wordpress.org/plugin/wp-meta-seo.3.7.1.zip...

Unpacking the update...

Installing the latest version...

Removing the old version of the plugin...

Plugin updated successfully.

Downloading update from https://downloads.wordpress.org/plugin/wordpress-seo.7.6.1.zip...

Unpacking the update...

Installing the latest version...

Removing the old version of the plugin...

Plugin updated successfully.

Disabling Maintenance mode...

Success: Updated 3 of 3 plugins.

+---------------+-------------+-------------+---------+

+---------------+-------------+-------------+---------+

| wordfence | 7.1.6 | 7.1.7 | Updated |

| wp-meta-seo | 3.7.0 | 3.7.1 | Updated |

| wordpress-seo | 7.5.3 | 7.6.1 | Updated |

+---------------+-------------+-------------+---------+

Update WordPress Core

WordPress core file can be updated with “wp core update”

wp core update
Success: WordPress is up to date.

1 2	wp core update Success: WordPress is up to date.

Troubleshooting: Use the flag “–allow-root “if wp needs higher access (unsafe action though).

Install PHP Child Workers

I edited the following file to setup PHP child workers /etc/php/7.2/fpm/pool.d/www.conf

Changes

> pm = dynamic
> pm.max_children = 40
> pm.start_servers = 15
> pm.min_spare_servers = 5
> pm.max_spare_servers = 15
> pm.process_idle_timeout = 30s;
> pm.max_requests = 500;
> php_admin_value[error_log] = /var/log/www-fpm-php.www.log
> php_admin_value[memory_limit] = 512M

Restart PHP

sudo service php7.2-fpm restart

1	sudo service php7.2-fpm restart

Test NGINX config, reload NGINX config and restart NGINX

nginx -t
nginx -s reload
/etc/init.d/nginx restart

nginx -t

nginx -s reload

/etc/init.d/nginx restart

Output (14 workers are ready)

Check PHP Child Worker Status

sudo service php7.2-fpm status
* php7.2-fpm.service - The PHP 7.2 FastCGI Process Manager
Loaded: loaded (/lib/systemd/system/php7.2-fpm.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2018-06-07 19:32:47 AEST; 20s ago
Docs: man:php-fpm7.2(8)
Main PID: # (php-fpm7.2)
Status: "Processes active: 0, idle: 15, Requests: 2, slow: 0, Traffic: 0.1req/sec"
Tasks: 16 (limit: 2322)
CGroup: /system.slice/php7.2-fpm.service
|- # php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
|- # php-fpm: pool www
- # php-fpm: pool www

Check PHP Child Worker Status

sudo service php7.2-fpm status

* php7.2-fpm.service - The PHP 7.2 FastCGI Process Manager

Loaded: loaded (/lib/systemd/system/php7.2-fpm.service; enabled; vendor preset: enabled)

Active: active (running) since Thu 2018-06-07 19:32:47 AEST; 20s ago

Docs: man:php-fpm7.2(8)

Main PID: # (php-fpm7.2)

Status: "Processes active: 0, idle: 15, Requests: 2, slow: 0, Traffic: 0.1req/sec"

Tasks: 16 (limit: 2322)

CGroup: /system.slice/php7.2-fpm.service

|- # php-fpm: master process (/etc/php/7.2/fpm/php-fpm.conf)

|- # php-fpm: pool www

- # php-fpm: pool www

Memory Tweak (set at your own risk)

sudo nano /etc/sysctl.conf

1	sudo nano /etc/sysctl.conf

vm.swappiness = 1

Setting swappiness to a value of 1 all but disables the swap file and tells the Operating System to aggressively use ram, a value of 10 is safer. Only set this if you have enough memory available (and free).

Possible swappiness settings:

> vm.swappiness = 0 Swap is disabled. In earlier versions, this meant that the kernel would swap only to avoid an out of memory condition when free memory will be below vm.min_free_kbytes limit, but in later versions, this is achieved by setting to 1.[2]> vm.swappiness = 1 Kernel version 3.5 and over, as well as Red Hat kernel version 2.6.32-303 and over: Minimum amount of swapping without disabling it entirely.
> vm.swappiness = 10 This value is sometimes recommended to improve performance when sufficient memory exists in a system.[3]
> vm.swappiness = 60 The default value.
> vm.swappiness = 100 The kernel will swap aggressively.

The “htop” tool is a handy memory monitoring tool to “top”

Also you can use good old “watch” command to show near-live memory usage (auto-refreshes every 2 seconds)

watch -n 2 free -m

1	watch -n 2 free -m

Script to auto-clear the memory/cache

As a habit, I am setting up a cronjob to check when free memory falls below 100MB, then cache is automatically cleared (freeing memory).

Script Contents: clearcache.sh

#!/bin/bash

# Script help inspired by https://unix.stackexchange.com/questions/119126/command-to-display-memory-usage-disk-usage-and-cpu-load
ram_use=$(free -m)
IFS=$'n' read -rd '' -a ram_use_arr <<< "$ram_use"
ram_use="${ram_use_arr[1]}"
ram_use=$(echo "$ram_use" | tr -s " ")
IFS=' ' read -ra ram_use_arr <<< "$ram_use"

ram_total="${ram_use_arr[1]}"
ram_used="${ram_use_arr[2]}"
ram_free="${ram_use_arr[3]}"

d=`date '+%Y-%m-%d %H:%M:%S'`

if ! [[ "$ram_free" =~ ^[0-9]+$ ]]; then
        echo "Sorry ram_free is not an integer"
else

        if [ "$ram_free" -lt "100" ]; then
                echo "$d RAM LOW (Total: $ram_total MB, Used: $ram_used MB, Free: $ram_free MB) - Clearing Cache..."
                sync; echo 1 > /proc/sys/vm/drop_caches
                sync; echo 2 > /proc/sys/vm/drop_caches
                #sync; echo 3 > /proc/sys/vm/drop_caches    #Not advised in production
                # Read for more info https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/
                exit 1
        else
                if [ "$ram_free" -lt "256" ]; then
                        echo "$d RAM ALMOST LOW (Total: $ram_total MB, Used: $ram_used MB, Free: $ram_free MB)"
                        exit 1
                else
                        if [ "$ram_free" -lt "512" ]; then
                                echo "$d RAM OK (Total: $ram_total MB, Used: $ram_used MB, Free: $ram_free MB)"
                                exit 1
                        else
                                echo "$d RAM LOW (Total: $ram_total MB, Used: $ram_used MB, Free: $ram_free MB)"
                                exit 1
                        fi
                fi
        fi
fi

#!/bin/bash

# Script help inspired by https://unix.stackexchange.com/questions/119126/command-to-display-memory-usage-disk-usage-and-cpu-load

ram_use=$(free -m)

IFS=$'n' read -rd '' -a ram_use_arr <<< "$ram_use"

ram_use="${ram_use_arr[1]}"

ram_use=$(echo "$ram_use" | tr -s " ")

IFS=' ' read -ra ram_use_arr <<< "$ram_use"

ram_total="${ram_use_arr[1]}"

ram_used="${ram_use_arr[2]}"

ram_free="${ram_use_arr[3]}"

d=`date '+%Y-%m-%d %H:%M:%S'`

if ! [[ "$ram_free" =~ ^[0-9]+$ ]]; then

echo "Sorry ram_free is not an integer"

else

if [ "$ram_free" -lt "100" ]; then

echo "$d RAM LOW (Total: $ram_total MB, Used: $ram_used MB, Free: $ram_free MB) - Clearing Cache..."

sync; echo 1 > /proc/sys/vm/drop_caches

sync; echo 2 > /proc/sys/vm/drop_caches

#sync; echo 3 > /proc/sys/vm/drop_caches #Not advised in production

# Read for more info https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/

exit 1

else

if [ "$ram_free" -lt "256" ]; then

echo "$d RAM ALMOST LOW (Total: $ram_total MB, Used: $ram_used MB, Free: $ram_free MB)"

exit 1

else

if [ "$ram_free" -lt "512" ]; then

echo "$d RAM OK (Total: $ram_total MB, Used: $ram_used MB, Free: $ram_free MB)"

exit 1

else

echo "$d RAM LOW (Total: $ram_total MB, Used: $ram_used MB, Free: $ram_free MB)"

exit 1

I set the cronjob to run every 15 mins, I added this to my cronjob.

SHELL=/bin/bash
*/15  *  *  *  *  root /bin/bash /scripts/clearcache.sh >> /scripts/clearcache.log

1 2	SHELL=/bin/bash /15 * * * root /bin/bash /scripts/clearcache.sh >> /scripts/clearcache.log

Sample log output

2018-06-10 01:13:22 RAM OK (Total: 1993 MB, Used: 981 MB, Free: 387 MB)
2018-06-10 01:15:01 RAM OK (Total: 1993 MB, Used: 974 MB, Free: 394 MB)
2018-06-10 01:20:01 RAM OK (Total: 1993 MB, Used: 955 MB, Free: 412 MB)
2018-06-10 01:25:01 RAM OK (Total: 1993 MB, Used: 1002 MB, Free: 363 MB)
2018-06-10 01:30:01 RAM OK (Total: 1993 MB, Used: 970 MB, Free: 394 MB)
2018-06-10 01:35:01 RAM OK (Total: 1993 MB, Used: 963 MB, Free: 400 MB)
2018-06-10 01:40:01 RAM OK (Total: 1993 MB, Used: 976 MB, Free: 387 MB)
2018-06-10 01:45:01 RAM OK (Total: 1993 MB, Used: 985 MB, Free: 377 MB)
2018-06-10 01:50:01 RAM OK (Total: 1993 MB, Used: 983 MB, Free: 379 MB)
2018-06-10 01:55:01 RAM OK (Total: 1993 MB, Used: 979 MB, Free: 382 MB)
2018-06-10 02:00:01 RAM OK (Total: 1993 MB, Used: 980 MB, Free: 380 MB)
2018-06-10 02:05:01 RAM OK (Total: 1993 MB, Used: 971 MB, Free: 389 MB)
2018-06-10 02:10:01 RAM OK (Total: 1993 MB, Used: 983 MB, Free: 376 MB)
2018-06-10 02:15:01 RAM OK (Total: 1993 MB, Used: 967 MB, Free: 392 MB)

2018-06-10 01:13:22 RAM OK (Total: 1993 MB, Used: 981 MB, Free: 387 MB)

2018-06-10 01:15:01 RAM OK (Total: 1993 MB, Used: 974 MB, Free: 394 MB)

2018-06-10 01:20:01 RAM OK (Total: 1993 MB, Used: 955 MB, Free: 412 MB)

2018-06-10 01:25:01 RAM OK (Total: 1993 MB, Used: 1002 MB, Free: 363 MB)

2018-06-10 01:30:01 RAM OK (Total: 1993 MB, Used: 970 MB, Free: 394 MB)

2018-06-10 01:35:01 RAM OK (Total: 1993 MB, Used: 963 MB, Free: 400 MB)

2018-06-10 01:40:01 RAM OK (Total: 1993 MB, Used: 976 MB, Free: 387 MB)

2018-06-10 01:45:01 RAM OK (Total: 1993 MB, Used: 985 MB, Free: 377 MB)

2018-06-10 01:50:01 RAM OK (Total: 1993 MB, Used: 983 MB, Free: 379 MB)

2018-06-10 01:55:01 RAM OK (Total: 1993 MB, Used: 979 MB, Free: 382 MB)

2018-06-10 02:00:01 RAM OK (Total: 1993 MB, Used: 980 MB, Free: 380 MB)

2018-06-10 02:05:01 RAM OK (Total: 1993 MB, Used: 971 MB, Free: 389 MB)

2018-06-10 02:10:01 RAM OK (Total: 1993 MB, Used: 983 MB, Free: 376 MB)

2018-06-10 02:15:01 RAM OK (Total: 1993 MB, Used: 967 MB, Free: 392 MB)

I will check the log (/scripts/clearcache.log) in a few days and view the memory trends.

After 1/2 a day Ubuntu 18.04 is handling memory just fine, no externally triggered cache clears have happened 🙂

I used https://crontab.guru/every-hour to set the right schedule in crontab.

I rebooted the VM.

Update: I now use Nixstats monitoring

Swap File

FYI: Here is a handy guide on viewing swap file usage here. I’m not using swap files so it is only an aside.

After the system rebooted I checked if the swappiness setting was active.

sudo cat /proc/sys/vm/swappiness
1

1 2	sudo cat /proc/sys/vm/swappiness 1

Yes, swappiness is set.

File System Tweaks – Write Back Cache (set at your own risk)

First, check your disk name and file system

sudo lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL

1	sudo lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL

Take note of your disk name (e.g vda1)

I used TuneFS to enable writing data to the disk before writing to the journal. tunefs is a great tool for setting file system parameters.

Warning (snip from here): “I set the mode to journal_data_writeback. This basically means that data may be written to the disk before the journal. The data consistency guarantees are the same as the ext3 file system. The downside is that if your system crashes before the journal gets written then you may loose new data — the old data may magically reappear.”

Warning this can corrupt your data. More information here.

I ran this command.

tune2fs -o journal_data_writeback /dev/vda1

1	tune2fs -o journal_data_writeback /dev/vda1

I edited my fstab to append the “writeback,noatime,nodiratime” flags for my volume after a reboot.

Edit FS Tab:

sudo nano /etc/fstab

1	sudo nano /etc/fstab

I added “writeback,noatime,nodiratime” flags to my disk options.

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options> <dump>  <pass>
# / was on /dev/vda1 during installation
#                <device>                 <dir>           <fs>    <options>                                             <dump>  <fsck>
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /               ext4    errors=remount-ro,data=writeback,noatime,nodiratime   0       1

# /etc/fstab: static file system information.

# Use 'blkid' to print the universally unique identifier for a

# device; this may be used with UUID= as a more robust way to name devices

# that works even if disks are added and removed. See fstab(5).

# <file system> <mount point> <type> <options> <dump> <pass>

# / was on /dev/vda1 during installation

# <device> <dir> <fs> <options> <dump> <fsck>

UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx / ext4 errors=remount-ro,data=writeback,noatime,nodiratime 0 1

Updating Ubuntu Packages

Show updatable packages.

apt-get -s dist-upgrade | grep "^Inst"

1	apt-get -s dist-upgrade \| grep "^Inst"

Update Packages.

sudo apt-get update && sudo apt-get upgrade

1	sudo apt-get update && sudo apt-get upgrade

Unattended Security Updates

Read more on Ubuntu 18.04 Unattended upgrades here, here and here.

Install Unattended Upgrades

sudo apt-get install unattended-upgrades

1	sudo apt-get install unattended-upgrades

Enable Unattended Upgrades.

sudo dpkg-reconfigure --priority=low unattended-upgrades

1	sudo dpkg-reconfigure --priority=low unattended-upgrades

Now I configure what packages not to auto update.

Edit /etc/apt/apt.conf.d/50unattended-upgrades

Find “Unattended-Upgrade::Package-Blacklist” and add packages that you don’t want automatically updated, you may want to manually update these (and monitor updates).

I prefer not to auto-update critical system apps (I will do this myself).

Unattended-Upgrade::Package-Blacklist {
"nginx";
"nginx-common";
"nginx-core";
"php7.2";
"php7.2-fpm";
"mysql-server";
"mysql-server-5.7";
"mysql-server-core-5.7";
"libssl1.0.0";
"libssl1.1";
};

Unattended-Upgrade::Package-Blacklist {

"nginx";

"nginx-common";

"nginx-core";

"php7.2";

"php7.2-fpm";

"mysql-server";

"mysql-server-5.7";

"mysql-server-core-5.7";

"libssl1.0.0";

"libssl1.1";

};

FYI: You can find installed packages by running this command:

apt list --installed

1	apt list --installed

Enable automatic updates by editing /etc/apt/apt.conf.d/20auto-upgrades

Edit the number at the end (the number is how many days to wait before updating) of each line.

> APT::Periodic::Update-Package-Lists “1”;
> APT::Periodic::Download-Upgradeable-Packages “1”;
> APT::Periodic::AutocleanInterval “7”;
> APT::Periodic::Unattended-Upgrade “1”;

Set to “0” to disable automatic updates.

The results of unattended-upgrades will be logged to /var/log/unattended-upgrades

Update packages now.

unattended-upgrade -d

1	unattended-upgrade -d

Almost done.

I Rebooted

GT Metrix Score

I almost fell off my chair. It’s an amazing feeling hitting refresh in GT Metrix and getting sub-2-second score consistently (and that is with 17 assets loading and 361KB of HTML content)

WebPageTest.org Test Score

Nice. I am not sure why the effective use of CDN has an X rating as I have the EWWW CDN and Cloudflare. First Byte time is now a respectable “B”, This was always bad.

Update: I found out the longer you set cache delays in Cloudflare the higher the score.

GT Metrix has a nice historical breakdown of load times (night and day).

Google Page Speed Insight Desktop Score

I benchmarked with https://developers.google.com/speed/pagespeed/insights/

This will help with future SEO rankings. It is well known that Google is pushing fast servers.

Google Chrome 70 Dev Console Audit (Desktop)

This is amazing, I never expected to get this high score. I know Google like (and are pushing) sub-1-second scores.

My site is loading so well it is time I restored some old features that were too slow on other servers

I disabled Lazy loading of images (this was not working on some Android devices)
I re-added the News Widget and news images.

GTMetrix and WebpageTest sores are still good (even after adding bloat)

My WordPress site is not really that small either

FYI: WordPress Plugins I use.

These are the plugins I use.

Autoptimize – Optimises your website, concatenating the CSS and JavaScript code, and compressing it.
BJ Lazy Load (Now Disabled) – Lazy image loading makes your site load faster and saves bandwidth.
Cloudflare – Cloudflare speeds up and protects your WordPress site.
Contact Form 7 – Just another contact form plugin. Simple but flexible.
Contact Form 7 Honeypot – Add honeypot anti-spam functionality to the popular Contact Form 7 plugin.
Crayon Syntax Highlighter – Supports multiple languages, themes, highlighting from a URL, local file or post text.
Democracy Poll – Allows to create democratic polls. Visitors can vote for more than one answer & add their own answers.
Display Posts Shortcode – Display a listing of posts using the
- How to backup and restore a MySQL database on Windows and Linux
- Setting up the free MySQL database server on Windows 10
- Using the WinSCP Client on Windows to transfer files to and from a Linux server over SFTP
- Connecting to a server via SSH with Putty
- How to code PHP on your localhost and deploy to the cloud via SFTP with PHPStorm by Jet Brains
- Setting web push notifications in WordPress with OneSignal
- Setup a Certification Authority Authorization (CAA) DNS record(s) to prevent https cert issue/misuse
- I am moving away from Apple hardware
- Updating NGINX to the development branch to get more frequent updates and features over the stable branch
- Replacing Google Analytics with Piwik/Matomo for a locally hosted privacy focused open source analytics solution
shortcode
EWWW Image Optimizer – Reduce file sizes for images within WordPress including NextGEN Gallery and GRAND FlAGallery. Uses jpegtran, optipng/pngout, and gifsicle.
GDPR Cookie Consent – A simple way to show that your website complies with the EU Cookie Law / GDPR.
GTmetrix for WordPress – GTmetrix can help you develop a faster, more efficient, and all-around improved website experience for your users. Your users will love you for it.
TinyMCE Advanced – Enables advanced features and plugins in TinyMCE, the visual editor in WordPress.
Wordfence Security – Anti-virus, Firewall and Malware Scan
WP Meta SEO – WP Meta SEO is a plugin for WordPress to fill meta for content, images and main SEO info in a single view.
WP Performance Score Booster – Speed-up page load times and improve website scores in services like PageSpeed, YSlow, Pingdom and GTmetrix.
WP SEO HTML Sitemap – A responsive HTML sitemap that uses all of the settings for your XML sitemap in the WordPress SEO by Yoast Plugin.
WP-Optimize – WP-Optimize is WordPress’s #1 most installed optimisation plugin. With it, you can clean up your database easily and safely, without manual queries.
WP News and Scrolling Widgets Pro – WP News Pro plugin with six different types of shortcode and seven different types of widgets. Display News posts with various designs.
Yoast SEO – The first true all-in-one SEO solution for WordPress, including on-page content analysis, XML sitemaps and much more.
YouTube – YouTube Embed and YouTube Gallery WordPress Plugin. Embed a responsive video, YouTube channel, playlist gallery, or live stream

How I use these plugins to speed up my site.

I use EWWW Image Optimizer plugin to auto-compress my images and to provide a CDN for media asset deliver (pre-Cloudflare). Learn more about ExactDN and EWWW.io here.
I use Autoptimize plugin to optimise HTML/CSS/JS and ensure select assets are on my EWWW CDN. This plugin also removes WordPress Emojis, removed the use of Google Fonts, allows you to define pre-configured domains, Async Javascript-files etc.
I use BJ Lazy Load to prevent all images in a post from loading on load (and only as the user scrolls down the page).
GTmetrix for WordPress and Cloudflare plugins are for information only?
I use WP-Optimize to ensure my database is healthy and to disable comments/trackbacks and pingbacks.

Let’s Test UpCloud’s Disk IO in Chicago

Looks good to me, Read IO is a little bit lower than UpCloud’s Singapore data centre but still, it’s faster than Vultr. I can’t wait for more data centres to become available around the world.

Why is UpCloud Disk IO so good?

I asked UpCloud on Twitter why the Disk IO was so good.

“MaxIOPS is UpCloud’s proprietary block-storage technology. MaxIOPS is physically redundant storage technology where all customer’s data is located in two separate physical devices at all times. UpCloud uses InfiniBand (!) network to connect storage backends to compute nodes, where customers’ cloud servers are running. All disks are enterprise-grade SSD’s. And using separate storage backends, it allows us to live migrate our customers’ cloud servers freely inside our infrastructure between compute nodes – whether it be due to hardware malfunction (compute node) or backend software updates (example CPU vulnerability and immediate patching).“

My Answers to Questions to support

Q1) What’s the difference between backups and snapshots (a Twitter user said Snapshots were a thing)

A1) Backups and snapshots are the same things with our infrastructure.

Q2) What are charges for backup of a 50GB drive?

A2) We charge $0.06 / GB of the disk being captured. But capture the whole disk, not just what was used. So for a 50GB drive, we charge $0.06 * 50 = $3/month. Even if 1GB were only used.

Support confirmed that each backup is charged (so 5 times manual backups are charged 5 times). Setting up a daily auto backup schedule for 2 weeks would create 14 billable backup charges.
I guess a 25GB server will be $1.50 a month

Q3) What are data charges if I go over my 2TB quota?

A3) Outgoing data charges are $0.056/GB after the pre-configured allowance.

Q4) What happens if my balance hits $0?

A4) You will get notification of low account balance 2 weeks in advance based on your current daily spend. When your balance reaches zero, your servers will be shut down. But they will still be charged for. You can automatically top-up if you want to assign a payment type from your Control Panel. You deposit into your balance when you want. We use a prepay model of payment, so you need to top up before using, not billing you after usage. We give you lots of chances to top-up.

Support Tips

One thing to note, when deleting servers (CPU, RAM) instances, you get the option to delete the storages separately via a pop-up window. Choose to delete permanently to delete the disk, to save credit. Any disk storage lying around even unattached to servers will be billed.
Charges are in USD.

I think it’s time to delete my domain from Vultr in Sydney.

Deleted my Vultr domain

I deleted my Vultr domain.

Done.

More Reading on UpCloud

https://www.upcloud.com/documentation/faq/

UpCloud Server Status

http://status.upcloud.com

Check out my new guide on Nixstats for awesome monitoring

What I would like

Ability to name individual manual backups (tag with why I backed up).
Ability to push user defined data from my VM to the dashboard
Cheaper scheduled backups
Sydney data centres (one day)

Update: Post UpCloud Launch Tweaks (Awesome)

I had a look at https://www.webpagetest.org/ results to see where else I can optimise webpage delivery.

Disable dasjhicons.min.css (for unauthenticated WordPress users).

Find functions.php in the www root

sudo find . -print |grep  functions.php

1	sudo find . -print \|grep functions.php

Edit functions.php

sudo nano ./wp-includes/functions.php

1	sudo nano ./wp-includes/functions.php

Add the following

// Remove dashicons in frontend for unauthenticated users
add_action( 'wp_enqueue_scripts', 'bs_dequeue_dashicons' );
function bs_dequeue_dashicons() {
    if ( ! is_user_logged_in() ) {
        wp_deregister_style( 'dashicons' );
    }
}

// Remove dashicons in frontend for unauthenticated users

add_action( 'wp_enqueue_scripts', 'bs_dequeue_dashicons' );

function bs_dequeue_dashicons() {

if ( ! is_user_logged_in() ) {

wp_deregister_style( 'dashicons' );

}

HTTP2 Push

I added http2 to my listening servers

server {
        root /www;

        ...
        listen 80 default_server http2;
        listen [::]:80 default_server http2;
        listen 443 ssl default_server http2;
        listen [::]:443 ssl default_server http2;
        ...

server {

root /www;

...

listen 80 default_server http2;

listen [::]:80 default_server http2;

listen 443 ssl default_server http2;

listen [::]:443 ssl default_server http2;

...

I tested a http2 push page by defining this in /etc/nginx/sites-available/default

location = /http2/push_demo.html {
        http2_push /http2/pushed.css;
        http2_push /http2/pushedimage1.jpg;
        http2_push /http2/pushedimage2.jpg;
        http2_push /http2/pushedimage3.jpg;
}

location = /http2/push_demo.html {

http2_push /http2/pushed.css;

http2_push /http2/pushedimage1.jpg;

http2_push /http2/pushedimage2.jpg;

http2_push /http2/pushedimage3.jpg;

}

Once I tested that push (demo here) was working I then defined two files to push that were being sent from my server

location / {
        ...
        http2_push /https://fearby.com/wp-includes/js/jquery/jquery.js;
        http2_push /wp-content/themes/news-pro/images/favicon.ico;
        ...
}

location / {

...

http2_push /https://fearby.com/wp-includes/js/jquery/jquery.js;

http2_push /wp-content/themes/news-pro/images/favicon.ico;

...

}

I used the WordPress Plugin Autoptimize to remove Google font usage (this removed a number of files being loaded when my page loads).

I used the WordPress Plugin WP-Optimize plugin into to remove comments and disable pingbacks and trackbacks.

WordPress wp-config.php tweaks

# Memory
define('WP_MEMORY_LIMIT','1024M');
define('WP_MAX_MEMORY_LIMIT','1024M');
set_time_limit (60);

# Security
define( 'FORCE_SSL_ADMIN', true);

# Disable Updates
define( 'WP_AUTO_UPDATE_CORE', false );
define( 'AUTOMATIC_UPDATER_DISABLED', true );

# ewww.io
define( 'WP_AUTO_UPDATE_CORE', false );

# Memory

define('WP_MEMORY_LIMIT','1024M');

define('WP_MAX_MEMORY_LIMIT','1024M');

set_time_limit (60);

# Security

define( 'FORCE_SSL_ADMIN', true);

# Disable Updates

define( 'WP_AUTO_UPDATE_CORE', false );

define( 'AUTOMATIC_UPDATER_DISABLED', true );

# ewww.io

define( 'WP_AUTO_UPDATE_CORE', false );

Add 2FA Authentication to server logins.

I recently checked out YubiCo YubiKeys and I have secured my Linux servers with 2FA prompts at login. Read the guide here. I secured my WordPress too.

Tweaks Todo

Compress placeholder BJ Lazy Load Image (plugin is broken)
Solve 2x Google Analytics tracker redirects (done, switched to Matomo)

Conclusion

I love UpCloud’s fast servers, give them a go (use my link and get $25 free credit).

I love Cloudflare for providing a fast CDN.

I love ewww.io’s automatic Image Compression and Resizing plugin that automatically handles image optimisations and pre Cloudflare/first hit CDN caching.

Read my post about server monitoring with Nixstats here.

Let the results speak for themselves (sub <1 second load times).

I hope this guide helps someone.

Please consider using my referral code and get $25 credit for free.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

Revision History

v2.1 Newer GTMetrix scores

v2.0 New UpCloud UI Update and links to new guides.

v1.9 Spelling and grammar

v1.8 Trial mode gotcha (deposit money ASAP)

v1.7 Added RSA Private key info

v1.7 – Added new firewall rules info.

v1.6 – Added more bloat to the site, still good.

v1.5 Improving Accessibility

v1.4 Added Firewall Price

v1.3 Added wp-config and plugin usage descriptions.

v1.2 Added GTMetrix historical chart.

v1.1 Fixed free typos and added final conclusion images.

v1.0 Added final results

v0.9 added more tweaks (http2 push, removing unwanted files etc)

v0.81 Draft – Added memory usage chart and added MaxIOPS info from UpCloud.

v0.8 Draft post.

Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins

July 23, 2018 by Simon

This is a quick post that shows how I upgraded to Wordfence Premium to get real-time defence feeds, malware scanner and two-factor authentication for WordPress logins

Aside

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

Buy a domain name here

Now on with the post.

What is Wordfence

WordFence is a free WordPress plugin (install guide here) that helps protect your WordPress site by logging and blocking bad events. I was a big fan of the Wordfence sister program called GravityScan (before it was retired)

Read my review of the free Wordfence plugin here.

I was using Wordfence free to

Whitelist logins for known IP’s (read my guide on whitelisting IPs here)
Block known bad IPs from the Wordfence global network (but with a 30-day delay)
Create a firewall
Rate limiting page requests
Scan my site for malware
Ability to see past failed logins (and ban them)
Ability to block/ban users who try and login form new IP’s
Force strong WordPress account passwords
Set ban thresholds
Have I Been Pwned breached password checks
Much more

Install and set up Wordfence (Free)

Read my guide here to learn how to setup Wordfence (Free).

Malware Infections

Your website is often scanned and ranked for safety by sites like Norton Safe Web, Google, Trend Micro, Kaspersky Virus Desk, SiteGuarding etc along with search engines. Having malicious files on your site will affect your site Search EnginOptimizationio (SEO).

I had a 5-year-old scan of a subdomain (that was hosted on a CPanel Host). The subdomain had false positives for malware.

Working to remove the false positive was a lengthy process.

You should aim to stay off the radar or many site scanning, check VirusTotal often to keep your self-updated as to the status of your website. Wordfence will hopefully detect real malware issues automatically in the future.

https://sitecheck.sucuri.net/ is a good site that can aggregate your sites safety ratings.

WordfFence Free v Premium

Wordfence Premium

Prices (USD)

WordFence Premium

Read about some benefits of Wordfence Premium here.

Real-time firewall rules and malware signatures
Global Wordfence premium IP blacklist
Priority server processing for premium customers
Two Factor Authentication (only if you don’t use whitelisting I found out)

Buying a Wordfence Premium API Key

Login to https://www.wordfence.com/dashboard/
Click Buy More API Keys
Enter your Payment Details

>Thanks, your card information has been updated. You can now go to your API Key Manager and create and manage your Wordfence API keys.

Now you can buy an API key and copy and paste the API ey o to your Wordfence plugin.

Wordfence Firewall

Wordfence does a great job at showing failed/successful, top blocked IP’s

Wordfence Malware Scanner

Wordfence premium has schedulable scans with real-time malware signatures

Scan Progress

Testing the scanner

Wordfence says “A Wordfence scan examines all files on your WordPress website looking for malicious code, backdoors, shells that hackers have installed, known malicious URLs and known patterns of infections.”

I created an eicar.txt test file (information on eicar here (slightly modified so I don’t get tagged again b virus scanners)) to test the Wordfence malware scanner

echo 'X5O!P#removed#X54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /www-root/eicar.txt
sudo chown www-data:www-data eicar.txt

1 2	echo 'X5O!P#removed#X54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /www-root/eicar.txt sudo chown www-data:www-data eicar.txt

I enable scanning of files outside of WordPress

I rescanned my site with Wordfence

Result: Nothing??

I logged a support ticket to see if this is right?

Update: Wordfence support replied and said “Thanks for writing in. We do detect the EICAR test file, but scans don’t scan file types that aren’t dangerous on a site by default, since scans would waste a lot of time on files that aren’t exploitable.“

I disagree a virus is a virus.

Wordfence says “A Wordfence scan examines all files on your WordPress website looking for malicious code, backdoors, shells that hackers have installed, known malicious URLs and known patterns of infections.”

I guess “all” does not mean “all”?

Wordfence support said EICAR files are detected if I rename the file to php. I renamed the file and to enabled “Scan images, binary, and other files as if they were executable“.

I started a new scan

> Scan Failed
>The scan has failed because we received an unexpected response from the Wordfence servers. This may be a temporary error, though some sites may need adjustments to run scans reliably

🙁

I scanned my system with ClamAV and it found the EICAR file.

clamscan -r --bell -i /www-root

1	clamscan -r --bell -i /www-root

Result:

/www-root/eicar.txt: Eicar-Test-Signature FOUND

1	/www-root/eicar.txt: Eicar-Test-Signature FOUND

ClamAV found the virus.

Setting up Two Factor Authentication (work in progress)

Add your desired user and number

Click Enable User

Wait for the text message and activation code (on your phone)

Enter the activation code and press Activate

The two-factor authentication should be activated

List of two-factor authorization enabled users.

I logged out of WordPress and logged back in but the two-factor auth did not work, I logged a support Ticket with my theme maker and WordFence.

Update: Wordfence Support “Wordfence > Tools > Two Factor Authentication options there is an option for Enable Separate Prompt for Two Factor Code which you could disable and try.“

This fix did not work. I sent a 2nd diagnostics report to Wordfence.

Wordfence support said

>When our two-factor authentication feature allows you to login bypassing the need to enter the authentication code it is typically because of these possible reasons:

> 1) The user has whitelisted their IP address in the advanced firewall option “Whitelisted IP addresses that bypass all rules“.

>2) Another plugin, or possibly a theme, that creates non-standard WordPress behaviour such as user role and capabilities modification, or that modifies the login flow process in some way.

It appears my IP whitelist was disabling the two-factor auth feature 🙁

I’d rather keep the two-factor auth along with keeping the whitelist (just in case my whitelist IP is known and used).

Refund

I asked Wordfence for a refund (given)

Conclusion

Pros

Protects and blocks bad logins
Real-time blocked IP and malware feeds

Cons

Almost $140 Australian dollars a year
A scan does not detect eicar.txt test virus files (ticked logged), renamed to eicar.php and still no luck.
Two-factor auth (authenticator and SMS) does not work (ticket logged)
Wordfence support resolve/close support tickets with no confirmation from the user.
Two Factor Auth is disabled if you whitelist IPs 🙁

Is Premium worth it? Yes if you want “Real-time firewall rules and malware signatures” (and don’t whitelist your IP).

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit if you need to create a server online.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

Revision History

v1.4 Updated conclusion and Wordfence refund

v1.3 added whitelist 2FA info

v1.2 added replied from Wordfence support re EICAR and Two Factor Auth.

v1.1 Added Pros and Cons section

v1.0 Initial Post

Set up a whitelisted IP on an UpCloud VM and WordPress using a VPN to get a static IP address

July 5, 2018 by Simon

This is how I set up a whitelisted IP on an UpCloud VM and WordPress using a VPN to get a static IP address

Buy a domain name from Namecheap here.

Before you begin

Take a backup of WordPress files + database and take a snapshot of your VM (see my UpCloud VM guide here).

Having a ready backup IS a good idea.

Why Whitelist

Whitelisting is not bulletproof but it is an important link in the security chain. Security is only as good or bad as the strength of your weakest link.

Using updated software, applying patches, using HTTPS, using a reliable host in a reliable location, using good passwords are equally important as IP filtering. Whitelisting IP’s goes a long way to ensuring you have least access privileges on connections.

Remember to scan your site with OWASP Zap, Qualys and Kali Linux too.

What IP’s are you going to Whitelist?

Q1) Does your ISP offer a static IP address (or a dynamic IP)?

My ISP does NOT provide a static IP by default (I can pay $20 a month for one (that’s too expensive)).

You can check your public IP by loading http://icanhazip.com/ (this will return your public IPV4 address).

Load https://ipv6.icanhazip.com/ to view your IPV6 IP (if you have one)

Q2) Do you need to whitelist IP addresses while on the go (Mobile)? If so I would recommend you whitelist a VPN’s IP or IP range.

Recently I had Apache web server auto install and knock out my NGINX web server and I needed to login on a mobile device to investigate, Luckily I whitelist my VPN’s IP and logged in from my mobile device and resolved the issue.

Use a VPN to get a static IP

If you don’t have a static IP or you want to connect to your site on the go (Mobile) you can setup a VPN and use their static IP

I was using http://cyberghostvpn.com/ to have a static IP but a server failure in Sydney caused my defined whitelisted IP to disappear so I change to https://protonvpn.com/ (as Cybergost were unable to provide known IP’s of VPN servers).

TIP: Don’t just whitelist one server, whitelist a few as you never know when a server will go down.

Here is a screenshot of the 1st VPN I tried (Cyberghost), Cyberghost VPN is connected to a specified server (Dallas).

I swithced to ProtonVPN.

Here is a screenshot of ProtonVPN connected to a Switzerland server. Read more about Proton VPN here.

I set Proton VPN to auto start and connect to my desired server

Proton VPN offered me a 7-day PLUS trial (All Countries, 5 devices, highest speed, secure core etc) after I started using the free version (3 countries, 1 device, speed low). I assume everyone gets the same PLUS trail offer.

You can view Proton plans and pricing here.

Ok, now that we know how to get a static IP, let’s configure some firewalls.

Network Firewall at UpCloud

I use the awesome UpCloud to hold my domains (read more about UpCloud performance here). You can log in to your UpCloud Dashboard and load the server list, click your server and then click Firewall and define firewalls.

Firewall: Open IPv4/IPv6 ports for:

ICMP
53 (DNS)
80 (HTTP)
443 (HTTPS)

Only allow access to port 22 from whitelisted IP’s (or IP ranges)

I like to set separate firewall rules for IPV4 and IPV6, for TCP or UDP and I limit rules to certain IP range and port.

Ubuntu Firewall

I also like to run a ufw firewall (more information on ufw) on my Ubuntu server (read this guide on securing Ubuntu in the cloud and running a Lynis audit).

Manually setup firewall rules in ufw.

sudo ufw allow from 1.2.3.4 to any port 22
sudo ufw allow from 1.2.3.5 to any port 22
sudo ufw allow from 1.2.3.6 to any port 22

sudo ufw allow from 1.2.3.4 to any port 22

sudo ufw allow from 1.2.3.5 to any port 22

sudo ufw allow from 1.2.3.6 to any port 22

Don’t forget t restart your firewall

sudo ufw disable
sudo ufw enable

1 2	sudo ufw disable sudo ufw enable

Run a local nmap scan to find open ports

nmap -v -sT localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-04 22:30 AEST
Initiating Connect Scan at 22:30
Scanning localhost (127.0.0.1) [1000 ports]
Discovered open port 25/tcp on 127.0.0.1
Discovered open port 22/tcp on 127.0.0.1
Discovered open port 80/tcp on 127.0.0.1
Discovered open port 443/tcp on 127.0.0.1
Discovered open port 3306/tcp on 127.0.0.1
Completed Connect Scan at 22:30, 0.02s elapsed (1000 total ports)
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000086s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
443/tcp  open  https

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
           Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

nmap -v -sT localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2018-07-04 22:30 AEST

Initiating Connect Scan at 22:30

Scanning localhost (127.0.0.1) [1000 ports]

Discovered open port 25/tcp on 127.0.0.1

Discovered open port 22/tcp on 127.0.0.1

Discovered open port 80/tcp on 127.0.0.1

Discovered open port 443/tcp on 127.0.0.1

Discovered open port 3306/tcp on 127.0.0.1

Completed Connect Scan at 22:30, 0.02s elapsed (1000 total ports)

Nmap scan report for localhost (127.0.0.1)

Host is up (0.000086s latency).

Not shown: 995 closed ports

PORT STATE SERVICE

22/tcp open ssh

25/tcp open smtp

80/tcp open http

443/tcp open https

Read data files from: /usr/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

Raw packets sent: 0 (0B) | Rcvd: 0 (0B)

Don’t be concerned if you see open ports from a local nmap scan (e.g port 22 or 3306), these are locally open. We need to scan externally to see if these ports are opened.

Scan your site with an external nmap tool like pen-test-tools or here.

You should not have non-web based service ports freely open externally (web-based ports e.g 80 and 443 are ok)

Port 22 access should be whitelisted to select IP’s only. You should not have any database ports open externally.

Whitelisting WordPress Access

Download WordFence plugin for WordPress from https://www.wordfence.com/

Read more on downloading WordPress plugins from the command line here. Read my past Wordfence post here.

Once Wordfence is installed open the WordFence All Options screen (/wp-admin/admin.php?page=WordfenceOptions).

Now you can add your static IP (or IP ranges) to the WordFence whitelist.

Setup auto block for any non whitelisted Itryingng to login to /wp-login.php

I permanently ban any IP accessing my login page (there are many).

What to do with rejected IP connections?

Wordfence will block connections to WordPress. I’d suggest you setup fail2ban to block other unwanted connections at network level too.

Conclusion

You should now have a VM that will allow port 22 access by whitelisted IP’s and a WordPress that only allows logins from whitelisted IP’s.

Cons

If you forget to start your VPN you can’t log in to your VM via port 22 or log in to WordPress (excellent, this is by design).

Pros

Secure (need I say more)

I hope this guide helps someone.

Please consider using my UpCloud referral code and get $25 UpCloud VM credit for free when you signup to create a new VM.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

Revision History

v1.2 Added Proton plans link

v1.1 Added auto block WordFence option

v1.0 Initial Post

Using the Qualys FreeScan Scanner to test your website for online vulnerabilities

March 23, 2018 by Simon

It is possible to deploy a server in minutes to hours but it can take days to secure. What tools can you use to help identify what to secure on your website?

I have a number of guides on moving hasting away form CPanel, Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line, installing a Free SSL certificate and setting up SSL security.

Security Tools

https://asafaweb.com/ is a good tool for quick scanning
Kali Linux has a number of security tools you can use.
You can run a system audit Lynis Audit.
Checking your site for vulnerabilities with Zap.
Run a Gravity Scan malware and supply chain scan
Use Qualys SSL scan to test your SSL certificate: https://www.ssllabs.com/ssltest/

Qualys SSL Labs SSL Tester is the best tool for checking an SSL certificate strength

Most people don’t know Qualys also has another free (limited to 10 scans) vulnerability scanner for websites.

Goto https://freescan.qualys.com/ and click Start your free account.

Complete the signup form

Now check your email to login and confirm your email account

Login now from the email.

Create a password (why the 25 char max Qualys?)

Enter your website URL and click Scan

The scan can take hours

While the scan was being performed I noticed that Qualys offers alerts (I’ll check this out later): https://www.qualys.com/research/security-alerts/

Yes, the scan can take hours, take a walk or read other posts here.

The scan is almost complete

Yay, my latest scan revealed 0 High, 0 Medium and 0 Low-risk vulnerabilities.

It did report 23 informational alerts like “Firewall Detected“.

Threat Report Results

Patch Report Results

This report was empty (probably because I don’t run Windows)

Threat Report Results

The OWASP report contained partial scan results (maybe the full report is available to pro users)

Previous Scan Results

The Qualys dashboard will show all past scans.

My first scan showed a Low priority issue with the /wp-login.php page as the input fields did not have “autocomplete=”off””, I fixed this by adding “autocomplete=”off”” the removing the page (safer).

The second scan found two issues with cookies (possibly ad banner cookies) and 2 subfolders that I created in past development exercises. I deleted the two sub-folders that were not needed.

The third scan was clean.

Here is a scan of a static website of a friends server (static can be less secure if the server underneath is old or unpatched).

Happy scanning. I hope this guide helps someone.

Ask a question or recommend an article

Revision History

v1.1 Static Web Server Scan

v1.0 Initial post

Using OWASP ZAP GUI to scan your Applications for security issues

March 17, 2018 by Simon

OWASP is a non-profit that lists the Top Ten Most Critical Web Application Security Risks, they also have a GUI Java tool called OWASP Zap that you can use to check your apps for security issue.

I have a number of guides on moving hosting away form CPanel , Setting up VM’s on AWS, Vultr or Digital Ocean along with installing and managing WordPress from the command line. It is important that you always update your site and software and test your sites and software for vulnerabilities. Zap is free and completely open source.

Disclaimer, I am not an expert (this Zap post and my past Kali Linux guide will be updated as I learn more).

OWASP Top 10

OWASP has a top 10 list of things to review.

Download the OWASP 10 10 Application security risks PDF here form here.

Using the free OWASP Zap Tool

Snip from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

“The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.”

Zap Overview

Here is a quick demo of Zap in action.

Do check out the official Zap videos on youtube: https://www.youtube.com/user/OWASPGLOBAL/videos if you want to learn more.

Installing Zap

Download Zap from here.

Download Options

Download contents

Copy to the app to the OSX Application folder

App Installed

Open OSX’s Privacy and Security screen and click Open Anyway

OWASP Zap is now Installed

Ready for a Scan

But before we do let’s check out the Options

OWASP Zap allows you to label reports to ad from anyone you want.

Now let’s update the program and plugins, Click Manage Add-ons

Click Update All to Update addons

I clicked Update All

Installed some plugins

Zap is Ready

Add a site and right click on the site and you can perform an active scan or port scan.

First Scan (https failed)

I enabled unsafe SSL/TLS Renegotiation.

This did not work and this guide said I needed to install the “Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files” from here.

The extract files to /Library/Java/JavaVirtualMachines/%your_jdk%/Contents/Home/jre/lib/security

I restarted OWASP Zap and tried to scan my site buy it appears Cloudflare (that I recently set up) was blocking my scans and reported error 403. I decided to scan another site of mine that was not on Cloudflare but had the same Lets Encrypt style SSL cert.

fyi: I own and set up the site I queried below.

OWASP Zap scan performed over 800 requests and tried traversal exploits and many other checks. Do repair any major failures you find.

Generating a Report

To generate a report click Report then the appropriate generation menu of choice.

FYI: The High Priority Alert is a false positive with an HTML item being mistaken for a CC number.

I hope this guide helps someone. Happy software/server hardening and good luck.

More Reading

Check out my Kali Linux guide.

Ask a question or recommend an article

Revision History

V1.3 fixed hasting typo.

v1.2 False Positive

v1.1 updated main features

v1.0 Initial post

Wordfence Security Plugin for WordPress

October 10, 2017 by Simon

WordFence is a great security plugin for WordPress that allows you to secure your WordPress installation and prevent brute force attacks, rate-limit visitors (or Bots), block banned IP’s that are accessing your site and more.

Fyi

20th Dec 2017: Wordfence report Backdoor in Captcha Plugin Affects 300K WordPress Sites

Backup

Before I started I performed a quick mysql backup from the command line to ensure my WordPress is backed up. Read my guide on installing WordPress from the command line (here) and securin Ubuntu (here).

/usr/bin/mysqldump --all-databases > /mysql-database-dump-prewordfence.sql -u 'user' -p'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

1	/usr/bin/mysqldump --all-databases > /mysql-database-dump-prewordfence.sql -u 'user' -p'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

Don’t forget to backup your WordPress files.

sudo cp -R /www-root/* /backup/www-backup/

1	sudo cp -R /www-root/* /backup/www-backup/

Download and extract WordFence

I downloaded and installed the Wordfence plugin via command line. I visited https://wordpress.org/plugins/wordfence/ and got the plugin URL for the latest version (e.g https://downloads.wordpress.org/plugin/wordfence.6.3.19.zip).

I downloaded the plugin zip file from the command line to my WordPress plugins folder. Read my guide (here) on managing WordPress from the command line.

cd /www-root/wp-content/plugins/
sudo wget https://downloads.wordpress.org/plugin/wordfence.6.3.19.zip
sudo unzip /www-root/wp-content/plugins/wordfence.6.3.19.zip
rm -R /www-root/wp-content/plugins/*.zip

cd /www-root/wp-content/plugins/

sudo wget https://downloads.wordpress.org/plugin/wordfence.6.3.19.zip

sudo unzip /www-root/wp-content/plugins/wordfence.6.3.19.zip

rm -R /www-root/wp-content/plugins/*.zip

Now the Wordfence plugin can be activated in WordPress.

Enter your email to receive Wordfence alerts.

Your Wordfence Dashboard will show local and global issues and statistics.

I set these default Wordfence options.

More Wordfence Options

Set Permissions (for Firewall)

You may need to create a log folder (e.g /www/wp-content/wflogs/) and set permissions to allow Wordfence to work.

cd /www-root/wp-content/
mkdir wflogs
sudo chmod -R 777 /www-root/wp-content/wflogs/

cd /www-root/wp-content/

mkdir wflogs

sudo chmod -R 777 /www-root/wp-content/wflogs/

Now I can enable the Wordfence firewall via the WordFence plugin at /wp-admin/admin.php?page=WordfenceWAF

Wordfence Firewall

Don’t forget to configure the Wordfence firewall.

Firewall Install Options

I do not have FTP setup so I’ll do a manual install based on these instructions.

I manually added this to my ~/nxinx/sites-available/default config.

I added this to my nginx config.

location ~ ^/\.user\.ini {
    deny all;
}

location ~ ^/\.user\.ini {

deny all;

}

This did not work as specified in the official Wordfence docs (https://docs.wordfence.com/en/Web_Application_Firewall_FAQ#NGINX) so I added the following.

location ~ (\.ini) {
    return 403;
}

location ~ (\.ini) {

return 403;

}

Accessing a test /test.user.ini file in a web browser returns a 403 (always test access)

403 Forbidden

nginx

403 Forbidden

nginx

I added this to my active php.ini configuration file.

auto_prepend_file = '/www-root/wordfence-waf.php'

1	auto_prepend_file = '/www-root/wordfence-waf.php'

I restart PHP.

sudo systemctl restart php7.0-fpm

1	sudo systemctl restart php7.0-fpm

I added my IP to the Wordfence whitelist textbox to ensure I am not blocked: /wp-admin/admin.php?page=WordfenceSecOpt

Tip: Grab your IPV4 address from https://ipv4.icanhazip.com/

Recent Wordfence Scan Summary (1st Scan)

Wordfence Dashboard allows you to see local and global stats.

Wordfence (In Progress) Scan summary.

My Issues

Wordfence alerted me that I needed to update WordPress and some plugins (see my guide on installing and managing your WordPress via the Command Line here).

I updated my WordPress core files (via the command line).

sudo wp core update
> Success: WordPress is up to date.

1 2	sudo wp core update > Success: WordPress is up to date.

I updated my WordPress plugins (via the command line).

sudo wp plugin update --all

1	sudo wp plugin update --all

Output:

>Enabling Maintenance mode...
>Downloading update from https://downloads.wordpress.org/plugin/>add-to-any.1.7.19.zip...
>Unpacking the update...
>Installing the latest version...
>Removing the old version of the plugin...
>Plugin updated successfully.
>Downloading update from https://downloads.wordpress.org/plugin/>display-posts-shortcode.2.9.0.zip...
>Unpacking the update...
>Installing the latest version...
>Removing the old version of the plugin...
>Plugin updated successfully.
>Downloading update from https://downloads.wordpress.org/plugin/>wordpress-seo.5.5.1.zip...
>Unpacking the update...
>Installing the latest version...
>Removing the old version of the plugin...
>Plugin updated successfully.
>Disabling Maintenance mode...
>+-------------------------+-------------+-------------+---------+
>| name                    | old_version | new_version | status  |
>+-------------------------+-------------+-------------+---------+
>| add-to-any              | 1.7.17      | 1.7.19      | Updated |
>| display-posts-shortcode | 2.8.0       | 2.9.0       | Updated |
>| wordpress-seo           | 5.4.2       | 5.5.1       | Updated |
>+-------------------------+-------------+-------------+---------+
>Success: Updated 3 of 3 plugins.

>Enabling Maintenance mode...

>Downloading update from https://downloads.wordpress.org/plugin/>add-to-any.1.7.19.zip...

>Unpacking the update...

>Installing the latest version...

>Removing the old version of the plugin...

>Plugin updated successfully.

>Downloading update from https://downloads.wordpress.org/plugin/>display-posts-shortcode.2.9.0.zip...

>Unpacking the update...

>Installing the latest version...

>Removing the old version of the plugin...

>Plugin updated successfully.

>Downloading update from https://downloads.wordpress.org/plugin/>wordpress-seo.5.5.1.zip...

>Unpacking the update...

>Installing the latest version...

>Removing the old version of the plugin...

>Plugin updated successfully.

>Disabling Maintenance mode...

>+-------------------------+-------------+-------------+---------+

>+-------------------------+-------------+-------------+---------+

>| add-to-any | 1.7.17 | 1.7.19 | Updated |

>| display-posts-shortcode | 2.8.0 | 2.9.0 | Updated |

>| wordpress-seo | 5.4.2 | 5.5.1 | Updated |

>+-------------------------+-------------+-------------+---------+

>Success: Updated 3 of 3 plugins.

I manually updated my WordPress theme (from my.studiopress.com website) and uploaded via SSH

 scp ~/Downloads/genesis.2.5.3.zip sshuser@www.example.com:/www-root/wp-content/themes/genesis.2.5.3.zip

1	scp ~/Downloads/genesis.2.5.3.zip sshuser@www.example.com:/www-root/wp-content/themes/genesis.2.5.3.zip

I could then SSH into my server and extract the theme.

cd /www-root/wp-content/themes/
unzip genesis.2.5.3.zip
rm -R genesis.2.5.3.zip

cd /www-root/wp-content/themes/

unzip genesis.2.5.3.zip

rm -R genesis.2.5.3.zip

Wordfence Dashboard

Wordfence allows you to see worldwide Blocked IP’s by the Wordfence network.

You can also see local successful or failed login attempts. The Ukraine IP 91.200.12.49 tried to log in to my WordPress installation but was banned globally as it was seen unsuccessfully logging into 900 other global servers, good work Wordfence.

Attacks blocked locally.

View global WordPress attacks by countries

Wordfence Features I like

Finding abandoned plugins
See Globally banned IP’s
See local failed login attempts
Brute force protection.
Stats on local blocked events.
Identification of old files.
Simple reports.

Wordfence Features I don’t like

Your mouse must be active in the window for scans to complete/seen.
Setup firewall almost requires FTP.

Wordfence: 7.02 updated (listed here)

Revised Dashboard looks nice

More to come, I will update this guide over time.

Donate and make this blog better

Revision Historyv1.2 added info on Wordfence 7.0.2

v1.1 added info on Captcha plugin backdoor detected by Wordfence

v1.0 Initial Post

etc

Setup Ruby, Rails, Gem and a command line twitter tool to query Twitter on Ubuntu 16.04 via a Twitter App

September 17, 2017 by Simon

Below is how I setup Ruby, Rails, Gem and a command line twitter tool to query Twitter on Ubuntu 16.04 via a Twitter App

Setup Twitter feed scraping on Ubuntu 16.04

At first, I had no network (I could not ping, run a system update or install packages (even though I had opened the firewall ports and disabled the firewall temporarily)? I fixed this by editing /etc/resolv.conf and added a google DNS entry.

sudo nano /etc/resolv.conf

1	sudo nano /etc/resolv.conf

Added the Google DNS server.

nameserver 8.8.8.8

1	nameserver 8.8.8.8

Bingo, I can now ping and update my system.

Setup Ruby and Pre-Requisites

sudo apt-get update
sudo apt-get install git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties libffi-dev
git clone https://github.com/rbenv/rbenv.git ~/.rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL
git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc
exec $SHELL
rbenv install 2.4.1
rbenv global 2.4.1

sudo apt-get update

sudo apt-get install git-core curl zlib1g-dev build-essential libssl-dev libreadline-dev libyaml-dev libsqlite3-dev sqlite3 libxml2-dev libxslt1-dev libcurl4-openssl-dev python-software-properties libffi-dev

git clone https://github.com/rbenv/rbenv.git ~/.rbenv

echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc

echo 'eval "$(rbenv init -)"' >> ~/.bashrc

exec $SHELL

git clone https://github.com/rbenv/ruby-build.git ~/.rbenv/plugins/ruby-build

echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc

exec $SHELL

rbenv install 2.4.1

rbenv global 2.4.1

If ruby 2.4.1 fails o install try and install the older ruby 2.2.1

Error

rbenv install 2.4.1
Downloading ruby-2.4.1.tar.bz2...
-> https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.1.tar.bz2
Installing ruby-2.4.1...

BUILD FAILED (Ubuntu 16.04 using ruby-build 20170914-2-ge40cd1f)
...

rbenv install 2.4.1

Downloading ruby-2.4.1.tar.bz2...

-> https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.1.tar.bz2

Installing ruby-2.4.1...

BUILD FAILED (Ubuntu 16.04 using ruby-build 20170914-2-ge40cd1f)

...

Optional Troubleshooting: Install Ruby 2.2.1 (if 2.4.1 fails to install)

rbenv install 2.2.1
rbenv global 2.2.1

1 2	rbenv install 2.2.1 rbenv global 2.2.1

Optional Troubleshooting: Ruby 2.2.1 is no longer recommended

rbenv install 2.2.1
Downloading ruby-2.2.1.tar.bz2...
-> https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.1.tar.bz2
Installing ruby-2.2.1...

WARNING: ruby-2.2.1 is nearing its end of life.
It only receives critical security updates, no bug fixes.
...

rbenv install 2.2.1

Downloading ruby-2.2.1.tar.bz2...

-> https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.1.tar.bz2

Installing ruby-2.2.1...

WARNING: ruby-2.2.1 is nearing its end of life.

It only receives critical security updates, no bug fixes.

...

Optional Install: Ruby 2.4.0

mkdir ~/.rbenv/cache
# download manually ruby file
wget https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.0.tar.bz2
# move file
mv ruby-2.4.0.tar.bz2 ~/.rbenv/cache
# do the install
rbenv install 2.4.0

mkdir ~/.rbenv/cache

# download manually ruby file

wget https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.0.tar.bz2

# move file

mv ruby-2.4.0.tar.bz2 ~/.rbenv/cache

# do the install

rbenv install 2.4.0

Hopefully, Ruby is now installed

ruby -v
ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]

1 2	ruby -v ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]

Install Bundler Gem

gem install bundler

1	gem install bundler

Install Rails

curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -

1	curl -sL https://deb.nodesource.com/setup_8.x \| sudo -E bash -

I skipped the Install (as I had node installed).

node -v
v6.11.3

1 2	node -v v6.11.3

Continue with rails install

gem install rails -v 5.1.3
rbenv rehash

1 2	gem install rails -v 5.1.3 rbenv rehash

Rails is installed

rails -v
Rails 5.1.3

1 2	rails -v Rails 5.1.3

Install the t gem (read more at the https://github.com/sferik/t GitHub repository)

gem install t

1	gem install t

You can now authorize the t gem to use your twitter.

t authorize
Welcome! Before you can use t, you'll first need to register an
application with Twitter. Just follow the steps below:
  1. Sign in to the Twitter Application Management site and click
     "Create New App".
  2. Complete the required fields and submit the form.
     Note: Your application must have a unique name.
  3. Go to the Permissions tab of your application, and change the
     Access setting to "Read, Write and Access direct messages".
  4. Go to the Keys and Access Tokens tab to view the consumer key
     and secret which you'll need to copy and paste below when
     prompted.

t authorize

Welcome! Before you can use t, you'll first need to register an

application with Twitter. Just follow the steps below:

1. Sign in to the Twitter Application Management site and click

"Create New App".

2. Complete the required fields and submit the form.

Note: Your application must have a unique name.

3. Go to the Permissions tab of your application, and change the

Access setting to "Read, Write and Access direct messages".

4. Go to the Keys and Access Tokens tab to view the consumer key

and secret which you'll need to copy and paste below when

prompted.

But first let’s create a twitter app.

Goto https://apps.twitter.com/, login and create an app.

Twitter will provide app details when you create the app.

Go to Permissions and set “Read, Write and Access direct messages” and save changes.

Linking the Twitter app to t Gem

Now that the Twitter app is created let’s activate and link it to the t gem,

Run the following command to start the authorization process.

t authorize

1	t authorize

The authorization process is dead simple, just follow the on-screen prompts.

Welcome! Before you can use t, you'll first need to register an
application with Twitter. Just follow the steps below:
  1. Sign in to the Twitter Application Management site and click
     "Create New App".
  2. Complete the required fields and submit the form.
     Note: Your application must have a unique name.
  3. Go to the Permissions tab of your application, and change the
     Access setting to "Read, Write and Access direct messages".
  4. Go to the Keys and Access Tokens tab to view the consumer key
     and secret which you'll need to copy and paste below when
     prompted.

Press [Enter] to open the Twitter Developer site.

Open: https://apps.twitter.com
Enter your API key: ########################
Enter your API secret: ################################################

In a moment, you will be directed to the Twitter app authorization page.
Perform the following steps to complete the authorization process:
  1. Sign in to Twitter.
  2. Press "Authorize app".
  3. Copy and paste the supplied PIN below when prompted.

Press [Enter] to open the Twitter app authorization page.

Open: https://api.twitter.com/oauth/authorize?oauth_callback=oob&oauth_consumer_key=################################################&oauth_signature=################################################&oauth_signature_method=HMAC-SHA1&oauth_timestamp=123456789&oauth_token=########################&oauth_version=1.0
Enter the supplied PIN: ######
Authorization successful.

Welcome! Before you can use t, you'll first need to register an

application with Twitter. Just follow the steps below:

1. Sign in to the Twitter Application Management site and click

"Create New App".

2. Complete the required fields and submit the form.

Note: Your application must have a unique name.

3. Go to the Permissions tab of your application, and change the

Access setting to "Read, Write and Access direct messages".

4. Go to the Keys and Access Tokens tab to view the consumer key

and secret which you'll need to copy and paste below when

prompted.

Press [Enter] to open the Twitter Developer site.

Open: https://apps.twitter.com

Enter your API key: ########################

Enter your API secret: ################################################

In a moment, you will be directed to the Twitter app authorization page.

Perform the following steps to complete the authorization process:

1. Sign in to Twitter.

2. Press "Authorize app".

3. Copy and paste the supplied PIN below when prompted.

Press [Enter] to open the Twitter app authorization page.

Open: https://api.twitter.com/oauth/authorize?oauth_callback=oob&oauth_consumer_key=################################################&oauth_signature=################################################&oauth_signature_method=HMAC-SHA1&oauth_timestamp=123456789&oauth_token=########################&oauth_version=1.0

Enter the supplied PIN: ######

Authorization successful.

This was easy.

fyi: Authorization (Twitter authorize app screenshot)

fyi: Authorization (Twitter authorize app pin screenshot)

Using T

T Help

t help
Commands:
  t accounts                          # List accounts
  t authorize                         # Allows an application to request user authorization
  t block USER [USER...]              # Block users.
  t delete SUBCOMMAND ...ARGS         # Delete Tweets, Direct Messages, etc.
  t direct_messages                   # Returns the 20 most recent Direct Messages sent to you.
  t direct_messages_sent              # Returns the 20 most recent Direct Messages you've sent.
  t dm USER MESSAGE                   # Sends that person a Direct Message.
  t does_contain [USER/]LIST USER     # Find out whether a list contains a user.
  t does_follow USER [USER]           # Find out whether one user follows another.
  t favorite TWEET_ID [TWEET_ID...]   # Marks Tweets as favorites.
  t favorites [USER]                  # Returns the 20 most recent Tweets you favorited.
  t follow USER [USER...]             # Allows you to start following users.
  t followers [USER]                  # Returns a list of the people who follow you on Twitter.
  t followings [USER]                 # Returns a list of the people you follow on Twitter.
  t followings_following USER [USER]  # Displays your friends who follow the specified user.
  t friends [USER]                    # Returns the list of people who you follow and follow you back.
  t groupies [USER]                   # Returns the list of people who follow you but you don't follow back.
  t help [COMMAND]                    # Describe available commands or one specific command
  t intersection USER [USER...]       # Displays the intersection of users followed by the specified users.
  t leaders [USER]                    # Returns the list of people who you follow but don't follow you back.
  t list SUBCOMMAND ...ARGS           # Do various things with lists.
  t lists [USER]                      # Returns the lists created by a user.
  t matrix                            # Unfortunately, no one can be told what the Matrix is. You have to see it for y...
  t mentions                          # Returns the 20 most recent Tweets mentioning you.
  t mute USER [USER...]               # Mute users.
  t muted [USER]                      # Returns a list of the people you have muted on Twitter.
  t open USER                         # Opens that user's profile in a web browser.
  t reach TWEET_ID                    # Shows the maximum number of people who may have seen the specified tweet in th...
  t reply TWEET_ID [MESSAGE]          # Post your Tweet as a reply directed at another person.
  t report_spam USER [USER...]        # Report users for spam.
  t retweet TWEET_ID [TWEET_ID...]    # Sends Tweets to your followers.
  t retweets [USER]                   # Returns the 20 most recent Retweets by a user.
  t retweets_of_me                    # Returns the 20 most recent Tweets of the authenticated user that have been ret...
  t ruler                             # Prints a 140-character ruler
  t search SUBCOMMAND ...ARGS         # Search through Tweets.
  t set SUBCOMMAND ...ARGS            # Change various account settings.
  t status TWEET_ID                   # Retrieves detailed information about a Tweet.
  t stream SUBCOMMAND ...ARGS         # Commands for streaming Tweets.
  t timeline [USER]                   # Returns the 20 most recent Tweets posted by a user.
  t trend_locations                   # Returns the locations for which Twitter has trending topic information.
  t trends [WOEID]                    # Returns the top 50 trending topics.
  t unfollow USER [USER...]           # Allows you to stop following users.
  t update [MESSAGE]                  # Post a Tweet.
  t users USER [USER...]              # Returns a list of users you specify.
  t version                           # Show version.
  t whoami                            # Retrieves profile information for the authenticated user.
  t whois USER                        # Retrieves profile information for the user.

Options:
  -C, [--color=COLOR]   # Control how color is used in output
                        # Default: auto
                        # Possible values: icon, auto, never
  -P, [--profile=FILE]  # Path to RC file
                        # Default: /root/.trc

t help

Commands:

t accounts # List accounts

t authorize # Allows an application to request user authorization

t block USER [USER...] # Block users.

t delete SUBCOMMAND ...ARGS # Delete Tweets, Direct Messages, etc.

t direct_messages # Returns the 20 most recent Direct Messages sent to you.

t direct_messages_sent # Returns the 20 most recent Direct Messages you've sent.

t dm USER MESSAGE # Sends that person a Direct Message.

t does_contain [USER/]LIST USER # Find out whether a list contains a user.

t does_follow USER [USER] # Find out whether one user follows another.

t favorite TWEET_ID [TWEET_ID...] # Marks Tweets as favorites.

t favorites [USER] # Returns the 20 most recent Tweets you favorited.

t follow USER [USER...] # Allows you to start following users.

t followers [USER] # Returns a list of the people who follow you on Twitter.

t followings [USER] # Returns a list of the people you follow on Twitter.

t followings_following USER [USER] # Displays your friends who follow the specified user.

t friends [USER] # Returns the list of people who you follow and follow you back.

t groupies [USER] # Returns the list of people who follow you but you don't follow back.

t help [COMMAND] # Describe available commands or one specific command

t intersection USER [USER...] # Displays the intersection of users followed by the specified users.

t leaders [USER] # Returns the list of people who you follow but don't follow you back.

t list SUBCOMMAND ...ARGS # Do various things with lists.

t lists [USER] # Returns the lists created by a user.

t matrix # Unfortunately, no one can be told what the Matrix is. You have to see it for y...

t mentions # Returns the 20 most recent Tweets mentioning you.

t mute USER [USER...] # Mute users.

t muted [USER] # Returns a list of the people you have muted on Twitter.

t open USER # Opens that user's profile in a web browser.

t reach TWEET_ID # Shows the maximum number of people who may have seen the specified tweet in th...

t reply TWEET_ID [MESSAGE] # Post your Tweet as a reply directed at another person.

t report_spam USER [USER...] # Report users for spam.

t retweet TWEET_ID [TWEET_ID...] # Sends Tweets to your followers.

t retweets [USER] # Returns the 20 most recent Retweets by a user.

t retweets_of_me # Returns the 20 most recent Tweets of the authenticated user that have been ret...

t ruler # Prints a 140-character ruler

t search SUBCOMMAND ...ARGS # Search through Tweets.

t set SUBCOMMAND ...ARGS # Change various account settings.

t status TWEET_ID # Retrieves detailed information about a Tweet.

t stream SUBCOMMAND ...ARGS # Commands for streaming Tweets.

t timeline [USER] # Returns the 20 most recent Tweets posted by a user.

t trend_locations # Returns the locations for which Twitter has trending topic information.

t trends [WOEID] # Returns the top 50 trending topics.

t unfollow USER [USER...] # Allows you to stop following users.

t update [MESSAGE] # Post a Tweet.

t users USER [USER...] # Returns a list of users you specify.

t version # Show version.

t whoami # Retrieves profile information for the authenticated user.

t whois USER # Retrieves profile information for the user.

Options:

-C, [--color=COLOR] # Control how color is used in output

# Default: auto

# Possible values: icon, auto, never

-P, [--profile=FILE] # Path to RC file

# Default: /root/.trc

Show linked twitter accounts with t

t accounts
yourappnamehere
  ###################### (active)

t accounts

yourappnamehere

###################### (active)

Show authorized twitter accounts

t set active yourtwitterappnamehere ########################
Active account has been updated to yourtwitterappnamehere.

1 2	t set active yourtwitterappnamehere ######################## Active account has been updated to yourtwitterappnamehere.

Using t to query a Twitter user

t whois @fearbysoftware
ID           1468627891
Since        May 30  2013 (4 years ago)
Last update  Editing remote files locally with sublime text editor over ssh https://t.co/k5qSnHmUrP #VoteYes (7 hours ago)
Screen name  @FearbySoftware
Name         Simon Fearby
Tweets       4,797
Favorites    940
Listed       88
Following    1,933
Followers    616
Bio          Developing augmented reality mobile apps, websites, ardrino and raspberry pi code/circuits etc. Tweets are my own not my employer. Blog at https://t.co/Azo81pi8Yt
Location     Tamworth NSW, Australia
URL          http://www.fearby.com

t whois @fearbysoftware

ID 1468627891

Since May 30 2013 (4 years ago)

Last update Editing remote files locally with sublime text editor over ssh https://t.co/k5qSnHmUrP #VoteYes (7 hours ago)

Screen name @FearbySoftware

Name Simon Fearby

Tweets 4,797

Favorites 940

Listed 88

Following 1,933

Followers 616

Bio Developing augmented reality mobile apps, websites, ardrino and raspberry pi code/circuits etc. Tweets are my own not my employer. Blog at https://t.co/Azo81pi8Yt

Location Tamworth NSW, Australia

URL http://www.fearby.com

Search Twitter for “fearby”

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

"If you're not still learning, you're already dying."
- Ryan Holiday - Ego is the Enemy

Follow me on Twitter: @FearbySoftware

View All Posts.

Firewall

I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.

Set up a whitelisted IP on an UpCloud VM and WordPress using a VPN to get a static IP address

Using the Qualys FreeScan Scanner to test your website for online vulnerabilities

Using OWASP ZAP GUI to scan your Applications for security issues

Wordfence Security Plugin for WordPress

Setup Ruby, Rails, Gem and a command line twitter tool to query Twitter on Ubuntu 16.04 via a Twitter App