iThemes Security offers some security hardening measures that require directives to be added to your site's Nginx configuration. When these settings are activated, you'll see a message that says:
"The settings saved successfully.
You must restart your NGINX server for the changes to take effect."
iThemes writes this configuration to a file named nginx.conf inside your website's htdocs folder. On GridPane that file is never read by Nginx: it is in the wrong location and has the wrong name, so the changes will not take effect even after Nginx has been reloaded. The steps below move its contents to where GridPane's Nginx actually includes them.
iThemes Security Hardening and GridPane
Many of the features that iThemes offers are valuable on an average budget host, but on GridPane the following security hardening features are already in place out of the box:
- Disable Directory Browsing
- Disable PHP execution in the uploads directory
- Disable PHP execution in the themes directory
And the following are covered by either of our integrated Web Application Firewalls (WAFs):
- Filter Request Methods - Filter out requests that use the TRACE or TRACK request methods
- Filter Suspicious Query Strings in the URL
Learn more about our WAF integrations here:
There are also many extra features you can enable on your GridPane servers via GP-CLI. See the following two articles on Fail2Ban integration and Nginx hardening:
Activate your iThemes Settings
The following will walk you through how to activate your iThemes settings on your GridPane server. Note that if you make any future changes to your iThemes settings, you will need to repeat this process, because iThemes only ever rewrites the file in htdocs. Before continuing, make sure you have all of your desired settings in place.
Step 1. SSH into your server:
Please see the following articles to get started:
Generate your SSH Key:
Add your SSH Key to GridPane:
Connect to your server:
Step 2. Copy your iThemes nginx.conf contents
The config that iThemes created is located inside your htdocs folder (your site's web root, which is why Nginx never treats it as configuration). Open this file with the following command, replacing "site.url" with your website's domain name:
Copy the contents of this file; we'll be using it in the next step. To exit nano, press Ctrl+X.
If you use the same settings for every website, you may wish to store a copy of these settings. You can also export your plugin settings from inside your WordPress dashboard. This way, next time you set up a website, you simply install the plugin, import your plugin settings, and then SSH into your server and head straight to step 3 below.
The export/import feature is located in Dashboard > iThemes Security > Settings > Notification Center. You're looking for "Settings Export".
You can check out how to do this with this KB from iThemes themselves:
At this point, you've copied your iThemes Nginx configuration. The question now is whether we already take care of these features out of the box (see the list above). If you're unsure, please send a copy of your configuration file to firstname.lastname@example.org and we will let you know which settings are not required (if any).
Step 3. Create a new config for iThemes
We'll be creating a file called "ithemes-main-context.conf" in your site's Nginx include directory. Run the following command, switching out "site.url" for your website's domain:
Paste the code you copied in step 2 into the file.
Press Ctrl+O and then Enter to save the file, then Ctrl+X to exit nano.
Step 4. Check and reload Nginx
We now need to test our Nginx syntax with:
Do not reload while errors are reported: a syntax error in the new include file makes the whole Nginx configuration invalid, so the reload would fail. Fix (or remove) the file first. If there are no errors present, reload Nginx with the following command:
gp ngx reload
Your iThemes settings have now been activated for your website :)
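The whole procedure (steps 2 to 4) as one script, added here as an example; it is not GridPane's or iThemes' own tooling. The paths are assumptions drawn from this article's description: the iThemes-written file is assumed to live at /var/www/site.url/htdocs/nginx.conf and the include GridPane picks up at /var/www/site.url/nginx/ithemes-main-context.conf. Confirm both on your server before relying on it. The script refuses to install an empty or brace-unbalanced file, because a broken include invalidates the entire Nginx configuration, and it only reloads after `nginx -t` passes.

```shell
#!/usr/bin/env bash
# Added example (not GridPane's or iThemes' code): copy the nginx.conf that
# iThemes Security writes into the location GridPane's Nginx actually includes,
# then syntax-check and reload.
# Assumed layout (verify on your own server):
#   $WWW_ROOT/<site>/htdocs/nginx.conf                 written by iThemes, never read by Nginx
#   $WWW_ROOT/<site>/nginx/ithemes-main-context.conf   included by the site's server block
set -u

WWW_ROOT="${WWW_ROOT:-/var/www}"

ithemes_source() { printf '%s/%s/htdocs/nginx.conf\n' "$WWW_ROOT" "$1"; }
ithemes_target() { printf '%s/%s/nginx/ithemes-main-context.conf\n' "$WWW_ROOT" "$1"; }

# Cheap pre-flight: every "{" needs a matching "}". nginx -t would catch this
# too, but a broken include takes the whole server configuration down with it,
# so refuse before anything is copied into the include directory.
braces_balanced() {
    opens=$(tr -cd '{' < "$1" | wc -c)
    closes=$(tr -cd '}' < "$1" | wc -c)
    [ "$((opens))" -eq "$((closes))" ]
}

# Step 2 + 3: copy the iThemes config to the include path. Returns non-zero
# (and copies nothing) when the source is missing, empty or unbalanced.
install_ithemes_conf() {
    site="$1"
    src=$(ithemes_source "$site")
    dst=$(ithemes_target "$site")
    if [ ! -s "$src" ]; then
        echo "no iThemes nginx.conf at $src (save the plugin settings first)" >&2
        return 1
    fi
    if ! braces_balanced "$src"; then
        echo "refusing to install $src: unbalanced braces" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dst")"
    # 0644: Nginx only needs to read it; never leave it group/world-writable.
    install -m 0644 "$src" "$dst"
    echo "installed $dst"
}

# Step 4: syntax-check first, reload only on success. nginx -t is upstream
# Nginx's own test; "gp ngx reload" is the GridPane CLI command from the article.
check_and_reload() {
    if ! command -v nginx >/dev/null 2>&1; then
        echo "nginx not found on PATH; run this on the server" >&2
        return 1
    fi
    nginx -t || return 1
    gp ngx reload
}

# Offline self-test on a constructed throwaway tree (no server needed): writes a
# sample file with one directive of the kind such configs contain, installs it,
# and checks that an identical copy landed in the include directory.
self_test() (
    tmp=$(mktemp -d) || exit 1
    WWW_ROOT="$tmp"
    mkdir -p "$tmp/site.url/htdocs"
    printf 'location ~ /\\.ht {\n    deny all;\n}\n' > "$tmp/site.url/htdocs/nginx.conf"
    install_ithemes_conf site.url >/dev/null &&
        cmp -s "$tmp/site.url/htdocs/nginx.conf" "$tmp/site.url/nginx/ithemes-main-context.conf"
    rc=$?
    rm -rf "$tmp"
    exit $rc
)

# Usage on the server:  ./ithemes-nginx.sh site.url
# With no argument the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    install_ithemes_conf "$1" && check_and_reload
fi
```

Run it once per site after every change to the plugin's settings, since iThemes keeps rewriting only the copy in htdocs. Setting WWW_ROOT lets you point it at a different sites directory if your server layout differs from the assumed one.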