How to secure your Webmin panel

 

Your VPS is set up with standard ports to access your server, which makes it easier for hackers to get to your data. The following changes can be easily managed through Webmin.

This is a management interface that can be accessed via any web browser by using the following link: https://(your IPv4 address):12321 the link should look like this  https://x.x.x.x:12321

 

Step 1 - logging into your dashboard

As soon as you navigate to this URL, you can log in into Webmin using the username root combined with the password that is given in your Tilaa dashboard.

mceclip4.png

 

Step 2 – Change your standard Root password

The first step is to change the standard password to something which is more secure. In the Webmin sidepanel click on ‘System’ and next on the menu item ‘Change Passwords’. Select root to change your root password.

 

mceclip5.png

 

When changing the original password, you can check the box ‘Change password in other modules?’. This also makes sure you change your admin password on the instance that you have running.

 

mceclip6.png

 

Step 3 – Configure SSH via Webmin

Next, you might consider configuring SSH to use a non-standard port for your access. To do this, click on ‘Servers’ in your Webmin sidepanel and go to the menu item ‘SSH server’ and go to the ‘Networking’ options.

 

mceclip7.png

 

Under the networking options, you’ll see that the default port is set to 22. You can change this to another value such as 2200 and then click on save.

 

mceclip8.png

By changing the port, you also need to update the port settings of your Firewall. To achieve this, click on ‘Networking’ in your Webmin side panel and go to the menu item ‘Linux Firewall’. A screen will open which shows all firewall rules. Click on the rule which states, “If protocol is TCP and destination is port 22”, change the value 22 to 2200.

mceclip9.png

Step 4 – Adding an SSL certificate to your WordPress website

For security reasons, it is advised to secure your website with an SSL certificate. Adding the right certificates can also be easily done via the server settings in your Webmin dashboard. By installing an SSL certificate on your WordPress website, a padlock is activated and the HTTPS protocol is used in the address bar of your web browser.

 

You can get your SSL certificate from a Certificate Authority (CA), some examples are Cloudflare (https://www.cloudflare.com/), Lets Encrypt (https://letsencrypt.org/)  or ZeroSSL (https://zerossl.com/). There are several types of certificates also different in terms of pricing. More info on these certificates can be found in a previous blog.

 

After you’ve set up your SSL certificates from your CA, you will end up with 3 different files: ca_bundle.crt, certificate.crt and private.key. The next step is to place these 3 files on your server in the right folder and link them in the SSL server settings.

To achieve this, click on ‘Tools’ in your Webmin side panel and go to the menu item ‘File manager’. Navigate to the folder:

 /etc/ssl/certs/

In this folder, you can place the 3 files.
The next step is to link these files in the server settings of your Apache server.

To do this, click on ‘Servers’ in your Webmin side panel and go to the menu item ‘Apache Webserver’. Here you will see a list of virtual machines, to change the right settings click on the virtual server with the port 443:

mceclip10.png

 

A screen will show with the server settings and next you can select the SSL options of this server. Here, you can link the 3 files that you’ve just placed onto your server via the file manager. Also be sure to only check the SSL protocols TLSv1.2 & TLSv1.3.

mceclip11.png

 

After the above changed have been made, be sure to click on save and the SSL settings are configured on your web server.

 

Wordpress - Updating the SSL settings in your wp-config.php file

To finalize the SSL setup, some changes also need to be made to the wp-config.php file. This file contains the base configuration details of your WordPress website and is located in the root of your WordPress file directory.

These changes can also be done in your Webmin dashboard. First locate the wp-config.php file via the file manager. Click on ‘Tools’ in your Webmin side panel and go to the menu item ‘File manager’. Navigate to the folder:

/var/www/wordpress/

Here you will find the file wp-config.php, right-click on the file and click on edit:

mceclip12.png

A text editor will open showing the rules for your Wordpress website. First make sure to change the part for WP_SITEURL & WP_HOME from http:// to https:// . Next to this also add the following code above the “That’s all, stop editing!” line in your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

All changes made to your wp-config.php file should look like this: 

mceclip13.png

 

After these changes be sure to save the file by clicking on the safe icon in the right top corner. Now your SSL settings are finalized.

 

Step 2 – Setting up proper redirects for non-www & http links

Now that all security measures have been done you will see that your WordPress website can be accessed via a https protocol. However incoming traffic to non-www or to http URLS also have to be redirected to the right links including https:// . This is something that you can change in the .htaccess File which also can be found in the WordPress folder on your server.

The .htaccess file is a configuration file that’s used by the Apache server. Rules defined in the file will override several settings of server configurations, and it’s often used for cache control, website optimization, URL rewriting, and authorization.

Again in the Webmin dashboard. First locate .htaccess file via the file manager. Click on ‘Tools’ in your Webmin sidepanel and go to the menu item ‘File manager’. Navigate to the folder:

/var/www/wordpress/

mceclip14.png

 

Again, a text editor will open the file. The final thing to do is to paste the following text between # BEGIN WordPress and # END WordPress in this document.

 

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>


Afterwards, save the file, and you can close the Webmin dashboard.

Now, your WordPress VPS is properly set up for usage. Future changes can still be made in the Webmin dashboard for advanced security measures. Logging into WordPress can be done via the normal /wp-admin URL on your SSL secured website domain along with your new password.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.

Articles in this section