Skip to main content

Securing your Webmin Server & WordPress Site

Webmin is a powerful, web-based interface for system administration for Unix. When you deploy a LAMP or WordPress appliance at Tilaa, Webmin is often included to help you manage your server.

This guide covers three essential security steps:

  1. Securing the Webmin access itself.
  2. Hardening SSH access.
  3. Enabling SSL (HTTPS) for your WordPress site.

Part 1: Securing Webmin

1. Login

Access your Webmin interface via your browser:

  • URL: https://<your-ip>:12321 (e.g., https://192.168.1.1:12321)
  • Username: root
  • Password: Your initial root password.

2. Change Root Password

We strongly recommend changing the root password immediately.

  1. Go to System > Change Passwords.
  2. Select the user root.
  3. Enter a new, strong password and click Change.

Part 2: Hardening SSH Access

Changing the default SSH port (22) drastically reduces brute-force attacks.

  1. Go to Servers > SSH Server.
  2. Click on Networking.
  3. Change Port from 22 to a custom port (e.g., 2200).
  4. Click Save.
Don't lock yourself out!
Before restarting SSH, you must update the firewall to allow the new port.

Update Firewall (Webmin)

  1. Go to Networking > Linux Firewall.
  2. Find the rule allowing port 22 (SSH).
  3. Edit it to allow your new port (e.g., 2200).
  4. Click Apply Configuration.
  5. Now go back to the SSH Server page and click Apply Changes (or restart SSH).

Part 3: Securing WordPress with SSL

To get the green padlock on your WordPress site, you need to install an SSL certificate in Apache.

1. Upload Certificates

You need your certificate files (certificate.crt, private.key, ca_bundle.crt) from your SSL provider.

  1. Go to Tools > File Manager.
  2. Navigate to /etc/ssl/certs/.
  3. Upload your 3 files here.

2. Configure Apache

  1. Go to Servers > Apache Webserver.
  2. Click on the Virtual Host for port 443 (SSL).
  3. Click SSL Options.
  4. Link the files you just uploaded:
    • Certificate/Cert file: /etc/ssl/certs/certificate.crt
    • Private Key file: /etc/ssl/certs/private.key
    • Certificate Authority file: /etc/ssl/certs/ca_bundle.crt
  5. Ensure SSL Protocol is set to disable old versions (uncheck SSLv2/SSLv3).
  6. Click Save and then Apply Changes (top right) to restart Apache.

Part 4: Force HTTPS in WordPress

Now that the server supports SSL, tell WordPress to use it.

  1. In File Manager, open /var/www/wordpress/wp-config.php.
  2. Add this line above "That's all, stop editing": 
    define('FORCE_SSL_ADMIN', true);
  3. Save the file.
  4. Log in to your WordPress Admin Dashboard (/wp-admin).
  5. Go to Settings > General.
  6. Change both "WordPress Address" and "Site Address" from http:// to https://.