
111 Recipes

How to auto-renew Let’s Encrypt certificates in Debian 10

If Certbot is installed, renewal of certificates should already be automated and there is no need to do anything else:

The Debian Certbot package installs a systemd timer which runs every 12 hours and calls a Certbot service. The Certbot service then executes the Certbot command for renewing expiring certificates.

To make sure the certbot timer is running, check the list of active timers:

systemctl list-timers

Or look at the status of the Certbot timer itself:

systemctl status certbot.timer

To see what exactly the Certbot service does:

less /usr/lib/systemd/system/certbot.service

More: Certbot – User Guide

How to remove all CSS classes and IDs from WordPress menu items

add_filter('nav_menu_item_id', '__return_empty_string');
add_filter('nav_menu_css_class', '__return_empty_array');
add_filter('page_css_class', '__return_empty_array');

This will remove all IDs and classes from menu items, including classes for the current item. The current item can still be targeted and styled using the aria-current attribute:

.menu li a[aria-current="page"] {
  color: red;
}

Documentation

How to remove file lines that match a pattern

Using GNU sed:

sed -i '/pattern/d' ./file

To remove the lines and keep a copy of the original:

sed -i.bak '/pattern/d' ./file

Since the pattern is a regular expression, special characters should be escaped. For example, to remove all lines containing example.com:

sed -i '/example\.com/d' ./file

Documentation

WordPress security checklist

This is a list of security items to check when setting up WordPress websites or web servers for WordPress websites.

I use it for web servers running Debian 10 (Buster), Apache 2.4 and PHP 7.3 or PHP 7.4, and for websites accessible via HTTPS. The list is a work in progress.

Apache HTTP server

  • Disable TLS 1.0 and 1.1
  • Disable AllowOverride globally (default since Apache 2.3.9) and for each site
  • Disable the autoindex module
  • Disable the auth_basic module
  • Disable the TRACE HTTP method (disabled by default in Debian 10) – h5bp snippet
  • Configure security response headers:
    • Disallow MIME sniffing
    • Remove X-Powered-By
    • Configure X-Frame-Options
    • Configure Strict-Transport-Security – h5bp snippet
    • Configure Content-Security-Policy – h5bp snippet – may need adapting
  • Forbid access to files that don’t need to be accessible – h5bp snippet
  • Forbid access to hidden files and directories that don’t need to be accessible – h5bp snippet
  • (for WP) Forbid access to xmlrpc.php if XML-RPC is not needed – snippets
  • (for WP) Forbid access to wp-login.php unless IP is trusted – not always feasible
  • (for WP) Forbid access to wp-login.php if agent uses HTTP/1.* – snippets
  • (for WP) Forbid access to PHP files in wp-content
  • (for WP) Forbid access to PHP files in wp-includes
  • (for WP) Forbid manual uploading of themes and plugins – snippet
  • (for WP) Forbid user enumeration
  • (for WP) Forbid GET requests to core REST API endpoints
  • (for WP) Configure Content-Security-Policy for wp-admin
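As an added example (not part of the original checklist or of the h5bp snippets it links to), here are Apache 2.4 directives covering several of the items above in one place. The domain, the DocumentRoot path and the CSP value are placeholders, and mod_ssl and mod_headers are assumed to be enabled (a2enmod ssl headers).

```apache
# TLS: only 1.2 and 1.3 (Debian 10 ships Apache 2.4.38 with TLSv1.3 support)
SSLProtocol -all +TLSv1.2 +TLSv1.3

# Disable the TRACE method (already the Debian 10 default, made explicit here)
TraceEnable off

# No per-directory overrides: .htaccess files are ignored for the whole site
<Directory /var/www/example.com/public>
    AllowOverride None
    Require all granted
</Directory>

# Security response headers
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Placeholder policy: a real site needs its own script/style/img sources listed
Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data:"
# X-Powered-By is added by PHP; unset it here (or set expose_php = Off in php.ini)
Header unset X-Powered-By

# Hidden files and directories (.git, .env, .htaccess, ...) are never served
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# WordPress: no XML-RPC endpoint, and no direct execution of PHP files
# under wp-content or wp-includes (only index.php and wp-admin run PHP directly)
<Files "xmlrpc.php">
    Require all denied
</Files>
<LocationMatch "^/wp-(content|includes)/.*\.php$">
    Require all denied
</LocationMatch>
```

Some plugins and themes expect their PHP files under wp-content to be requested directly, so test the site after adding the LocationMatch block and add narrower exceptions if something breaks.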

PHP

WordPress

  • Set DISALLOW_FILE_EDIT to true
  • Set WP_DEBUG_DISPLAY to false
  • Set WP_DEBUG_LOG to true
  • Remove inactive themes except one (fallback)
  • Remove inactive plugins
  • Disable gravatars (one less thing to set CSP for)
  • (via plugin) Require strong passwords for all users
  • (via plugin) Require multi-factor authentication for admins – plugin
  • (via plugin) Disable comments completely if not needed – plugin

Resources and documentation

Possible additions and improvements for the future

Changelog

  • 2020-07-14. Added Mozilla Observatory to resources.

How to delete a Let’s Encrypt certificate

First get a numbered list of all certificates that can be deleted:

sudo certbot delete

Then type the number of the certificate you want to delete and hit Enter.

Certificates can also be deleted by name:

sudo certbot delete --cert-name CERTNAME

Run certbot --help delete for more information.