
111 Recipes

How to auto-renew Let’s Encrypt certificates in Debian 10

Published ·UPD ·In Documentation

If Certbot is installed in Debian, renewal of certificates should already be automated and there is nothing else to do:

The Debian Certbot package installs a systemd timer which runs every 12 hours, calling a Certbot service. The Certbot service then executes the Certbot command for renewing expiring certificates.

To make sure the certbot timer is running, check the list of active timers:

$ systemctl list-timers

Or look at the status of the Certbot timer itself:

$ systemctl status certbot.timer

To see what exactly the Certbot service does:

$ less /usr/lib/systemd/system/certbot.service

More: Certbot – User Guide

How to remove all CSS classes and IDs from WordPress menu items

Published ·UPD ·In Recipes

add_filter('nav_menu_item_id', '__return_empty_string');
add_filter('nav_menu_css_class', '__return_empty_array');
add_filter('page_css_class', '__return_empty_array');

The three lines above will remove all IDs and classes from menu items, including classes for the current item. The current item can still be targeted using the aria-current attribute:

.menu li a[aria-current="page"] {
  color: red;
}


How to remove file lines that match a pattern

Published ·UPD ·In Recipes

Using GNU sed:

$ sed -i '/pattern/d' ./file

To remove the lines and keep a copy of the original:

$ sed -i.bak '/pattern/d' ./file

Since the pattern is a regular expression, special characters should be escaped. For example, to remove all lines containing example.com:

$ sed -i '/example\.com/d' ./file


WordPress security checklist

Published ·UPD ·In Recipes

This is a list of security items to check when setting up WordPress websites or web servers for WordPress websites.

I use it for web servers running Debian 10 (Buster), Apache 2.4 and PHP 7.3 or PHP 7.4, and for websites accessible via HTTPS. The list is a work in progress.

Apache HTTP server

  • Disable TLS 1.0 and 1.1
  • Disable AllowOverride globally (default since Apache 2.3.9) and for each site
  • Disable the autoindex module
  • Disable the auth_basic module
  • Disable the TRACE HTTP method (disabled by default in Debian 10) – h5bp snippet
  • Configure security response headers:
    • Disallow MIME sniffing
    • Remove X-Powered-By
    • Configure X-Frame-Options
    • Configure Strict-Transport-Security – h5bp snippet
    • Configure Content-Security-Policy – h5bp snippet, may need adapting
  • Forbid access to files that don’t need to be accessible – h5bp snippet
  • Forbid access to hidden files and directories that don’t need to be accessible – h5bp snippet
  • (for WP) Forbid access to xmlrpc.php if XML-RPC is not needed – snippets
  • (for WP) Forbid access to wp-login.php unless IP is trusted – not always feasible
  • (for WP) Forbid access to wp-login.php if agent uses HTTP/1.* – snippets
  • (for WP) Forbid access to PHP files in wp-content
  • (for WP) Forbid access to PHP files in wp-includes
  • (for WP) Forbid manual uploading of themes and plugins – snippet
  • (for WP) Forbid user enumeration
  • (for WP) Forbid GET requests to core REST API endpoints
  • (for WP) Configure Content-Security-Policy for wp-admin
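
One way to verify the "Configure security response headers" items after changing the Apache configuration, as an added example that is not part of the original checklist: a Python check run over a site's response headers. The sample responses are constructed, the function names are hypothetical, and the accepted values (nosniff, DENY or SAMEORIGIN, a non-zero HSTS max-age, any non-empty CSP) are assumptions about what counts as configured.

```python
import re

# Constructed sample responses (not captured from a real site).
SAMPLE_GOOD = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
"""
SAMPLE_WEAK = """\
HTTP/1.1 200 OK
Content-Type: text/html
X-Powered-By: PHP/7.3.0
x-frame-options: ALLOWALL
Strict-Transport-Security: max-age=0
"""

def parse_headers(raw):
    """Return {lower-case header name: value}, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return the checklist items the response fails, in checklist order."""
    h = parse_headers(raw)
    failed = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        failed.append("Disallow MIME sniffing")
    if "x-powered-by" in h:
        failed.append("Remove X-Powered-By")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        failed.append("Configure X-Frame-Options")
    # max-age=0 tells browsers to drop the HSTS policy, so treat it as a failure.
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) == 0:
        failed.append("Configure Strict-Transport-Security")
    if not h.get("content-security-policy"):
        failed.append("Configure Content-Security-Policy")
    return failed

if __name__ == "__main__":
    for label, raw in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, audit(raw) or "all header checks passed")
```

To check a live site, save the output of a HEAD request to a file and pass its contents to audit().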

PHP

WordPress

  • Set DISALLOW_FILE_EDIT to true
  • Set WP_DEBUG_DISPLAY to false
  • Set WP_DEBUG_LOG to true
  • Remove inactive themes except one (fallback)
  • Remove inactive plugins
  • Disable gravatars (one less thing to set CSP for)
  • (via plugin) Require strong passwords for all users
  • (via plugin) Require multi-factor authentication for admins – plugin
  • (via plugin) Disable comments completely if not needed – plugin

Resources and documentation

Possible additions and improvements for the future

Changelog

  • 2020-07-14. Added Mozilla Observatory to resources.

How to delete a Let’s Encrypt certificate

Published ·UPD ·In Recipes

First get a numbered list of all certificates that can be deleted:

$ sudo certbot delete

Then type the number of the certificate you want to delete and hit Enter.

Certificates can also be deleted by name:

$ sudo certbot delete --cert-name CERTNAME

Run certbot --help delete for more information.