Skip to content

111 Recipes

How to auto-renew Let’s Encrypt certificates in Debian 10

Published ·UPD ·In Documentation

If Certbot is installed in Debian, renewal of certificates should be already automated and there is nothing else to do:

The Debian Certbot package installs a systemd timer which runs every 12 hours, calling a Certbot service. The Certbot service then executes the Certbot command for renewing expiring certificates.

To make sure the certbot timer is running, check the list of active timers:

$ systemctl list-timers

Or look at the status of the Certbot timer itself:

$ systemctl status certbot.timer

To see what exactly the Certbot service does:

$ less /usr/lib/systemd/system/certbot.service

More: Certbot – User Guide

How to remove all CSS classes and IDs from WordPress menu items

Published ·UPD ·In Recipes
add_filter('nav_menu_item_id', '__return_empty_string');
add_filter('nav_menu_css_class', '__return_empty_array');
add_filter('page_css_class', '__return_empty_array');

The three lines above will remove all IDs and classes from menu items, including classes for the current item. The current item can still be targeted using the aria-current attribute:

.menu li a[aria-current="page"] {
  color: red;


How to remove file lines that match a pattern

Published ·UPD ·In Recipes

Using GNU sed:

$ sed -i '/pattern/d' ./file

To remove the lines and keep a copy of the original:

$ sed -i.bak '/pattern/d' ./file

Since the pattern is a regular expression, special characters should be escaped. For example, to remove all lines containing

$ sed -i '/example\.com/d' ./file


WordPress security checklist

Published ·UPD ·In Recipes

This is a list of security items to check when setting up WordPress websites or web servers for WordPress websites.

I use it for web servers running Debian 10 (Buster), Apache 2.4 and PHP 7.3 or PHP 7.4, and for websites accessible via HTTPS. The list is a work in progress.

Apache HTTP server

  • Disable TLS 1.0 and 1.1
  • Disable AllowOverride globally (default since Apache 2.3.9) and for each site
  • Disable the autoindex module
  • Disable the auth_basic module
  • Disable the TRACE HTTP method (disabled by default in Debian 10) – h5bp snippet
  • Configure security response headers:
    • Disallow MIME sniffing
    • Remove X-Powered-By
    • Configure X-Frame-Options
    • Configure Strict-Transport-Security – h5bp snippet
    • Configure Content-Security-Policy – h5bp snippetmay need adapting
  • Forbid access to files that don’t need to be accessible – h5bp snippet
  • Forbid access to hidden files and directories that don’t need to be accessible – h5bp snippet
  • (for WP) Forbid access to xmlrpc.php if XML-RPC is not needed – snippets
  • (for WP) Forbid access to wp-login.php unless IP is trusted – not always feasible
  • (for WP) Forbid access to wp-login.php if agent uses HTTP/1.* – snippets
  • (for WP) Forbid access to PHP files in wp-content
  • (for WP) Forbid access to PHP files in wp-includes
  • (for WP) Forbid manual uploading of themes and plugins – snippet
  • (for WP) Forbid user enumeration
  • (for WP) Forbid GET requests to core REST API endpoints
  • (for WP) Configure Content-Security-Policy for wp-admin



  • Set DISALLOW_FILE_EDIT to true
  • Set WP_DEBUG_DISPLAY to false
  • Set WP_DEBUG_LOG to true
  • Remove inactive themes except one (fallback)
  • Remove inactive plugins
  • Disable gravatars (one less thing to set CSP for)
  • (via plugin) Require strong passwords for all users
  • (via plugin) Require multi-factor authentication for admins – plugin
  • (via plugin) Disable comments completely if not needed – plugin

Resources and documentation

Possible additions and improvements for the future


  • 2020-07-14. Added Mozilla Observatory to resources.

How to delete a Let’s Encrypt certificate

Published ·UPD ·In Recipes

First get a numbered list of all certificates that can be deleted:

$ sudo certbot delete

Then type the number of the certificate you want to delete and hit Enter.

Certificates can also be deleted by name:

$ sudo certbot delete --cert-name CERTNAME

Run certbot --help delete for more information.