Hands-On Web Application Security: From Cloud to Code (AWS Lightsail + Bitnami + WordPress)
WordPress powers a large portion of the web, but its popularity makes it a common target for attacks. This hands-on tutorial guides you through securing a WordPress site deployed via Bitnami on AWS Lightsail, covering everything from cloud setup to code-level hardening. Download the slides to follow along step by step.
1. Understanding the Attack Surface
Even in a simplified stack like Lightsail + Bitnami + WordPress, there are multiple layers to secure:
- Cloud Layer (Lightsail): instances, the Lightsail instance firewall, IAM permissions and SSH key pairs.
- Server Layer (Bitnami Stack): Apache (or Nginx), MySQL/MariaDB and PHP configuration, file ownership and permissions.
- WordPress Application: plugins, themes, user accounts and authentication.
- Code Layer: custom theme or plugin code, hardcoded secrets, unsanitized input and unescaped output.
Think of it like a layered cake: even if the top layer looks safe (WordPress), a weak foundation (a misconfigured Lightsail instance) can spoil the whole cake.
2. Securing AWS Lightsail
Lightsail makes deployment simple, but the defaults need hardening. A new instance's firewall allows SSH (22), HTTP (80) and HTTPS (443) from any address:
- Firewall Rules: keep 80 and 443 open to the world (the site has to be reachable) but restrict 22 to the IP addresses or CIDR ranges you administer from. The Lightsail firewall sits in front of the instance, so this holds even if sshd on the box is misconfigured.
- SSH Security: use key pairs only and keep password authentication disabled (Bitnami images ship with PasswordAuthentication no; verify it stayed that way). Changing the default port only reduces scanner noise, not risk; if you do change it, open the new port in the Lightsail firewall before restarting sshd or you will lock yourself out.
- Automatic Backups & Snapshots: schedule snapshots so you can roll back quickly after a compromise. A snapshot taken before hardening also gives you a known-good point to return to if a change breaks the site.
- Monitoring: enable Lightsail metrics and alarms for unusual CPU or network spikes; a cryptominer or an outbound spam run usually shows up there first.
Hands-On Exercise:
- Launch a WordPress instance on Lightsail with Bitnami.
- Take a snapshot of your instance before making changes.
- Review firewall and SSH settings; lock down SSH access to your trusted IPs.
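The three exercise steps as one script, added here as an example and not part of the original tutorial or of Bitnami's tooling. It assumes the AWS CLI is configured with a user allowed to manage the instance, that the instance name and one trusted CIDR are passed on the command line, and that the sshd audit is run on the instance itself (the `apply` subcommand runs from your workstation, the `audit` subcommand on the box). Note that `put-instance-public-ports` replaces the whole rule set, which is why the script snapshots and lists the current rules first.

```shell
#!/bin/sh
# Added example (not from the original tutorial): snapshot the instance, lock
# the Lightsail firewall down to 80/443 from anywhere and 22 from one trusted
# CIDR, and audit sshd_config for the settings the tutorial asks for.
# Assumptions: AWS CLI installed and configured with a user allowed to manage
# this instance; instance name and trusted CIDR passed as arguments.
# Usage:  sh lightsail-harden.sh apply <instance-name> <trusted-cidr>   (workstation)
#         sh lightsail-harden.sh audit [/etc/ssh/sshd_config]            (on the instance)
set -eu

# Build the --port-infos argument for put-instance-public-ports: three
# shorthand structures separated by spaces. This shorthand takes one CIDR per
# rule; for several trusted ranges, or IPv6 via ipv6Cidrs, pass JSON instead.
build_port_infos() {
  trusted="$1"
  printf 'fromPort=80,toPort=80,protocol=tcp,cidrs=0.0.0.0/0 '
  printf 'fromPort=443,toPort=443,protocol=tcp,cidrs=0.0.0.0/0 '
  printf 'fromPort=22,toPort=22,protocol=tcp,cidrs=%s' "$trusted"
}

# First value of a keyword in an sshd_config file, lower-cased, or empty.
# sshd honours the FIRST occurrence of a keyword, not the last.
sshd_setting() {  # sshd_setting FILE KEYWORD
  grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{ print tolower($2) }'
}

# Report sshd_config settings that would let password or root logins in.
# Returns 1 if anything needs fixing. This reads one file; on a live host
# prefer `sudo sshd -T`, which also resolves sshd_config.d drop-ins.
audit_sshd() {
  cfg="$1"; bad=0
  case "$(sshd_setting "$cfg" PasswordAuthentication)" in
    no) ;;
    *)  echo "PasswordAuthentication must be 'no' (Bitnami ships it that way)"; bad=1 ;;
  esac
  case "$(sshd_setting "$cfg" PermitRootLogin)" in
    no|prohibit-password|"") ;;   # unset = OpenSSH default, prohibit-password
    *)  echo "PermitRootLogin must be 'no' or 'prohibit-password'"; bad=1 ;;
  esac
  case "$(sshd_setting "$cfg" PubkeyAuthentication)" in
    yes|"") ;;                    # unset = default yes
    *)  echo "PubkeyAuthentication must stay 'yes' or key login stops working"; bad=1 ;;
  esac
  return "$bad"
}

apply_hardening() {
  name="$1"; trusted="$2"
  # 1. Snapshot first so every later step is reversible.
  aws lightsail create-instance-snapshot --instance-name "$name" \
    --instance-snapshot-name "$name-pre-hardening-$(date +%Y%m%d-%H%M)"
  # 2. Record the current rules; put-instance-public-ports REPLACES them all.
  aws lightsail get-instance-port-states --instance-name "$name"
  # Unquoted on purpose: the three rules must arrive as separate arguments.
  aws lightsail put-instance-public-ports --instance-name "$name" \
    --port-infos $(build_port_infos "$trusted")
}

case "${1:-}" in
  apply) apply_hardening "$2" "$3" ;;
  audit) audit_sshd "${2:-/etc/ssh/sshd_config}" && echo "sshd_config matches the tutorial's settings" ;;
esac
```

If the audit reports a problem, fix the file and restart sshd from a second session, keeping the first one open until you have confirmed you can still log in.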
3. Securing Bitnami WordPress Stack
Bitnami packages WordPress with Apache, MySQL/MariaDB and PHP; each needs attention:
- Update the Stack: keep WordPress core, plugins and themes current from wp-admin or WP-CLI (bundled on the image). Bitnami does not upgrade Apache, PHP or the database in place; to move to newer versions, launch an instance from the current Bitnami image and migrate the site to it. bncert-tool only manages HTTPS certificates.
- TLS: use bncert-tool to obtain a Let's Encrypt certificate, redirect HTTP to HTTPS and install the renewal cron job.
- File Permissions: files should be owned by bitnami:daemon (bitnami is the SSH user, daemon is the account Apache runs as). The WordPress project's generic advice is 644 for files and 755 for directories, but with that layout Apache cannot write uploads or apply updates; Bitnami documents 664 for files and 775 for directories, with wp-config.php at 640 so the database credentials in it are not world-readable.
- Disable Directory Listings: set Options -Indexes in the Apache virtual host configuration so attackers cannot browse wp-content/uploads or plugin folders for files to fingerprint.
Hands-On Exercise:
- Run sudo /opt/bitnami/bncert-tool to configure HTTPS.
- Test HTTPS in a browser and verify the TLS configuration with the Qualys SSL Labs server test.
- Review permissions under the document root: /opt/bitnami/wordpress on current images, /opt/bitnami/apps/wordpress/htdocs on older ones.
4. Securing WordPress (AIOS)
The AIOS (All-In-One Security) plugin covers a lot of ground, but only once it is configured:
- Login Security: enable two-factor authentication for administrators, limit failed login attempts per IP, and optionally rename the login URL. Renaming only hides wp-login.php from mass scanners; it does not stop a targeted attacker, so treat it as noise reduction rather than a control.
- File Integrity Monitoring: detect changes to core files, plugins and themes; a modified core file or an unexpected PHP file under uploads is the usual sign of a web shell.
- Database Security: change the default wp_ table prefix and schedule database backups. The prefix change mostly defeats scripted attacks that assume wp_; the backups are what you will actually need after an incident.
- Firewall & Brute Force Protection: block abusive IPs and monitor traffic.
Hands-On Exercise:
- Install AIOS (All-In-One Security).
- Follow the plugin wizard to configure firewall, login and file integrity settings.
- Test login throttling and two-factor authentication from a session you can afford to have locked out: whitelist your own IP in AIOS first, or test from a second network.
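The install and the throttling test as a script, added here as an example and not part of the original tutorial or of the AIOS plugin. It assumes WP-CLI is on the PATH (Bitnami bundles it), WordPress at /opt/bitnami/wordpress, a real username and the site URL as arguments, and that the probing IP is one you can afford to have locked out. If AIOS has already renamed the login URL, set LOGIN_PATH to the new slug.

```shell
#!/bin/sh
# Added example (not from the original tutorial): install AIOS with WP-CLI,
# then probe the login form with wrong passwords to find the attempt at which
# throttling starts rejecting them.
# Assumptions: WordPress at /opt/bitnami/wordpress; site URL and username
# passed in; you probe from an IP you can afford to have locked out.
# Usage:  sh aios-check.sh install
#         sh aios-check.sh probe https://example.com admin 8
set -eu

WP_PATH=${WP_PATH:-/opt/bitnami/wordpress}
LOGIN_PATH=${LOGIN_PATH:-/wp-login.php}

install_aios() {
  # wordpress.org slug of the plugin; run as bitnami so plugin files stay bitnami-owned
  sudo -u bitnami wp plugin install all-in-one-wp-security-and-firewall --activate --path="$WP_PATH"
}

# One deliberately failed login. Prints "<http-status> <body-bytes>".
login_attempt() {  # login_attempt URL USER
  curl -s -o /dev/null -w '%{http_code} %{size_download}' \
    --data-urlencode "log=$2" \
    --data-urlencode "pwd=wrong-password-$(date +%s)" \
    --data-urlencode "wp-submit=Log In" \
    "$1$LOGIN_PATH"
}

# N attempts one second apart; prints "attempt status bytes" per line.
probe_login_throttle() {  # probe_login_throttle URL USER N
  url="$1"; user="$2"; n="$3"; i=1
  while [ "$i" -le "$n" ]; do
    echo "$i $(login_attempt "$url" "$user")"
    i=$((i + 1)); sleep 1
  done
}

# A plain failed login returns 200 with the form re-rendered. Throttling shows
# up as a different status code or a body of a clearly different size. Reads
# probe lines on stdin and prints the first attempt whose response differs
# from attempt 1, or "none" if every attempt looked the same.
first_change() {
  awk 'NR == 1 { base = $2 " " $3 }
       NR > 1 && ($2 " " $3) != base { print $1; found = 1; exit }
       END { if (!found) print "none" }'
}

case "${1:-}" in
  install) install_aios ;;
  probe)
    log=$(mktemp)
    probe_login_throttle "$2" "$3" "${4:-8}" | tee "$log"
    echo "first throttled attempt: $(first_change < "$log")" ;;
esac
```

Run the probe with N a few higher than the lockout threshold you configured; "none" after that many attempts means throttling is not actually active on the URL you hit.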
5. Securing Custom Code & Plugins
Even with AIOS, vulnerabilities in themes or custom plugins can be exploited:
- Avoid Hardcoding Secrets: define API keys as constants in wp-config.php (kept at mode 640) or read them from environment variables, never in theme or plugin files that get committed and deployed.
- Handle Input and Output Safely: sanitize request parameters (sanitize_text_field, absint and friends), build queries with $wpdb->prepare(), and escape on output (esc_html, esc_attr, esc_url). Most plugin XSS and SQL injection comes from skipping one of these three.
- Check Plugins & Themes: install only from reputable sources, remove what you do not use, and update regularly.
Hands-On Exercise:
- Introduce a sample vulnerable plugin (or review an existing one).
- Scan it with a static analyzer such as PHP_CodeSniffer with the WordPress Coding Standards, whose WordPress.Security sniffs flag unsanitized input, unescaped output and missing nonce checks.
- Apply fixes and validate functionality.
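The exercise end to end, as an added example that is not from the original tutorial: a constructed vulnerable plugin (not a real one), a grep-based checker for the four mistakes the section lists, and the fixed version that the checker passes. The checker is a teaching stand-in for PHP_CodeSniffer with the WordPress Coding Standards; it only matches single-line patterns and excuses any line that mentions a sanitizer or prepare(), so it will miss multi-line code and anything that calls the right function on the wrong value. The plugin name, constant and sample query are invented for the example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): grep-based checker for four
# classic plugin mistakes (raw request input, SQL built by interpolation,
# unescaped output, hardcoded secrets), run over a constructed vulnerable
# plugin and its fixed counterpart. Single-line patterns only; a real
# analyzer (phpcs + WordPress Coding Standards) does far better.
set -eu

VULN=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$VULN" "$FIXED"' EXIT

# Constructed vulnerable sample (not a real plugin).
cat > "$VULN" <<'EOF'
<?php
/* Plugin Name: Demo Search (constructed vulnerable sample) */
define('DEMO_API_KEY', 'hardcoded-demo-key');          // secret lives in code
function demo_search() {
    global $wpdb;
    $q = $_GET['q'];                                     // raw request input
    $rows = $wpdb->get_results("SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE '%$q%'"); // SQL injection
    echo "<p>Results for $q</p>";                        // reflected XSS
    return $rows;
}
EOF

# The same function after the fixes the section asks for.
cat > "$FIXED" <<'EOF'
<?php
/* Plugin Name: Demo Search (constructed fixed sample) */
function demo_search() {
    global $wpdb;
    $api_key = defined('DEMO_API_KEY') ? DEMO_API_KEY : '';   // constant set in wp-config.php
    $q = isset($_GET['q']) ? sanitize_text_field(wp_unslash($_GET['q'])) : '';
    $like = '%' . $wpdb->esc_like($q) . '%';
    $rows = $wpdb->get_results($wpdb->prepare("SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s", $like));
    echo '<p>Results for ' . esc_html($q) . '</p>';
    return $rows;
}
EOF

Q="'"   # a literal single quote, for patterns built inside double quotes

# rule LABEL MATCH EXCUSE FILE: print "LABEL: line:text" for lines matching
# MATCH (ERE) that do not also match EXCUSE; an empty EXCUSE excuses nothing.
rule() {
  hits=$(grep -nE "$2" "$4" | grep -vE "${3:-^\$}" || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" | sed "s|^|$1: |"
  fi
}

scan_plugin() {
  f="$1"
  rule "unsanitized input" \
    '\$_(GET|POST|REQUEST|COOKIE)\[' \
    'sanitize_|wp_unslash|absint|intval|\(int\)' "$f"
  rule "sql by interpolation" \
    '\$wpdb->(query|get_results|get_var|get_row|get_col)\(.*("[^"]*\$[A-Za-z_]|\.[[:space:]]*\$[A-Za-z_])' \
    'prepare\(' "$f"
  rule "unescaped output" \
    '^[[:space:]]*(echo|print)[[:space:]].*\$[A-Za-z_]' \
    'esc_html|esc_attr|esc_url|esc_js|esc_textarea|wp_kses' "$f"
  rule "hardcoded secret" \
    "define\\([[:space:]]*$Q[A-Za-z0-9_]*(KEY|SECRET|TOKEN|PASSWORD)[A-Za-z0-9_]*$Q[[:space:]]*,[[:space:]]*$Q|\\\$[a-z_]*(api_key|secret|token|password)[a-z_]*[[:space:]]*=[[:space:]]*$Q" \
    "" "$f"
}

# Number of findings for FILE (0 when clean).
count_findings() {
  scan_plugin "$1" | grep -c . || true
}

echo "== vulnerable sample =="; scan_plugin "$VULN"
echo "== fixed sample (expect no output) =="; scan_plugin "$FIXED"
```

The fixed version shows the three-step pattern from the bullet above in one function: sanitize on the way in (wp_unslash then sanitize_text_field), prepare the query (esc_like for the LIKE wildcard, %s placeholder), and escape on the way out (esc_html). Validating functionality afterwards means checking that a search for a term containing a quote or a percent sign still returns the right rows.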
6. Continuous Monitoring & Maintenance
Security is ongoing:
- Updates: keep WordPress, plugins and the Bitnami stack up to date (for the stack itself that means migrating to a newer image when the bundled PHP or database reaches end of life).
- Backups: schedule automated Lightsail snapshots and WordPress database backups. Lightsail keeps automatic snapshots for only seven days, so take a manual snapshot when you need longer retention.
- Monitoring: use Lightsail's built-in metric alarms for CPU, network and status checks; for log-based detection, install the CloudWatch agent on the instance or ship the Apache logs to a log pipeline you already run.
Hands-On Exercise:
- Set up automated Lightsail snapshots.
- Schedule AIOS database backups.
- Test restoring a snapshot or backup to ensure recovery works; a backup that has never been restored is an assumption, not a backup.
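The snapshot and backup steps as a script, added here as an example and not from the original tutorial or from Bitnami. It assumes the AWS CLI is configured on the machine running the `snapshots` subcommand, a Bitnami layout on the instance (wp-config.php at /opt/bitnami/wordpress/wp-config.php, mysqldump on the PATH), and uses a mysqldump cron job as a supplement to the AIOS backup schedule, not a replacement for it. The dump check is the cheap pre-restore sanity test; it does not replace actually restoring into a scratch database.

```shell
#!/bin/sh
# Added example (not from the original tutorial): enable Lightsail automatic
# snapshots, dump the WordPress database with credentials read from
# wp-config.php, and sanity-check the dump before trusting it.
# Assumptions: AWS CLI configured where "snapshots" runs; Bitnami layout on the
# instance (/opt/bitnami/wordpress, mysqldump on PATH); paths adjustable below.
# Usage:  sh wp-backup.sh snapshots <instance-name> [HH:MM UTC]
#         sh wp-backup.sh backup   (cron: 0 3 * * * sh /home/bitnami/wp-backup.sh backup)
set -eu

WP_CONFIG=${WP_CONFIG:-/opt/bitnami/wordpress/wp-config.php}
BACKUP_DIR=${BACKUP_DIR:-/home/bitnami/backups}

# Lightsail keeps only the seven most recent automatic snapshots; take a
# manual one (create-instance-snapshot) for anything you need to keep longer.
enable_auto_snapshots() {  # enable_auto_snapshots INSTANCE HH:MM
  aws lightsail enable-add-on --resource-name "$1" \
    --add-on-request "addOnType=AutoSnapshot,autoSnapshotAddOnRequest={snapshotTimeOfDay=$2}"
}

# Value of define('KEY', 'value') in wp-config.php, either spacing style.
wp_config_value() {  # wp_config_value FILE KEY
  sed -nE "s/^[[:space:]]*define\([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'([^']*)'.*/\1/p" "$1" | head -n 1
}

# The table prefix ($table_prefix = 'wp_';), which AIOS may have changed.
wp_table_prefix() {  # wp_table_prefix FILE
  sed -nE "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'([^']*)'.*/\1/p" "$1" | head -n 1
}

# Dump to a gzip file readable only by the backup user; the password goes
# through the environment so it never appears in `ps`.
backup_db() {
  db=$(wp_config_value "$WP_CONFIG" DB_NAME)
  user=$(wp_config_value "$WP_CONFIG" DB_USER)
  host=$(wp_config_value "$WP_CONFIG" DB_HOST)   # Bitnami writes host:port
  mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
  out="$BACKUP_DIR/$db-$(date +%Y%m%d-%H%M).sql.gz"
  MYSQL_PWD="$(wp_config_value "$WP_CONFIG" DB_PASSWORD)" \
    mysqldump --single-transaction --host="${host%%:*}" --user="$user" "$db" | gzip > "$out"
  chmod 600 "$out"
  echo "$out"
}

# A dump is only a backup if it restores. Cheap checks short of a restore:
# valid gzip, at least one CREATE TABLE, and the options table present
# (WordPress cannot boot without it). Returns 1 on any failure.
verify_dump() {  # verify_dump FILE [PREFIX]
  f="$1"; prefix="${2:-wp_}"
  gzip -t "$f" 2>/dev/null || { echo "corrupt gzip: $f"; return 1; }
  tables=$(gzip -dc "$f" | grep -c '^CREATE TABLE' || true)
  [ "$tables" -gt 0 ] || { echo "no CREATE TABLE statements in $f"; return 1; }
  gzip -dc "$f" | grep -q "^CREATE TABLE \`${prefix}options\`" \
    || { echo "missing ${prefix}options table in $f"; return 1; }
  echo "$f: $tables tables, ${prefix}options present"
}

case "${1:-}" in
  snapshots) enable_auto_snapshots "$2" "${3:-06:00}" ;;
  backup)    dump=$(backup_db); verify_dump "$dump" "$(wp_table_prefix "$WP_CONFIG")" ;;
esac
```

For the restore test, create a fresh instance from a snapshot with `aws lightsail create-instances-from-snapshot` and load a verified dump into it; only then do you know both halves of the recovery path work.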
Key Takeaways
- Even managed stacks like Lightsail + Bitnami + WordPress require careful security hardening.
- AIOS helps, but you must also secure the cloud and server layers.
- Hands-on exercises reinforce best practices more effectively than theory alone.
Downloadable Lab Slides
The slides contain diagrams, commands, screenshots, and step-by-step exercises so you can follow along.
Additional Resources