Hands-On Web Application Security: From Cloud to Code (AWS Lightsail + Bitnami + WordPress)

October 17, 2025
Reading Time: 5 mins read
in Tutorials

WordPress powers a large portion of the web, but its popularity makes it a common target for attacks. This hands-on tutorial guides you through securing a WordPress site deployed via Bitnami on AWS Lightsail, covering everything from cloud setup to code-level hardening. Download the slides to follow along step by step.

Download Lab Slides Here

1. Understanding the Attack Surface

Even in a simplified stack like Lightsail + Bitnami + WordPress, there are multiple layers to secure:

  • Cloud Layer (Lightsail): Instances, firewalls, IAM permissions.

  • Server Layer (Bitnami Stack): Apache/Nginx, MySQL, PHP configuration.

  • WordPress Application: Plugins, themes, user authentication.

  • Code Layer: Custom themes or plugin code, hardcoded secrets, unsafe inputs.

Think of it like a layered cake: even if the top layer looks safe (WordPress), a weak foundation (Lightsail server misconfiguration) can spoil the whole cake.


2. Securing AWS Lightsail

Lightsail makes deployment simple, but default configurations need hardening:

  • Firewall Rules: Only allow HTTP/HTTPS and SSH from trusted IPs.

  • SSH Security: Use key pairs, disable password login, and optionally change the default port.

  • Automatic Backups & Snapshots: Schedule snapshots to quickly recover from compromises.

  • Monitoring: Enable Lightsail metrics and logs for unusual CPU/network spikes.

Hands-On Exercise:

  1. Launch a WordPress instance on Lightsail with Bitnami.

  2. Review firewall and SSH settings; lock down SSH access.

  3. Take a snapshot of your instance before making changes.
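To make the "lock down SSH access" step checkable rather than eyeballed, here is an added audit script that is not part of the tutorial or its slides. It reads an sshd_config the way sshd does (first occurrence wins, comments ignored) and reports the settings that still permit password logins; the file paths and both sample configs are constructed for the dry run, and the PermitRootLogin check goes one step beyond the list above.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit an sshd_config against the
# "key pairs only, no password login" point above. Paths and both sample
# configs are constructed; on a Bitnami instance point it at /etc/ssh/sshd_config.

# Effective value of a keyword. sshd honours the FIRST occurrence, keywords are
# case-insensitive, and '#' lines are comments (a common trap is a live
# "PasswordAuthentication yes" sitting below a commented-out "no").
sshd_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# Findings go to stderr; the count of findings is echoed on stdout.
audit_sshd() {
    cfg="$1"; n=0
    if [ "$(sshd_value PasswordAuthentication "$cfg")" != "no" ]; then
        echo "FAIL: PasswordAuthentication is not 'no' (password logins still possible)" >&2
        n=$((n + 1))
    fi
    # Keyboard-interactive auth can still prompt for a password via PAM, so an
    # explicit 'yes' on either spelling of the keyword undoes the setting above.
    for kw in KbdInteractiveAuthentication ChallengeResponseAuthentication; do
        if [ "$(sshd_value "$kw" "$cfg")" = "yes" ]; then
            echo "FAIL: $kw is 'yes' (password prompts via PAM)" >&2
            n=$((n + 1))
        fi
    done
    pk="$(sshd_value PubkeyAuthentication "$cfg")"      # absent means the default, yes
    if [ -n "$pk" ] && [ "$pk" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is disabled" >&2
        n=$((n + 1))
    fi
    if [ "$(sshd_value PermitRootLogin "$cfg")" != "no" ]; then
        echo "WARN: PermitRootLogin is not 'no' (stricter than the list above, but cheap)" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample resembling a distribution default, including the trap.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
PubkeyAuthentication yes
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF
}

# Constructed sample after hardening.
write_hardened_config() {
    cat > "$1" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
EOF
}

# Dry run: ./sshd_audit.sh --demo   (or: audit_sshd /etc/ssh/sshd_config on the instance)
if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp)"
    write_sample_config "$tmp";   echo "stock-like config: $(audit_sshd "$tmp") finding(s)"
    write_hardened_config "$tmp"; echo "hardened config:   $(audit_sshd "$tmp") finding(s)"
    rm -f "$tmp"
fi
```

After editing the real file, validate it with `sudo sshd -t` before restarting the service, and keep your current session open while you confirm a key-based login from a second terminal, so a typo cannot lock you out. The Lightsail firewall itself (the "SSH from trusted IPs" rule) lives in the Lightsail console, not in this file, so the script does not cover it.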


3. Securing Bitnami WordPress Stack

Bitnami packages WordPress with Apache/Nginx, MySQL, and PHP—all need configuration:

  • Update the Stack: Keep WordPress, PHP, and MySQL up-to-date using bncert-tool or Bitnami update scripts.

  • SSL/TLS: Use the Bitnami HTTPS configuration tool to enable Let’s Encrypt SSL.

  • File Permissions: Ensure the WordPress files have correct ownership (bitnami:daemon) and permissions (644 for files, 755 for directories).

  • Disable Directory Listings: Prevent attackers from browsing directories.

Hands-On Exercise:

  1. Run sudo /opt/bitnami/bncert-tool to configure SSL.

  2. Test HTTPS in a browser and verify SSL/TLS strength with SSL Labs.

  3. Review /opt/bitnami/apps/wordpress/htdocs permissions.
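Step 3 and the "Disable Directory Listings" bullet are easier to repeat after every plugin update if they are scripted. The script below is an added example, not from the tutorial or Bitnami: it lists every file or directory that departs from the 644/755 and bitnami:daemon baseline, applies the modes, and greps an Apache config fragment for `Options` lines that still enable `Indexes` (the directive that controls directory listings). The document root, owner and group are arguments; the sample tree and vhost fragment are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit a WordPress document root against
# the baseline above (files 644, directories 755, owner bitnami:daemon) and
# check an Apache config fragment for directory listings. Root, owner and group
# are arguments, so it runs on /opt/bitnami/apps/wordpress/htdocs as well as on
# the constructed sample tree below.

# One offender per line as "<kind> <path>". wp-config.php holds the database
# credentials, so the tighter 640/600 is accepted for that single file.
find_offenders() {
    root="$1"; owner="$2"; group="$3"
    find "$root" -type f ! -perm 644 \
        ! \( -name wp-config.php \( -perm 640 -o -perm 600 \) \) \
        -exec sh -c 'for f; do echo "file-mode $f"; done' _ {} +
    find "$root" -type d ! -perm 755 \
        -exec sh -c 'for d; do echo "dir-mode $d"; done' _ {} +
    # Ownership check; run as root on the instance so every entry can be read.
    find "$root" \( ! -user "$owner" -o ! -group "$group" \) \
        -exec sh -c 'for p; do echo "owner $p"; done' _ {} +
}

count_offenders() {
    find_offenders "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Apply the baseline modes. Ownership is a separate, root-only step:
#   sudo chown -R bitnami:daemon <root>
fix_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
}

# Print Apache "Options" lines that still enable Indexes (directory listing).
# Empty output means listings are off in that file.
listing_enabled() {
    grep -nE '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?Indexes' "$1" || true
}

# Constructed sample tree with two deliberate offenders.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins/demo"
    for f in index.php wp-config.php wp-content/plugins/demo/demo.php; do
        echo '<?php // constructed placeholder' > "$root/$f"
    done
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 640 "$root/wp-config.php"                      # tighter than baseline: allowed
    chmod 777 "$root/wp-content/uploads"                 # world-writable dir: offender
    chmod 666 "$root/wp-content/plugins/demo/demo.php"   # world-writable file: offender
    echo "$root"
}

# Constructed vhost fragment with listings left on.
make_sample_vhost() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
<Directory "/opt/bitnami/wordpress">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
EOF
    echo "$f"
}

# Dry run: ./wp_perms_audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree="$(make_sample_tree)"
    echo "before fix: $(count_offenders "$tree" "$(id -un)" "$(id -gn)") offender(s)"
    find_offenders "$tree" "$(id -un)" "$(id -gn)"
    fix_modes "$tree"
    echo "after fix:  $(count_offenders "$tree" "$(id -un)" "$(id -gn)") offender(s)"
    vhost="$(make_sample_vhost)"
    echo "listing enabled at:"; listing_enabled "$vhost"
    rm -rf "$tree" "$vhost"
fi
```

On the instance, run the audit as root so the ownership check can stat every entry, and re-run it after each plugin or theme install, since installers are a common source of world-writable files. The fix for a listing finding is `Options -Indexes` in the matching `<Directory>` block, followed by an Apache restart.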

4. Securing WordPress (AIOS)

The AIOS (All-in-One Security) plugin simplifies WordPress security but requires proper configuration:

  • Login Security: Enable two-factor authentication, limit login attempts, and rename the login URL.

  • File Integrity Monitoring: Detect changes in core files, plugins, and themes.

  • Database Security: Change default table prefix and schedule database backups.

  • Firewall & Brute Force Protection: Block malicious IPs and monitor traffic.

Hands-On Exercise:

  1. Install AIOS (All-in-One Security).

  2. Follow the plugin wizard to configure firewall, login, and file integrity settings.

  3. Test login throttling and two-factor authentication.


5. Securing Custom Code & Plugins

Even with AIOS, vulnerabilities in themes or custom plugins can be exploited:

  • Avoid Hardcoding Secrets: Use wp-config.php and environment variables for API keys.

  • Check Plugins & Themes: Only use reputable sources; update regularly.

Hands-On Exercise:

  1. Introduce a sample vulnerable plugin (or review an existing one).

  2. Scan it with a static analyzer.

  3. Apply fixes and validate functionality.
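For the three exercise steps above, here is an added example that is not from the tutorial: a constructed, deliberately weak plugin file with a hardcoded secret, raw request input and an unprepared `$wpdb` query, a grep-based first-pass scanner that flags those patterns, and the same plugin after the fixes (secret read from the environment or a wp-config.php constant, input run through WordPress sanitizers and escapers, query built with `$wpdb->prepare`). The patterns are heuristics and the plugin names are invented; a proper static analyzer, such as PHP_CodeSniffer with the WordPress Coding Standards ruleset, covers far more than this.

```shell
#!/bin/sh
# Added example, not from the tutorial: a small grep-based static check for the
# two code-layer issues named above (hardcoded secrets, unsafe request input)
# plus unprepared $wpdb queries. The plugin files are constructed; on a real
# site point it at wp-content/plugins/<plugin>/*.php. It is a first pass, not a
# replacement for a full static analyzer.

SECRET_ASSIGN="(api_?key|secret|passw(or)?d|token)[^=]*=[[:space:]]*['\"][^'\"]+['\"]"
SECRET_DEFINE="define\([[:space:]]*['\"][^'\"]*(KEY|SECRET|PASS|TOKEN)[^'\"]*['\"][[:space:]]*,[[:space:]]*['\"][^'\"]+['\"]"
RAW_INPUT='\$_(GET|POST|REQUEST|COOKIE)\['
# WordPress helpers that make a line acceptable when they appear on it.
SANITIZERS='sanitize_|esc_|absint\(|intval\(|wp_unslash\('
RAW_SQL='\$wpdb->(query|get_results|get_var|get_row|get_col)\('

# One finding per line: "<kind>:<lineno>:<source line>".
scan_plugin() {
    f="$1"
    grep -niE "$SECRET_ASSIGN" "$f" | sed 's/^/secret:/'
    grep -niE "$SECRET_DEFINE" "$f" | sed 's/^/secret:/'
    grep -nE "$RAW_INPUT" "$f" | grep -vE "$SANITIZERS" | sed 's/^/input:/'
    grep -nE "$RAW_SQL" "$f" | grep -v 'prepare(' | sed 's/^/sql:/'
}

count_findings() {
    scan_plugin "$1" | wc -l | tr -d ' '
}

# Constructed "before" plugin: deliberately weak, the kind of file step 1 asks for.
write_weak_plugin() {
    cat > "$1" <<'EOF'
<?php
/* Plugin Name: Demo Greeter (constructed, deliberately weak) */
define( 'DEMO_API_KEY', 'EXAMPLE_KEY_0123456789' );

function demo_greet() {
    echo 'Hello ' . $_GET['name'];
}

function demo_lookup() {
    global $wpdb;
    return $wpdb->get_results( "SELECT * FROM {$wpdb->posts} WHERE ID = " . $_GET['id'] );
}
EOF
}

# Constructed "after" plugin: the same behaviour with the fixes applied.
write_fixed_plugin() {
    cat > "$1" <<'EOF'
<?php
/* Plugin Name: Demo Greeter (constructed, hardened) */
// The value comes from the environment or a constant set in wp-config.php.
$demo_api_key = getenv( 'DEMO_API_KEY' );

function demo_greet() {
    $name = isset( $_GET['name'] ) ? sanitize_text_field( wp_unslash( $_GET['name'] ) ) : '';
    echo 'Hello ' . esc_html( $name );
}

function demo_lookup() {
    global $wpdb;
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    return $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $id ) );
}
EOF
}

# Dry run: ./plugin_scan.sh --demo
if [ "${1:-}" = "--demo" ]; then
    weak="$(mktemp)"; fixed="$(mktemp)"
    write_weak_plugin "$weak"; write_fixed_plugin "$fixed"
    echo "weak plugin, $(count_findings "$weak") finding(s):"; scan_plugin "$weak"
    echo "fixed plugin, $(count_findings "$fixed") finding(s)"
    rm -f "$weak" "$fixed"
fi
```

The scanner reports four findings on the weak file (one secret, two raw inputs, one unprepared query) and none on the fixed one. Step 3's "validate functionality" still has to be done by hand: the hardened `demo_greet` prints the same greeting, but `demo_lookup` now returns nothing for a non-numeric id instead of passing it into SQL, which is the intended change in behaviour.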


6. Continuous Monitoring & Maintenance

Security is ongoing:

  • Updates: Keep WordPress, plugins, and the Bitnami stack up-to-date.

  • Backups: Schedule automated Lightsail snapshots and WordPress backups.

  • Monitoring: Enable CloudWatch or other monitoring to detect unusual activity.

Hands-On Exercise:

  1. Set up automated Lightsail snapshots.

  2. Schedule AIOS database backups.

  3. Test restoring a snapshot or backup to ensure recovery works.

Key Takeaways

  • Even managed stacks like Lightsail + Bitnami + WordPress require careful security hardening.

  • AIOS helps, but you must also secure the cloud and server layers.

  • Hands-on exercises reinforce best practices more effectively than theory alone.


Downloadable Lab Slides

The slides contain diagrams, commands, screenshots, and step-by-step exercises so you can follow along.

Additional Resources

  • Bitnami WordPress Security

  • AWS Lightsail Security Best Practices

  • AIOS Plugin Documentation

© 2025 | CyberMaterial | All rights reserved