
Hi

Discussion in 'Introductions' started by slugmug, Sep 3, 2015.

  1. slugmug

    slugmug New Member

    Hi.

    I've played with Centminmod in the past, but ended up wanting to set up everything myself. I'm currently on a VPS at Digital Ocean. Now I'm getting to be done with 100% self-management and am looking to make things easier. I've looked at managed VPS hosting, but it seems that it's really not that managed in the lower plans or it's too locked down (and quite expensive) in the higher ones. Then there are services like serverpilot and cloudways, but I'm not sure if it's that much of a value-add compared to something like Centminmod (especially if you're used to managing servers yourself).

    The main question I have, and I apologize if this isn't the right forum to ask, is how secure is Centminmod out of the box? Are there common extra security measures that are recommended before launching an eCommerce site with WordPress and a membership plugin using PayPal Pro? I've browsed the FAQ and searched the forums, but I couldn't find a definitive (e.g., "one page") answer/guide. And I don't mean making sure the application has secure code or adding a third-party WAF, etc. I'm wondering about the server itself.

    Thanks and it's nice to meet y'all.

     
  2. rdan

    rdan Well-Known Member

    I know Centminmod is secured enough out of the box.
    CSF is auto-installed and configured, and there is an open_basedir restriction for PHP-FPM.
    Specific to WP sites, wp-login.php/wp-admin are already protected with a 2nd layer of Nginx auth.
    Most of your packages are kept updated (Nginx, PHP, MariaDB, CSF, OpenSSL, Memcached), so you will have security patches applied instantly.

    Plus, if you really want more, disable root login and password-based SSH.
     
  3. slugmug

    slugmug New Member

    Thanks for the quick reply. I usually do these (and change the SSH port, which looks like it's a menu option) anyway.
    Is there a resource for that? I depend on a plugin that, unfortunately, needs to run something that depends on a file in that folder. Basically, the user clicks a link and a needed item is generated, but it takes an HTTPS trip beneath wp-admin to get there. Assuming that the user is already logged on, would this 2nd layer interfere?
     
  4. eva2000

    eva2000 Administrator Staff Member

    Welcome @slugmug to the Centmin Mod Community.

    Out of the box, Centmin Mod is pretty much secure in that if you left it alone in its default configuration you would be fine, provided you had a strong root password and not a weak one. It's only when you start adding web apps and scripts that security would depend on the weakest link, i.e. web-app-level insecurity or bugs.

    This only applies to centmin.sh menu option 22 created WordPress sites, of course.

    @slugmug you can read about that at Beta Branch - Preview: Wordpress + WP Super Cache installer - centmin.sh option 22 | Centmin Mod Community. In such cases you can poke holes in the HTTP authentication by defining specific files or directories in their own location context match, outside of the protection, similar to this: Nginx - Exclude certain folder from 404 redirect for pictures | Centmin Mod Community
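An added illustration of the exclusion described above (this is not Centmin Mod's own configuration; the htpasswd path, the `php-fpm` upstream name and the choice of `/wp-admin/admin-ajax.php` as the plugin's endpoint are assumptions): an exact-match location is evaluated before the `/wp-admin/` prefix location, so it can switch the second layer off for that one file while everything else under wp-admin keeps it.

```nginx
# Added example, not from the Centmin Mod project.
# Assumptions: htpasswd file at /etc/nginx/htpasswd/wp-admin (constructed path),
# an upstream named "php-fpm", and the plugin endpoint at /wp-admin/admin-ajax.php.

# Exception: "location =" is checked first and ends the search, so this single
# file bypasses the HTTP auth layer. WordPress's own cookie and nonce checks
# still run inside the script; no other path under /wp-admin/ is exposed.
location = /wp-admin/admin-ajax.php {
    auth_basic off;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php-fpm;
}

# Second layer for the rest of the admin area. "^~" stops nginx from also
# trying regex locations defined elsewhere for these paths.
location ^~ /wp-admin/ {
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd/wp-admin;
    try_files $uri $uri/ /index.php?$args;

    # auth_basic is inherited by this nested location, so PHP scripts under
    # /wp-admin/ are covered as well, not just static files.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php-fpm;
    }
}

# The login page gets the same layer.
location = /wp-login.php {
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd/wp-admin;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php-fpm;
}
```

Check it with `nginx -t`, then an unauthenticated `curl -I` against `/wp-admin/` (expect 401) and against the excluded file (expect whatever WordPress itself answers, not 401).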
     