Hello. I’m pretty new here. I just managed to get my Raspberry Pi setup at home to selfhost a simple website that will act as my portfolio for some art I do.

I’m using WordPress to make the content of the website, meaning it runs on Apache, MariaDB and MySQL in the background. It’s connected via port 80 since I don’t want to pay for SSL certificates to setup https. There will be no accounts or transactions happening on my website. I don’t have anything to manage my dynamic IP but I’ll figure that out later. I’ve deleted the default Pi user on the RPi.

Are there security issues I should address preemptively? I’m worried for instance that I am exposing my home network, making it easier for someone to breach into whatever is connected there.

Any tips on making sure my setup is secure?

  • PSoul•Lemmy@lemmy.worldOP
    link
    fedilink
    English
    arrow-up
    2
    ·
    1 day ago

    Alright everyone, thank you so much for your thoughtful recommendations! To sum it up, here’s what I have done:

    • I used let’s encrypt’s Certbot to get my SSL certs and setup https, auto-renew every 3 months and I setup a reminder to update Certbot every month.
    • I setup a permanent redirect from http to https in Apache
    • I installed a firewall on the Pi, only 80, 443 and [22 from my computer to the RPi] are open. I couldn’t find the firewall settings on my router but I assume they exist since I had to forward 80 and 443 there.
    • installed the following plugins: WordFence and WP Fail2Ban
    • changed the user password on the pi to a better longer one

    I think I should be all set, shouldn’t I?

    • Sproutling@lemmy.ml
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 day ago

      You may want to consider dockerizing your services just for maintainability and isolation from your host. I recommend something like Nginx Proxy Manager to serve as the “main entrance” for your docker network and to handle Let’s Encrypt for you.

      • werefreeatlast@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 hours ago

        I second this. I didn’t understand that until…you know, like you install the latest python or something and then your website is proof! Gone. Dockerization gives it a little bit of stability.