5.0 KiB
Security Policy
Supported Versions
We actively support the following versions of this project with security updates:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| 0.x.x | ❌ |
Reporting a Vulnerability
We take the security of our software seriously. If you believe you have found a security vulnerability in this project, please report it to us as described below.
Where to Report
Please do not report security vulnerabilities through public GitHub issues.
Instead, please use GitHub's private vulnerability reporting feature or create a private issue.
What to Include
Please include the following information in your report:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
Response Timeline
- We will acknowledge receipt of your vulnerability report within 48 hours
- We will provide a detailed response within 7 days indicating next steps
- We will notify you when the vulnerability has been fixed
- We will coordinate with you on disclosure timing
Safe Harbor
We support safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- Only interact with accounts you own or with explicit permission of the account holder
- Do not access data that doesn't belong to you
- Report vulnerabilities as soon as possible after discovery
- Do not exploit a security issue for purposes other than verification
Security Best Practices
When using this project, please follow these security best practices:
Server Security
- Keep your operating system and all packages up to date
- Use strong passwords and SSH keys for authentication
- Configure firewall rules to restrict access
- Regularly review and rotate credentials
- Enable automatic security updates where possible
WordPress Security
- Keep WordPress core, themes, and plugins updated
- Use strong passwords for WordPress admin accounts
- Enable two-factor authentication
- Regularly backup your WordPress site and database
- Use security plugins like Wordfence or Sucuri
- Limit login attempts and implement IP blocking
SSL/TLS Security
- Use strong SSL/TLS configurations
- Regularly renew SSL certificates
- Implement HSTS headers
- Use secure cipher suites
Ansible Security
- Use Ansible Vault for sensitive variables
- Store secrets in external credential stores when possible
- Regularly rotate SSH keys and passwords
- Use least privilege principles for Ansible users
- Keep Ansible and its dependencies updated
Database Security
- Use strong database passwords
- Limit database user permissions
- Enable database logging and monitoring
- Regularly backup databases
- Use encrypted connections to databases
Known Security Considerations
Default Configurations
- The project includes development-friendly defaults that may not be suitable for production
- Review all default passwords and change them before production deployment
- SSL is optional but strongly recommended for production use
Network Security
- The project opens standard web ports (80, 443)
- SSH access is required for Ansible deployment
- Consider using VPN or bastion hosts for enhanced security
Third-Party Dependencies
- This project installs various third-party packages
- Regularly update these dependencies for security patches
- Monitor security advisories for WordPress, Nginx, MySQL, and PHP
Security Features
This project includes several security features:
- SSL/HTTPS support with modern TLS configuration (TLS 1.2/1.3)
- Nginx security headers (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, etc.)
- HSTS (HTTP Strict Transport Security) for SSL-enabled deployments
- Secure WordPress configurations out of the box
- Database security hardening with user privilege restrictions
- File permission hardening for WordPress files and directories
- Strong SSL cipher suites and secure session handling
Contributing to Security
If you'd like to contribute to the security of this project:
- Review the code for potential security issues
- Suggest security improvements in pull requests
- Help maintain documentation about security best practices
- Participate in security-related discussions
Acknowledgments
We would like to thank the following individuals who have helped improve the security of this project:
Thank you for helping keep our project and our users safe!
Maintainer: Sebastian Palencsár
Copyright: (c) 2025 Sebastian Palencsár