DEV Community

Sharon

Prevent Attacks on Your WordPress Site with Docker and SafeLine WAF

I recently set up a new cloud server to host a WordPress website using a decoupled architecture. The goal was to separate the web and database servers, leverage Docker for containerization, and configure Nginx as a reverse proxy. On top of that, I enhanced security by deploying SafeLine WAF locally to filter and monitor all incoming traffic.


Architecture Overview

The setup is based on Docker, which provides isolated environments for the web service. I used Portainer for graphical management of Docker containers. Nginx, installed directly on the server, acts as a reverse proxy.

Traffic flow is structured as follows:

  1. The server listens on port 81 for internal web services.
  2. SafeLine WAF binds to the domain on port 80, intercepting and filtering incoming requests.
  3. WAF forwards traffic back to port 81, which is then routed to port 8080, finally reaching the WordPress container.

This configuration ensures that all external traffic passes through the WAF first, enhancing security while maintaining efficiency.


Technical Details

SSH Access to Ubuntu Server

The default username for Ubuntu is ubuntu, and the root account is not assigned a password during installation by default. Always ensure proper user and permission management for security.

Docker Mapping and Communication

You can define Docker volume mappings using the -v parameter. For example, to map a local hard drive /data to the WordPress container’s web directory:

docker run -v /data:/var/www/html <your_wordpress_image>

Configuring MySQL Container

After starting your MySQL container, external access must be configured:

docker exec -it mysql5.7 bash
mysql -u root -p
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;

⚠️ Note: Granting full privileges to root is insecure for production. It’s recommended to create a dedicated MySQL user with a strong password for external access.

Connecting Docker to a Local Database Host

To connect a container to a local database host:

  • Use host.docker.internal (for Docker Desktop environments)
  • For Dockerized MySQL, find the container’s IP with:
docker inspect <mysql-container-name> | grep IPAddress

Nginx Reverse Proxy Configuration

While setting up Nginx as a reverse proxy, I encountered two common issues:

  1. Redirection Loop: Simply using proxy_pass http://<host_ip>:8080; can trigger a redirect loop. Fix it by adding:
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  2. WAF Bypass by Port Redirection: Users clicking certain links or buttons may bypass the WAF if redirected to another port. This can be temporarily mitigated with proper Nginx configuration.
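
A check for the port-redirection bypass described above, as an added example that is not part of the original post: it flags redirects whose Location points at a non-WAF port, and backend listeners not bound to loopback (a firewall may still block those). Ports 81 and 8080 come from the article; port 443, the hostname blog.example.com and all sample data are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

PUBLIC_PORTS = {80, 443}      # WAF-facing ports (80 per the article; 443 is an assumption)
BACKEND_PORTS = {81, 8080}    # Nginx and WordPress container ports from the article

def leaky_redirects(responses):
    """Return (request_url, location) pairs whose redirect leaves the WAF's ports."""
    leaks = []
    for url, status, location in responses:
        if status not in (301, 302, 303, 307, 308) or not location:
            continue
        target = urlsplit(location)
        if not target.netloc:          # relative redirect stays on the WAF origin
            continue
        default = 443 if target.scheme == "https" else 80
        if (target.port or default) not in PUBLIC_PORTS:
            leaks.append((url, location))
    return leaks

def exposed_backends(ss_output):
    """Return backend listeners in `ss -tln` output that are not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        loopback = addr.startswith("127.") or addr == "[::1]"
        if port.isdigit() and int(port) in BACKEND_PORTS and not loopback:
            exposed.append(fields[3])
    return exposed

# Constructed sample data (not captured from a real server).
SAMPLE_RESPONSES = [
    ("http://blog.example.com/wp-admin", 302, "http://blog.example.com:8080/wp-login.php"),
    ("http://blog.example.com/about", 301, "http://blog.example.com/about/"),
    ("http://blog.example.com/feed", 302, "/feed/"),
]
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:81        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:8080      0.0.0.0:*
"""
if __name__ == "__main__":
    for url, loc in leaky_redirects(SAMPLE_RESPONSES):
        print(f"redirect leaves WAF ports: {url} -> {loc}")
    for listener in exposed_backends(SAMPLE_SS):
        print(f"backend listener not on loopback: {listener}")
```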


Conclusion

By carefully configuring Docker, Nginx, and SafeLine WAF, I successfully built a secure and efficient WordPress environment. This setup ensures:

  • All web traffic is filtered and monitored by WAF
  • Internal services remain isolated and efficient
  • Security and performance are balanced

These steps provide a practical blueprint for anyone looking to deploy a secure WordPress site using containerization and a robust WAF layer.


Join the SafeLine Community

If you continue to experience issues, feel free to contact SafeLine support for further assistance.
