{"id":1677,"date":"2025-07-14T18:05:17","date_gmt":"2025-07-14T23:05:17","guid":{"rendered":"https:\/\/zewwy.ca\/?p=1677"},"modified":"2025-07-14T20:15:31","modified_gmt":"2025-07-15T01:15:31","slug":"fixing-wordpress-security-recommendations","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2025\/07\/14\/fixing-wordpress-security-recommendations\/","title":{"rendered":"Fixing WordPress Security Recommendations"},"content":{"rendered":"<h1 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Fixing_WordPress_Security_Recommendations\"><\/span>Fixing WordPress Security Recommendations<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>So.. I log into my WordPress server, and under site health on the Dashboard, the yellow&#8230; basically sayin&#8230;. &#8220;Do better&#8221;<\/p>\n<p>Anyway, I asked Co-Pilot for help on this (Specifically about the warning about a dated PHP version [7.4]), and it basically said:<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%9B%A0%EF%B8%8F_Update_PHP_for_Your_WordPress_Site\"><\/span>\ud83d\udee0\ufe0f Update PHP for Your WordPress Site<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>1. <strong>Check Your Current PHP Version<\/strong><\/p>\n<ul>\n<li>Go to your WordPress dashboard<\/li>\n<li>Navigate to <strong>Tools &gt; Site Health &gt; Info tab<\/strong><\/li>\n<li>Expand the <strong>Server<\/strong> section to see your PHP version<\/li>\n<\/ul>\n<p>2. <strong>Back Up Your Site First<\/strong><\/p>\n<ul>\n<li>Use a plugin like <strong>UpdraftPlus<\/strong> or <strong>Duplicator<\/strong><\/li>\n<li>Save both your files and database\u2014just in case something breaks<\/li>\n<\/ul>\n<p>3. 
<strong>Update PHP via Hosting Control Panel<\/strong><\/p>\n<p>Depending on your host, the process varies slightly:<\/p>\n<div>\n<div>\n<table>\n<thead>\n<tr>\n<th>Hosting Provider<\/th>\n<th>How to Update PHP<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Bluehost<\/strong><\/td>\n<td>Go to <strong>Websites &gt; Settings &gt; PHP Version<\/strong>, choose the latest version<\/td>\n<\/tr>\n<tr>\n<td><strong>SiteGround<\/strong><\/td>\n<td>Use <strong>Site Tools &gt; Devs &gt; PHP Manager<\/strong>, select manual update<\/td>\n<\/tr>\n<tr>\n<td><strong>Hostinger<\/strong><\/td>\n<td>Go to <strong>Websites &gt; Manage &gt; PHP Configuration<\/strong>, pick a new version<\/td>\n<\/tr>\n<tr>\n<td><strong>cPanel Hosts<\/strong><\/td>\n<td>Use <strong>MultiPHP Manager<\/strong> under the <strong>Software<\/strong> section<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<div><\/div>\n<\/div>\n<p>If you\u2019re unsure where to find this, your host\u2019s support team can guide you.<\/p>\n<p>4. <strong>Test Compatibility<\/strong><\/p>\n<ul>\n<li>Use the <strong>PHP Compatibility Checker<\/strong> plugin to scan for issues<\/li>\n<li>Or create a <strong>staging site<\/strong> to test the update safely<\/li>\n<\/ul>\n<p>5. <strong>Update WordPress, Plugins, and Themes<\/strong><\/p>\n<ul>\n<li>Make sure everything is up to date before switching PHP versions<\/li>\n<li>This reduces the chance of conflicts<\/li>\n<\/ul>\n<p>Great, except that I&#8217;m self-hosting&#8230; I have no interest in my access to a service being paywalled and managed via poorly coded websites.\u00a0 So I followed up with Co-Pilot, which then wanted me to add a third-party repo, in this specific case, a PPA &#8220;ondrej&#8221;. 
I had a couple of issues with this.<\/p>\n<ol>\n<li>This is known as a Frankenstein build.<\/li>\n<li>Managing third-party repos can cause issues, and is usually frowned upon.<\/li>\n<\/ol>\n<p>These are mentioned in <a href=\"https:\/\/www.reddit.com\/r\/debian\/comments\/198c1kh\/how_update_debian_82_without_installing_php_83\/\">this reddit post<\/a>, where a sysadmin was confused and this type of setup was instantly caught by others with experience. This is exactly what the AI was telling me to do; its reasoning was as follows:<\/p>\n<p>&#8220;Ubuntu\u2019s default repositories only include certain PHP versions\u2014usually the ones that were current when that Ubuntu release came out. So if you\u2019re on, say, Ubuntu 22.04 or 24.04, you might only get PHP 8.1 or 8.2 from the official repos. Anything newer (like PHP 8.3 or 8.4)? Not there yet.<\/p>\n<p>That\u2019s why developers lean on Ond\u0159ej Sur\u00fd\u2019s PPA (ppa:ondrej\/php). He\u2019s a trusted Debian developer who maintains up-to-date PHP packages for Ubuntu and Debian.&#8221;<\/p>\n<p>When asked why someone would have to install the actual maintainer&#8217;s repo, instead of those builds being pushed to the OS default repos, the AI stated this:<\/p>\n<p>&#8220;Here\u2019s the short version: distro maintainers often freeze package versions when they release a new OS version\u2014for stability and compatibility across thousands of other packages. So even if the upstream maintainer (like Ond\u0159ej) has newer PHP versions ready to go, the official Ubuntu repo won\u2019t touch them unless there\u2019s a security patch or they release a new Ubuntu version that includes the updated language package.&#8221;<\/p>\n<p>Anyway&#8230; instead of all this rubbish, it makes more sense to upgrade the base OS at this point. 
So let&#8217;s do that.<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%9B%A0%EF%B8%8F_Upgrading_Base_OS_Debain_11_to_12\"><\/span>\ud83d\udee0\ufe0f Upgrading Base OS Debian 11 to 12<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>1. <strong>Back Up Your System<\/strong><\/p>\n<p>You\u2019ve already got backups\u2014perfect. Just make sure you\u2019ve got <code>\/etc<\/code>, <code>\/var\/lib\/dpkg<\/code>, and <code>\/var\/lib\/apt\/extended_states<\/code> covered.<\/p>\n<p>2. <strong>Update Current System<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo apt update\r\nsudo apt upgrade\r\nsudo apt full-upgrade\r\nsudo apt --purge autoremove\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>3. <strong>Edit Your APT Sources<\/strong><\/p>\n<p>Replace all instances of <code>bullseye<\/code> with <code>bookworm<\/code> in your sources list:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo sed -i 's\/bullseye\/bookworm\/g' \/etc\/apt\/sources.list\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>If you use additional repos in <code>\/etc\/apt\/sources.list.d\/<\/code>, update those too:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo sed -i 's\/bullseye\/bookworm\/g' \/etc\/apt\/sources.list.d\/*\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Optionally, add the new <code>non-free-firmware<\/code> section:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo sed -i 's\/non-free\/non-free non-free-firmware\/g' \/etc\/apt\/sources.list\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>4. 
<strong>Refresh Package Index<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo apt update\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>5. <strong>Minimal Upgrade First<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo apt upgrade --without-new-pkgs\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>6. <strong>Full System Upgrade<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo apt full-upgrade\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Follow any prompts carefully\u2014especially ones about restarting services or replacing config files.<\/p>\n<p>7. <strong>Reboot<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo reboot\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>8. <strong>Verify Upgrade<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>lsb_release -a\r\ncat \/etc\/debian_version\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<div>After the reboot I was back into my WordPress admin portal, and the site warning was gone. Yay&#8230; but some still remain.. let&#8217;s see if we can clean these up.. one at a time:<\/div>\n<div><\/div>\n<div><a href=\"https:\/\/i.imgur.com\/nh55NuE.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/nh55NuE.png\" alt=\"\" width=\"830\" height=\"721\" \/><\/a><\/div>\n<div>Right, inactive plugins, that should be easy enough. Deleted 2 unused plugins, and sure enough the warning is gone. 
Same with themes, let&#8217;s do that next.<\/div>\n<div><\/div>\n<div>Appearance -&gt; Themes -&gt; Theme Details -&gt; Delete.<\/div>\n<div><\/div>\n<div>Older version of PHP&#8230; well, here we go again. So we went from a site warning to site good, but it still wants PHP 8.3&#8230; which was discussed above. Frankenstein the build, or wait for a new base OS? I&#8217;ll await Debian 13 instead of introducing a Frankenstein Debian build. We&#8217;ll ignore this warning.<\/div>\n<div><\/div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Recommended_Module_ZIP\"><\/span>Recommended Module: ZIP<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<div><\/div>\n<div><a href=\"https:\/\/i.imgur.com\/WEz4j0h.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/WEz4j0h.png\" alt=\"\" width=\"810\" height=\"218\" \/><\/a><\/div>\n<div><\/div>\n<div>This one is a bit annoying because it can go two ways:<\/div>\n<div><\/div>\n<div>1) Sure, I can install this module, but if I don&#8217;t need it why would I? Just to remove this warning, I suppose.<\/div>\n<div><\/div>\n<div>\n<p>Fair question\u2014and the short answer is: <em>probably not essential<\/em>, but it&#8217;s handy to have. \ud83d\udc4d<\/p>\n<p>The <code>zip<\/code> module isn\u2019t required for WordPress to function at a basic level. If your site is running smoothly, you\u2019re likely not using any plugins or features that rely on it yet. 
But here\u2019s why WordPress flags it:<\/p>\n<p>\ud83d\udce6 What the <code>zip<\/code> Module Is Used For<\/p>\n<ul>\n<li><strong>Plugin installation and updates<\/strong> (especially from ZIP files)<\/li>\n<li><strong>Theme import\/export<\/strong><\/li>\n<li><strong>Backup plugins<\/strong> (e.g., Duplicator, UpdraftPlus)<\/li>\n<li><strong>Migration tools<\/strong><\/li>\n<\/ul>\n<p>If you&#8217;re manually installing things via FTP or don&#8217;t use plugins that automate packaging and extraction, you&#8217;re fine without it. WordPress just lists it because a lot of plugins assume it&#8217;s present.<\/p>\n<p>\ud83e\udde0 TL;DR<\/p>\n<ul>\n<li>\u2705 Your site can run without it<\/li>\n<li>\u26a0\ufe0f If you install or update ZIP-based plugins through the admin interface, you might hit errors<\/li>\n<li>\ud83d\udee0\ufe0f It&#8217;s a tiny module and safe to install if you&#8217;re future-proofing<\/li>\n<\/ul>\n<p>How to?<\/p>\n<h3><span class=\"ez-toc-section\" id=\"%F0%9F%9B%A0%EF%B8%8F_Enable_the_zip_PHP_Module_on_Debian_12\"><\/span>\ud83d\udee0\ufe0f Enable the <code>zip<\/code> PHP Module on Debian 12<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>1. <strong>Install the Extension<\/strong><\/p>\n<p>Make sure you install the correct version for your PHP setup. If you\u2019re using PHP 8.2 (the default in Debian 12):<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo apt update\r\nsudo apt install php8.2-zip\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>If you\u2019ve upgraded to PHP 8.3 via SURY:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo apt install php8.3-zip\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>2. 
<strong>Restart Your Web Server<\/strong><\/p>\n<p>Depending on your setup:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo systemctl restart apache2<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>3. <strong>Verify Installation<\/strong><\/p>\n<p>Run:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>php -m | grep zip\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>If it returns <code>zip<\/code>, you\u2019re good to go.<\/p>\n<\/div>\n<div>\n<p>2) Don&#8217;t install it from a security standpoint:<\/p>\n<\/div>\n<div>\n<p>Security Angle: Why <em>Not<\/em> Installing <code>zip<\/code> Might Be Safer<\/p>\n<ul>\n<li><strong>Less attack surface<\/strong>: Fewer PHP extensions mean fewer potential vulnerabilities, especially from bugs in parsing zip headers or malicious zip payloads.<\/li>\n<li><strong>Blocks auto-installs<\/strong>: Without <code>ZipArchive<\/code>, plugins\/themes that use zipped packages via the WordPress admin can\u2019t self-extract. 
That forces all installs to be manual\u2014good for auditability.<\/li>\n<li><strong>Script-based exploits are blunted<\/strong>: Malware that attempts to download, unpack, and activate zip files through vulnerable plugins or upload endpoints will hit a wall.<\/li>\n<li><strong>Prevents sneaky plugin drops<\/strong>: No zip means plugins can&#8217;t unpack themselves unnoticed during malicious file uploads or improperly sanitized form inputs.<\/li>\n<\/ul>\n<div><\/div>\n<p>\u26a0\ufe0f Trade-Offs<\/p>\n<ul>\n<li>Some legit backup or migration plugins won&#8217;t work\u2014or will throw warnings<\/li>\n<li>Manual updates and installs are more tedious<\/li>\n<li>You may need to temporarily install it for specific maintenance tasks, then uninstall afterward<\/li>\n<\/ul>\n<\/div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Object_Cache\"><\/span>Object Cache<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>This one was a bit more annoying than I wanted it to be simply because it&#8217;s got many options. 
besides 1) do it vs 2) don&#8217;t do it.<\/p>\n<p>Right now, my site runs fine, but who doesn&#8217;t want a faster site&#8230; right&#8230; Right?<\/p>\n<h3><span class=\"ez-toc-section\" id=\"%F0%9F%94%B4_Redis\"><\/span>\ud83d\udd34 Redis<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u2705 <strong>Pros<\/strong><\/p>\n<ul>\n<li>Very fast and widely adopted<\/li>\n<li>Works across multiple servers (great for scaling)<\/li>\n<li>Excellent support from plugins like <em>Redis Object Cache<\/em><\/li>\n<li>Stores complex data types (not just key-value pairs)<\/li>\n<li>Can be configured for persistence (disk backup of cache)<\/li>\n<\/ul>\n<p>\u26a0\ufe0f <strong>Cons<\/strong><\/p>\n<ul>\n<li>Uses more memory than simpler caches<\/li>\n<li>Requires a background daemon (<code>redis-server<\/code>)<\/li>\n<li>Overkill for tiny or low-traffic sites<\/li>\n<\/ul>\n<div><\/div>\n<h3><span class=\"ez-toc-section\" id=\"%F0%9F%94%B5_Memcached\"><\/span>\ud83d\udd35 Memcached<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u2705 <strong>Pros<\/strong><\/p>\n<ul>\n<li>Lightweight and blazing fast<\/li>\n<li>Great for simple key-value object caching<\/li>\n<li>Minimal resource usage\u2014ideal for single-server setups<\/li>\n<\/ul>\n<p>\u26a0\ufe0f <strong>Cons<\/strong><\/p>\n<ul>\n<li>Doesn\u2019t support complex data types<\/li>\n<li>No persistence: cache is lost if the server reboots<\/li>\n<li>Fewer modern plugin options compared to Redis<\/li>\n<\/ul>\n<div><\/div>\n<h3><span class=\"ez-toc-section\" id=\"%F0%9F%9F%A3_APCu\"><\/span>\ud83d\udfe3 APCu<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u2705 <strong>Pros<\/strong><\/p>\n<ul>\n<li>Fast, simple, and bundled with PHP<\/li>\n<li>No external services required\u2014runs in-process<\/li>\n<li>Perfect for single-server, low-footprint setups<\/li>\n<\/ul>\n<p>\u26a0\ufe0f <strong>Cons<\/strong><\/p>\n<ul>\n<li>Only works per process: no shared cache across servers<\/li>\n<li>Not ideal for large or 
complex sites<\/li>\n<li>Might get flushed more often depending on your PHP configuration<\/li>\n<\/ul>\n<p>In my case I&#8217;m going to try memcached, why I unno&#8230;.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"%F0%9F%A7%B0_Install_Memcached_WordPress_Integration\"><\/span>\ud83e\uddf0 Install Memcached + WordPress Integration<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>1. <strong>Install Memcached Server + PHP Extension<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo apt update\r\nsudo apt install memcached php8.2-memcached\r\nsudo systemctl enable memcached\r\nsudo systemctl start memcached\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<blockquote><p>Replace <code>php8.2<\/code> with your actual PHP version if needed.<\/p><\/blockquote>\n<div><\/div>\n<p>2. <strong>Verify Memcached Is Running<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>echo \"stats settings\" | nc localhost 11211\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Alternatively, you can use Bash\u2019s built-in TCP support:<\/p>\n<pre>exec 3&lt;&gt;\/dev\/tcp\/127.0.0.1\/11211\r\necho -e \"stats\\r\\nquit\\r\\n\" &gt;&amp;3\r\ncat &lt;&amp;3<\/pre>\n<p>This opens a raw TCP connection and sends the stats command directly.<\/p>\n<p>You should see a list of stats\u2014if not, Memcached isn\u2019t active.<\/p>\n<div><\/div>\n<p>3. <strong>Install a WordPress Plugin<\/strong><\/p>\n<p>The most common plugin for Memcached integration is <strong>W3 Total Cache<\/strong>:<\/p>\n<ul>\n<li>Go to your WordPress dashboard<\/li>\n<li>Navigate to <strong>Plugins &gt; Add New<\/strong><\/li>\n<li>Search for <strong>W3 Total Cache<\/strong><\/li>\n<li>Click <strong>Install<\/strong>, then <strong>Activate<\/strong><\/li>\n<\/ul>\n<div><\/div>\n<p>4. 
<strong>Configure W3 Total Cache for Memcached<\/strong><\/p>\n<ul>\n<li>Go to <strong>Performance &gt; General Settings<\/strong><\/li>\n<li>Under <strong>Object Cache<\/strong>, enable it and select <strong>Memcached<\/strong> as the method<br \/>\n*If Memcached is not selectable, restart the web service (apache2)<\/li>\n<li>Do the same for <strong>Database Cache<\/strong> if desired<\/li>\n<li>Save settings and purge cache<\/li>\n<\/ul>\n<div><\/div>\n<p>\u2705 Optional: Use a Drop-In Instead of a Plugin<\/p>\n<p>If you want to skip plugins entirely:<\/p>\n<ul>\n<li>Download <code>object-cache.php<\/code> from Memcachy<\/li>\n<li>Place it in <code>\/wp-content\/<\/code><\/li>\n<li>Add this to <code>wp-config.php<\/code>:\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>define('WP_CACHE', true);\r\n$memcached_servers = array(\r\n  array('127.0.0.1', 11211)\r\n);\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<p>This gives you Memcached support without a full plugin UI.<\/p>\n<p>After installing the backend modules and the plugin, and configuring Memcached as the object cache, Site Health finally removed that warning too.. now the final one.. HTTPS.<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"HTTPS\"><\/span>HTTPS<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now it&#8217;s not possible to access my site via HTTP, not externally anyway. So, why the warning?<\/p>\n<p>Ah, that\u2019s a classic WordPress quirk\u2014your browser\u2019s using HTTPS, but WordPress itself still thinks it\u2019s living in the insecure past. 
\ud83d\ude05<\/p>\n<p>Here\u2019s how to fix it since you\u2019re self-hosting:<\/p>\n<div><\/div>\n<h3><span class=\"ez-toc-section\" id=\"%F0%9F%94%90_Update_WordPress_URLs_to_Use_HTTPS\"><\/span>\ud83d\udd10 Update WordPress URLs to Use HTTPS<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ol start=\"1\">\n<li><strong>Log into your WordPress Admin Dashboard<\/strong><\/li>\n<li>Go to <strong>Settings &gt; General<\/strong><\/li>\n<li>Update both:\n<ul>\n<li><strong>WordPress Address (URL)<\/strong><\/li>\n<li><strong>Site Address (URL)<\/strong> to use <code>https:\/\/yourdomain.com<\/code> instead of <code>http:\/\/<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Scroll down and click <strong>Save Changes<\/strong><\/li>\n<\/ol>\n<p>But it&#8217;s greyed out&#8230;<\/p>\n<p>\ud83d\udee0\ufe0f How to Fix It<\/p>\n<ol start=\"1\">\n<li><strong>Open your <\/strong><code>wp-config.php<\/code><strong> file<\/strong>. It\u2019s located in the root of your WordPress installation (same folder as <code>wp-load.php<\/code> and <code>wp-settings.php<\/code>).<\/li>\n<li><strong>Look for these lines:<\/strong>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>define('WP_HOME','http:\/\/yourdomain.com');\r\ndefine('WP_SITEURL','http:\/\/yourdomain.com');\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Or they might be using <code>https:\/\/<\/code> if you\u2019ve already set up SSL.<\/p>\n<\/li>\n<li><strong>Delete or comment them out:<\/strong>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>\/\/ define('WP_HOME','https:\/\/yourdomain.com');\r\n\/\/ define('WP_SITEURL','https:\/\/yourdomain.com');\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<li><strong>Save the file and reload your WordPress dashboard<\/strong>. The fields under <strong>Settings &gt; General<\/strong> should now be editable.<\/li>\n<\/ol>\n<p>mhmm, 
uhhh commenting them out caused my site to simply redirect to the local loopback IP, which of course the system I&#8217;m navigating my site on isn&#8217;t hosting a web server, so the site times out.<\/p>\n<p>Yeah, that redirect to <code>127.0.0.1<\/code> or <code>localhost<\/code> is a classic symptom of WordPress falling back to default behavior when it can\u2019t find proper site URLs. Here&#8217;s what likely happened:<\/p>\n<div><\/div>\n<p>\ud83e\udde0 Why It Redirected to Localhost<\/p>\n<p>When you <strong>commented out <\/strong><code>WP_HOME<\/code><strong> and <\/strong><code>WP_SITEURL<\/code> in <code>wp-config.php<\/code>, WordPress tried to pull the site URL from the <strong>database<\/strong> (<code>wp_options<\/code> table). If those values are still set to <code>http:\/\/localhost<\/code> or <code>http:\/\/127.0.0.1<\/code>, it\u2019ll redirect there\u2014even if you\u2019re accessing the site from a public domain.<\/p>\n<div><\/div>\n<p>\ud83d\udee0\ufe0f How to Fix It<\/p>\n<p>\u2705 Option 1: Restore the Correct URLs in <code>wp-config.php<\/code><\/p>\n<p>Uncomment and update the lines like this:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>define('WP_HOME', 'https:\/\/yourdomain.com');\r\ndefine('WP_SITEURL', 'https:\/\/yourdomain.com');\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Replace <code>yourdomain.com<\/code> with your actual domain name.<\/p>\n<p>\u2705 Option 2: Update URLs Directly in the Database<\/p>\n<p>If you want to manage URLs from the dashboard again, you\u2019ll need to fix the database values:<\/p>\n<ol start=\"1\">\n<li>Access <strong>phpMyAdmin<\/strong> or use the MySQL CLI<\/li>\n<li>Run:\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>UPDATE wp_options SET option_value = 'https:\/\/yourdomain.com' WHERE option_name IN ('siteurl', 
'home');\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<li>Clear your browser cache and reload the site<\/li>\n<\/ol>\n<p>You can then safely remove the hardcoded lines from <code>wp-config.php<\/code> and regain control via the WordPress admin panel.<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/MN62Uan.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" src=\"https:\/\/i.imgur.com\/MN62Uan.png\" alt=\"\" width=\"842\" height=\"535\" \/><\/a><\/p>\n<p>FINALLY! What a PITA&#8230; Hope this helps someone&#8230;<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Small_Rabbit_Hole\"><\/span>Small Rabbit Hole<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Allllllright, I wanted to check if I was even running phpMyAdmin (I vaguely remember that it was part of the TurnKey Linux setup, which I THINK is what this was originally spun up from, which had such services baked in for ease of use)&#8230; ANYWAY, I went to try and figure this out by simply checking my server&#8217;s listening ports&#8230; when I found IPv6.<\/p>\n<h3 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%9A%AB_IPv6\"><\/span>\ud83d\udeab IPv6<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>I dislike it, others disagree. If it is supported (by now it&#8217;s pretty widely adopted), or if it&#8217;s something you need.. ughhh, then give er&#8230; let\u00a0 the world be your oyster or some dumb shit. I personally don&#8217;t like the idea of everything having a fully publicly routable IP address.. if it even works that way.. 
unno&#8230; I still stick to IPv4 where, yes, I use NAT&#8230; ooo nooooo&#8230;<\/p>\n<p>Anyway, long story short, I wanted to disable IPv6 on my WordPress server&#8230;<\/p>\n<p>\ud83e\uddf1 Method 1: Disable via <code>sysctl<\/code> (Persistent)<\/p>\n<p>Edit the system config file:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo nano \/etc\/sysctl.conf\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Add these lines at the end:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>net.ipv6.conf.all.disable_ipv6 = 1\r\nnet.ipv6.conf.default.disable_ipv6 = 1\r\nnet.ipv6.conf.lo.disable_ipv6 = 1\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Apply changes:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<pre><code>sudo sysctl -p<\/code><\/pre>\n<\/div>\n<\/div>\n<p>I did this but still found listening ports on IPv6 (specifically SSH and NTP). I could have reconfigured these services, but instead..<\/p>\n<p>\ud83e\udde8 Method 2: Blacklist the IPv6 Kernel Module<\/p>\n<p>Create a blacklist file:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo nano \/etc\/modprobe.d\/blacklist-ipv6.conf\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Add:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>blacklist ipv6\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Then update initramfs:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo update-initramfs -u\r\nsudo reboot\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>This didn&#8217;t work for me.<\/p>\n<p>\ud83e\uddea Method 3: Disable via GRUB Boot Parameters<\/p>\n<p>Edit GRUB 
config:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo nano \/etc\/default\/grub\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Find the line starting with <code>GRUB_CMDLINE_LINUX_DEFAULT<\/code> and add:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>ipv6.disable=1\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Example:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>GRUB_CMDLINE_LINUX_DEFAULT=\"quiet ipv6.disable=1\"\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Update GRUB:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<pre><code>sudo update-grub\r\nsudo reboot<\/code><\/pre>\n<\/div>\n<\/div>\n<p>This finally worked!<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Rabbit_Hole_2_stunnel4\"><\/span>Rabbit Hole #2: stunnel4<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<div id=\"Qz7tXrr2PjfPrkxPMFNqs-user-message\" tabindex=\"0\" role=\"article\" data-tabster=\"{&quot;groupper&quot;:{&quot;tabbability&quot;:2},&quot;focusable&quot;:{}}\" aria-labelledby=\"Qz7tXrr2PjfPrkxPMFNqs-user-message\">\n<div>\n<div data-content=\"user-message\">\n<div>What is stunnel4?<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div tabindex=\"0\" role=\"article\" data-tabster=\"{&quot;groupper&quot;:{&quot;tabbability&quot;:2},&quot;focusable&quot;:{}}\" data-content=\"ai-message\" aria-labelledby=\"23h3nyzP3eEmc9i3BJrEy-author} 23h3nyzP3eEmc9i3BJrEy-content-0\">\n<div><\/div>\n<div id=\"23h3nyzP3eEmc9i3BJrEy-content-0\" class=\"group\/ai-message-item space-y-3 break-words\">\n<p>Stunnel4 is a <strong>proxy tool that wraps unencrypted traffic in SSL\/TLS encryption<\/strong>, allowing legacy or non-secure services to communicate securely without modifying their 
original code. Think of it as a secure tunnel that sits between a client and a server, encrypting everything that passes through.<\/p>\n<div><\/div>\n<p>\ud83d\udd10 What Stunnel4 Does<\/p>\n<ul>\n<li><strong>Encrypts plaintext protocols<\/strong> like HTTP, SMTP, FTP, or Telnet<\/li>\n<li>Acts as a <strong>TLS\/SSL wrapper<\/strong> for services that don\u2019t natively support encryption<\/li>\n<li>Can run in <strong>client or server mode<\/strong><\/li>\n<li>Supports <strong>load balancing<\/strong>, <strong>certificate validation<\/strong>, and <strong>FIPS-compliant cryptography<\/strong><\/li>\n<li>Uses <strong>OpenSSL<\/strong> under the hood for encryption algorithms<\/li>\n<\/ul>\n<p>\ud83e\udde0 How It Works<\/p>\n<p>Imagine you have a mail server that only speaks plain SMTP on port 25. You can configure Stunnel to:<\/p>\n<ul>\n<li>Accept encrypted connections on port 465<\/li>\n<li>Decrypt the traffic<\/li>\n<li>Forward it to port 25 locally<\/li>\n<\/ul>\n<p>This way, clients connect securely\u2014even though the mail server itself is oblivious to SSL.<\/p>\n<p>\ud83d\udee0\ufe0f Typical Use Cases<\/p>\n<ul>\n<li>Securing legacy services without rewriting them<\/li>\n<li>Tunneling blocked protocols (e.g. SSH over HTTPS)<\/li>\n<li>Adding SSL to VPNs (like OpenVPN)<\/li>\n<li>Acting as a secure gateway for internal services<\/li>\n<\/ul>\n<p>Want help setting up a config file or using it to secure a specific service like SMTP or Redis? I can walk you through it.<\/p>\n<\/div>\n<\/div>\n<div id=\"woTx6M4UVtnBbrX8ngs9A-user-message\" tabindex=\"0\" role=\"article\" data-tabster=\"{&quot;groupper&quot;:{&quot;tabbability&quot;:2},&quot;focusable&quot;:{}}\" aria-labelledby=\"woTx6M4UVtnBbrX8ngs9A-user-message\">\n<div>\n<div class=\"flex w-full flex-col items-end\" data-content=\"user-message\">\n<div>&#8220;Tunneling blocked protocols (e.g. SSH over HTTPS)&#8221; This is exactly what I see my system doing on port 12320.. and it shows as service stunnel4. 
but I don&#8217;t know if I want to stop the service as a whole&#8230;<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div tabindex=\"0\" role=\"article\" data-tabster=\"{&quot;groupper&quot;:{&quot;tabbability&quot;:2},&quot;focusable&quot;:{}}\" data-content=\"ai-message\" aria-labelledby=\"HS8vYpDDudXgFafFuZF9A-author} HS8vYpDDudXgFafFuZF9A-content-0\">\n<div><\/div>\n<div id=\"HS8vYpDDudXgFafFuZF9A-content-0\" class=\"group\/ai-message-item space-y-3 break-words\">\n<p>You&#8217;re spot-on in diagnosing that behavior\u2014port <code>12320<\/code> with <code>stunnel4<\/code> almost certainly means your system is <strong>tunneling SSH over HTTPS<\/strong>, or at least exposing a secure channel for remote access via SSL. This is commonly used in stacks like <strong>Webmin\/Virtualmin\/Usermin<\/strong>, where <code>stunnel4<\/code> wraps non-HTTPS services to provide secure access through a browser.<\/p>\n<p>\ud83d\udd0d What Port 12320 Usually Does with <code>stunnel4<\/code><\/p>\n<ul>\n<li>Acts as a <strong>gateway to Webmin or Usermin<\/strong> shell access<\/li>\n<li>Allows <strong>remote file management, terminal, or SSH-like features<\/strong> over HTTPS<\/li>\n<li>Wrapped securely so that firewalls see it as \u201charmless\u201d SSL traffic<\/li>\n<\/ul>\n<p>You can confirm this by checking:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo systemctl status stunnel4\r\ncat \/etc\/stunnel\/stunnel.conf\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Or:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>grep -r 12320 \/etc\/stunnel\/\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>That config file should reveal exactly which service is being tunneled.<\/p>\n<p>\u26a0\ufe0f Should You Stop It?<\/p>\n<p>That depends on:<\/p>\n<ul>\n<li>Do you use Webmin\/Virtualmin remotely?<\/li>\n<li>Are you managing your 
server through a <strong>web browser<\/strong> interface?<\/li>\n<li>Is <code>12320<\/code> exposed to the public internet or locked behind a firewall?<\/li>\n<\/ul>\n<p>If you don\u2019t use it and it&#8217;s open to the world, you could:<\/p>\n<ul>\n<li>Disable it safely:\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo systemctl disable --now stunnel4\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<li>Or edit the config to disable only port <code>12320<\/code>, leaving other tunnels active<\/li>\n<\/ul>\n<blockquote><p>But if you rely on browser-based admin tools, killing <code>stunnel4<\/code> might break access to file manager or terminal tools from the web UI.<\/p><\/blockquote>\n<p>\ud83e\udde0 Pro Tip<\/p>\n<p>Rather than killing the whole service, you can:<\/p>\n<ul>\n<li>Comment out the <code>12320<\/code> tunnel in <code>stunnel.conf<\/code><\/li>\n<li>Reload the config:\n<div>\n<div>bash<\/div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo systemctl restart stunnel4\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<\/ul>\n<p>That gives you <strong>selective control<\/strong>\u2014without losing secure access to services you still need.<\/p>\n<p>Want help editing that config file or running a quick audit on what\u2019s listening? 
I can help you tailor your server\u2019s security posture to your exact setup.<\/p>\n<\/div>\n<\/div>\n<div id=\"zupmLp1AsWvWjDHQ8Sadg-user-message\" tabindex=\"0\" role=\"article\" data-tabster=\"{&quot;groupper&quot;:{&quot;tabbability&quot;:2},&quot;focusable&quot;:{}}\" aria-labelledby=\"zupmLp1AsWvWjDHQ8Sadg-user-message\">\n<div>\n<div class=\"flex w-full flex-col items-end\" data-content=\"user-message\">\n<div>stunnel4.service, Loaded: masked (Reason: unit stunnel4.service is maked.), Active: inactive (dead) grep -r 12320 \/etc\/stunnel\/ \/etc\/stunnel\/shellinabox.conf:12320 So, there it is, the shell (SSH) service using stunnel, which is why I see a console when I access https:\/\/wordpress:12320. But why is the service saying dead when I clearly see it bound via the ss command?<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div tabindex=\"0\" role=\"article\" data-tabster=\"{&quot;groupper&quot;:{&quot;tabbability&quot;:2},&quot;focusable&quot;:{}}\" data-content=\"ai-message\" aria-labelledby=\"1QY8Qy8VQdyqNKbKqnL3R-author} 1QY8Qy8VQdyqNKbKqnL3R-content-0\">\n<div><\/div>\n<div id=\"1QY8Qy8VQdyqNKbKqnL3R-content-0\" class=\"group\/ai-message-item space-y-3 break-words\">\n<p>Excellent deduction \u2014 you\u2019re practically reverse-engineering the system just by reading its sockets. 
\ud83e\udde0\ud83d\udd27 Let\u2019s break down what\u2019s happening:<\/p>\n<p>\ud83e\udde9 Why <code>stunnel4.service<\/code> Says Dead but the Port Is Active<\/p>\n<p>You&#8217;re seeing a listening socket on port <code>12320<\/code>, likely from <strong>ShellInABox<\/strong> wrapped by <code>stunnel<\/code>, but <code>stunnel4.service<\/code> reports:<\/p>\n<div>\n<div><\/div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>Loaded: masked\r\nActive: inactive (dead)\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Here\u2019s the likely cause:<\/p>\n<p>\u2699\ufe0f Stunnel is running, <strong>but not via the <\/strong><code>stunnel4.service<\/code><strong> unit<\/strong><\/p>\n<ul>\n<li>The service is <strong>masked<\/strong>, which means it\u2019s intentionally disabled from being started or stopped using <code>systemctl<\/code>.<\/li>\n<li>This doesn\u2019t stop you (or another app) from <strong>manually launching Stunnel as a background process<\/strong>, or from invoking it via a <strong>custom systemd unit<\/strong>, <strong>init script<\/strong>, or even <strong>Webmin\/Virtualmin<\/strong>.<\/li>\n<\/ul>\n<p>\ud83e\udde0 <code>ss<\/code> shows the port because:<\/p>\n<ul>\n<li>The process was started <em>outside<\/em> the official service file, possibly via:\n<ul>\n<li>A different systemd unit (e.g., <code>webmin-stunnel.service<\/code>)<\/li>\n<li>A direct call in <code>\/etc\/rc.local<\/code> or <code>cron<\/code> or Webmin\u2019s internal startup sequence<\/li>\n<li>A bundled wrapper from ShellInABox or another tool<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div><\/div>\n<h3><span class=\"ez-toc-section\" id=\"%F0%9F%94%8D_How_to_Find_the_Real_Parent_Process\"><\/span>\ud83d\udd0d How to Find the Real Parent Process<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Let\u2019s track down what\u2019s owning port <code>12320<\/code>:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 
px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo lsof -i :12320\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Or:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo ss -tulpn | grep 12320\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>This will show you the actual <strong>PID<\/strong> and the <strong>command or executable<\/strong> responsible. Likely output will say something like:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>LISTEN  ... 12320  ... \/usr\/bin\/stunnel\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>Once you get the PID, trace it:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>ps -fp &lt;PID&gt;\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<h3><span class=\"ez-toc-section\" id=\"%F0%9F%9B%A0%EF%B8%8F_How_to_Disable_That_Specific_Tunnel_Without_Killing_Stunnel_Globally\"><\/span>\ud83d\udee0\ufe0f How to Disable That Specific Tunnel (Without Killing Stunnel Globally)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>You can comment out or delete the tunnel block in <code>\/etc\/stunnel\/shellinabox.conf<\/code>. 
Try this:<\/p>\n<ol start=\"1\">\n<li><strong>Edit the config<\/strong>:\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo nano \/etc\/stunnel\/shellinabox.conf\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<li><strong>Comment out all lines<\/strong> by adding <code>#<\/code>:\n<div>\n<div>conf<\/div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code># accept = 12320\r\n# connect = 127.0.0.1:12319\r\n# TIMEOUTclose = 0\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/li>\n<li><strong>Save and exit<\/strong>, then reboot.<\/li>\n<\/ol>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Rabbit_Hole_3_Master\"><\/span>Rabbit Hole #3: Master<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<div id=\"4QVQDtPQ414zaDZJd9u8R-user-message\" tabindex=\"0\" role=\"article\" data-tabster=\"{&quot;groupper&quot;:{&quot;tabbability&quot;:2},&quot;focusable&quot;:{}}\" aria-labelledby=\"4QVQDtPQ414zaDZJd9u8R-user-message\">\n<div>\n<div data-content=\"user-message\">\n<div>using ss -plunt it shows as service &#8220;master&#8221; I can&#8217;t see that in webmin.. what&#8217;s going on here? Port 25<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div tabindex=\"0\" role=\"article\" data-tabster=\"{&quot;groupper&quot;:{&quot;tabbability&quot;:2},&quot;focusable&quot;:{}}\" data-content=\"ai-message\" aria-labelledby=\"Qogjok8hr3NTRo49xvFG3-author} Qogjok8hr3NTRo49xvFG3-content-0\">\n<div><\/div>\n<div id=\"Qogjok8hr3NTRo49xvFG3-content-0\" class=\"group\/ai-message-item space-y-3 break-words\">\n<p>Ah, the mysterious <code>\"master\"<\/code> process \u2014 that\u2019s actually <strong>Postfix<\/strong>, your mail transfer agent (MTA). 
\ud83d\udce8<\/p>\n<p>When you run:<\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>sudo ss -plunt | grep :25\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>and see something like:<\/p>\n<div>\n<div><\/div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:((\"master\",pid=1234,fd=12))\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>the <code>\"master\"<\/code> refers to the <strong>Postfix master daemon<\/strong>, which coordinates all the individual Postfix services (like <code>smtp<\/code>, <code>pickup<\/code>, <code>qmgr<\/code>, etc.).<\/p>\n<p>I disabled Postfix and, sure enough, the port 25 listener went away.<\/p>\n<p>I also disabled the NTP service, to stop it listening on port 123.<\/p>\n<p>OK, final one: I saw the system listening on UDP port 10000. I saw one that was TCP based, but it was only bound to loopback so I didn&#8217;t care about that much, and research showed it&#8217;s used by Webmin. However, I didn&#8217;t like the UDP one because it was listening on all interfaces on the system (0.0.0.0).<\/p>\n<p>After enough searching, I found it configured by Webmin itself.<\/p>\n<p>Webmin -&gt; Webmin Configuration -&gt; Ports and Addresses -&gt; &#8220;Listen for broadcasts on UDP port&#8221;, but what is this used for?<\/p>\n<p>The <strong>\u201cListen for broadcasts on UDP port\u201d<\/strong> option in Webmin is used for <strong>auto-discovery of other Webmin servers<\/strong> on the local network. 
Here&#8217;s what it&#8217;s doing:<\/p>\n<div><\/div>\n<p>\ud83d\udce1 What It\u2019s For<\/p>\n<ul>\n<li>Webmin listens on <strong>UDP port 10000<\/strong> to receive <strong>broadcast packets<\/strong> from other systems running Webmin.<\/li>\n<li>These packets are part of the <strong>Webmin Servers Index module<\/strong>, which lets you:\n<ul>\n<li>Scan your LAN for other Webmin instances<\/li>\n<li>Automatically add them to a central dashboard<\/li>\n<li>Optionally control them via RPC (Remote Procedure Calls)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div><\/div>\n<p>\ud83e\udde0 Why It\u2019s Optional<\/p>\n<ul>\n<li>If you\u2019re <strong>not using clustered Webmin setups<\/strong> or don\u2019t need to discover other servers, it\u2019s safe to disable.<\/li>\n<li>Disabling it stops Webmin from binding to UDP 10000, which:\n<ul>\n<li>Reduces your attack surface<\/li>\n<li>Cleans up your <code>ss<\/code> output<\/li>\n<li>Avoids confusion when auditing open ports<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<div><\/div>\n<p>\u2705 What Happens When You Turn It Off<\/p>\n<ul>\n<li>Webmin will no longer respond to broadcast discovery requests<\/li>\n<li>You can still manually add other servers to the Webmin Servers Index if needed<\/li>\n<li>The TCP listener on port 10000 (for HTTPS access) remains unaffected<\/li>\n<\/ul>\n<div><\/div>\n<p>Hope all these tweaks help someone.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Fixing WordPress Security Recommendations So.. I log into my WordPress server, and under site health on the Dashboard, the yellow&#8230; basically sayin&#8230;. &#8220;Do better&#8221; Anyway, I asked Co-Pilot for help on this (Specifically about the warning about a dated PHP version [7.4]), and it basically said: \ud83d\udee0\ufe0f Update PHP for Your WordPress Site 1. 
Check &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/zewwy.ca\/index.php\/2025\/07\/14\/fixing-wordpress-security-recommendations\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Fixing WordPress Security Recommendations&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[223],"tags":[476,477,334,56],"class_list":["post-1677","post","type-post","status-publish","format-standard","hentry","category-wordpress","tag-ipv6","tag-php","tag-update","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1677","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1677"}],"version-history":[{"count":19,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1677\/revisions"}],"predecessor-version":[{"id":1681,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1677\/revisions\/1681"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1677"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1677"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templa
ted":true}]}}