Guide Contents
Turn off detailed error display
Make sure display_errors is off in production
Open includes/config.php and make sure the display_errors lines near the top are commented out (between /* */), as they are by default.
Why? A detailed PHP error message sometimes reveals internal file paths or even parts of the database code — useful information for anyone trying to breach the site. Only leave error display enabled temporarily while debugging, then turn it off immediately.
Update the system and PHP regularly
A simple monthly update schedule
sudo apt update && sudo apt upgrade -y
Most breaches don't specifically target your site — they automatically scan for servers running outdated versions with known, already-patched vulnerabilities. A simple monthly update closes this door almost entirely.
Block repeated login attempts
Install Fail2Ban
sudo apt install fail2ban -y sudo systemctl enable fail2ban sudo systemctl start fail2ban
Fail2Ban monitors repeated failed login attempts (whether for SSH or the site's login page) and automatically bans an IP address after a certain number of failed attempts within a short time — significantly preventing automated "password guessing" attacks.
Restrict or remove phpMyAdmin
If you installed it only to help during setup
If you no longer need it after finishing the database import, remove it entirely:
sudo apt remove phpmyadmin -y
If you want to keep it, restrict access to your device's IP address only within your Apache configuration (Require ip your_IP_address) instead of leaving it open to anyone on the internet.
Always enforce HTTPS
Automatically redirect any HTTP visit to HTTPS
If you already enabled SSL via Certbot (from the installation guide), make sure it added an automatic redirect. To check, open the link with http:// explicitly in your browser — it should redirect you automatically to https://. If it doesn't, rerun:
sudo certbot --apache -d workup.yourcompany.com --redirect
Strong, unique passwords
Review every password in use
workup_user is strong and not used anywhere else.root password itself is also strong (and not blank as in the default local setup).