[TriLUG] Distro recommendation for secure hosting

Igor Partola igor at igorpartola.com
Sat Dec 13 14:13:26 EST 2014


These days Linux distro choice is not going to be a matter of security. Sure, you have some SE Linux enabled distros, etc., but in general all major distros run all the same software, and let you configure it mostly the same way.

Another thing to remember is that these days your typical "hacking" attempts are different from those of yesteryear. Where you had to worry about open ports, ping of death, and buffer overflow exploits, now you have to worry about SQL injection, unencrypted traffic, XSS attacks, MITM attacks, etc. I am going to venture a guess that your issue is people trying to break into WordPress admin. This is a problem on all distributions. The solutions are generally:

 - don't use WordPress. I personally like Pelican, but any static site generator will do for most very simple, geek-maintained sites.

 - only allow wp-admin logins from certain IPs. You could even make this localhost and use an ssh tunnel to make it work.

 - set up 2 factor auth using a plugin

 - set up fail2ban.

Always keep WordPress and all plugins up to date. Having worked with core WordPress code, as well as many plugins, I can tell you there's some really scary stuff in there (eval to do simple variable assignment was one of the features I once found). WP can now auto-update, which is very nice.

Finally, consider just using WordPress.com. This is by far the cheapest way to host it (factor in your billable time and mental energy to see just how many orders of magnitude cheaper it is).

Igor
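A fail2ban-style check over web server access logs, as an added example that is not part of Igor's post: it counts failed wp-login.php POSTs per source IP and reports which addresses cross the ban threshold, with an allowlist for the admin IPs the post suggests restricting logins to. The log lines are constructed, and the regex, function names and thresholds are mine, not fail2ban's own filter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-format access log line (Apache/nginx), e.g.
# 203.0.113.7 - - [13/Dec/2014:14:01:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.38"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def failed_logins(lines):
    """Yield (ip, timestamp) for each failed wp-login.php POST.
    WordPress re-renders the form with HTTP 200 on a bad password and
    redirects (302) on success, so a 200 on a POST marks a failure."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the filter
        if m["method"] == "POST" and m["path"].split("?", 1)[0] == "/wp-login.php" and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def ips_to_ban(lines, maxretry=5, findtime=timedelta(minutes=10), allowlist=()):
    """fail2ban-style rule: ban an IP once it has `maxretry` failures inside any
    `findtime` window. Addresses in `allowlist` (your own admin IPs) are never banned."""
    per_ip = defaultdict(list)
    for ip, ts in failed_logins(lines):
        per_ip[ip].append(ts)
    banned = []
    for ip, times in per_ip.items():
        if ip in allowlist:
            continue
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)

# Constructed sample log: one brute-forcer, one successful admin login, one lone typo, one junk line.
SAMPLE_LOG = (
    ['203.0.113.7 - - [13/Dec/2014:14:01:%02d -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.38"' % s
     for s in range(6)]
    + ['198.51.100.9 - - [13/Dec/2014:14:02:00 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '192.0.2.4 - - [13/Dec/2014:14:03:00 -0500] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
       'garbage line that does not parse']
)
```

Running `ips_to_ban(SAMPLE_LOG)` returns `['203.0.113.7']`; the real fail2ban would then hand that address to iptables for the ban time you configure.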



