Chris

Hello everyone,

I just discovered TurnKey today and I am hoping to learn more. I host a few WordPress sites, currently on Windows. I've been wanting to switch to Linux, but I don't really know much about securing a distro or anything like that.

I came across the TurnKey WordPress appliance ISO and VM and I am wondering how safe they are for production use. The sites I host are tiny and generally get less than 100 views a month.

Is the TurnKey WordPress appliance a good fit for me, or should I look elsewhere? How secure is the TurnKey WordPress appliance out of the box (setting aside any vulnerabilities in WordPress itself)?

Jeremy Davis

I suspect that the TurnKey appliance would be a good starting point for you. As you are probably aware, security is always a compromise against user friendliness/usability. The TurnKey WP appliance is relatively secure; however, it is certainly not 'locked down'. Some concessions have been made, and in fact the next release will probably have permissions relaxed a little further due to issues some people have had with updates.

So I suggest that you have a look - try it as a local VM and see how you go! If you want to lock it down you will find plenty of tutorials and blog posts about that (just keep in mind that TurnKey is based on Debian, so Debian-specific guides should work fine).

And if you get stuck, post in the support forums and I reckon someone will help you out - good luck! :)

Tom

Hi everyone,

Speaking about "locking down" TurnKey WP - is there a way to improve the security side?

Liraz Siri

There's no limit to how much you can tighten the screws, but you usually trade off some convenience and possibly functionality for that. The more you tighten the screws, the higher the cost of attack will be for an attacker. At some point, presumably, the attack is more expensive than what it is worth in terms of the risk/benefit.

Tightening the screws for a TurnKey app is exactly the same process as locking down any other Linux integration. You can google "securing Debian/Ubuntu" and you will find plenty of information.

For what it's worth, we try to strike a good balance between ease of use and security out of the box. There are occasional reports of servers getting hacked when they chose weak passwords, but other than that there have been no major incidents, and there are about 50,000 production deployments worldwide, so that's a decent footprint.

If you want to go the extra mile, I'd start with minimizing the attack surface by shutting down any services you aren't using.

Also, make the passwords as strong as possible or, better yet, disable password authentication altogether and configure SSH to only allow key-based authentication. Password brute-forcing is incredibly widespread.
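The SSH step Liraz describes (disable password logins, allow keys only) as an added shell example; it is not from the thread or from TurnKey's own tooling, it works on a constructed sshd_config sample, and the /etc/ssh paths in the comments are assumptions about a stock Debian layout.

```shell
#!/bin/sh
# Added example, not from the thread or from TurnKey's own scripts: check
# whether an sshd_config still allows password logins and emit a key-only
# copy. It works on constructed config text, so nothing on the host changes.
set -eu

# Constructed sample that mirrors a stock Debian sshd_config: the auth
# directives are commented out, so OpenSSH's built-in defaults apply, and
# the default for PasswordAuthentication is "yes".
SAMPLE_CONFIG='Port 22
#PasswordAuthentication yes
#PubkeyAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes'

# Print "ok" when the config explicitly disables password authentication,
# otherwise "weak". sshd uses the first value it reads for a keyword, so
# only the first active (uncommented) line counts.
password_auth_status() {
    value=$(printf '%s\n' "$1" \
        | grep -i '^[[:space:]]*PasswordAuthentication[[:space:]]' \
        | head -n 1 | awk '{ print tolower($2) }')
    case "$value" in
        no) echo ok ;;
        *)  echo weak ;;
    esac
}

# Print a hardened copy: the auth directives are set explicitly at the top
# (first value wins) and existing lines for them, commented or not, are
# dropped so nobody is misled by a stale "#PasswordAuthentication yes".
harden_sshd_config() {
    printf '%s\n' \
        '# Key-based authentication only' \
        'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' \
        'PubkeyAuthentication yes'
    printf '%s\n' "$1" | grep -Eiv \
        '^[[:space:]]*#?[[:space:]]*(PasswordAuthentication|PubkeyAuthentication|ChallengeResponseAuthentication)([[:space:]]|$)' \
        || true
}

# On a real host (assumed paths, not run here): install your public key in
# ~/.ssh/authorized_keys and keep a working session open first, then
#   harden_sshd_config "$(cat /etc/ssh/sshd_config)" > /etc/ssh/sshd_config.new
#   sshd -t -f /etc/ssh/sshd_config.new && mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
echo "sample config: $(password_auth_status "$SAMPLE_CONFIG")"
echo "hardened copy: $(password_auth_status "$(harden_sshd_config "$SAMPLE_CONFIG")")"
```

For the attack-surface step, list what is actually listening with `ss -tlnp` (or `netstat -tlnp` on older systems) and stop and disable the services you are not using, then reload sshd only after `sshd -t` accepts the new file.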
