VPS: Linux Kernel, Apache web server, and mod_security2

Hi everyone. Is there any chance that the Linux kernel will be exploited in the wild when it comes to exploiting any vulnerabilities in my ClassicPress website or Apache web server? I have followed security best practices such as securing my ClassicPress website. I have Content Security Policy (CSP) and mod_security2 in place.

I only have a handful of plugins such as “Toggle wpautop” (disable automatic generation of paragraph tags), Google Sitemap Generator, Edit Author Slug, Disable REST API, and WP-Optimize for cleaning up my database. Plus, I built my own theme from scratch and did not have any security problems so far. So yeah, I’m up to date with ClassicPress and plugins. Plus, I don’t use wp_head() function that exposes ClassicPress version number along with the plugins.

Besides, I chose ClassicPress over WordPress for security over new features per update. Every update that adds a new feature increases the attack surface and I want to keep that to the minimum. Also, my website does not get a lot of traffic. I have a much greater presence on Twitter than on my blog when it comes to writing articles. This is my website I’m referring to:

Sure, if there are any security vulnerabilities within the Linux kernel that relate to Apache web server or my website, then I will update the kernel and restart the VPS server, but honestly, I don’t see stability being one of the reasons for keeping the Linux kernel up-to-date. So whenever a new kernel release comes out about 5 times a month, should I update the Linux kernel and restart my VPS server from time to time (after midnight in the east coast)?

1 Like

I would say yes. Kernel updates are important for security, and since it is exposed to the open net I would keep up to date. If this were an on [rem server for internal only then one might take a different tack.
You might want to look into Tux Care; they offer live kernel and application patching without reboots.

1 Like

Okay, thanks. And what’s that “[rem” you are referring to?

Actually, I’ll save $4/month and just update and reboot my VPS myself. Reboots are very quick so it shouldn’t take that long (less than 10 seconds). Plus, the service targets the enterprise and not individuals, so other than updating my system automatically, I don’t see what $4/month will get me.

Update: I’ve decided to write a script for /usr/local/bin/reboot-if-required:

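#!/bin/bash
# Reboot only when a package update has left the reboot-required flag behind.
# Absolute path: cron's default PATH may not include /sbin.
if [ -f /var/run/reboot-required ]; then /sbin/reboot; fi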

Then in crontab -e:

0 5 * * 0 /usr/local/bin/reboot-if-required

Is there a downside to doing that? As I mentioned before, the rebooting of the kernel does not take long.

1 Like
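On the downside question in the post above, an added example that is not part of the original posts: this variant records why it is rebooting and also notices a newer installed kernel when the flag file is absent. It assumes a Debian/Ubuntu VPS that boots its own kernel from /boot and has GNU sort; the function names and the --check/--apply flags are hypothetical.

```sh
#!/bin/sh
# Added example (not the poster's script). Paths are the Debian/Ubuntu ones
# from the thread; function names and the --check/--apply flags are made up here.

# Print the highest kernel version that has an image in boot dir $1.
newest_installed_kernel() {
    for img in "$1"/vmlinuz-*; do
        if [ -e "$img" ]; then echo "${img##*/vmlinuz-}"; fi
    done | sort -V | tail -n 1
}

# Print why a reboot is pending; print nothing when none is needed.
#   $1 = flag file   $2 = boot dir   $3 = running kernel (uname -r)
reboot_reason() {
    flag="$1"; running="$3"
    if [ -f "$flag" ]; then
        # <flag>.pkgs lists the packages that asked for the restart.
        if [ -s "$flag.pkgs" ]; then
            echo "flagged by: $(sort -u "$flag.pkgs" | paste -sd ' ' -)"
        else
            echo "flagged"
        fi
        return 0
    fi
    # No flag: still catch a newer installed kernel that is not the one running.
    newest="$(newest_installed_kernel "$2")"
    highest="$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)"
    if [ -n "$newest" ] && [ "$newest" != "$running" ] && [ "$highest" = "$newest" ]; then
        echo "running $running, newest installed $newest"
    fi
}

# --check only reports; --apply logs the reason to syslog and then reboots.
case "${1:-}" in
    --check|--apply)
        reason="$(reboot_reason /var/run/reboot-required /boot "$(uname -r)")"
        if [ -z "$reason" ]; then exit 0; fi
        echo "reboot pending: $reason"
        if [ "$1" = "--apply" ]; then
            logger -t reboot-if-required "rebooting: $reason"
            /sbin/reboot
        fi
        ;;
esac
```

Run with --check by hand to see what the weekly cron job would do; the crontab entry from the post would then call /usr/local/bin/reboot-if-required --apply.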

You’ve got it down. If it works it works.

1 Like