In line with the JeOS concept, security is handled in the cloud rather than on Ubuntu or inside WordPress.
CloudFlare has security features that protect both the server and WordPress well.
The firewall (AWS security groups) is available in your AWS control panel. Block every port and service that is not needed, and allow only the required IP addresses. In addition, CloudFlare provides some general and WordPress-specific security features.
The only ports that need to be open on the server are 443 for web traffic and 22 for administration. All other ports should be closed.
Port 443 should only be open to the IP ranges belonging to CloudFlare, plus the IP of your own PC if you choose not to use the VPN described below.
When you do use the VPN described below, connections to port 443 should be allowed only from CloudFlare's IP ranges.
Port 22 should only be open to the IP addresses of your own devices. Most of the time that is a single IP or a small IP range.
The resulting rule set:
- Port 11211 for ElastiCache – default security group
- Port 3306 (MySQL) for the Amazon database – default security group
- Port 443 incoming from the CloudFlare.com IP ranges only
- Port 443 outgoing to everything (0.0.0.0/0)
- Port 22 incoming and outgoing from your office IP address only
When you are out of the office, log in to http://AWS.Amazon.com and add your current IP to the firewall. Delete that rule again when you are back in the office.
The WordPress plugin Postman SMTP Mailer/Email Log uses OAuth 2.0 and sends mail over port 443. With this plugin there is no need to open additional outgoing ports (such as the SMTP ports 25, 465 or 587) in the AWS firewall.
If attackers do get control of the server, they often start their own servers and services and hope these can run undetected for a long time. Blocking all outgoing traffic except ports 22 and 443 makes it considerably harder to use the server unnoticed.
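The rule set above expressed as AWS CLI calls, added here as a worked example rather than code from the original page. The security group ids, the office address and the ~/.wp-away-ip marker file are assumptions; the CloudFlare IPv4 list is fetched from https://www.cloudflare.com/ips-v4 and the current public address for the out-of-office step from https://checkip.amazonaws.com. With DRY_RUN=1 (the default) the script only prints the commands it would run, so they can be reviewed before running it with DRY_RUN=0:

```shell
#!/bin/sh
# Added example (not from the original page): the security-group rule set as AWS CLI calls.
# All group ids and addresses below are assumed placeholders; DRY_RUN=1 only prints commands.
set -eu

SG_ID="${SG_ID:-sg-0123456789abcdef0}"      # assumed: the web server's own security group
DB_SG="${DB_SG:-sg-0000000000000db01}"      # assumed: group of the database (port 3306)
CACHE_SG="${CACHE_SG:-sg-0000000000000ca01}" # assumed: group of ElastiCache (port 11211)
OFFICE_IP="${OFFICE_IP:-203.0.113.10}"      # assumed office address (documentation range)
CF_IPV4_URL="https://www.cloudflare.com/ips-v4"   # CloudFlare's published IPv4 ranges
DRY_RUN="${DRY_RUN:-1}"
AWAY_FILE="${AWAY_FILE:-${HOME:-.}/.wp-away-ip}"  # remembers the IP added while out of office

# Print the command (dry run) or execute it
aws_cmd() {
  if [ "$DRY_RUN" = "1" ]; then printf 'aws %s\n' "$*"; else aws "$@"; fi
}

# A bare host address becomes a /32; a CIDR is passed through unchanged
to_cidr() { case "$1" in */*) printf '%s' "$1" ;; *) printf '%s/32' "$1" ;; esac; }

allow_in()  { aws_cmd ec2 authorize-security-group-ingress --group-id "$1" --protocol tcp --port "$2" --cidr "$(to_cidr "$3")"; }
revoke_in() { aws_cmd ec2 revoke-security-group-ingress --group-id "$1" --protocol tcp --port "$2" --cidr "$(to_cidr "$3")"; }
allow_out() { aws_cmd ec2 authorize-security-group-egress --group-id "$1" --protocol tcp --port "$2" --cidr "$(to_cidr "$3")"; }
# Egress to another security group (database, cache) instead of to a CIDR
allow_out_to_group() {
  aws_cmd ec2 authorize-security-group-egress --group-id "$1" --ip-permissions "IpProtocol=tcp,FromPort=$2,ToPort=$2,UserIdGroupPairs=[{GroupId=$3}]"
}

# Port 443 inbound from CloudFlare only: reads CIDRs, one per line, from stdin
allow_cloudflare_443() {
  while read -r cidr; do
    case "$cidr" in ''|'#'*) continue ;; esac
    allow_in "$SG_ID" 443 "$cidr"
  done
}

# Replace the default allow-all egress with 443 (web and OAuth mail), 22, and the DB/cache groups
restrict_egress() {
  aws_cmd ec2 revoke-security-group-egress --group-id "$SG_ID" --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]'
  allow_out "$SG_ID" 443 0.0.0.0/0
  allow_out "$SG_ID" 22 "$OFFICE_IP"
  allow_out_to_group "$SG_ID" 3306 "$DB_SG"
  allow_out_to_group "$SG_ID" 11211 "$CACHE_SG"
}

apply_baseline() {
  allow_in "$SG_ID" 22 "$OFFICE_IP"
  curl -fsS "$CF_IPV4_URL" | allow_cloudflare_443
  restrict_egress
}

# Out of office: allow the address you are on now; back in office: remove it again
away() {
  ip=$(curl -fsS https://checkip.amazonaws.com)
  allow_in "$SG_ID" 22 "$ip" && printf '%s\n' "$ip" > "$AWAY_FILE"
}
home() {
  [ -f "$AWAY_FILE" ] || { echo "no away address recorded" >&2; return 1; }
  revoke_in "$SG_ID" 22 "$(cat "$AWAY_FILE")" && rm -f "$AWAY_FILE"
}

case "${1:-}" in
  baseline) apply_baseline ;;
  away)     away ;;
  home)     home ;;
  *)        echo "usage: $0 baseline|away|home   (set DRY_RUN=0 to execute)" >&2 ;;
esac
```

One check worth making before relying on the egress rules: security group rules are additive across all groups attached to an instance, so if the web server is still a member of the default group with its allow-all outbound rule, the restrictions in this group do not limit outgoing traffic at all. List the instance's groups with `aws ec2 describe-instances --instance-ids <id> --query 'Reservations[].Instances[].SecurityGroups'` and keep only the groups you intend.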
You can bypass CloudFlare and connect directly to the WordPress admin panel on your server. Bypassing CloudFlare lets you apply even stricter security policy rules at CloudFlare. A good practice is to connect to WordPress directly on the server's IP by using the hosts file (which is why port 443 must then also be open for your own IP). We have made a list of useful tools that make managing the hosts file easier and faster.
Alternatively, you can connect directly to the WordPress admin panel through a VPN connection over SSH.
SSH can act as an excellent VPN server using SOCKS. When you need to reach the WordPress admin panel from a different IP, open port 22 for the IP you are on and access the admin pages through the SOCKS proxy. SOCKS is fast and easy to set up, and just as quick to enable and disable. The VPN provides secure access to the WordPress admin panel without going through CloudFlare's security systems. There is no software to install on the server, and none on your Mac or Windows PC. This is another example of the JeOS concept.
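Both bypass routes from the paragraphs above, the hosts-file override and the SSH SOCKS proxy, in one script, added here as an example and not taken from the original page. SERVER_IP, SITE, SSH_USER, the key path, the SOCKS port and the control-socket path are assumed placeholders:

```shell
#!/bin/sh
# Added example, not code from the original page: two ways to reach wp-admin without
# passing through CloudFlare. All addresses, names and paths below are assumptions.
set -eu

SERVER_IP="${SERVER_IP:-203.0.113.10}"    # assumed origin address (documentation range)
SITE="${SITE:-example.com}"               # assumed site name
SSH_USER="${SSH_USER:-ubuntu}"
KEY="${KEY:-${HOME:-.}/.ssh/wp-server.pem}"
SOCKS_PORT="${SOCKS_PORT:-1080}"
CTL="${CTL:-${HOME:-.}/.ssh/wp-socks.ctl}" # control socket, so the tunnel can be closed cleanly

# Dotted quad with every octet in 0-255 (subshell body keeps the IFS change local)
valid_ipv4() (
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  IFS=.
  set -- $1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
)

# Route 1, direct: pin $SITE to the origin in a hosts file, replacing any earlier entry
# for the same name. Needs port 443 open for your own IP in the security group.
#   hosts_set /etc/hosts 203.0.113.10 example.com   (as root)
hosts_set() {
  hf=$1; hip=$2; hname=$3
  valid_ipv4 "$hip" || { echo "not an IPv4 address: $hip" >&2; return 1; }
  esc=$(printf '%s' "$hname" | sed 's/\./\\./g')
  scratch=$(mktemp)
  {
    grep -vE "[[:space:]]$esc([[:space:]]|\$)" "$hf" || true
    printf '%s %s\n' "$hip" "$hname"
  } > "$scratch"
  cat "$scratch" > "$hf"   # cat rather than mv keeps the owner and mode of /etc/hosts
  rm -f "$scratch"
}
hosts_unset() {
  hf=$1; esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  scratch=$(mktemp)
  grep -vE "[[:space:]]$esc([[:space:]]|\$)" "$hf" > "$scratch" || true
  cat "$scratch" > "$hf"
  rm -f "$scratch"
}

# Route 2, SOCKS over SSH: -D opens a SOCKS5 listener on the laptop, -N runs no remote
# command, -f backgrounds it, -M/-S create a control socket that socks_down uses.
socks_up()   { ssh -M -S "$CTL" -f -N -D "127.0.0.1:$SOCKS_PORT" -i "$KEY" "$SSH_USER@$SERVER_IP"; }
socks_down() { ssh -S "$CTL" -O exit "$SSH_USER@$SERVER_IP"; }

# socks5h:// resolves the name on the server side. The request bypasses CloudFlare only
# if the server resolves $SITE to itself (for example "127.0.0.1 example.com" in the
# server's own /etc/hosts, an assumption here); otherwise it goes server -> CloudFlare -> server.
admin_via_socks() {
  curl -sS --proxy "socks5h://127.0.0.1:$SOCKS_PORT" -o /dev/null -w '%{http_code}\n' "https://$SITE/wp-admin/"
}
```

hosts_set validates the address and replaces any stale line for the same name, so a forgotten old entry cannot send you to the wrong origin; hosts_unset removes it when you are done. For the proxy route, open port 22 for your current address first, run socks_up, point the browser at SOCKS5 127.0.0.1:1080 with remote DNS enabled (or call admin_via_socks for a quick check that wp-admin answers), and run socks_down when finished.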