1

On the near future I will have a WordPress blog, public and visible to anyone, that has a members area. This members area accesses some private data on a special database with financial data, so this kind of info should only be viewable to customers of the site.

The private site will be running inside a VPN on a business LAN and a little server, and I wonder if hosting that private part together with the public site would be a good idea.

In fact, due to WordPress vulnerabilities (it is a desired target right now) I think that if an attacker gains access to the WP site and that's inside the VPN, then he would be able to attack "from inside" and eventually he could even access to the private site and its data.

Wouldn't it be more appropiate to have the public site outside, on a VPS for example? The members area would be accessed through a secure protocol (HTPPS), and I wonder if there are some recommendations on this subject.

javipas
  • 1,332
  • 3
  • 23
  • 38

2 Answers2

0

Yes a typical configuration would be to have your public website on a separate server which is on the public internet. If it needs any data from your private database you'd setup a NAT that would do mapping for a single port, only to the IP your website runs on.

You can also take it a step further, and have your public internet device just do reverse proxy to a web server that is on a private or semi-private network.

Jeremy
  • 338
  • 2
  • 12
  • Thanks for the comment, could you recommend some tutorial or link to implement the reverse proxy solution? The private server is based on Windows, but the public site will be a WordPress blog hosted on a VPS with Linux (probably, Debian 6). – javipas May 20 '12 at 08:53
  • This tutorial talks about how to setup using NAT using iptables http://www.karlrupp.net/en/computer/nat_tutorial. The device that hosts the NAT, would have to be connected to both the internet and the private network. If you setup a private network connection on the Wordpress server you'd sort of defeat the whole purpose. – Jeremy May 21 '12 at 01:58
0

The first question is whether the public and private sites actually have to be run together. Ideally they would be run separately, with the public site on an external server and the private site on a server in the LAN.

If they have to be run on the same server then the risk of the private data being compromised is the same regardless of whether it is hosted externally or internally. The question is whether the compromised server can be used to access data and systems unrelated to the site. In order to protect against this you want to host the server in a DMZ if you host it internally.

mgorven
  • 30,615
  • 7
  • 79
  • 122
  • The private server is currently up and running in a DMZ, but the public site is a work in progress. They don't have to be on the same machine, so I guess I will host the public part outside the VPN, thanks. – javipas May 20 '12 at 08:53