Which ports should I block on my WordPress website?

Hi, I’m making a WordPress Site.

After a security scan I’ve noticed I have like 11 open ports which I don’t understand much about, apparently some are Email ports & some are for HTTP, HTTPS, and some other stuff.

  1. I’m not sure which ports should I keep open or which should I request to close.
  2. If I have a valid SSL and I redirect everyone from HTTP to HTTPS, why shouldn’t I completely block Port 80 to enhance security?

Thank you for your time.

Please specify which ports they are. Else we won’t be able to help.

You shouldn’t, because people that visit the site using http:// won’t get redirected to https:// and they wouldn’t be able to even connect to your server.

Hope it helps!

2 Likes

It really depends on what services you need to be publicly accessible. If you are just running a web server, you only need ports 80 and 443 to serve requests to visitors. If you use FTP to manage your files, you will need to be able to reach its ports as well. You won’t be able to do that using any hostnames that are :orange: proxied through Cloudflare.

Wikipedia has a decent list of port assignments and IANA publishes their list of registered port assignments. Your list has two ports that don’t appear on either. One can make an educated guess about 2525, as it is often used as an alternate SMTP port.

1 Like

May I ask if you have done it over a HTTP(S) or IP address? :thinking:

You can block any unused, compatible & supported port over a proxied :orange: hostname using an expression for a Firewall Rule at Cloudflare from below. I only keep the access to over the 80 and 443 ports, others like 2083 (and more which the scanner might show to you) are and will show as “open” at Cloudflare proxied :orange: by default even if we “block” them via Firewall Rule.

In case you’re interested, you can block access to them, for example when someone tries to open the hostname:port in the URL address bar from their Web browser.

It should look like this in your Firewall rule (you can remove the hostname and leave only the second part):

  • (http.host contains "example.com" and not cf.edge.server_port in {80 443})

  • or go with (not cf.edge.server_port in {80 443}) with action “Block”

Full list of compatible & supported ports with the Cloudflare proxy :orange: mode can be found at the link from below:

Otherwise, if you’ve scanned your IP, then that’s the other thing and you should either contact your hosting provider to check this and secure them, else you’d have to implement some firewall at your origin host/server.

Nevertheless, you can use cloudflared tunnel and lock your web server only to Cloudflare IPs, but be cautious with it.

Else, Cloudflare Spectrum could help you.

Just for an addition, even if you have cPanel hosting with the AutoSSL, you’d have to keep it open with some other tricks to make sure your SSL certificate gets renewed as it should normally while using a proxied :orange: hostname.

2 Likes
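Added example, not code from the thread or from Cloudflare: a small Python triage script that applies the distinction made in the post above between a scan of the proxied hostname and a scan of the origin IP, and mirrors the `(not cf.edge.server_port in {80 443})` Block rule. The nmap-style scan line and its port/service pairs are constructed sample data; the two Cloudflare port sets are the HTTP and HTTPS ports Cloudflare publishes as proxied, and treating them as complete is an assumption to re-check against Cloudflare's current docs.

```python
import re

# HTTP/HTTPS ports the Cloudflare proxy answers on for a proxied hostname
# (from Cloudflare's published list; assumed complete for this example).
# A scanner sees these as "open" on the hostname regardless of the origin.
CF_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}
# The only ports the post keeps reachable at the edge.
EDGE_ALLOWED = {80, 443}

# nmap -oG port entries look like: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/open/tcp//([^/]*)/")


def parse_open_ports(nmap_grepable: str) -> list[tuple[int, str]]:
    """Return (port, service) pairs for every open TCP port in one -oG line."""
    return [(int(p), svc or "unknown") for p, svc in PORT_RE.findall(nmap_grepable)]


def edge_rule_blocks(port: int) -> bool:
    """Same decision as the firewall rule: (not cf.edge.server_port in {80 443})."""
    return port not in EDGE_ALLOWED


def classify(port: int, service: str, scanned_via_proxy: bool) -> str:
    """Say where an 'open' finding has to be handled: at the edge or at the origin."""
    if scanned_via_proxy:
        if port in CF_HTTP_PORTS | CF_HTTPS_PORTS:
            if edge_rule_blocks(port):
                return "proxied port: blocked at the edge by the firewall rule"
            return "web port: kept open at the edge"
        return "unexpected: not a Cloudflare proxy port (is the hostname really proxied?)"
    if port in EDGE_ALLOWED:
        return "web port: allow only Cloudflare IP ranges at the origin firewall"
    return f"origin service '{service}': close it or firewall it at the host"


def triage(nmap_grepable: str, scanned_via_proxy: bool) -> dict[int, str]:
    return {p: classify(p, s, scanned_via_proxy) for p, s in parse_open_ports(nmap_grepable)}


# Constructed sample scan line (origin IP from the documentation range).
SAMPLE = ("Host: 203.0.113.10 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
          "80/open/tcp//http///, 443/open/tcp//https///, 2083/open/tcp//cpanel-ssl///, "
          "2525/open/tcp////")

if __name__ == "__main__":
    for scanned_via_proxy in (True, False):
        print("scan of", "proxied hostname" if scanned_via_proxy else "origin IP")
        for port, verdict in triage(SAMPLE, scanned_via_proxy).items():
            print(f"  {port:>5}  {verdict}")
```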
