I already know everything I should do, but most of the guides out there just state that opening port 80 is very risky.

What are those risks, in practice?

I would use WAMP and WordPress, do they have some built-in security features?

I am using a strong password, and I'm not worried about the site being offline if I can fix it. I would be worried about leaks from my computer or my home network. Also, I use an ISP modem, if that's useful information.

1

1 Answer

Most of the guides out there just state that opening port 80 is very risky. What are those risks, in practice?

The essential "risk" is that your computer is accepting arbitrary incoming requests from machines that aren't under your control. The danger is that those requests could be harmful or malicious in some way. In the broadest terms, those requests could:

  • Be used to install malicious software generally (on your server or on other devices on your network).

  • Allow devices on your network to engage in online behavior they may not otherwise. This can have larger repercussions including, in some rare cases, serious legal issues.

  • Allow personal information on your network to be accessed/removed/encrypted/destroyed.

  • Allow someone to spy on you in real time (depending on a number of factors).

If you are on a broadband connection, you get these kinds of requests all the time. However, they are mostly discarded by your firewall(s) or other security software.

When you open port 80 with an active server attempting to process these requests, you become reliant on that software to protect you (which it may not always do).

I would use WAMP and WordPress, do they have some built-in security features?

WAMP

WAMP itself is a front-end for Apache, MySQL and PHP, which are normally separate pieces of software. Therefore, it doesn't have "security features" as such.

Instead, each of these programs can be (relatively) secure depending on how they are individually configured. As a caveat, using WAMP may not provide the best security configurations for a public-facing web server (as it is designed more for development/ease of use). However, if you know nothing about web security, WAMP may offer better configurations than if you set things up yourself.

This is a long way of saying that the security of your server depends as much on your own knowledge as the software you use (whether using WAMP or installing each program individually). You can tweak each piece of software in WAMP to be more secure, and I would highly recommend that you do this, but you may have to put some effort into understanding the security concerns surrounding each program individually.

WordPress

WordPress is popular so it tries to be as secure as possible, generally speaking. It gets security updates on a regular basis, which is good... but it is also popular — which means that it attracts a lot of people consistently trying to break that security.

The other drawback to WordPress is that it's arguably a bit complex. This can make it harder to work with overall and harder to secure specifically. This isn't to say there is anything inherently wrong with running WordPress, but I would suggest you keep a sharp eye on your Apache server logs and any logs that WordPress provides if you do.

I am using a strong password.

Be aware that this isn't always how your server may be compromised. There can be security issues unrelated to your password directly that can allow a malicious actor to gain enough privileges on a system to create undesirable outcomes.

I am worried about leaks from my computer or my home network.

Unfortunately, this would be a possibility, depending on the software you are running. How strong of a possibility is likely a different matter, but it would be a non-zero chance in any case.


Thoughts

Despite what it may sound like, I would say that running a minimal-traffic web server from a residential connection isn't inherently that unsafe. It may not be as safe as, for instance, using an online web host... but you aren't likely to be hacked the moment you open port 80, either.

If I were to make any suggestions, I would say make it a point to (at least minimally) study up on general web server security and why certain software configurations are recommended. Don't take it for granted that WAMP (or anyone else) is providing an adequate "out-of-the-box" security solution.

Also, check your server logs regularly (especially Apache), regardless of what software you run. This will give you a better appreciation for how many potential intrusions are actually being thwarted, a better idea of what's happening with your server generally and what you may need to keep an eye on to secure things in the future.

Finally, though it may sound counterintuitive, I would definitely suggest NOT putting your web server under the "DMZ" settings of your router (assuming there are any). This type of option often opens the server to all kinds of malicious traffic for which it may not be prepared. In short, it's likely a good way to get the server hacked/trashed ASAP.

Rather than using any "DMZ" settings, simply forward port 80 (and port 443, assuming you're using SSL) to your web server as normal and allow any firewall(s) in place on your network to do their job.

2
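The answer's advice to check the Apache logs regularly can be partly automated. The following is an added example, not part of the original answer: a small reviewer for an Apache access log in the standard "combined" format that flags repeated POSTs to the WordPress login endpoints, requests for files a normal visitor never asks for, and bursts of 404s. The function name, thresholds, path list and sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" LogFormat: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Paths a normal visitor of a WordPress site has no reason to request (assumed list).
SENSITIVE = re.compile(r'(wp-config\.php|\.env|\.git/|phpmyadmin|\.sql|\.bak)', re.I)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def review(lines, login_threshold=5, notfound_threshold=10):
    """Return {ip: [reasons]} for clients whose requests deserve a closer look."""
    logins, notfound = Counter(), Counter()
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if method == "POST" and path.split("?")[0] in LOGIN_PATHS:
            logins[ip] += 1  # counts attempts, whether or not they succeeded
        if status == 404:
            notfound[ip] += 1
        if SENSITIVE.search(path):
            findings[ip].append(f"sensitive path {path} -> {status}")
    for ip, n in logins.items():
        if n >= login_threshold:
            findings[ip].append(f"{n} POSTs to login endpoints")
    for ip, n in notfound.items():
        if n >= notfound_threshold:
            findings[ip].append(f"{n} requests answered 404")
    return dict(findings)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [10/Mar/2024:04:12:0%d +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"' % i
    for i in range(6)
] + [
    '203.0.113.9 - - [10/Mar/2024:05:00:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "curl/8.0"',
    '192.0.2.44 - - [10/Mar/2024:09:30:11 +0000] "GET /hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in review(SAMPLE).items():
        print(ip, "; ".join(reasons))
```

To use it on a real server, pass the open access log file to `review()` in place of `SAMPLE`; a sensitive path that was answered with 200 rather than 404 is the finding to look at first.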
