Securing Redis is crucial to protect your data. In this guide, we’ll walk you through how to enable password protection, set up Redis Access Control Lists (ACLs), and apply these security measures to your WordPress website’s Redis Object Cache. 

Why Securing Redis Is Important

By default, Redis does not have any authentication.

Because of this, securing Redis with a password and ACLs (Redis Access Control Lists) is how you can:

  1. Prevent unauthorized access to your Redis data
  2. Protect sensitive information in your Redis instance
  3. Ensure only authorized clients can execute specific commands

Note: Redis Object Caching and Full-Page Caching are separate. Redis authentication does not work for Full-Page Caching. In this guide, we focus on Redis Object Caching – the most useful and widely-used form of caching for high-traffic websites on RunCloud. We recommend securing your Redis Object Cache using the methods outlined here for production use if you use more than one web application per server and wish to take additional measures to reduce the risk of one site being able to affect other sites on your server. That said, the default (out-of-the-box) setup is suitable and carries no considerable risk where one business runs multiple related sites on a single server.

Methods To Secure Redis

There are two primary methods you can use to secure Redis:

Method 1 – Redis Password

This method involves setting a global password that any client must provide before accessing the Redis instance.

Suitable for: A single-site setup (one site per server) where straightforward security mechanisms are sufficient.

Advantages:

  • Easy to implement: Just set a single password in the redis.conf file.
  • Provides a basic level of security: This method implements a basic level of protection suitable for less complex environments.

Disadvantages:

  • A single password: All clients use the same password, which could be a security risk in the event that it is compromised.
  • Limited granularity: You can’t specify different permissions for different users.

Method 2 – Redis ACLs

Redis ACLs allow for more granular control by defining multiple users with different permissions.

Suitable for: Multiple websites per server, or environments where different applications share the same Redis instance and require distinct access controls.

Advantages:

  • Granular control: Define multiple users with different passwords and permissions.
  • Role-based access control: Assign specific commands and key access to different users.
  • Enhanced security: Provides a higher level of security suitable for complex environments.

Disadvantages:

  • Complex to configure: Requires more upfront effort.
  • Management overhead: Managing multiple users and permissions can be more complex.

Prerequisites – Before Getting Started

Before you make any changes to your Redis configuration, disable Redis Object Caching for all web applications running on that server.

This will prevent temporary configuration changes from resulting in your web applications being unable to establish a connection with Redis.

#1 – Securing Redis With ‘requirepass’

Enable the ‘requirepass’ directive

To secure Redis using ‘requirepass’ (enabling you to set a password), simply locate the Redis configuration file.

Note: By default, your Redis configuration file will be located in: /etc/redis/redis.conf

Run the following command to check the existing value:

sudo grep requirepass /etc/redis/redis.conf

If the line in the output starts with a #, the directive is commented out, which means it is disabled. To set the new password, run the following command, but first, make sure to replace your_secure_password with what you want to set your password to. The command matches the stock line # requirepass foobared, so it has no effect if that line was edited before.

sudo sed -i 's/# requirepass foobared/requirepass your_secure_password/g' /etc/redis/redis.conf

Once you’ve done this, you can verify your changes by running the following grep command once again:

sudo grep requirepass /etc/redis/redis.conf

If you now see requirepass followed by the password you wanted to set, you need to restart Redis for the changes to take effect.

You can do this by running the following command:

sudo systemctl restart redis-server

Test the Redis Password

To verify that the password has been set correctly, connect to the Redis CLI:

redis-cli

Then authenticate using the password:

AUTH your_secure_password

And finally, run the ping command:

PING

If authenticated, you should see the following response:

PONG

You can exit the redis-cli by typing exit and hitting ‘Enter’.

#2 – How To Secure Redis using Access Control Lists

For more granular control, we recommend using Redis ACLs.

Note: Redis ACL requires the requirepass to be set up first. So carry out all of the steps defined in #1 – Securing Redis with ‘requirepass’ before proceeding below with #2 – How To Secure Redis using Access Control Lists. #2 is an optional extra step you can use to secure Redis even further, but method #1 and #3 are required.

Now that you’ve set a password for Redis in your configuration file, if you wish to also protect Redis with Access Control Lists (ideal if you run multiple web applications per server), you’ll need to add ACL users.

You can do so by opening the redis.conf file and adding each entry by hand:

sudo nano /etc/redis/redis.conf

Add ACL users with the following syntax:

user webappname1 on ~webappnameprefix1:* +@all >wp_secure_password1

Adding this to your configuration creates a Redis user webappname1 with the password wp_secure_password1 that will have access to keys matching ~webappnameprefix1:*.

A faster way of editing the redis.conf file is the command below (again replacing the arguments webappname1, wp_secure_password1, and ~webappnameprefix1:*). The line is piped through sudo tee because a plain >> redirect runs without root privileges.

echo "user webappname1 on ~webappnameprefix1:* +@all >wp_secure_password1" | sudo tee -a /etc/redis/redis.conf > /dev/null

Once you have created the users, you can verify it by running the following command:

sudo grep "+@all >" /etc/redis/redis.conf

The output should contain one line for each user you added, for example two lines if you created the users webappname1 and webappname2.

Related: If you want to learn how to edit files manually (or go back and change the password in the future), you can read our post on how to edit files via Nano over SSH.
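One way to script the step of adding ACL users, shown as an added example that is not RunCloud's own tooling: it rejects malformed names, refuses to define a user twice, and goes beyond the syntax above by storing the password as the #<sha256> form that Redis ACL rules accept in place of >plaintext. The function names, the scratch file and the sample password are assumptions; run it as root when pointing it at /etc/redis/redis.conf.

```shell
#!/bin/sh
# Added example (not RunCloud's code): append a per-site ACL user safely.
# All names and passwords used with it are placeholders.

# acl_line NAME PREFIX PASSWORD
# Prints: user NAME on ~PREFIX:* +@all #<sha256 of PASSWORD>
acl_line() {
  # ACL rules in redis.conf are separated by spaces, so refuse any value
  # that could split the line or widen the key pattern.
  case $1 in ''|*[!A-Za-z0-9_-]*) echo "invalid user name" >&2; return 2 ;; esac
  case $2 in ''|*[!A-Za-z0-9_-]*) echo "invalid key prefix" >&2; return 2 ;; esac
  [ -n "$3" ] || { echo "password must not be empty" >&2; return 2; }
  # Redis accepts "#<hex>" as the SHA-256 of a valid password, which keeps
  # the plaintext out of the config file; clients still send the plaintext.
  printf 'user %s on ~%s:* +@all #%s\n' "$1" "$2" \
    "$(printf '%s' "$3" | sha256sum | cut -d' ' -f1)"
}

# add_acl_user CONF NAME PREFIX PASSWORD
# Appends the line unless NAME is already defined (returns 1 in that case).
add_acl_user() {
  line=$(acl_line "$2" "$3" "$4") || return 2
  if grep -Eq "^[[:space:]]*user[[:space:]]+$2([[:space:]]|\$)" "$1"; then
    echo "user $2 is already defined in $1" >&2; return 1
  fi
  printf '%s\n' "$line" >> "$1"
}

# Demonstration on a scratch file instead of /etc/redis/redis.conf.
demo_conf=$(mktemp)
add_acl_user "$demo_conf" webappname1 webappnameprefix1 'constructed-Passw0rd'
cat "$demo_conf"; rm -f "$demo_conf"
```

The WordPress configuration still uses the plaintext password, because only the server-side copy is hashed.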

#3 – Restart Redis

After changing the configuration file, you will need to restart the Redis server again using the following command:

sudo systemctl restart redis-server

#4 – Test Redis ACL setup

Connect with Redis CLI:

redis-cli

Then authenticate with the ACL user you created:

AUTH webappname1 wp_secure_password1

And finally, run the ping command:

PING

If authenticated, you should see PONG.
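A static review of the configuration file complements the live AUTH and PING test. The following added example (not part of the original guide; the function names and sample lines are constructed) flags a missing requirepass, users without a password or key pattern, key patterns shared between users, and +@all rules that still allow keyless commands.

```shell
#!/bin/sh
# Added example (not RunCloud's code): review a redis.conf for the password
# and ACL settings described in this guide.

# audit_redis_conf FILE -> one finding per line; prints nothing if clean.
audit_redis_conf() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    $1 == "requirepass" {
      seen_pass = 1
      if ($2 == "foobared") print "requirepass: still the sample value foobared"
      next
    }
    $1 == "user" {
      name = $2; on = 0; pw = 0; keys = 0; all = 0
      for (i = 3; i <= NF; i++) {           # Redis applies rules left to right
        r = $i
        if (r == "on") on = 1
        else if (r == "off") on = 0
        else if (r ~ /^[>#]/) pw = 1
        else if (r == "nopass") { pw = 1; print "user " name ": nopass accepts any password" }
        else if (r == "+@all" || r == "allcommands") all = 1
        else if (r == "-@dangerous") all = 0
        else if (r == "~*" || r == "allkeys") { keys = 1; print "user " name ": can access every key" }
        else if (r ~ /^[~%]/) {
          keys = 1
          if (r in owner) print "user " name ": shares key pattern " r " with " owner[r]
          else owner[r] = name
        }
      }
      if (!on)   print "user " name ": not enabled (no on rule)"
      if (!pw)   print "user " name ": no password rule"
      if (!keys) print "user " name ": no key pattern (a missing ~ is a common typo)"
      if (all)   print "user " name ": +@all also grants keyless commands such as FLUSHALL and CONFIG"
    }
    END { if (!seen_pass) print "requirepass: not set" }
  ' "$1"
}

# Constructed sample input, not taken from a real server.
sample_conf() {
  cat <<'EOF'
# requirepass foobared
user webappname1 on ~webappnameprefix1:* +@all -@dangerous >constructed_pw_1
user webappname2 on webappnameprefix2:* +@all >constructed_pw_2
user webappname3 on ~webappnameprefix1:* +@all -@dangerous nopass
EOF
}
tmp=$(mktemp); sample_conf > "$tmp"; audit_redis_conf "$tmp"; rm -f "$tmp"
```

Removing @dangerous also removes FLUSHDB and INFO, so check which commands your cache plugin calls before tightening a +@all rule.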

Applying The New Configuration to Your WordPress Websites

In this final step, we’ll ensure that your WordPress websites are able to communicate with Redis now that you’ve applied additional layers of security to prevent unauthorized access.

RunCloud Hub Redis Object Cache

This guide is applicable when you use the Redis Object Cache feature from RunCloud Hub.

After you add a password to your Redis instance, Redis Object Caching implemented using RunCloud Hub will stop working, as Redis needs to be reconnected.

Option 1: Apply Redis Password

To configure RunCloud Hub’s Redis caching for WordPress using a Redis password, add the following lines to your wp-config.php file:

define('RCWP_REDIS_PASSWORD', 'your_secure_password');

Once it is configured correctly, you can verify it from your RunCloud Hub Settings page in the WordPress dashboard.

Option 2: Apply Redis ACL

To configure RunCloud Hub’s Redis caching for your WordPress website using ACLs, add the following lines to your wp-config.php file:

define('RCWP_REDIS_PASSWORD', ['webappname1', 'wp_secure_password1']);
define('RCWP_REDIS_DOMAIN', 'webappnameprefix1');

LS Cache on Redis

If you are using OpenLiteSpeed server on RunCloud, then you can take advantage of LS Cache functionality to speed up your website without any additional effort.

However, if you wish to use Redis Object caching with ACL, then you need to enter your username and password in your app settings. Start by editing your wp-config.php file using RunCloud file manager and add the following code snippet:

define('LSOC_PREFIX', 'webappnameprefix:');

In the above code snippet, make sure to replace the webappnameprefix with the prefix that you defined in the previous step. Once you have added the value, you can save the configuration file and close the file editor.

Next, you need to log into your WordPress dashboard and navigate to the Object Cache page of the LiteSpeed Cache settings. On this page, you need to turn on the caching functionality and select Redis.

After that, you need to fill in a few fields with the provided values:

  • Host: 127.0.0.1
  • Port: 6379
  • Username: Enter the username that you configured in the previous step
  • Password: Enter the password corresponding to the username

Finally, scroll to the bottom of the page and click Save to save the changes on your website. Now when you refresh this page, you should see “Connection Test: Passed” in the status box.

Redis Object Cache WordPress Plugin

This guide is only applicable when you use the Redis Object Cache WordPress Plugin https://wordpress.org/plugins/redis-cache/ 

Option 1: Apply Redis Password

To configure the Redis Object Cache plugin for WordPress using a Redis password, add the following lines to your wp-config.php file:

define('WP_REDIS_PASSWORD', 'your_secure_password');

Option 2: Apply Redis ACL

To configure the Redis Object Cache plugin for your WordPress website using ACLs, add the following lines to your wp-config.php file.

define('WP_REDIS_PASSWORD', ['webappname', 'webapp_secure_password']);
define('WP_REDIS_PREFIX', 'webappnameprefix:');

Clear Redis Object Cache From Terminal

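If you run into any issues after applying the above configuration, make sure you clear your Redis Object Cache using your Redis password from the terminal. FLUSHALL removes every key in the Redis instance, so this clears the cache for all sites on the server. This can be done using the following command: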

redis-cli -a your_secure_password FLUSHALL

Summary

By setting up both a global password and Redis ACLs, you enhance the security of your Redis instance and ensure that only authorized users and applications have access.

Applying these settings to your WordPress Redis Object Cache ensures your site runs securely and efficiently.

For further reading, consult the Redis documentation:

If you run into any issues, please feel free to get in touch with our support team – we’re here to help.