From 33bb4c35597e4bab298611b2e2dfc8ace5290d99 Mon Sep 17 00:00:00 2001 From: VirtuBox Date: Thu, 7 Nov 2019 12:22:15 +0100 Subject: [PATCH] Update wpcommon and fix incorrect config --- etc/nginx/common/wpcommon-php72.conf | 139 ++++++++++++++------- etc/nginx/common/wpcommon-php73.conf | 177 +++++++++++++++------------ 2 files changed, 192 insertions(+), 124 deletions(-) diff --git a/etc/nginx/common/wpcommon-php72.conf b/etc/nginx/common/wpcommon-php72.conf index afda8a7..237a906 100644 --- a/etc/nginx/common/wpcommon-php72.conf +++ b/etc/nginx/common/wpcommon-php72.conf @@ -1,43 +1,96 @@ -# WordPress COMMON SETTINGS -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Limit access to avoid brute force attack -location = /wp-login.php { - limit_req zone=one burst=1 nodelay; - include fastcgi_params; - fastcgi_pass php72; -} -# Disable wp-config.txt -location = /wp-config.txt { - deny all; - access_log off; - log_not_found off; -} -# webp rewrite rules for jpg and png images -# try to load alternative image.png.webp before image.png -location /wp-content/uploads { - location ~ \.(png|jpe?g)$ { - add_header Vary "Accept-Encoding"; - add_header "Access-Control-Allow-Origin" "*"; - add_header Cache-Control "public, no-transform"; - access_log off; - log_not_found off; - expires max; - try_files $uri$webp_suffix $uri =404; - } - location ~ \.php$ { -#Prevent Direct Access Of PHP Files From Web Browsers - deny all; - } -} -# Deny access to any files with a .php extension in the uploads directory -# Works in sub-directory installs and also in multisite network -# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) -location ~* /(?:uploads|files)/.*\.php$ { - deny all; -} -# mitigate DoS attack CVE with WordPress script concatenation -# add the following line to wp-config.php -# define( 'CONCATENATE_SCRIPTS', false ); -location ~ \/wp-admin\/load-(scripts|styles).php { - deny all; -} +# WordPress COMMON SETTINGS - WO v3.9.7 +# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE +# Limit access to avoid brute force attack +location = /wp-login.php { + limit_req zone=one burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php72; +} +# Prevent DoS attacks on wp-cron +location = /wp-cron.php { + limit_req zone=two burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php72; +} +# Prevent Dos attacks with xmlrpc.php +location = /xmlrpc.php { + limit_req zone=two burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php72; +} +# Disable wp-config.txt +location = /wp-config.txt { + deny all; + access_log off; + log_not_found off; +} +location = /robots.txt { +# Some WordPress plugin gererate robots.txt file +# Refer #340 issue + try_files $uri $uri/ /index.php?$args @robots; + access_log off; + log_not_found off; +} +# fallback for robots.txt with default wordpress rules +location @robots { + return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n"; +} +# webp rewrite rules for jpg and png images +# try to load alternative image.png.webp before image.png +location /wp-content/uploads { + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + more_set_headers 'Access-Control-Allow-Origin : *'; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } + location ~* \.(php|gz|log|zip|tar|rar)$ { + #Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers + deny all; + } +} +# webp rewrite rules for EWWW testing image +location /wp-content/plugins/ewww-image-optimizer/images { + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + more_set_headers 'Access-Control-Allow-Origin : *'; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } + location ~ \.php$ { +#Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } +} +# enable gzip on static assets - php files are forbidden +location /wp-content/cache { +# Cache css & js files + location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ { + more_set_headers 'Access-Control-Allow-Origin : *'; + access_log off; + log_not_found off; + expires 30d; + } + location ~ \.php$ { + #Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } +} +# Deny access to any files with a .php extension in the uploads directory +# Works in sub-directory installs and also in multisite network +# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) +location ~* /(?:uploads|files)/.*\.php$ { + deny all; +} +# mitigate DoS attack CVE with WordPress script concatenation +# add the following line to wp-config.php +# define( 'CONCATENATE_SCRIPTS', false ); +location ~ \/wp-admin\/load-(scripts|styles).php { + deny all; +} diff --git a/etc/nginx/common/wpcommon-php73.conf b/etc/nginx/common/wpcommon-php73.conf index 737dc5c..a4441b7 100644 --- a/etc/nginx/common/wpcommon-php73.conf +++ b/etc/nginx/common/wpcommon-php73.conf @@ -1,81 +1,96 @@ -# WordPress COMMON SETTINGS -# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee) -# Limit access to avoid brute force attack -location = /wp-login.php { - limit_req zone=one burst=1 nodelay; - include fastcgi_params; - fastcgi_pass php73; -} -# Disable wp-config.txt -location = /wp-config.txt { - deny all; - access_log off; - log_not_found off; -} -# webp rewrite rules for jpg and png images -# try to load alternative image.png.webp before image.png -location /wp-content/uploads { - location ~ \.(png|jpe?g)$ { - add_header Vary "Accept-Encoding"; - add_header "Access-Control-Allow-Origin" "*"; - add_header Cache-Control "public, no-transform"; - access_log off; - log_not_found off; - expires max; - try_files $uri$webp_suffix $uri =404; - } - location ~ \.php$ { -#Prevent Direct Access Of PHP Files From Web Browsers - deny all; - } -} -# Deny access to any files with a .php extension in the uploads directory -# Works in sub-directory installs and also in multisite network -# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) -location ~* /(?:uploads|files)/.*\.php$ { - deny all; -} -# mitigate DoS attack CVE with WordPress script concatenation -# add the following line to wp-config.php -# define( 'CONCATENATE_SCRIPTS', false ); -location ~ \/wp-admin\/load-(scripts|styles).php { - deny all; -} - -location "=/wp-config\.(php|txt)" { - -location ~* wp-config.php { deny all; } - - location ~* "^/wp-content/uploads/.*\\.php" { deny all; } - location ~* "^/wp-includes/(?!js/tinymce/wp-tinymce\\.php$).*\\.php" { - deny all; - } - location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; } - - location ~* ".*/cache/.*\\.ph(?:p[345]?|t|tml)" { - access_log off; - log_not_found off; - deny all; - } - - if ($query_string ~ "author=\d+") { - return 403; - } - - location ~* "(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html))" { - return 403; - } - - location ~* ".*\\.(psd|log|cmd|exe|bat|csh|sh)" { - return 403; - } - - location ~* /\.ht { - deny all; - } - - if ($http_user_agent ~* "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)") { - return 403; - } - - #extension wp-toolkit end +# WordPress COMMON SETTINGS - WO v3.9.7 +# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE +# Limit access to avoid brute force attack +location = /wp-login.php { + limit_req zone=one burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php73; +} +# Prevent DoS attacks on wp-cron +location = /wp-cron.php { + limit_req zone=two burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php73; +} +# Prevent Dos attacks with xmlrpc.php +location = /xmlrpc.php { + limit_req zone=two burst=1 nodelay; + include fastcgi_params; + fastcgi_pass php73; +} +# Disable wp-config.txt +location = /wp-config.txt { + deny all; + access_log off; + log_not_found off; +} +location = /robots.txt { +# Some WordPress plugin gererate robots.txt file +# Refer #340 issue + try_files $uri $uri/ /index.php?$args @robots; + access_log off; + log_not_found off; +} +# fallback for robots.txt with default wordpress rules +location @robots { + return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n"; +} +# webp rewrite rules for jpg and png images +# try to load alternative image.png.webp before image.png +location /wp-content/uploads { + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + more_set_headers 'Access-Control-Allow-Origin : *'; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } + location ~* \.(php|gz|log|zip|tar|rar)$ { + #Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers + deny all; + } +} +# webp rewrite rules for EWWW testing image +location /wp-content/plugins/ewww-image-optimizer/images { + location ~ \.(png|jpe?g)$ { + add_header Vary "Accept-Encoding"; + more_set_headers 'Access-Control-Allow-Origin : *'; + add_header Cache-Control "public, no-transform"; + access_log off; + log_not_found off; + expires max; + try_files $uri$webp_suffix $uri =404; + } + location ~ \.php$ { +#Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } +} +# enable gzip on static assets - php files are forbidden +location /wp-content/cache { +# Cache css & js files + location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ { + more_set_headers 'Access-Control-Allow-Origin : *'; + access_log off; + log_not_found off; + expires 30d; + } + location ~ \.php$ { + #Prevent Direct Access Of PHP Files From Web Browsers + deny all; + } +} +# Deny access to any files with a .php extension in the uploads directory +# Works in sub-directory installs and also in multisite network +# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) +location ~* /(?:uploads|files)/.*\.php$ { + deny all; +} +# mitigate DoS attack CVE with WordPress script concatenation +# add the following line to wp-config.php +# define( 'CONCATENATE_SCRIPTS', false ); +location ~ \/wp-admin\/load-(scripts|styles).php { + deny all; +}