Update wpcommon and fix incorrect config
This commit is contained in:
parent
bc249cbc48
commit
33bb4c3559
|
@ -1,43 +1,96 @@
|
||||||
# WordPress COMMON SETTINGS
|
# WordPress COMMON SETTINGS - WO v3.9.7
|
||||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
|
||||||
# Limit access to avoid brute force attack
|
# Limit access to avoid brute force attack
|
||||||
location = /wp-login.php {
|
location = /wp-login.php {
|
||||||
limit_req zone=one burst=1 nodelay;
|
limit_req zone=one burst=1 nodelay;
|
||||||
include fastcgi_params;
|
include fastcgi_params;
|
||||||
fastcgi_pass php72;
|
fastcgi_pass php72;
|
||||||
}
|
}
|
||||||
# Disable wp-config.txt
|
# Prevent DoS attacks on wp-cron
|
||||||
location = /wp-config.txt {
|
location = /wp-cron.php {
|
||||||
deny all;
|
limit_req zone=two burst=1 nodelay;
|
||||||
access_log off;
|
include fastcgi_params;
|
||||||
log_not_found off;
|
fastcgi_pass php72;
|
||||||
}
|
}
|
||||||
# webp rewrite rules for jpg and png images
|
# Prevent Dos attacks with xmlrpc.php
|
||||||
# try to load alternative image.png.webp before image.png
|
location = /xmlrpc.php {
|
||||||
location /wp-content/uploads {
|
limit_req zone=two burst=1 nodelay;
|
||||||
location ~ \.(png|jpe?g)$ {
|
include fastcgi_params;
|
||||||
add_header Vary "Accept-Encoding";
|
fastcgi_pass php72;
|
||||||
add_header "Access-Control-Allow-Origin" "*";
|
}
|
||||||
add_header Cache-Control "public, no-transform";
|
# Disable wp-config.txt
|
||||||
access_log off;
|
location = /wp-config.txt {
|
||||||
log_not_found off;
|
deny all;
|
||||||
expires max;
|
access_log off;
|
||||||
try_files $uri$webp_suffix $uri =404;
|
log_not_found off;
|
||||||
}
|
}
|
||||||
location ~ \.php$ {
|
location = /robots.txt {
|
||||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
# Some WordPress plugin gererate robots.txt file
|
||||||
deny all;
|
# Refer #340 issue
|
||||||
}
|
try_files $uri $uri/ /index.php?$args @robots;
|
||||||
}
|
access_log off;
|
||||||
# Deny access to any files with a .php extension in the uploads directory
|
log_not_found off;
|
||||||
# Works in sub-directory installs and also in multisite network
|
}
|
||||||
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
# fallback for robots.txt with default wordpress rules
|
||||||
location ~* /(?:uploads|files)/.*\.php$ {
|
location @robots {
|
||||||
deny all;
|
return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
|
||||||
}
|
}
|
||||||
# mitigate DoS attack CVE with WordPress script concatenation
|
# webp rewrite rules for jpg and png images
|
||||||
# add the following line to wp-config.php
|
# try to load alternative image.png.webp before image.png
|
||||||
# define( 'CONCATENATE_SCRIPTS', false );
|
location /wp-content/uploads {
|
||||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
location ~ \.(png|jpe?g)$ {
|
||||||
deny all;
|
add_header Vary "Accept-Encoding";
|
||||||
}
|
more_set_headers 'Access-Control-Allow-Origin : *';
|
||||||
|
add_header Cache-Control "public, no-transform";
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
expires max;
|
||||||
|
try_files $uri$webp_suffix $uri =404;
|
||||||
|
}
|
||||||
|
location ~* \.(php|gz|log|zip|tar|rar)$ {
|
||||||
|
#Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# webp rewrite rules for EWWW testing image
|
||||||
|
location /wp-content/plugins/ewww-image-optimizer/images {
|
||||||
|
location ~ \.(png|jpe?g)$ {
|
||||||
|
add_header Vary "Accept-Encoding";
|
||||||
|
more_set_headers 'Access-Control-Allow-Origin : *';
|
||||||
|
add_header Cache-Control "public, no-transform";
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
expires max;
|
||||||
|
try_files $uri$webp_suffix $uri =404;
|
||||||
|
}
|
||||||
|
location ~ \.php$ {
|
||||||
|
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# enable gzip on static assets - php files are forbidden
|
||||||
|
location /wp-content/cache {
|
||||||
|
# Cache css & js files
|
||||||
|
location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
|
||||||
|
more_set_headers 'Access-Control-Allow-Origin : *';
|
||||||
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
|
expires 30d;
|
||||||
|
}
|
||||||
|
location ~ \.php$ {
|
||||||
|
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# Deny access to any files with a .php extension in the uploads directory
|
||||||
|
# Works in sub-directory installs and also in multisite network
|
||||||
|
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
||||||
|
location ~* /(?:uploads|files)/.*\.php$ {
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
# mitigate DoS attack CVE with WordPress script concatenation
|
||||||
|
# add the following line to wp-config.php
|
||||||
|
# define( 'CONCATENATE_SCRIPTS', false );
|
||||||
|
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
|
|
@ -1,81 +1,96 @@
|
||||||
# WordPress COMMON SETTINGS
|
# WordPress COMMON SETTINGS - WO v3.9.7
|
||||||
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
|
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
|
||||||
# Limit access to avoid brute force attack
|
# Limit access to avoid brute force attack
|
||||||
location = /wp-login.php {
|
location = /wp-login.php {
|
||||||
limit_req zone=one burst=1 nodelay;
|
limit_req zone=one burst=1 nodelay;
|
||||||
include fastcgi_params;
|
include fastcgi_params;
|
||||||
fastcgi_pass php73;
|
fastcgi_pass php73;
|
||||||
}
|
}
|
||||||
# Disable wp-config.txt
|
# Prevent DoS attacks on wp-cron
|
||||||
location = /wp-config.txt {
|
location = /wp-cron.php {
|
||||||
deny all;
|
limit_req zone=two burst=1 nodelay;
|
||||||
access_log off;
|
include fastcgi_params;
|
||||||
log_not_found off;
|
fastcgi_pass php73;
|
||||||
}
|
}
|
||||||
# webp rewrite rules for jpg and png images
|
# Prevent Dos attacks with xmlrpc.php
|
||||||
# try to load alternative image.png.webp before image.png
|
location = /xmlrpc.php {
|
||||||
location /wp-content/uploads {
|
limit_req zone=two burst=1 nodelay;
|
||||||
location ~ \.(png|jpe?g)$ {
|
include fastcgi_params;
|
||||||
add_header Vary "Accept-Encoding";
|
fastcgi_pass php73;
|
||||||
add_header "Access-Control-Allow-Origin" "*";
|
}
|
||||||
add_header Cache-Control "public, no-transform";
|
# Disable wp-config.txt
|
||||||
access_log off;
|
location = /wp-config.txt {
|
||||||
log_not_found off;
|
deny all;
|
||||||
expires max;
|
access_log off;
|
||||||
try_files $uri$webp_suffix $uri =404;
|
log_not_found off;
|
||||||
}
|
}
|
||||||
location ~ \.php$ {
|
location = /robots.txt {
|
||||||
#Prevent Direct Access Of PHP Files From Web Browsers
|
# Some WordPress plugin gererate robots.txt file
|
||||||
deny all;
|
# Refer #340 issue
|
||||||
}
|
try_files $uri $uri/ /index.php?$args @robots;
|
||||||
}
|
access_log off;
|
||||||
# Deny access to any files with a .php extension in the uploads directory
|
log_not_found off;
|
||||||
# Works in sub-directory installs and also in multisite network
|
}
|
||||||
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
# fallback for robots.txt with default wordpress rules
|
||||||
location ~* /(?:uploads|files)/.*\.php$ {
|
location @robots {
|
||||||
deny all;
|
return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
|
||||||
}
|
}
|
||||||
# mitigate DoS attack CVE with WordPress script concatenation
|
# webp rewrite rules for jpg and png images
|
||||||
# add the following line to wp-config.php
|
# try to load alternative image.png.webp before image.png
|
||||||
# define( 'CONCATENATE_SCRIPTS', false );
|
location /wp-content/uploads {
|
||||||
location ~ \/wp-admin\/load-(scripts|styles).php {
|
location ~ \.(png|jpe?g)$ {
|
||||||
deny all;
|
add_header Vary "Accept-Encoding";
|
||||||
}
|
more_set_headers 'Access-Control-Allow-Origin : *';
|
||||||
|
add_header Cache-Control "public, no-transform";
|
||||||
location "=/wp-config\.(php|txt)" {
|
access_log off;
|
||||||
|
log_not_found off;
|
||||||
location ~* wp-config.php { deny all; }
|
expires max;
|
||||||
|
try_files $uri$webp_suffix $uri =404;
|
||||||
location ~* "^/wp-content/uploads/.*\\.php" { deny all; }
|
}
|
||||||
location ~* "^/wp-includes/(?!js/tinymce/wp-tinymce\\.php$).*\\.php" {
|
location ~* \.(php|gz|log|zip|tar|rar)$ {
|
||||||
deny all;
|
#Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers
|
||||||
}
|
deny all;
|
||||||
location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; }
|
}
|
||||||
|
}
|
||||||
location ~* ".*/cache/.*\\.ph(?:p[345]?|t|tml)" {
|
# webp rewrite rules for EWWW testing image
|
||||||
access_log off;
|
location /wp-content/plugins/ewww-image-optimizer/images {
|
||||||
log_not_found off;
|
location ~ \.(png|jpe?g)$ {
|
||||||
deny all;
|
add_header Vary "Accept-Encoding";
|
||||||
}
|
more_set_headers 'Access-Control-Allow-Origin : *';
|
||||||
|
add_header Cache-Control "public, no-transform";
|
||||||
if ($query_string ~ "author=\d+") {
|
access_log off;
|
||||||
return 403;
|
log_not_found off;
|
||||||
}
|
expires max;
|
||||||
|
try_files $uri$webp_suffix $uri =404;
|
||||||
location ~* "(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html))" {
|
}
|
||||||
return 403;
|
location ~ \.php$ {
|
||||||
}
|
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||||
|
deny all;
|
||||||
location ~* ".*\\.(psd|log|cmd|exe|bat|csh|sh)" {
|
}
|
||||||
return 403;
|
}
|
||||||
}
|
# enable gzip on static assets - php files are forbidden
|
||||||
|
location /wp-content/cache {
|
||||||
location ~* /\.ht {
|
# Cache css & js files
|
||||||
deny all;
|
location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
|
||||||
}
|
more_set_headers 'Access-Control-Allow-Origin : *';
|
||||||
|
access_log off;
|
||||||
if ($http_user_agent ~* "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)") {
|
log_not_found off;
|
||||||
return 403;
|
expires 30d;
|
||||||
}
|
}
|
||||||
|
location ~ \.php$ {
|
||||||
#extension wp-toolkit end
|
#Prevent Direct Access Of PHP Files From Web Browsers
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
# Deny access to any files with a .php extension in the uploads directory
|
||||||
|
# Works in sub-directory installs and also in multisite network
|
||||||
|
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
|
||||||
|
location ~* /(?:uploads|files)/.*\.php$ {
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
# mitigate DoS attack CVE with WordPress script concatenation
|
||||||
|
# add the following line to wp-config.php
|
||||||
|
# define( 'CONCATENATE_SCRIPTS', false );
|
||||||
|
location ~ \/wp-admin\/load-(scripts|styles).php {
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue