Add the WP location hardening config

2024-06-04 14:29:41 +02:00 · 2024-06-04 14:29:41 +02:00 · 51847c0738
commit 51847c0738
parent 868bd9e1da
1 changed files with 176 additions and 0 deletions
--- a/conf/nginx/wordpress-locations.conf
+++ b/conf/nginx/wordpress-locations.conf
@ -0,0 +1,176 @@
+###################################################################
+###            Nginx locations for WordPress websites           ###
+###################################################################
+# These locations add some basic protection against common mistakes
+# (like exposing a .env file). These rules are in no way complete.
+# You can include them in the {,free}nginx server block. Hope it is
+# useful to someone :)
+# -h3artbl33d
+###
+
+###
+# Regarding the robots, you can also choose to serve a static version, like:
+# location = /robots.txt {
+#	access_log off;
+#	add_header Content-Type text/plain;
+# 	return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n\nSitemap: /sitemap_index.xml\n\nUser-agent: YandexBot\nDisallow: /\n\nUser-agent: ClaudeBot\nDisallow: /\n\nUser-agent: 360Spider\nDisallow: /\n\nUser-agent: AhrefsBot\nDisallow: /\n\nUser-agent: Baiduspider\nDisallow: /\n\nUser-agent: BLEXBot\nDisallow: /\n\nUser-agent: DotBot\nDisallow: /\n\nUser-agent: Exabot\nDisallow: /\n\nUser-agent: MJ12bot\nDisallow: /\n\nUser-agent: PetalBot\nDisallow: /\n\nUser-agent: SEOkicks-Robot\nDisallow: /\n\nUser-agent: SemrushBot\nDisallow: /\n\nUser-agent: SiteExplorer\nDisallow: /\n\nUser-agent: Sogou\nDisallow: /\n\nUser-agent: spbot\nDisallow: /\n\nUser-agent: YandexImages\nDisallow: /\n\nUser-agent: Yeti\nDisallow: /\n\nUser-agent: YisouSpider\nDisallow: /\n";
+# }
+###
+location = /robots.txt {
+	allow all;
+	log_not_found off;
+	access_log off;
+	try_files $uri /index.php?$args;
+}
+location = /favicon.ico {
+	try_files /favicon.ico @empty;
+	access_log off;
+	log_not_found off;
+	expires max;
+}
+location @empty {
+	empty_gif;
+}
+location ~ ^/wp-content/uploads/sucuri {
+	deny all;
+}
+location ~ ^/wp-content/updraft {
+	deny all;
+}
+location ~* .(pl|cgi|py|sh|lua|asp)$ {
+	return 444;
+}
+location ~* /(wp-config.php|readme.html|license.txt|nginx.conf) {
+	deny all;
+}
+location /wp-content/uploads/ {
+	location ~ \.php$ {
+		deny all;
+	}
+}
+location /xmlrpc.php {
+	deny all;
+	access_log off;
+	log_not_found off;
+	return 444;
+}
+location ^~ /wp-admin/install.php {
+	deny all;
+	error_page 403 =404 /;
+}
+location ~* /(?:uploads|files)/.*\.php$ {
+	deny all;
+}
+location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ {
+	deny all;
+}
+location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
+	deny all;
+	error_page 403 =404 /;
+}
+location ~* ^/wp-content/themes/.+\.(txt|log|md)$ {
+	deny all;
+	error_page 403 =404 /;
+}
+location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
+	deny all;
+}
+location ~* ^/(license.txt|wp-includes/(.*)/.+\.(js|css)|wp-admin/(.*)/.+\.(js|css))$ {
+	sub_filter_types text/css text/javascript text/plain;
+	sub_filter_once on;
+	sub_filter ';' '; /* $msec */ ';
+}
+location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
+	deny all;
+	access_log off;
+	log_not_found off;
+}
+location ~ /\.(svn|git)/* {
+	deny all;
+	access_log off;
+	log_not_found off;
+}
+location ~ /\.ht {
+	deny all;
+	access_log off;
+	log_not_found off;
+}
+location ~ /\.user.ini {
+	deny all;
+	access_log off;
+	log_not_found off;
+}
+location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
+	deny all;
+	access_log off;
+	log_not_found off;
+}
+location ~ \.user\.ini$ {
+	deny all;
+}
+location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
+	deny all;
+}
+location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
+	deny all;
+}
+location ~ /\. {
+	deny all;
+}
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
+	deny all;
+}
+location ~* "(eval\()" {
+	deny all;
+}
+location ~* "(127\.0\.0\.1)" {
+	deny all;
+}
+location ~* "([a-z0-9]{2000})" {
+	deny all;
+}
+location ~* "(javascript\:)(.*)(\;)" {
+	deny all;
+}
+location ~* "(base64_encode)(.*)(\()" {
+	deny all;
+}
+location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
+	deny all;
+}
+location ~* "(<|%3C).*script.*(>|%3)" {
+	deny all;
+}
+location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
+	deny all;
+}
+location ~* "(boot\.ini|etc/passwd|self/environ)" {
+	deny all;
+}
+location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
+	deny all;
+}
+location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
+	deny all;
+}
+location ~* "(https?|ftp|php):/" {
+	deny all;
+}
+location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
+	deny all;
+}
+location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
+	deny all;
+}
+location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
+	deny all;
+}
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+	deny all;
+}
+location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
+	deny all;
+}
+location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
+	deny all;
+}