From 51847c073894f4a82eebb4a5f689ad9bb00ec45c Mon Sep 17 00:00:00 2001
From: h3artbl33d
Date: Tue, 4 Jun 2024 14:29:41 +0200
Subject: [PATCH] Add the WP location hardening config

---
 conf/nginx/wordpress-locations.conf | 176 ++++++++++++++++++++++++++++
 1 file changed, 176 insertions(+)
 create mode 100644 conf/nginx/wordpress-locations.conf

diff --git a/conf/nginx/wordpress-locations.conf b/conf/nginx/wordpress-locations.conf
new file mode 100644
index 0000000..ed22956
--- /dev/null
+++ b/conf/nginx/wordpress-locations.conf
@@ -0,0 +1,176 @@
+###################################################################
+### Nginx locations for WordPress websites ###
+###################################################################
+# These locations add some basic protection against common mistakes
+# (like exposing a .env file). These rules are in no way complete.
+# You can include them in the {,free}nginx server block. Hope it is
+# useful to someone :)
+# -h3artbl33d
+###
+
+###
+# Regarding the robots, you can also choose to serve a static version, like:
+# location = /robots.txt {
+# access_log off;
+# add_header Content-Type text/plain;
+# return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n\nSitemap: /sitemap_index.xml\n\nUser-agent: YandexBot\nDisallow: /\n\nUser-agent: ClaudeBot\nDisallow: /\n\nUser-agent: 360Spider\nDisallow: /\n\nUser-agent: AhrefsBot\nDisallow: /\n\nUser-agent: Baiduspider\nDisallow: /\n\nUser-agent: BLEXBot\nDisallow: /\n\nUser-agent: DotBot\nDisallow: /\n\nUser-agent: Exabot\nDisallow: /\n\nUser-agent: MJ12bot\nDisallow: /\n\nUser-agent: PetalBot\nDisallow: /\n\nUser-agent: SEOkicks-Robot\nDisallow: /\n\nUser-agent: SemrushBot\nDisallow: /\n\nUser-agent: SiteExplorer\nDisallow: /\n\nUser-agent: Sogou\nDisallow: /\n\nUser-agent: spbot\nDisallow: /\n\nUser-agent: YandexImages\nDisallow: /\n\nUser-agent: Yeti\nDisallow: /\n\nUser-agent: YisouSpider\nDisallow: /\n";
+# }
+###
+location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ try_files $uri /index.php?$args;
+}
+location = /favicon.ico {
+ try_files /favicon.ico @empty;
+ access_log off;
+ log_not_found off;
+ expires max;
+}
+location @empty {
+ empty_gif;
+}
+location ~ ^/wp-content/uploads/sucuri {
+ deny all;
+}
+location ~ ^/wp-content/updraft {
+ deny all;
+}
+location ~* .(pl|cgi|py|sh|lua|asp)$ {
+ return 444;
+}
+location ~* /(wp-config.php|readme.html|license.txt|nginx.conf) {
+ deny all;
+}
+location /wp-content/uploads/ {
+ location ~ \.php$ {
+ deny all;
+ }
+}
+location /xmlrpc.php {
+ deny all;
+ access_log off;
+ log_not_found off;
+ return 444;
+}
+location ^~ /wp-admin/install.php {
+ deny all;
+ error_page 403 =404 /;
+}
+location ~* /(?:uploads|files)/.*\.php$ {
+ deny all;
+}
+location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ {
+ deny all;
+}
+location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
+ deny all;
+ error_page 403 =404 /;
+}
+location ~* ^/wp-content/themes/.+\.(txt|log|md)$ {
+ deny all;
+ error_page 403 =404 /;
+}
+location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
+ deny all;
+}
+location ~* ^/(license.txt|wp-includes/(.*)/.+\.(js|css)|wp-admin/(.*)/.+\.(js|css))$ {
+ sub_filter_types text/css text/javascript text/plain;
+ sub_filter_once on;
+ sub_filter ';' '; /* $msec */ ';
+}
+location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
+ deny all;
+ access_log off;
+ log_not_found off;
+}
+location ~ /\.(svn|git)/* {
+ deny all;
+ access_log off;
+ log_not_found off;
+}
+location ~ /\.ht {
+ deny all;
+ access_log off;
+ log_not_found off;
+}
+location ~ /\.user.ini {
+ deny all;
+ access_log off;
+ log_not_found off;
+}
+location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
+ deny all;
+ access_log off;
+ log_not_found off;
+}
+location ~ \.user\.ini$ {
+ deny all;
+}
+location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
+ deny all;
+}
+location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
+ deny all;
+}
+location ~ /\. {
+ deny all;
+}
+location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
+ deny all;
+}
+location ~* "(eval\()" {
+ deny all;
+}
+location ~* "(127\.0\.0\.1)" {
+ deny all;
+}
+location ~* "([a-z0-9]{2000})" {
+ deny all;
+}
+location ~* "(javascript\:)(.*)(\;)" {
+ deny all;
+}
+location ~* "(base64_encode)(.*)(\()" {
+ deny all;
+}
+location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
+ deny all;
+}
+location ~* "(<|%3C).*script.*(>|%3)" {
+ deny all;
+}
+location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
+ deny all;
+}
+location ~* "(boot\.ini|etc/passwd|self/environ)" {
+ deny all;
+}
+location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
+ deny all;
+}
+location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
+ deny all;
+}
+location ~* "(https?|ftp|php):/" {
+ deny all;
+}
+location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
+ deny all;
+}
+location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
+ deny all;
+}
+location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
+ deny all;
+}
+location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
+ deny all;
+}
+location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
+ deny all;
+}
+location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
+ deny all;
+}
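Review bot: The archive rule `location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ {` ends in `\$`, which in a PCRE pattern is a literal dollar sign rather than an end-of-string anchor, so a request such as `/wp-content/backup.zip` never matches it, and since no other rule in this file lists `zip`, `gz`, `bzip2` or `7z` (only `tar` appears in the later extension list), backup archives under wp-content remain downloadable despite the apparent intent. The line should read `location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$ {`; the `\$` in `\$&` and `\{\$itemURL\}` further down are different, there a literal dollar is what is wanted. In the `/xmlrpc.php` block, `return 444;` is a rewrite-phase directive and nginx evaluates it before the access-phase `deny all;`, so the deny never runs; keep one mechanism and say so, e.g. `# return 444 closes the connection in the rewrite phase; deny all here is unreachable`. The script-tag rule `(<|%3C).*script.*(>|%3)` also looks truncated, presumably `%3E` was intended for the closing bracket, and since nginx matches locations against the percent-decoded URI the encoded forms only matter for double-encoded requests anyway.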