Add the WP location hardening config

h3artbl33d 2024-06-04 14:29:41 +02:00
parent 868bd9e1da
commit 51847c0738


@ -0,0 +1,176 @@
###################################################################
### Nginx locations for WordPress websites ###
###################################################################
# These locations add some basic protection against common mistakes
# (like exposing a .env file). These rules are in no way complete.
# You can include them in the {,free}nginx server block. Hope it is
# useful to someone :)
# -h3artbl33d
###
###
# Regarding the robots, you can also choose to serve a static version, like:
# location = /robots.txt {
# access_log off;
# add_header Content-Type text/plain;
# return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n\nSitemap: /sitemap_index.xml\n\nUser-agent: YandexBot\nDisallow: /\n\nUser-agent: ClaudeBot\nDisallow: /\n\nUser-agent: 360Spider\nDisallow: /\n\nUser-agent: AhrefsBot\nDisallow: /\n\nUser-agent: Baiduspider\nDisallow: /\n\nUser-agent: BLEXBot\nDisallow: /\n\nUser-agent: DotBot\nDisallow: /\n\nUser-agent: Exabot\nDisallow: /\n\nUser-agent: MJ12bot\nDisallow: /\n\nUser-agent: PetalBot\nDisallow: /\n\nUser-agent: SEOkicks-Robot\nDisallow: /\n\nUser-agent: SemrushBot\nDisallow: /\n\nUser-agent: SiteExplorer\nDisallow: /\n\nUser-agent: Sogou\nDisallow: /\n\nUser-agent: spbot\nDisallow: /\n\nUser-agent: YandexImages\nDisallow: /\n\nUser-agent: Yeti\nDisallow: /\n\nUser-agent: YisouSpider\nDisallow: /\n";
# }
###
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
try_files $uri /index.php?$args;
}
location = /favicon.ico {
try_files /favicon.ico @empty;
access_log off;
log_not_found off;
expires max;
}
location @empty {
empty_gif;
}
location ~ ^/wp-content/uploads/sucuri {
deny all;
}
location ~ ^/wp-content/updraft {
deny all;
}
location ~* .(pl|cgi|py|sh|lua|asp)$ {
return 444;
}
location ~* /(wp-config.php|readme.html|license.txt|nginx.conf) {
deny all;
}
location /wp-content/uploads/ {
location ~ \.php$ {
deny all;
}
}
location /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
return 444;
}
location ^~ /wp-admin/install.php {
deny all;
error_page 403 =404 /;
}
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ {
deny all;
}
location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
deny all;
error_page 403 =404 /;
}
location ~* ^/wp-content/themes/.+\.(txt|log|md)$ {
deny all;
error_page 403 =404 /;
}
location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
deny all;
}
location ~* ^/(license.txt|wp-includes/(.*)/.+\.(js|css)|wp-admin/(.*)/.+\.(js|css))$ {
sub_filter_types text/css text/javascript text/plain;
sub_filter_once on;
sub_filter ';' '; /* $msec */ ';
}
location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
deny all;
access_log off;
log_not_found off;
}
location ~ /\.(svn|git)/* {
deny all;
access_log off;
log_not_found off;
}
location ~ /\.ht {
deny all;
access_log off;
log_not_found off;
}
location ~ /\.user.ini {
deny all;
access_log off;
log_not_found off;
}
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all;
access_log off;
log_not_found off;
}
location ~ \.user\.ini$ {
deny all;
}
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
deny all;
}
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
deny all;
}
location ~ /\. {
deny all;
}
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" {
deny all;
}
location ~* "(eval\()" {
deny all;
}
location ~* "(127\.0\.0\.1)" {
deny all;
}
location ~* "([a-z0-9]{2000})" {
deny all;
}
location ~* "(javascript\:)(.*)(\;)" {
deny all;
}
location ~* "(base64_encode)(.*)(\()" {
deny all;
}
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
deny all;
}
location ~* "(<|%3C).*script.*(>|%3)" {
deny all;
}
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
deny all;
}
location ~* "(boot\.ini|etc/passwd|self/environ)" {
deny all;
}
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
deny all;
}
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all;
}
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
deny all;
}
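Review bot: The archive rule `location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$` escapes its final `$`, so it demands a literal dollar sign at the end of the path and never matches a real `/wp-content/.../backup.zip`; it should read `location ~* ^/wp-content/.*\.(zip|gz|tar|bzip2|7z)$ {`. The extension rule `location ~* .(pl|cgi|py|sh|lua|asp)$` has the opposite problem: the unescaped `.` matches any character, so any path ending in those letters (a post slug such as `/flash`) is dropped with 444, and the same unescaped dot appears in the uploads rules `.*.(html|htm|shtml|php|js|swf)$` and `.*.php$`; write `\.(pl|cgi|py|sh|lua|asp)$` and `\.(html|...)$` / `\.php$`. The blocks from `(eval\()` onward look aimed at query-string payloads, but nginx matches `location` regexes only against the normalized, percent-decoded `$uri` and never against `$args`, so patterns such as `(GLOBALS|REQUEST)(=|\[|%)`, `(https?|ftp|php):/` and the `%3C` alternatives cannot fire on what they target; if query filtering is wanted it belongs in a `map` on `$args` that feeds a `return`, not in a `location`. Because the first matching regex location wins, the broad character rule `(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)` near the end will also 403 otherwise-valid paths containing `:` or `;`, which deserves a comment stating that this is intentional.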