Last active
October 24, 2022 13:48
-
-
Save czachor/a2eb8cf8622c4cbecb7604f126e463f5 to your computer and use it in GitHub Desktop.
Wordpress security
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Wordpress security |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ### SECURITY | |
| # 6G FIREWALL/BLACKLIST | |
| # @ https://perishablepress.com/6g/ | |
| # 6G:[QUERY STRING] | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteCond %{QUERY_STRING} (eval\() [NC,OR] | |
| RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR] | |
| RewriteCond %{QUERY_STRING} ([a-z0-9]{2000,}) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR] | |
| RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR] | |
| RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR] | |
| RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC] | |
| RewriteRule .* - [F] | |
| </IfModule> | |
| # 6G:[REQUEST METHOD] | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|put|trace|track) [NC] | |
| RewriteRule .* - [F] | |
| </IfModule> | |
| # 6G:[REFERRER] | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000,}) [NC,OR] | |
| RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC] | |
| RewriteRule .* - [F] | |
| </IfModule> | |
| # 6G:[REQUEST STRING] | |
| <IfModule mod_alias.c> | |
| RedirectMatch 403 (?i)([a-z0-9]{2000,}) | |
| RedirectMatch 403 (?i)(https?|ftp|php):/ | |
| RedirectMatch 403 (?i)(base64_encode)(.*)(\() | |
| RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\. | |
| # RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&?)/?$ # sometimes 403 triggered | |
| RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\") | |
| RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\{|\}|\[|\]|\|) | |
| RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|muieblack) | |
| RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ) | |
| RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$ | |
| RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php | |
| </IfModule> | |
| # 6G:[USER AGENT] | |
| <IfModule mod_setenvif.c> | |
| SetEnvIfNoCase User-Agent ([a-z0-9]{2000,}) bad_bot | |
| SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot | |
| # Apache < 2.3 | |
| <IfModule !mod_authz_core.c> | |
| Order Allow,Deny | |
| Allow from all | |
| Deny from env=bad_bot | |
| </IfModule> | |
| # Apache >= 2.3 | |
| <IfModule mod_authz_core.c> | |
| <RequireAll> | |
| Require all Granted | |
| Require not env bad_bot | |
| </RequireAll> | |
| </IfModule> | |
| </IfModule> | |
| # SGS XMLRPC Disable Service | |
| <Files xmlrpc.php> | |
| order deny,allow | |
| deny from all | |
| </Files> | |
| # SGS XMLRPC Disable Service END | |
| <files wp-config.php> | |
| order allow,deny | |
| deny from all | |
| </files> | |
| <files ~ "^.*\.([Hh][Tt][Aa])"> | |
| order allow,deny | |
| deny from all | |
| satisfy all | |
| </files> | |
| Options -Indexes | |
| # Blocks some XSS attacks | |
| <IfModule mod_rewrite.c> | |
| RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR] | |
| RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] | |
| RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) | |
| RewriteRule .* index.php [F,L] | |
| </IfModule> | |
| # Blocks all wp-includes folders and files | |
| <IfModule mod_rewrite.c> | |
| RewriteEngine On | |
| RewriteBase / | |
| RewriteRule ^wp-admin/includes/ - [F,L] | |
| RewriteRule !^wp-includes/ - [S=3] | |
| RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] | |
| RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] | |
| RewriteRule ^wp-includes/theme-compat/ - [F,L] | |
| </IfModule> | |
| # Restricts access to PHP files from plugin and theme directories | |
| RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php | |
| RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/ | |
| RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L] | |
| RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php | |
| RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/ | |
| RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L] | |
| <FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$"> | |
| Order deny,allow | |
| Deny from all | |
| </FilesMatch> | |
| <FilesMatch "readme\.html"> | |
| Order allow,deny | |
| Deny from all | |
| </FilesMatch> | |
| RewriteCond %{QUERY_STRING} ^author=([0-9]*) | |
| RewriteRule ^ /? [L,R=301] | |
| ### SECURITY |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * Security | |
| */ | |
| /** | |
| * Removes x-powered-by header which is set by PHP | |
| */ | |
| header_remove('x-powered-by'); | |
| /** | |
| * Remove X-Pingback header | |
| */ | |
| add_filter('pings_open', function () { | |
| return false; | |
| }); | |
| /** | |
| * Disables xmlrpc.php | |
| * Disable only if your site does not require use of xmlrpc | |
| */ | |
| function remove_xmlrpc_pingback_ping( $methods ) { | |
| unset($methods['pingback.ping']); | |
| unset($headers['X-Pingback']); | |
| return $methods; | |
| } | |
| add_filter('xmlrpc_enabled', '__return_false'); | |
| add_filter('xmlrpc_methods', 'remove_xmlrpc_pingback_ping' ); | |
| /** | |
| * Disables REST API completely for non-logged in users | |
| * Use this option only if your site does not require use of REST API | |
| */ | |
| // add_filter('rest_authentication_errors', function($result) { | |
| // return (is_user_logged_in()) ? $result : new WP_Error('rest_not_logged_in', 'You are not currently logged in.', array('status' => 401)); | |
| // }); | |
| /** | |
| * Disables Wordpress default REST API endpoints. | |
| * Use this option if your plugins require use of REST API, but would still like to disable core endpoints. | |
| */ | |
| add_filter('rest_endpoints', function ($endpoints) { | |
| // If user is logged in, allow all endpoints | |
| if (is_user_logged_in()) { | |
| return $endpoints; | |
| } | |
| foreach ($endpoints as $route => $endpoint) { | |
| if (stripos($route, '/wp/') === 0) { | |
| unset($endpoints[$route]); | |
| } | |
| } | |
| return $endpoints; | |
| }); | |
| /** | |
| * Removes unnecesary information from <head> tag | |
| */ | |
| add_action('init', function () { | |
| // Remove post and comment feed link | |
| remove_action('wp_head', 'feed_links', 2); | |
| // Remove post category links | |
| remove_action('wp_head', 'feed_links_extra', 3); | |
| // Remove link to the Really Simple Discovery service endpoint | |
| remove_action('wp_head', 'rsd_link'); | |
| // Remove the link to the Windows Live Writer manifest file | |
| remove_action('wp_head', 'wlwmanifest_link'); | |
| // Remove the XHTML generator that is generated on the wp_head hook, WP version | |
| remove_action('wp_head', 'wp_generator'); | |
| // Remove start link | |
| remove_action('wp_head', 'start_post_rel_link'); | |
| // Remove index link | |
| remove_action('wp_head', 'index_rel_link'); | |
| // Remove previous link | |
| remove_action('wp_head', 'parent_post_rel_link', 10, 0); | |
| // Remove relational links for the posts adjacent to the current post | |
| remove_action('wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0); | |
| // Remove relational links for the posts adjacent to the current post | |
| remove_action('wp_head', 'wp_oembed_add_discovery_links'); | |
| // Remove REST API links | |
| remove_action('wp_head', 'rest_output_link_wp_head'); | |
| // Remove Link header for REST API | |
| remove_action('template_redirect', 'rest_output_link_header', 11, 0); | |
| // Remove Link header for shortlink | |
| remove_action('template_redirect', 'wp_shortlink_header', 11, 0); | |
| }); | |
| /** | |
| * List of feeds to disable | |
| */ | |
| $feeds = [ | |
| 'do_feed', | |
| 'do_feed_rdf', | |
| 'do_feed_rss', | |
| 'do_feed_rss2', | |
| 'do_feed_atom', | |
| 'do_feed_rss2_comments', | |
| 'do_feed_atom_comments', | |
| ]; | |
| foreach ($feeds as $feed) { | |
| add_action($feed, function () { | |
| wp_die('Feed has been disabled.'); | |
| }, 1); | |
| } | |
| /** | |
| * Remove wp-embed.js file from loading | |
| */ | |
| add_action('wp_footer', function () { | |
| wp_deregister_script('wp-embed'); | |
| }); | |
| /** | |
| * Security END | |
| */ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| // add: | |
| define('DISALLOW_FILE_EDIT', true); | |
| // after WP_DEBUG: | |
| define('WP_DEBUG', false); | |
| if ( ! WP_DEBUG ) { | |
| ini_set('display_errors', 0); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment