Skip to content

Instantly share code, notes, and snippets.

@Depicus

Depicus/Securing Wordpress

Last active March 26, 2019 21:31
Show Gist options
  • Save Depicus/c280746524f94b03398e9e6623ff54ec to your computer and use it in GitHub Desktop.
Save Depicus/c280746524f94b03398e9e6623ff54ec to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Securing Wordpress
sudo apt update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-apache
sudo certbot certonly --manual --preferred-challenges dns -d wordpress.depicus.com
SSLCertificateFile /etc/letsencrypt/live/wordpress.depicus.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wordpress.depicus.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
# make files
find /var/www/wordpress/ -type f -exec chmod 640 {} \;
find /var/www/wordpress/ -type d -exec chmod 750 {} \;
chown -R www-data:www-data /var/www/wordpress
<Directory /var/www/wordpress>
Options -Indexes +FollowSymLinks -MultiViews
AllowOverride All
Require all granted
</Directory>
# redirect pesky script kiddies use in root
RewriteEngine on
RewriteRule phpmyadmin http://www.fbi.gov/ [L,NC,QSA]
RewriteRule phptest http://www.fbi.gov/ [L,NC,QSA]
RewriteRule pma http://www.fbi.gov/ [L,NC,QSA]
RewriteRule myadmin http://www.fbi.gov/ [L,NC,QSA]
RewriteRule wp-admin http://www.fbi.gov/ [L,NC,QSA]
RewriteRule HNAP1 http://www.fbi.gov/ [L,NC,QSA]
RewriteRule administrator http://www.fbi.gov/ [L,NC,QSA]
RewriteRule vtigercrm http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^w00tw00t$ http://www.fbi.gov/ [L,NC,QSA]
RewriteRule manager http://www.fbi.gov/ [L,NC,QSA]
RewriteRule cgi-bin http://www.fbi.gov/ [L,NC,QSA]
RewriteRule wp-login.php http://www.fbi.gov/ [L,NC,QSA]
RewriteRule manager http://www.fbi.gov/ [L,NC,QSA]
RewriteRule components http://www.fbi.gov/ [L,NC,QSA]
RewriteRule admin.php http://www.fbi.gov/ [L,NC,QSA]
RewriteRule blog_edit.php http://www.fbi.gov/ [L,NC,QSA]
RewriteRule blogs.php http://www.fbi.gov/ [L,NC,QSA]
RewriteRule profile_blog_new.php$ http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^member/manage_blog.php$ http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^blogs/my_page/add/$ http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^account/submit/add-blog/$ http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^my_blogs&action=add http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^member/manage_blog.php$ http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^user/soapCaller.bs http://www.fbi.gov/ [L,NC,QSA]
RewriteRule ^phph/php/ph.php http://www.fbi.gov/ [L,NC,QSA]
# block access to files
<Files ~ "\.(sql|bak)$">
Order allow,deny
Deny from all
</Files>
<FilesMatch "^\.">
Order allow,deny
Deny from all
</FilesMatch>
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Only allow GET,PUT,POST and HEAD Request Methods
RewriteCond %{REQUEST_METHOD} !^(GET|PUT|POST|HEAD)
RewriteRule .* - [F]
#
<IfModule mod_headers.c>
Header unset ETag
# Header set X-Frame-Options: deny
Header set X-XSS-Protection: "1; mode=block"
Header set X-Content-Type-Options: nosniff
# Header set X-WebKit-CSP: "default-src 'self'"
# Header set X-Permitted-Cross-Domain-Policies: "master-only"
</IfModule>
# add in wp-admin .htaccess
Order deny,allow
Deny from all
Allow from 192.168.43.0/24
Allow from x.xx.x.x
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment