WordPress security rules as an mu-plugin (put this file under wp-content/mu-plugins/security.php and you are done)
<?php | |
/*
Plugin Name: WP Security Rules
Plugin URI: https://digitize-info.com
Description: Here we define the site-wide security rules
Version: 0.3
Author: Vijay Padhariya
Author URI: https://vijaypadhariya.com
*/
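/**
 * Disable self-pings.
 *
 * WordPress sends a pingback for every link in a post, including links that
 * point back at this site. Drop every link that starts with the site's own
 * home URL so the site never pings itself. Hooked last (PHP_INT_MAX) so it
 * sees the final list of links.
 *
 * @param string[] $links Candidate pingback targets, modified in place.
 */
add_action('pre_ping', function (&$links) {
    $home = (string) get_option('home');

    // An empty needle makes strpos() behave differently across PHP versions
    // (PHP 8 matches every string at offset 0), which would drop every ping.
    // Nothing sensible can be filtered without a home URL, so bail out.
    if ('' === $home) {
        return;
    }

    foreach ($links as $index => $link) {
        if (0 === strpos($link, $home)) {
            unset($links[$index]);
        }
    }
}, PHP_INT_MAX);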
/**
 * Set nonce life to 4 hours
 * NOTE: disabled because of an issue with the caching plugin
 */
// add_filter('nonce_life', function () {return 4 * HOUR_IN_SECONDS; });
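/**
 * Block selected REST routes for unauthenticated requests.
 * https://developer.wordpress.org/rest-api/frequently-asked-questions/#require-authentication-for-all-requests
 *
 * Runs on `rest_authentication_errors` (last, PHP_INT_MAX). A result already
 * produced by an earlier authentication handler (true or a WP_Error) is passed
 * through untouched. Anonymous requests to the listed routes receive a
 * WP_Error carrying rest_authorization_required_code(); logged-in users are
 * not affected, so authenticated consumers such as the block editor keep
 * working.
 *
 * NOTE(review): routes are matched exactly (after stripping a trailing slash),
 * so sub-routes such as /wp/v2/users/<id> are not covered — extend the list
 * or switch to prefix matching if that is intended.
 *
 * @param WP_Error|true|null $result Result from earlier authentication checks.
 * @return WP_Error|true|null
 */
add_filter('rest_authentication_errors', function ($result) {
    // Another handler already decided; never override its verdict.
    if (true === $result || is_wp_error($result)) {
        return $result;
    }

    // Only anonymous requests are restricted.
    if (is_user_logged_in()) {
        return $result;
    }

    // Routes we refuse to serve without authentication.
    $disabled_routes = ['/wp/v2', '/wp/v2/users', '/wp-site-health/v1'];

    // `rest_route` is absent on non-REST requests; fall back to an empty string
    // instead of triggering an undefined-index notice.
    $rest_route = isset($GLOBALS['wp']) ? ($GLOBALS['wp']->query_vars['rest_route'] ?? '') : '';
    $rest_route = rtrim((string) $rest_route, '/');

    if (in_array($rest_route, $disabled_routes, true)) {
        $status = rest_authorization_required_code();
        return new WP_Error($status, __('This REST API has been disabled.'), ['status' => $status]);
    }

    return $result;
}, PHP_INT_MAX);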
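/**
 * Do not reveal whether a lost-password username or e-mail exists.
 *
 * `lostpassword_post` fires inside retrieve_password() after the user lookup
 * but before the reset e-mail is sent. When WordPress is about to report an
 * invalid username / e-mail, redirect to the same confirmation page a valid
 * request ends on, so both outcomes look identical to the requester. Valid
 * requests are left alone: WordPress still sends the e-mail and performs its
 * own redirect to ?checkemail=confirm, so no exit() is needed (and none must
 * happen) on that path.
 *
 * @param WP_Error $errors Errors collected so far by retrieve_password().
 */
add_action('lostpassword_post', function ($errors) {
    if (empty($_POST['user_login'])) {
        return; // Let WordPress show the "field can't be empty" error.
    }

    if (is_wp_error($errors) && $errors->has_errors()) {
        // Same destination WordPress uses after a successful request.
        wp_safe_redirect(add_query_arg('checkemail', 'confirm', wp_login_url()));
        exit;
    }
}, PHP_INT_MAX);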
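/**
 * After a lost-password request, send the visitor back to the login form.
 *
 * Runs in the login footer only when the page was reached with
 * ?checkemail=confirm. Emits a small script that navigates to the login URL
 * after 10 seconds. The URL is written through wp_json_encode() so it lands in
 * the page as a proper JavaScript string literal whatever characters it holds.
 */
add_action('login_footer', function () {
    // Guard with ?? so a plain login page does not raise an undefined-index notice.
    if ('confirm' !== ($_GET['checkemail'] ?? '')) {
        return;
    }

    $login_url = wp_json_encode(wp_login_url());
    echo '<script>setTimeout(function(){ window.location.href = ' . $login_url . '; }, 10000);</script>';
}, PHP_INT_MAX);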
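/**
 * Replace the stock login error messages with deliberately vague ones.
 *
 * WordPress' default messages distinguish "unknown username" from "wrong
 * password"; this filter returns one message for both so the login form cannot
 * be used to enumerate accounts. Empty-field errors keep a specific hint since
 * they reveal nothing about existing accounts.
 *
 * @param string $error Original error HTML (ignored).
 * @return string Replacement error HTML.
 */
add_filter('login_errors', function ($error) {
    // Strict comparison with a default avoids an undefined-index notice when
    // no action is present in the query string.
    $is_lost_password = 'lostpassword' === ($_GET['action'] ?? '');

    if ($is_lost_password) {
        // Lost-password form.
        if (empty($_POST['user_login'])) {
            return '<b>Username or Email Address</b> can\'t be empty.';
        }
        return 'Invalid <b>Username or Email Address</b>.';
    }

    // Login form.
    if (empty($_POST['log'])) {
        return '<b>Username or Email Address</b> can\'t be empty.';
    }
    if (empty($_POST['pwd'])) {
        return '<b>Password</b> can\'t be empty.';
    }
    return 'Invalid <b>Username</b> or <b>Password</b>.';
});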
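/**
 * Disable XML-RPC.
 *
 * The `xmlrpc_enabled` filter expects a boolean. Returning false lets
 * WordPress answer with its standard "XML-RPC services are disabled on this
 * site." fault instead of a bare plain-text response, and keeps the filter
 * chain and the return statement reachable (a die() here made the `return`
 * dead code).
 *
 * @param bool $enabled Current value (ignored).
 * @return false
 */
add_filter('xmlrpc_enabled', function ($enabled) {
    return false;
}, PHP_INT_MAX);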
/**
 * Remove every XML-RPC method.
 *
 * With an empty method table there is nothing left for xmlrpc.php to
 * dispatch. Complements the `xmlrpc_enabled` filter above.
 *
 * @return array Empty method map.
 */
add_filter('xmlrpc_methods', static function () {
    $methods = [];
    return $methods;
}, PHP_INT_MAX);
/**
 * Strip the X-Pingback response header.
 *
 * Removes the header from anything already queued at load time and filters it
 * out of the header set WordPress assembles later via `wp_headers`.
 */
header_remove('X-Pingback');

/**
 * @param array $headers Response headers keyed by name.
 * @return array The same headers without X-Pingback.
 */
add_filter('wp_headers', static function ($headers) {
    if (array_key_exists('X-Pingback', $headers)) {
        unset($headers['X-Pingback']);
    }
    return $headers;
}, PHP_INT_MAX);
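/**
 * On init, remove discovery links, feed links and version hints from the page
 * source and from the HTTP headers.
 *
 * Each entry is [hook, callback, priority]; remove_action() only matches when
 * the priority equals the one core registered the callback with, so the values
 * here mirror core's defaults. remove_action() takes three arguments, so the
 * stray fourth argument the original calls passed is dropped. Some callbacks
 * (index_rel_link, parent_post_rel_link, start_post_rel_link, wlwmanifest_link)
 * may no longer be registered by current core; removing them is harmless and
 * keeps older installs covered.
 *
 * NOTE(review): rel_canonical is an SEO signal rather than a security
 * surface — confirm its removal is intended.
 */
add_action('init', static function () {
    $removals = [
        // EditURI (RSD) link.
        ['wp_head', 'rsd_link', 10],
        // Category feed links.
        ['wp_head', 'feed_links_extra', 3],
        // Post and comment feed links.
        ['wp_head', 'feed_links', 2],
        // Windows Live Writer manifest.
        ['wp_head', 'wlwmanifest_link', 10],
        // Index link.
        ['wp_head', 'index_rel_link', 10],
        // Parent post link.
        ['wp_head', 'parent_post_rel_link', 10],
        // Start link.
        ['wp_head', 'start_post_rel_link', 10],
        // Canonical.
        ['wp_head', 'rel_canonical', 10],
        // Shortlink.
        ['wp_head', 'wp_shortlink_wp_head', 10],
        // Links for adjacent posts.
        ['wp_head', 'adjacent_posts_rel_link_wp_head', 10],
        // WP version.
        ['wp_head', 'wp_generator', 10],
        // Emoji detection script.
        ['wp_head', 'print_emoji_detection_script', 7],
        // Emoji styles.
        ['wp_print_styles', 'print_emoji_styles', 10],
        // REST API link tag.
        ['wp_head', 'rest_output_link_wp_head', 10],
        // oEmbed discovery links.
        ['wp_head', 'wp_oembed_add_discovery_links', 10],
        // REST API link in HTTP headers.
        ['template_redirect', 'rest_output_link_header', 11],
    ];

    foreach ($removals as [$hook, $callback, $priority]) {
        remove_action($hook, $callback, $priority);
    }
}, PHP_INT_MAX);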