Difference between revisions of "WordPress"
From Jon's Wiki
Revision as of 01:17, 21 May 2018
Enable plugin and theme installation from the dashboard (no FTP credential prompt) by giving the PHP/web-server user write access to wp-content/{plugins,themes} and configuring:
# in wp-config.php
# 'direct' makes WordPress write to the filesystem as the PHP user instead of over FTP/SSH
define('FS_METHOD', 'direct');
Caveat: with 'direct', anything that can execute PHP as the web-server user can also rewrite plugins and themes, so keep the rest of the tree (wp-config.php, wp-admin, wp-includes) read-only for that user.
Other nifty things:
- CLI, wp-cli.org
- Security scanner, wpscan.org
- Let's Encrypt TLS everywhere, plus response headers: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, etc. X-XSS-Protection is obsolete (current browsers ignore it; CSP replaces it), and Access-Control-Allow-Origin loosens the same-origin policy rather than hardening anything, so only send it on responses that must be readable cross-origin.
- gzip + WP SuperCache = win
Deny some stupid stuff:
# Don't fill up the log with favicon and robots.txt
location = /favicon.ico {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# The negative lookahead keeps /.well-known/ reachable; without it Let's Encrypt HTTP-01 challenges get a 403.
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\.(?!well-known/) {
deny all;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Regex locations are tried in order of appearance: this block must come BEFORE the
# "location ~ \.php$" block that hands requests to PHP-FPM, or it never matches.
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
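The header list and the deny rules above only do their job when they are placed correctly relative to the PHP handler and the Let's Encrypt challenge path. Below is an added example (not from the original page) of a complete nginx vhost that puts the pieces together: ACME challenge allowed on port 80, headers sent with `always`, the uploads deny ahead of the PHP location, and the `.php` patterns widened to `(/|$)` so PATH_INFO requests like `/uploads/x.php/y.png` are refused too. The domain, document root, certificate paths and PHP-FPM socket are assumptions; adjust them to your install.

```nginx
# Port 80: serve ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name example.org;                      # assumed hostname
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;                # assumed certbot --webroot path
    }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    server_name example.org;                      # assumed hostname
    root /var/www/wordpress;                      # assumed document root
    index index.php;

    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;  # assumed certbot layout
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;

    # Response headers. "always" emits them on 4xx/5xx responses as well.
    # X-XSS-Protection is omitted on purpose (ignored by current browsers);
    # Access-Control-Allow-Origin is omitted because it relaxes, not hardens.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    # Start CSP in report-only mode: wp-admin and most themes rely on inline scripts,
    # so an enforcing policy needs tuning before it goes live.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'" always;

    # Keep favicon/robots noise out of the logs.
    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt  { allow all; log_not_found off; access_log off; }

    # Dotfiles (.htaccess, .git, .env, .DS_Store): refused but still logged for fail2ban.
    # /.well-known/ is not needed on 443 here, since the challenge is answered on port 80.
    location ~ /\. { deny all; }

    # Regex locations are tried in file order, so this deny MUST precede the
    # PHP handler below; otherwise uploads/shell.php would be executed, not refused.
    location ~* /(?:uploads|files)/.*\.php(/|$) { deny all; }

    location / { try_files $uri $uri/ /index.php?$args; }

    # PHP handler, last among the regex locations.
    location ~ \.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        try_files $fastcgi_script_name =404;      # never forward non-existent scripts to FPM
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;  # assumed PHP-FPM socket
    }
}
```

Two things to watch when adapting this: `add_header` directives are inherited by a `location` only if that location declares none of its own, so a location that adds even one header silently drops all the server-level ones unless you repeat them; and after changing the config, confirm the ordering with `nginx -t` and a request such as `curl -I https://example.org/wp-content/uploads/test.php`, which should return 403 rather than reaching PHP.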