WordPress

From Jon's Wiki
Revision as of 01:17, 21 May 2018 by Johnno (talk | contribs)

Enable user-plugin installation by allowing write access to wp-content/{plugins,themes} and configure:

# in wp-config.php
define('FS_METHOD', 'direct');

Other nifty things:

  • CLI, wp-cli.org
  • Security scanner, wpscan.org
  • LetsEncrypt SSL everywhere CSP, Strict Transport, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Access-Control-Allow-Origin, Referrer-Policy etc.
  • gzip + WP SuperCache = win

Deny some stupid stuff:

# Don't fill up the log with favicon and robots.txt
location = /favicon.ico {
    log_not_found off;
    access_log off;
}
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
    deny all;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}