-
Notifications
You must be signed in to change notification settings - Fork 9
/
wordpress
88 lines (77 loc) · 3.17 KB
/
wordpress
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
try_files $uri $uri/ /index.php?$args;
#block common hacking tools used by script kiddies
if ($http_user_agent ~* (WPScan|havij|nmap|nessus|w3af|Jorgee|sqlmap|dirbuster|nikto|<script) ) {
return 403;
}
#block basic user names enumerations - for REST API used mu-plugin in extras
if ($args ~* "(?<!_)author="){ return 404; }
#block files with sensitive info, VCSs and xmlrpc.php (be careful, some plugins need it)
location ~ license\.txt|wp-config-sample\.php|.*readme\.html|.*readme\.txt|.*rss-functions\.php|\.htaccess|wp-config\.php|xmlrpc\.php|/\.(svn|git|hg|bzr|cvs) {
return 404;
}
#block direct access to .php files in uploads
location ~* wp-content/uploads/.*\.php$ {
deny all;
}
#allow only basic HTTP methods
#REST API usually needs more method - PATCH, PUT, DELETE - you can allow them for REST-API enpoint
#or you can use override by HTTP_X_HTTP_METHOD_OVERRIDE header or _method GET param
if ($request_method !~ ^(GET|HEAD|POST)$ ){
return 403;
}
#allow virtual robots.txt
location = /robots.txt {
try_files $uri /index.php?$args;
log_not_found off;
}
#block empty referers for login, ajax and comments
if ($uri ~* "(wp-comments-posts|wp-login|admin-ajax)\.php$") {
set $ref_block A;
}
if ($request_method = POST ) {
set $ref_block "${ref_block}B";
}
if ($http_referer = "") {
set $ref_block "${ref_block}C";
}
if ($ref_block = ABC) {
return 403;
}
#CVE-2018-6389 - load-scripts.php/load-styles.php - block lonq queries
if ($request_uri ~* "^/wp-admin/load-(scripts|styles)\.php\?.{1024,}$"){
return 403;
}
#block susspicious queries (based on iThemes Security blacklist)
set $susquery 0;
if ($args ~* "\.\./") { set $susquery 1; }
if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
if ($args ~* "wp-config.php") { set $susquery 1; }
if ($args ~* "etc/passwd") { set $susquery 1; }
if ($args ~* "boot.ini") { set $susquery 1; }
if ($args ~* "ftp:") { set $susquery 1; }
if ($args ~* "http:") { set $susquery 1; }
if ($args ~* "https:") { set $susquery 1; }
if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
if ($args ~* "base64_encode") { set $susquery 1; }
if ($args ~* "eval\(") { set $susquery 1; }
if ($args ~* "file_put_contents") { set $susquery 1; }
if ($args ~* "(%24&x)") { set $susquery 1; }
if ($args ~* "("|'|<|>|\|{|||%24&x)"){ set $susquery 1; }
if ($args ~* "(127.0)") { set $susquery 1; }
if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
if ($args ~* "(insert|concat|union|declare)") { set $susquery 1; }
if ($args ~* "^loggedout=true"){ set $susquery 0; }
if ($args ~* "^action=jetpack-sso"){ set $susquery 0; }
if ($args ~* "^action=rp"){ set $susquery 0; }
if ($http_cookie ~* "^.*wordpress_logged_in_.*$"){ set $susquery 0; }
if ($http_referer ~* "^http://maps.googleapis.com(.*)$"){ set $susquery 0; }
if ($susquery = 1) { return 403; }
##allow login page only from Czech Republic
#location ~ ^/(wp-login\.php) {
# include country-cz;
#}
#basic HTTP header for security
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;