# apache_conf WordPress security
## 1. Make updates as soon as possible
- This includes: WP core files, themes, plugins
## 2. Change your password every few weeks/months
## 3. Implement strong passwords
- Don't use **admin** as the username
- Don't use your domain name
- Don't use common names like **administrator**, **demo**, **editor**, **author**, **login**, **support**, **test**, **user**, **username**, etc.
## 4. Choose trusted plugins that are hosted in the WordPress Plugin Directory
- Check their rating
- Active development (plugin version and when it was last updated)
## 5. Choose trusted plugins and delete any unused plugins/themes
## 6. Disable file editing in the Admin area
- Add `define('DISALLOW_FILE_EDIT', true);` in **wp-config.php**
## 7. Disable user registration
- If user registration is needed, look into **Registration Spam** plugins to prevent spam bots from registering
## 8. Protect the configuration file
- See **PROTECT WP-CONFIG** in htaccess file
## 9. Configure authentication keys in **wp-config.php**
- These can be changed as often as you like; the only drawback is that every user will have to log back in.
## 10. Customize the database prefix
- Custom DB prefix, e.g. `wp_s3CUr3_` (begins with `wp`, followed by random characters, and ends with an underscore)
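As an added example for items 9 and 10 (not code from the original gist), a small Python generator that draws the eight wp-config.php keys from the OS CSPRNG and builds a table prefix in the `wp_<random>_` form above; the salt alphabet and the six-character prefix length are my own choices, and the prefix check mirrors the installer's letters/digits/underscore rule.

```python
import re
import secrets
import string

# Alphabet chosen here (an assumption, not WordPress's exact list): printable
# ASCII without quote, backslash or space, so a value can be pasted into a
# single-quoted PHP string without escaping.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~`+=,.;:/?|"
SALT_LENGTH = 64

# The eight constants wp-config.php expects; these names are WordPress's own.
WP_KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

def generate_salt(length=SALT_LENGTH):
    """Random value of the given length drawn from the OS CSPRNG."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))

def is_valid_table_prefix(prefix):
    """The WordPress installer only accepts letters, digits and underscores."""
    return re.fullmatch(r"[A-Za-z0-9_]+", prefix) is not None

def generate_table_prefix(random_chars=6):
    """Prefix in the checklist's form: 'wp_' + random alphanumerics + '_'."""
    alphabet = string.ascii_letters + string.digits
    middle = "".join(secrets.choice(alphabet) for _ in range(random_chars))
    prefix = f"wp_{middle}_"
    assert is_valid_table_prefix(prefix)
    return prefix

def render_wp_config_block():
    """PHP lines to paste into wp-config.php (above the 'stop editing' line)."""
    lines = [f"define('{name}', '{generate_salt()}');" for name in WP_KEY_NAMES]
    lines.append(f"$table_prefix = '{generate_table_prefix()}';")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_wp_config_block())
```

Rotating the keys works at any time on a live site (everyone is logged out, as item 9 says); a new prefix is easiest to set at install time, because on an existing site the tables and the prefixed rows in the options and usermeta tables must be renamed as well.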
## 11. Disable directory views/listing
- See **DISABLE DIRECTORY VIEWS** in htaccess file
- You can also add an **index.html** or **index.php** file within the directory
## 12. Remove WP version numbers anywhere in the code
## 13. Disable error display
- Disable error display by setting these values to false in **wp-config.php** (above the `/* That's all, stop editing! */` line):

```php
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);
ini_set('display_errors', 'off');
// Also disables the theme/plugin file editor (see item 6); a real boolean, not the string 'true'
define('DISALLOW_FILE_EDIT', true);
```
## 14. Fight comment spam
- Download the **Akismet** plugin
## 15. Secure your login page
- Download the **WP Cerber** plugin
- Look into Two-factor Authentication plugins
## 16. Prevent author enumeration
- Appending `?author=1` to the site's root URL will display the WP username
- Set the Display Name to something other than your username (first name, last name, etc.)
- Change the blog permalinks so they do **not** display WP usernames for authors
- Look into the **Stop User Enumeration** plugin
## 17. Implement a Firewall to block bad requests
- Download **BBQ: Block Bad Queries** by Jeff Starr
## 18. Block bad bots
- Download the **WP Ban** plugin, OR
- See **BLOCK BAD BOTS** in htaccess file
## 19. Stop hotlinking
- See **STOP HOTLINKING** in htaccess file
## 20. Protect the installation page
- Delete **install.php** after installing WP, or set up an htaccess rule (see **SECURE INSTALL PAGE** in the htaccess file)
## 21. Stop automated spam
- See **BLOCK SPAM** in htaccess file
- After adding the htaccess code, check that everything still works normally; if not, consult the 6G documentation at https://perishablepress.com/6g/
## 22. Firewall your site
- See **6G FIREWALL/BLACKLIST** in htaccess file
## 23. Secure WP Admin
- This file must be placed in the **wp-admin** directory
- See **SECURE WP-ADMIN** in htaccess-wp-admin file
## 24. Secure Login page
- See **SECURE LOGIN PAGE** in htaccess file
## htaccess-wp-admin

```apache
# SECURE WP-ADMIN
# Note: this also blocks wp-admin/admin-ajax.php, which themes and plugins
# use for front-end AJAX from ordinary visitors; exempt it if that breaks.
<FilesMatch ".*">
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order Deny,Allow
Deny from all
# Insert your ip address(es) below (google: whats my ip)
Allow from 127.0.0.1
Allow from ::1
# Allow from YOUR_IP_ADDRESS
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
# Insert your ip address(es) below (google: whats my ip)
Require ip 127.0.0.1
Require ip ::1
# Require ip YOUR_IP_ADDRESS
</IfModule>
</FilesMatch>
```
## htaccess

```apache
# SECURE LOGIN PAGE
<Files wp-login.php>
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order Deny,Allow
Deny from all
# Insert your ip address(es) below (google: whats my ip)
Allow from 127.0.0.1
Allow from ::1
# Allow from YOUR_IP_ADDRESS
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
# Insert your ip address(es) below (google: whats my ip)
Require ip 127.0.0.1
Require ip ::1
# Require ip YOUR_IP_ADDRESS
</IfModule>
</Files>
```
```apache
# 6G FIREWALL/BLACKLIST
# @ https://perishablepress.com/6g/
# 6G:[QUERY STRINGS]
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (eval\() [NC,OR]
RewriteCond %{QUERY_STRING} (127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:)(.*)(;) [NC,OR]
RewriteCond %{QUERY_STRING} (base64_encode)(.*)(\() [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)(.*)script(.*)(>|%3) [NC,OR]
RewriteCond %{QUERY_STRING} (\\|\.\.\.|\.\./|~|`|<|>|\|) [NC,OR]
RewriteCond %{QUERY_STRING} (boot\.ini|etc/passwd|self/environ) [NC,OR]
RewriteCond %{QUERY_STRING} (thumbs?(_editor|open)?|tim(thumb)?)\.php [NC,OR]
RewriteCond %{QUERY_STRING} (\'|\")(.*)(drop|insert|md5|select|union) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST METHOD]
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} ^(connect|debug|delete|move|put|trace|track) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REFERRERS]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ([a-z0-9]{2000}) [NC,OR]
RewriteCond %{HTTP_REFERER} (semalt.com|todaperfeita) [NC]
RewriteRule .* - [F]
</IfModule>
# 6G:[REQUEST STRINGS]
<IfModule mod_alias.c>
RedirectMatch 403 (?i)([a-z0-9]{2000})
RedirectMatch 403 (?i)(https?|ftp|php):/
RedirectMatch 403 (?i)(base64_encode)(.*)(\()
RedirectMatch 403 (?i)(=\\\'|=\\%27|/\\\'/?)\.
RedirectMatch 403 (?i)/(\$(\&)?|\*|\"|\.|,|&|&?)/?$
RedirectMatch 403 (?i)(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")
RedirectMatch 403 (?i)(~|`|<|>|:|;|,|%|\\|\s|\{|\}|\[|\]|\|)
RedirectMatch 403 (?i)/(=|\$&|_mm|cgi-|etc/passwd|muieblack)
RedirectMatch 403 (?i)(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)
RedirectMatch 403 (?i)\.(aspx?|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rar|rdf)$
RedirectMatch 403 (?i)/(^$|(wp-)?config|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell)\.php
</IfModule>
# 6G:[USER AGENTS]
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent ([a-z0-9]{2000}) bad_bot
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) bad_bot
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all
Deny from env=bad_bot
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
<RequireAll>
Require all Granted
Require not env bad_bot
</RequireAll>
</IfModule>
</IfModule>
# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
Order Allow,Deny
Allow from All
# uncomment/edit/repeat next line to block IPs
# Deny from 123.456.789
</Limit>
```
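Item 21 says to verify the site still works after adding the htaccess code. As an added example (not part of the 6G project or the original gist), this Python dry-run re-implements the 6G:[QUERY STRINGS] conditions so you can test your own URLs for false positives before deploying; `example.com` and the sample queries are constructed.

```python
import re
from urllib.parse import urlsplit

# The 6G:[QUERY STRINGS] conditions from the htaccess block above, copied as
# Python regexes. mod_rewrite's [NC] flag becomes re.IGNORECASE, and the
# conditions are OR-ed, so a single match is enough to return 403.
QUERY_STRING_RULES = [
    r"(eval\()",
    r"(127\.0\.0\.1)",
    r"([a-z0-9]{2000})",
    r"(javascript:)(.*)(;)",
    r"(base64_encode)(.*)(\()",
    r"(GLOBALS|REQUEST)(=|\[|%)",
    r"(<|%3C)(.*)script(.*)(>|%3)",
    r"(\\|\.\.\.|\.\./|~|`|<|>|\|)",
    r"(boot\.ini|etc/passwd|self/environ)",
    r"(thumbs?(_editor|open)?|tim(thumb)?)\.php",
    r"(\'|\")(.*)(drop|insert|md5|select|union)",
]
COMPILED_RULES = [re.compile(p, re.IGNORECASE) for p in QUERY_STRING_RULES]

def matching_rule(query_string):
    """Return the first pattern that matches, or None if the request passes.
    Pass the raw (still percent-encoded) query string: that is what
    mod_rewrite tests in %{QUERY_STRING}."""
    for pattern, rx in zip(QUERY_STRING_RULES, COMPILED_RULES):
        if rx.search(query_string):
            return pattern
    return None

def dry_run(urls):
    """Map each URL to the pattern that would block it (None means allowed)."""
    return {url: matching_rule(urlsplit(url).query) for url in urls}

# Constructed sample requests: ordinary WordPress URLs next to the kind of
# probe the list is meant to stop. "cost~price" is a legitimate search that
# the eighth rule rejects: the sort of false positive to look for.
SAMPLE_URLS = [
    "https://example.com/?s=hello+world",
    "https://example.com/?p=123&preview=true",
    "https://example.com/?s=cost~price",
    "https://example.com/?s=%3Cscript%3Ealert(1)%3C/script%3E",
    "https://example.com/?file=../../etc/passwd",
    "https://example.com/?id=1'%20union%20select%201",
]

if __name__ == "__main__":
    for url, rule in dry_run(SAMPLE_URLS).items():
        print("BLOCK " + rule if rule else "allow", url)
```

Feed it the query strings from your own access log to see which real requests the rules would have refused.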
```apache
# BLOCK BAD BOTS
<IfModule mod_setenvif.c>
SetEnvIfNoCase User-Agent (archive.org|binlar|casper|checkpriv|choppy|clshttp|cmsworld|diavol|dotbot|extract|feedfinder|flicky|g00g1e|harvest|heritrix|httrack|kmccrew|loader|miner|nikto|nutch|planetwork|postrank|purebot|pycurl|python|seekerspider|siclab|skygrid|sqlmap|sucker|turnit|vikspider|winhttp|xxxyy|youda|zmeu|zune) badbot
# Add any other list of bad bots you can find
SetEnvIfNoCase User-Agent (BadBotUserAgentString|nastybot) badbot
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order Allow,Deny
Allow from all
Deny from env=badbot
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
<RequireAll>
Require all Granted
Require not env badbot
</RequireAll>
</IfModule>
</IfModule>
```
```apache
# BLOCK PROXY VISITS
# http://m0n.co/02
# http://m0n.co/03
# Caveat: corporate proxies, CDNs and reverse proxies set these headers too,
# so this also refuses legitimate visitors behind them and must not be used
# on a site served through a CDN or load balancer.
# %{HTTP:...} takes the header name as sent on the wire (hyphens, not underscores).
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For} !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:Client-IP} !^$
RewriteRule .* - [F]
</IfModule>
```
```apache
# BLOCK SPAM
# Refuses comment POSTs that carry no User-Agent or do not come from your own
# site. Replace example.com with your own domain.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_REFERER} !example.com [NC]
RewriteCond %{REQUEST_URI} /wp-comments-post\.php [NC]
RewriteRule .* - [F,L]
</IfModule>
```
```apache
# STOP HOTLINKING
<IfModule mod_rewrite.c>
RewriteEngine On
# Replace example.com with your own domain
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://([^.]+\.)?example\.com [NC]
# Never rewrite the replacement image itself, or the rule loops
RewriteCond %{REQUEST_FILENAME} !hotlink.gif [NC]
# Add as many file types as you'd like. Serves /hotlink.gif in place of the
# hotlinked file; use "- [NC,F,L]" instead to answer 403 with no image
# (the F flag discards any substitution, so the two cannot be combined).
RewriteRule \.(gif|jpe?g|png|zip)$ /hotlink.gif [NC,L]
</IfModule>
```
```apache
# DISABLE DIRECTORY VIEWS
Options -Indexes
```
```apache
# SECURE LOOSE FILES
# http://m0n.co/04
<IfModule mod_alias.c>
RedirectMatch 403 (?i)(^#.*#|~)$
RedirectMatch 403 (?i)/readme\.(html|txt)
# Drop "well-known" from the next line if you use ACME HTTP-01 (Let's Encrypt)
# validation, which must be able to serve /.well-known/acme-challenge/
RedirectMatch 403 (?i)\.(ds_store|well-known)
RedirectMatch 403 (?i)/wp-config-sample\.php
RedirectMatch 403 (?i)\.(7z|bak|bz2|com|conf|dist|fla|git|inc|ini|log|old|psd|rar|tar|tgz|save|sh|sql|svn|swo|swp)$
</IfModule>
```
```apache
# PROTECT WP-CONFIG
<Files wp-config.php>
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</Files>
# SECURE INSTALL PAGE
<Files install.php>
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
</IfModule>
# Apache >= 2.3
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</Files>
# Block the include-only files.
# https://codex.wordpress.org/Hardening_WordPress#Hardening_Recommendations
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
# ...
```