Author: drillsar (n00b, joined 08 Sep 2010, 33 posts)
Posted: Tue Jun 11, 2019 11:50 pm
Post subject: Nginx Wordpress Security?
I am trying to lock down WordPress and the following configuration is not working; it blocks the whole admin.
Any other security I should use for WordPress?
How do you deny access to wp-admin but allow admin-ajax.php?
Code:
location ~ ^/(wp-admin|wp-login\.php) { allow 111.111.111.111; deny all; }
location ~ ^/wp-admin/admin-ajax.php$ { allow all; }
Author: drillsar (n00b, joined 08 Sep 2010, 33 posts)
Posted: Thu Jun 13, 2019 5:21 pm
I got it somewhat working, but only if I add 192.168.1.1, so obviously something is wrong with /etc/hosts or something else.
Code:
# Always allow plugins, etc., access to 'admin-ajax.php'
location ~ /wp-admin/admin-ajax\.php$ {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_read_timeout 300;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /srv/giftboundgifts.com/html$fastcgi_script_name;
    allow all;
}

# Deny access to php files under the 'wp-admin' dir, and 'wp-login.php'
location ~ (/wp-admin/.*\.php|wp-login\.php$) {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_read_timeout 300;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME /srv/giftboundgifts.com/html$fastcgi_script_name;
    allow 192.168.1.1;
    allow 192.168.1.242;
    deny all;
}
My /etc/hosts file (my hostname is otto; my website is giftboundgifts.com):
Code:
127.0.0.1     otto localhost
::1           localhost
192.168.1.242 otto.giftboundgifts.com otto
Author: Hu (Administrator, joined 06 Mar 2007, 23062 posts)
Posted: Fri Jun 14, 2019 1:59 am
Post subject: Re: Nginx Wordpress Security?
drillsar wrote:
> I am trying to lock down WordPress and the following configuration is not working; it blocks the whole admin.

What do the server logs say when this happens?

drillsar wrote:
> Any other security I should use for WordPress?

I'd start by changing the permissions for the WordPress root directory to 0 (no access), then remounting the filesystem read-only for good measure. That should prevent malicious access, assuming your webserver respects filesystem permissions. It will have some negative effects on usability, but given the security history of WordPress, I think it's a reasonable trade-off.

drillsar wrote:
> I got it somewhat working, but only if I add 192.168.1.1, so obviously something is wrong with /etc/hosts or something else.

Please explain the connection here. The server should not be inspecting /etc/hosts when implementing its access control. However, it seems plausible that if you access the server on a private IP, it will see a private client IP and base its decision on that. The server access logs would confirm this.

[Edit: fixed the ordering of suggestions. The directory permissions cannot be changed if the filesystem is made read-only first.]
Author: spica (Guru, joined 04 Jun 2021, 338 posts)
Posted: Wed Jan 19, 2022 1:08 am
Post subject: Re: Nginx Wordpress Security?
drillsar wrote:
> I am trying to lock down WordPress and the following configuration is not working; it blocks the whole admin.
> Any other security I should use for WordPress?
> How do you deny access to wp-admin but allow admin-ajax.php?
> Code:
> location ~ ^/(wp-admin|wp-login\.php) { allow 111.111.111.111; deny all; }
> location ~ ^/wp-admin/admin-ajax.php$ { allow all; }

1. ~ ^/(wp-admin|wp-login\.php): this will match anything starting with /wp-admin. This is where the admin is blocked.
2. ~ ^/wp-admin/admin-ajax.php$: this will not be matched, because it looks like location 1 takes precedence.

If you know the full path to the file, try using the exact match "=": it has the highest priority.
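The fix spica describes, written out as a complete server block. This is an added example, not configuration from the thread or from any of the posters; the allow-listed addresses, the PHP-FPM listener and the document root are assumptions. It also keeps the default access log, whose first field is $remote_addr, the value Hu says to check, so a surprising 403 can be traced to the client address nginx actually evaluated.

```nginx
# Added example (not from the thread). Goes inside the http {} context.
# Assumptions: document root, PHP-FPM on 127.0.0.1:9000, and the two
# allow-listed address ranges below.
server {
    listen 80;
    server_name giftboundgifts.com;
    root  /srv/giftboundgifts.com/html;
    index index.php;

    # Default "combined" format: the first field is $remote_addr, the address
    # allow/deny is evaluated against. Check it when a 403 is unexpected.
    access_log /var/log/nginx/giftboundgifts.access.log;

    # 1. Exact match has the highest priority of all location types, so this
    #    block is selected before any regex location below is considered.
    #    admin-ajax.php therefore stays reachable from everywhere.
    location = /wp-admin/admin-ajax.php {
        try_files     $uri =404;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  127.0.0.1:9000;   # assumed PHP-FPM listener
    }

    # 2. Regex locations are tried in file order and the first match wins.
    #    Every other PHP file under /wp-admin/ and the login page: check the
    #    client address first, then hand the request to PHP-FPM.
    location ~ ^/(wp-admin/.+\.php|wp-login\.php)$ {
        allow 203.0.113.10;     # assumed public admin address (RFC 5737 range)
        allow 192.168.1.0/24;   # assumed LAN range
        deny  all;

        try_files     $uri =404;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  127.0.0.1:9000;
    }

    # 3. All remaining PHP (front end, REST API, xmlrpc.php, ...).
    #    try_files prevents PHP-FPM from being asked for files that do not exist.
    location ~ \.php$ {
        try_files     $uri =404;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  127.0.0.1:9000;
    }

    # 4. Static files, then WordPress permalinks. A request for /wp-admin/
    #    finds the directory, the index directive turns it into
    #    /wp-admin/index.php, and that re-enters location matching and is
    #    handled (and access-checked) by block 2.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

Run nginx -t before reloading. One caveat a practitioner should keep in mind: allow and deny only ever see $remote_addr, the source address of the TCP connection. If nginx sits behind a reverse proxy or load balancer, that is the proxy's address, and the allow-list is meaningless until the realip module (set_real_ip_from and real_ip_header) is configured to trust that hop. The same mechanism is behind Hu's remark about private client addresses: a LAN client that reaches the site through a router doing NAT hairpinning arrives with the router's own LAN address, and that, not the client's address, is what the allow-list is compared against. The access log shows which one it was.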