Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Nginx Wordpress Security?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
drillsar
n00b
n00b


Joined: 08 Sep 2010
Posts: 26

PostPosted: Tue Jun 11, 2019 11:50 pm    Post subject: Nginx Wordpress Security? Reply with quote

I am trying to lockdown wordpress and the following configuration not working it blocks the whole admin..

Any other security I should use for Wordpress?
How do you deny access to wp-admin but allow admin-ajax,php?

Code:

location ~ ^/(wp-admin|wp-login\.php) { allow 111.111.111.111; deny all; }
location ~ ^/wp-admin/admin-ajax.php$ { allow all;  }
Back to top
View user's profile Send private message
drillsar
n00b
n00b


Joined: 08 Sep 2010
Posts: 26

PostPosted: Thu Jun 13, 2019 5:21 pm    Post subject: Reply with quote

I got it somewhat working but only if I add 192.168.1.1 so obviously something wrong with /etc/hosts or something else.

Code:
 Always allow plugins, etc, access to 'admin-ajax.php'
    location ~ /wp-admin/admin-ajax\.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_read_timeout 300;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME /srv/giftboundgifts.com/html$fastcgi_script_name;

        allow all;
}

# Deny access to php files under the 'wp-admin' dir, and 'wp-login.php'
    location ~ (/wp-admin/.*\.php|wp-login\.php$) {
        include /etc/nginx/fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_read_timeout 300;
        fastcgi_index index.php;
        fastcgi_param  SCRIPT_FILENAME /srv/giftboundgifts.com/html$fastcgi_script_name;

        allow 192.168.1.1;
        allow 192.168.1.242;
        deny all;
}

my /etc/hosts file my hostname is otto; my website is giftboundgifts.com

Code:
127.0.0.1       otto localhost
::1             localhost
192.168.1.242   otto.giftboundgifts.com otto
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13734

PostPosted: Fri Jun 14, 2019 1:59 am    Post subject: Re: Nginx Wordpress Security? Reply with quote

drillsar wrote:
I am trying to lockdown wordpress and the following configuration not working it blocks the whole admin..
What do the server logs say when this happens?
drillsar wrote:
Any other security I should use for Wordpress?
I'd start by changing the permissions for the Wordpress root directory to 0 (no access), then remounting the filesystem read-only for good measure. That should prevent malicious access, assuming your webserver respects filesystem permissions. It will have some negative effects on usability, but given the security history of Wordpress, I think it's a reasonable trade-off.
drillsar wrote:
I got it somewhat working but only if I add 192.168.1.1 so obviously something wrong with /etc/hosts or something else.
Please explain the connection here. The server should not be inspecting /etc/hosts when implementing its access control. However, it seems plausible that if you access the server on a private IP, it will see a private client IP and base its decision on that. The server access logs would confirm this.

[Edit: fixed the ordering of suggestions. The directory permissions cannot be changed if the filesystem is made read-only first.]
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum