#
# Deny access to WordPress core and plugin and theme files.
#
# VERSION :3.2.0
# PERMISSION :0644
# LOCATION :/etc/apache2/conf-available/wordpress.inc.conf
# VARIABLE :DOCUMENT_ROOT
# VARIABLE :WORDPRESS_ROOT_URL
# VARIABLE :WORDPRESS_UPLOADS_URL
# @FIXME Switch to <FilesMatch>? <Location*> sections match the request URL path,
# <FilesMatch> the mapped file name: FilesMatch would also cover these files when
# they are reached through an Alias or a rewrite, and would not depend on
# WORDPRESS_ROOT_URL being exactly right. Trade-off: FilesMatch cannot express
# the directory part of the path the way the Location rules below do.
# Root files and en_US, hu_HU documents (no dollar sign at the end)
# Without a trailing "$" anchor the regex also denies longer names that start
# the same way, e.g. `wp-config.php~`, `wp-config.php.bak`, `readme.html.orig`.
# The match is case-sensitive (unlike the site-wide readme/license rule).
# - wp-config.php
# - wp-config-sample.php
# - wp-blog-header.php
# - wp-load.php
# - wp-settings.php
# - license.txt
# - readme.html
# - licenc.txt
# - olvasdel.html
<LocationMatch "^${WORDPRESS_ROOT_URL}(licenc\.txt|olvasdel\.html|license\.txt|readme\.html|wp-(config|config-sample|blog-header|load|settings)\.php)">
Require all denied
</LocationMatch>
# Prevent running WordPress cron from the web
# No "$" anchor: `wp-cron.php`, `wp-cron.php/...` and `wp-cron.php.bak` are all denied.
# NOTE(review): WordPress normally fires its scheduler itself with a loopback
# HTTP request to this URL, which this rule denies as well; presumably scheduled
# tasks are run from system cron instead (`wp cron event run --due-now` or
# `php wp-cron.php`) with DISABLE_WP_CRON set in wp-config.php — confirm.
<LocationMatch "^${WORDPRESS_ROOT_URL}wp-cron\.php">
Require all denied
</LocationMatch>
# Site-wide `readme.txt` and `license.txt` (no root, no dollar sign)
# Unanchored and case-insensitive: denies any URL path that contains either
# string, e.g. `/wp-content/plugins/foo/readme.txt`, `/README.TXT`,
# `/x/license.txt.bak`. Plugin/theme readme files disclose version numbers,
# hence the site-wide scope.
# Side effect: a legitimate permalink whose path contains "readme.txt" or
# "license.txt" is denied too.
<LocationMatch "(?i)(readme\.txt|license\.txt)">
Require all denied
</LocationMatch>
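# Plugins and themes `*.php` (no root, no dollar sign)
# Plugin and theme scripts are meant to be loaded through WordPress, not
# requested directly; deny them as entry points.
# `\.ph(ar|p|tml)` rather than `\.php`: the Debian PHP handler configuration
# (`.+\.ph(ar|p|tml)$`) hands .phar and .phtml to the interpreter as well, so
# denying only `.php` would leave those executable. Without a "$" anchor this
# also covers `.php5`, `.php7`, `.phps` and `x.php.bak`-style names.
# No leading anchor: applies under any prefix (wp-content, a renamed content
# directory, ...).
<LocationMatch "/(mu-plugins|plugins|themes)/.*\.ph(ar|p|tml)">
Require all denied
</LocationMatch>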
# Exclude custom entry points created by poorly written plugins and themes.
# Find them in the access log, then grant each one explicitly. Location
# sections are merged in configuration order, so a grant must come *after* the
# deny above, and it should be anchored ("^...$") so it re-opens exactly one
# file and not everything that starts with that name.
# # zgrep -E "/wp-content/\S+\.php.+ HTTP/" /var/log/apache2/*access*.log*
# <LocationMatch "^/static/plugins/a-plugin/entry-point\.php$">
# Require all granted
# </LocationMatch>
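# Uploads `*.php` (no dollar sign)
# The uploads directory is writable by the web application, so nothing in it
# may be executed as PHP or served as PHP source.
# `\.ph(ar|p|tml)` rather than `\.php`: the Debian PHP handler configuration
# (`.+\.ph(ar|p|tml)$`) also runs .phar and .phtml, so `shell.phtml` would
# otherwise slip through. Without a "$" anchor double extensions such as
# `shell.php.jpg` or `x.phtml.png` are denied as well.
<LocationMatch "^${WORDPRESS_UPLOADS_URL}.*\.ph(ar|p|tml)">
Require all denied
</LocationMatch>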
# WP-admin `install.php`
# Non-regex <Location>: a path-segment prefix match, so `install.php/...`
# (path info) is covered too.
# NOTE(review): this blocks the installer; presumably the site is installed
# already (or installed via WP-CLI) — comment out while installing.
<Location "${WORDPRESS_ROOT_URL}wp-admin/install.php">
Require all denied
</Location>
# WP-admin `setup-config.php`
# Prefix match (path info included). Only needed during initial setup to write
# wp-config.php; keep it denied on an installed site.
<Location "${WORDPRESS_ROOT_URL}wp-admin/setup-config.php">
Require all denied
</Location>
# WP-admin `admin-functions.php`
# Prefix match (path info included). Legacy file; not a user-facing entry point.
<Location "${WORDPRESS_ROOT_URL}wp-admin/admin-functions.php">
Require all denied
</Location>
# WP-admin `includes/*` (no trailing slash)
# Path-segment prefix match: denies `/wp-admin/includes` itself and everything
# below it (`/wp-admin/includes/file.php`), but not `/wp-admin/includes-other`.
# These are library files included by the admin scripts, never requested directly.
<Location "${WORDPRESS_ROOT_URL}wp-admin/includes">
Require all denied
</Location>
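# WP-includes `*.php` (no root, no dollar sign)
# Deny every PHP script under wp-includes, then re-open the few that are
# legitimately requested directly. Location sections are merged in
# configuration order: the grants below override this deny only because they
# come later, so keep the order. Each grant is anchored with "$" so it re-opens
# exactly one file.
# `\.ph(ar|p|tml)` rather than `\.php`: the Debian PHP handler configuration
# (`.+\.ph(ar|p|tml)$`) also runs .phar and .phtml; without a "$" anchor
# `.php5`, `.phps` and `x.php.bak`-style names are denied as well.
<LocationMatch "/wp-includes/.*\.ph(ar|p|tml)">
# Deny first
Require all denied
</LocationMatch>
# NOTE(review): review this list against the installed WordPress version;
# each grant is an exposed entry point.
<LocationMatch "^${WORDPRESS_ROOT_URL}wp-includes/ms-files\.php$">
Require all granted
</LocationMatch>
<LocationMatch "^${WORDPRESS_ROOT_URL}wp-includes/js/tinymce/wp-mce-help\.php$">
Require all granted
</LocationMatch>
<LocationMatch "^${WORDPRESS_ROOT_URL}wp-includes/js/tinymce/wp-tinymce\.php$">
Require all granted
</LocationMatch>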
<Directory "${DOCUMENT_ROOT}">
RewriteEngine On
# Merge with vhost configuration
# "Rules inherited from the parent scope are applied after rules specified in the child scope."
# NOTE(review): every rule below that matches terminates with END (or an
# external redirect), so inherited vhost rules only ever reach requests none of
# these rules claim — existing files and directories. Confirm that split is
# intended.
RewriteOptions Inherit
# Stop request from schema graph
# Exact string compare ("=" prefix) against the raw query string: catches the
# unreplaced schema.org SearchAction placeholder `?s={search_term_string}` and
# answers 400. Only this exact query matches; a request with extra parameters
# or with the braces percent-encoded presumably passes through.
RewriteCond "%{QUERY_STRING}" "=s={search_term_string}"
RewriteRule "^" - [R=400,END]
# Some crawlers normalize the trailing slash
# For the listed user agents only: a path that is not an existing file,
# contains no "." and does not already end in "/" is redirected (301) to its
# trailing-slash form. User-Agent is client-controlled; here it only selects a
# redirect. The target `/$1/` assumes DOCUMENT_ROOT is served at "/".
RewriteCond %{HTTP_USER_AGENT} "(MJ12bot|DomainCrawler|GrapeshotCrawler|PetalBot|VelenPublicWebCrawler)"
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule "^([^.]*[^/.])$" "/$1/" [R=permanent,L]
# # WP-CONTENT == DOCUMENT-ROOT
# # Keep real directory secret (no anchors)
# RewriteCond %{REQUEST_URI} "/wordpress-core"
# RewriteRule "^" - [R=400,END]
# # Prevent redirect loop on wp-admin
# RewriteRule "^wp-admin$" "/wp-admin/" [R=permanent,END]
# RewriteRule "^wp-admin/$" "/wordpress-core/wp-admin/index.php" [END]
# # Everything beginning with "wp-" is a WordPress core file
# RewriteCond %{REQUEST_FILENAME} !-f
# RewriteCond %{REQUEST_FILENAME}%{PATH_INFO} "^(.+/)(wp-.+/wp-.+)$" [OR]
# RewriteCond %{REQUEST_FILENAME}%{PATH_INFO} "^(.+/)(wp-.+)$" [OR]
# RewriteCond %{REQUEST_FILENAME}%{PATH_INFO} "^(.+/)(xmlrpc\.php)$"
# RewriteCond "%1wordpress-core/%2" -f
# # XML-RPC is the only one not beginning with "wp-"
# RewriteRule "^(xmlrpc\.php|wp-.+)$" "/wordpress-core/$1" [END]
# Core permalinks (no leading slash)
# WordPress front controller: `index.php` itself passes through untouched; any
# other path that is not an existing file or directory is rewritten internally
# to /index.php (URL unchanged). END stops all further rewrite rounds.
RewriteRule "^index\.php$" - [END]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule "^" "/index.php" [END]
</Directory>