WordPress 禁止访问网站核心 PHP 文件,提高安全性

2022-03-24 14:17:54 浏览数 (3)

WordPress 用的是 PHP 语言,禁止访客访问网站核心 PHP 文件能提高安全性。我们以 Nginx 的配置文件为例,来详细说明如何安全配置:禁用某些目录执行 PHP。

代码语言:javascript复制
server {
 
listen 80;
server_name website.com;
# Redirect non-www to www (website.com -> www.website.com)
return 301 http://www.$server_name$request_uri;
}
 
server {
 
    listen 80;
    server_name www.website.com;
    access_log /var/www/website.com/logs/access.log main;
    error_log /var/www/website.com/logs/error.log warn;
    root /var/www/website.com/public/htdocs;
    index index.html index.htm index.php;
 
# 日志不记录 robots.txt
    location = /robots.txt {
        log_not_found off;
        access_log off;
    }
 
# 如果没有 favicon 文件则退出并返回 204 (没有错误内容)
 
    location ~* /favicon.ico$ {
        try_files $uri =204;
        expires max;
        log_not_found off;
        access_log off;
    }
 
# 以下格式文件日志不需要记录
 
    location ~* .(js|css|png|jpg|jpeg|bmp|gif|ico)$ {
        expires max;
        log_not_found off;
        access_log off;
        # Send the all shebang in one fell swoop
        tcp_nodelay off;
        # Set the OS file cache
        open_file_cache max=1000 inactive=120s;
        open_file_cache_valid 45s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
    }
 
    # http://wiki.nginx.org/WordPress
    # 设置静态地址必须要添加的配置
    # 如果你后台添加了固定链接,则需要添加以下配置
 
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
 
# 禁止访问 htaccess 文件
 
    location ~ /. {
        deny  all;
    }
 
# nocgi cgi等可执行的,不允许
 
    location ~* .(pl|cgi|py|sh|lua)$ {
            return 444;
    }
 
#禁止访问 wp-config.php install.php 文件
 
    location = /wp-config.php {
            deny all;
    }
 
    location = /wp-admin/install.php {
        deny all;
    }
 
# 禁止访问 /wp-content/ 目录的 php 格式文件 (包含子目录)
 
    location ~* ^/wp-content/.*.(php|phps)$ {
        deny all;
    }
 
# 允许内部分  wp-includes 目录的 .php 文件 
 
    location ~* ^/wp-includes/.*.(php|phps)$ {
        internal;
    }
 
 
# 禁止访问 /wp-content/ 目录的以下文件格式 (包含子目录)
 
    location ~* ^/wp-content/.*.(txt|md|exe)$ {
        deny all;
    }
 
# 禁止uploads、images目录下面的所有php、jsp访问
    location ~ ^/(uploads|images)/.*.(php|php5|jsp)$ {
        deny all;
        #return 403;
    }
 
# 禁止访问目录 /conf/*
 
    location ^~ /conf/ {
        deny all;
    }
 
    # 注意:上述/conf/后面的斜杠不能少,否则所有以conf开头的目录或文件都将禁止访问。
 
 
 
## 禁止访问任何目录下的.sql文件,禁止浏览器访问
 
 
    location ~.*.sql {
        deny all;
    }
 
    # 这样,任一目录的sql文件都不会被用户访问到了。 
 
 
# 处理 .php 文件
 
    location ~ .php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(. .php)(/. )$;
        include /etc/nginx/fastcgi_params;
        fastcgi_connect_timeout 180s;
        fastcgi_send_timeout 180s;
        fastcgi_read_timeout 180s;
        fastcgi_intercept_errors on;
        fastcgi_max_temp_file_size 0;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index index.php;
    }
 
# 限制登陆和管理IP地址
 
    location ~ ^/(wp-admin|wp-login.php) {
        allow 1.2.3.4;
        deny all;
 
        ## 下面是fastcgi 方式
        index               index.php index.html index.htm;
        fastcgi_index       index.php;
        fastcgi_pass        127.0.0.1:9000;
        include             fastcgi.conf;
 
        ## 下面是代理方式的设置
        proxy_pass  http://apachebackend;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  }
 
# wordpress 重写规则
 
    rewrite ^/sitemap_index.xml$ /index.php?sitemap=1 last;
    rewrite ^/([^/] ?)-sitemap([0-9] )?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
 
    # Add trailing slash to */wp-admin requests
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;
 
 
# 403页面配置
 
    error_page 403 http://cdn-home.mimvp.com/404.html;      # 指定CDN页面
 
    error_page 403 404.html;      # 指定当前项目根目录下的404.html文件 
}

0 人点赞