Saya baru dari wordpress dan saya ingin meningkatkan keamanan multisite wordpress dengan menyembunyikan sumber daya non publik, misalnya. wp-admin, wp-config dll.
Pengaturan saya tampaknya berfungsi, tetapi saya tidak tahu apakah pengaturan ini dapat merusak sesuatu (fitur inti, plug-in populer, dll.)
- Apakah pengaturan saya baik secara umum?
- Pengaturan saya meningkatkan keamanan nyata atau saya membuang-buang waktu?
httpd-vhosts.conf (apache)
# Disallow public access php for .htaccess and .htpasswd files
<Files ".ht*">
Require all denied
</Files>
# Disallow public access for *.php files in upload directory
<Directory "/htdocs/wp-content/uploads/">
<Files "*.php">
deny from all
</Files>
</Directory>
# Disallow public access for...
<Files "wp-config.php">
order allow,deny
deny from all
</Files>
<Files "readme.html">
order allow,deny
deny from all
</Files>
<Files "license.html">
order allow,deny
deny from all
</Files>
<Files "license.txt">
order allow,deny
deny from all
</Files>
# Because we do not use any remote connections to publish on WP
<Files "xmlrpc.php">
order allow,deny
deny from all
</Files>
.htaccess
RewriteEngine On
RewriteBase /
# List of ACME company IP Address
SetEnvIf Remote_Addr "^127\.0\.0\." NETWORK=ACME
SetEnvIf Remote_Addr "^XX\.XX\.XX\.XX$" NETWORK=ACME
SetEnvIf Remote_Addr "^XX\.XX\.XX\.XX$" NETWORK=ACME
SetEnvIf Remote_Addr "^XX\.XX\.XX\.XX$" NETWORK=ACME
# Disallow access to wp-admin and wp-login.php
RewriteCond %{SCRIPT_FILENAME} !^(.*)admin-ajax\.php$ # allow fo admin-ajax.php
RewriteCond %{ENV:NETWORK} !^ACME$ # allow for ACME
RewriteCond %{SCRIPT_FILENAME} ^(.*)?wp-login\.php$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin\/
RewriteRule ^(.*)$ - [R=403,L]
# Block user enumeration
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
RewriteRule ^(.*)$ / [L,R=301]
# Block the include-only files.
# see: http://codex.wordpress.org/Hardening_WordPress (Securing wp-includes)
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
#RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] # Comment for Multisite
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
function.php
<?php
// Remove unnecessary meta tags
// <meta name="generator" content="WordPress 4.1" />
remove_action('wp_head', 'wp_generator');
// Disable WordPress Login Hints
function no_wordpress_errors(){
return 'GET OFF MY LAWN !! RIGHT NOW !!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
wp-config.php
<?php
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
htaccess
security
configuration
ar099968
sumber
sumber
Jawaban:
Menggunakan
remove_action()
dapat menghapus tautan yang tidak perlu misalnya:sumber
Apakah Anda menjalankan situs Anda di cPanel?
Jika demikian, jelajahi panel kontrol Anda dan Anda akan melihat beberapa modul hebat.
Di bawah tab Advanced , cari indeks. Setelah Anda mengklik, Anda dapat menyesuaikan dan "menyembunyikan sumber non publik" dengan sangat mudah.
sumber