Essential .htaccess rules for WordPress security

The .htaccess file is a powerful tool for configuring the web server. Below are the basic settings you should apply to keep a WordPress installation as secure as possible.

Block access to the .htaccess file from outside the site. To protect this file from external requests we can use this code:

# Deny access to .htaccess and .htpasswd if in use
<FilesMatch "^\.(htaccess|htpasswd)$">
  # Apache 2.2 syntax (needs mod_access_compat on 2.4); on Apache 2.4 use "Require all denied"
  Order deny,allow
  Deny from all
</FilesMatch>

Enable browser caching

## EXPIRES CACHING ##
<IfModule mod_expires.c>
  ExpiresActive On
  # Static assets that rarely change can be cached for a year
  # (image/jpg is not a registered type; browsers send image/jpeg, kept here for completeness)
  ExpiresByType image/jpg "access 1 year"
  ExpiresByType image/jpeg "access 1 year"
  ExpiresByType image/gif "access 1 year"
  ExpiresByType image/png "access 1 year"
  ExpiresByType text/css "access 1 month"
  # Caching HTML for a month means returning visitors may not see content updates for that long; reconsider for a dynamic site
  ExpiresByType text/html "access 1 month"
  ExpiresByType application/pdf "access 1 month"
  ExpiresByType text/x-javascript "access 1 month"
  ExpiresByType application/x-shockwave-flash "access 1 month"
  ExpiresByType image/x-icon "access 1 year"
  ExpiresDefault "access 1 month"
</IfModule>
## EXPIRES CACHING ##

Permanently ban IP addresses. Don't forget to replace the addresses below with the IPs you want to ban.

# Apache 2.2 syntax (needs mod_access_compat on 2.4). <Limit GET POST> restricts only
# these two methods (HEAD counts as GET); drop the <Limit> wrapper to deny the IPs for every method.
<Limit GET POST>
  order allow,deny
  # Placeholder addresses from the RFC 5737 documentation ranges; replace with the IPs to ban
  deny from 192.0.2.1
  deny from 198.51.100.1
  allow from all
</Limit>

Blocking files

# Block the include-only files.
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  # Nothing under wp-admin/includes/ is meant to be requested directly
  RewriteRule ^wp-admin/includes/ - [F,L]
  # Requests outside wp-includes/ skip the next three rules
  RewriteRule !^wp-includes/ - [S=3]
  # Top-level PHP files in wp-includes/ are library code, not entry points
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Protecting wp-content. The wp-content folder is one of the most important in WordPress, because themes, plugins, images, cache files and so on are stored there.

Create a separate .htaccess file with the code below and upload it to the wp-content folder:

# Deny everything under wp-content (notably direct requests to plugin and theme PHP files),
# then re-allow the static asset types. Apache 2.2 syntax; add woff|woff2|svg|webp|ico to the
# list if your theme serves those files, or they will be blocked too.
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
  Allow from all
</FilesMatch>

PHP – Turn off error display

# Only works when PHP runs as an Apache module (mod_php); under PHP-FPM/CGI this directive causes a 500 error, so set display_errors = Off in php.ini instead
php_flag display_errors Off

HTTP security headers in WordPress

<IfModule mod_headers.c>
  # "always" also applies the headers to redirects and error pages, which the default
  # "onsuccess" table does not cover
  # HSTS is only sent when the request came in over TLS (mod_ssl sets the HTTPS variable)
  Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
  # Legacy XSS filter header; current browsers ignore it and Content-Security-Policy replaces it
  Header always set X-XSS-Protection "1; mode=block"
  Header always set X-Content-Type-Options nosniff
  # DENY also stops the site framing itself, which breaks the Customizer preview; SAMEORIGIN is the usual compromise
  Header always set X-Frame-Options DENY
  Header always set Referrer-Policy no-referrer-when-downgrade
  # Test the CSP below before enabling it: default-src 'self' blocks inline scripts/styles and third-party assets many themes and plugins rely on
  #Header always set Content-Security-Policy "default-src 'self' data:; object-src 'none'; child-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content"
  Header always set Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), accelerometer=(), gyroscope=(), magnetometer=(), camera=(), fullscreen=(self)"
</IfModule>
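To confirm that the header rules above actually reach the browser, here is an added Python checker (not code from the original post) that parses a raw HTTP response head and grades each required header as ok, weak or missing. Both sample responses are constructed; the 301 shows what a site sends when a rule is written as "Header set" instead of "Header always set".

```python
import re

# Expected values, derived from the Header directives in the .htaccess above.
REQUIRED = {
    "strict-transport-security": lambda v: hsts_max_age(v) >= 31536000,
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: v != "",
    "permissions-policy": lambda v: v != "",
}

def hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, or -1 if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else -1

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, {lowercase name: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # last duplicate wins
    return status, headers

def audit(raw):
    """Return (status, {header: 'ok' | 'weak' | 'missing'}) for every required header."""
    status, headers = parse_response(raw)
    findings = {}
    for name, accepted in REQUIRED.items():
        if name not in headers:
            findings[name] = "missing"
        else:
            findings[name] = "ok" if accepted(headers[name]) else "weak"
    return status, findings

# Constructed sample: a normal page where every Header rule was applied.
RESPONSE_200 = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer-when-downgrade
Permissions-Policy: geolocation=(), camera=(), fullscreen=(self)
"""

# Constructed sample: a redirect from the same site. Without "always", Header set fills only
# the onsuccess table, which Apache drops for its own non-2xx responses such as redirects.
RESPONSE_301 = """HTTP/1.1 301 Moved Permanently
Location: https://example.com/
Permissions-Policy: geolocation=(), camera=(), fullscreen=(self)
"""
```

Run audit() on the head of a real response captured with curl -I to see which rules are missing on error pages and redirects.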
