Increase the security of your Wordpress blog via the web.config file
This article has been created by automatic translation software. You can view the article source here.
Introduction
The objective of this tutorial is to increase the security of a blog powered by Wordpress by using the web.config file of Microsoft IIS.
This guide does not claim to deliver complete security, but it presents several relatively simple measures that improve the security of your blog.
Reminders
Before getting to the heart of the matter, it is worth recalling a few important points:
- enable automatic updates for your Wordpress installation,
- install as few plugins as possible and use only plugins that are actively maintained,
- limit themes by removing those that are not used or necessary, and download the themes for your blog only from trusted sites,
- use complex passwords (digits, capital letters, special characters, etc.) and never reuse a password,
- check the various connection logs regularly (see the article in our Wiki: fr:Comment exploiter rapidement et facilement les journaux de connexion Windows ?),
- perform backups and verify their integrity.
Important
The web.config file below must of course be adapted to your Wordpress configuration, and the IP-address restriction that limits access to the administration of your CMS must be adjusted accordingly. The attached configuration file has been tested with Windows Server 2008 R2 / IIS 7.5; changes may be required depending on your version of Windows and IIS.
Web.config
Below is the web.config file that will allow you to increase the security of your blog under Wordpress. Explanations are given as comments in the file.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <!-- Default documents: only these three file names are served for a directory request -->
    <defaultDocument>
      <files>
        <clear />
        <add value="index.htm" />
        <add value="index.html" />
        <add value="index.php" />
      </files>
    </defaultDocument>
    <security>
      <requestFiltering>
        <!-- File names commonly probed by automated scans. Request filtering uses a
             case-insensitive substring match, so a request is refused (404.5) when its
             URL contains one of these sequences anywhere. -->
        <denyUrlSequences>
          <add sequence="ofc_upload_image.php" />
          <add sequence="timthumb.php" />
          <add sequence="img.php" />
          <add sequence="img_x.php" />
          <add sequence="thumb.php" />
          <add sequence="phpthumb.php" />
          <add sequence="kontol.php" />
          <add sequence="magic.php.png" />
          <add sequence="food.php" />
          <add sequence="ph.php" />
          <add sequence="fragile.php" />
          <add sequence="3xp.php" />
          <add sequence="explore.php" />
          <add sequence="shell.php" />
          <add sequence="petx.php" />
          <add sequence="dl-skin.php" />
          <add sequence="direct_download.php" />
          <add sequence="getfile.php" />
          <add sequence="vito.php" />
          <add sequence="upload_settings_image.php" />
          <add sequence="saint.php" />
          <add sequence="lunar.php" />
          <add sequence="c99.php" />
          <add sequence="r57.php" />
          <add sequence="ekin0x.php" />
          <add sequence="cmd.php" />
          <add sequence="dq.php" />
          <add sequence="tryag.php" />
        </denyUrlSequences>
        <!-- Rule "SQLi": a request for a .php file is refused (404.19) when the URL path
             or the query string contains one of the strings below. This is a plain
             substring match, so ordinary words block legitimate requests as well: a site
             search for "open" or "select", an e-mail address ("@") in a query string, or
             the wp-admin/update.php and update-core.php pages ("update"). Test the list
             against your own site and remove the entries that get in the way. -->
        <filteringRules>
          <filteringRule name="SQLi" scanUrl="true" scanQueryString="true">
            <appliesTo>
              <add fileExtension=".php" />
            </appliesTo>
            <denyStrings>
              <clear />
              <add string="--" />
              <add string=";" />
              <add string="/*" />
              <add string="@" />
              <add string="char" />
              <add string="alter" />
              <add string="begin" />
              <add string="cast" />
              <add string="create" />
              <add string="cursor" />
              <add string="declare" />
              <add string="delete" />
              <add string="drop" />
              <add string="end" />
              <add string="exec" />
              <add string="fetch" />
              <add string="insert" />
              <add string="kill" />
              <add string="open" />
              <add string="select" />
              <add string="sys" />
              <add string="table" />
              <add string="update" />
            </denyStrings>
          </filteringRule>
        </filteringRules>
      </requestFiltering>
    </security>
    <!-- No directory listings -->
    <directoryBrowse enabled="false" />
    <rewrite>
      <rules>
        <clear />
        <!-- Rule 1: flag requests coming from the administrator's address by setting a
             server variable. Replace the pattern with your own address(es); it is anchored
             (^...$) so that 10.11.12.13 does not also match 110.11.12.130.
             URL Rewrite only lets a rule set a server variable that has been added to its
             allowed list (IIS Manager > URL Rewrite > View Server Variables, stored as
             <allowedServerVariables> in applicationHost.config); otherwise IIS answers
             the request with an HTTP 500 configuration error. -->
        <rule name="AdminIPs" patternSyntax="ECMAScript">
          <match url=".*" />
          <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
            <add input="{REMOTE_ADDR}" pattern="^10\.11\.12\.13$" />
          </conditions>
          <serverVariables>
            <set name="HTTP_X_AdminIPAllowed" value="yes" />
          </serverVariables>
        </rule>
        <!-- Rule 2: any request whose file name contains wp-login.php gets a 403 unless
             rule 1 marked the client as an administrator address. -->
        <rule name="Restrict wp-login.php access" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
            <add input="{REQUEST_FILENAME}" pattern="wp-login.php" />
            <add input="{HTTP_X_AdminIPAllowed}" pattern="yes" negate="true" />
          </conditions>
          <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
        </rule>
      </rules>
      <!-- Blank the Server and ETag response headers. Responses generated by HTTP.sys
           itself (for example some kernel-level error pages) still carry its own Server
           header, which outbound rules cannot reach. -->
      <outboundRules rewriteBeforeCache="true">
        <rule name="Remove Server header">
          <match serverVariable="RESPONSE_Server" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
        <rule name="Remove ETag">
          <match serverVariable="RESPONSE_ETag" pattern=".+" />
          <action type="Rewrite" value="" />
        </rule>
      </outboundRules>
    </rewrite>
    <!-- Drop the version-disclosure headers added by IIS, ASP.NET and Plesk. The
         "X-Powered-By: PHP/..." header is emitted by PHP itself and is not affected by
         this list; set expose_php = Off in php.ini to suppress it. -->
    <httpProtocol>
      <customHeaders>
        <remove name="X-AspNet-Version" />
        <remove name="X-AspNetMvc-Version" />
        <remove name="X-Powered-By" />
        <remove name="X-Powered-By-Plesk" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
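As an added example (written for this edit, not part of the original article nor of the Wordpress or IIS projects), the following Python script reads a trimmed copy of the web.config above and simulates how its request filtering and rewrite rules would treat a handful of constructed requests. It models only the subset of IIS behaviour the file relies on: case-insensitive substring matching for denyUrlSequences and denyStrings, the .php extension filter of the filteringRule, and a regular-expression match of REMOTE_ADDR for the admin rule. The sample client addresses, the sample requests and the anchored admin pattern are assumptions made for the example. The run shows both the intended denials and the false positives that substring matching produces on ordinary Wordpress URLs.

```python
# Added example (not from the original article): an offline simulator that reads a
# trimmed copy of the web.config above and reports how its request-filtering and
# rewrite rules would treat a request. It models only the IIS semantics the file
# relies on: denyUrlSequences and denyStrings are case-insensitive substring
# matches, a filteringRule applies only to the listed extensions, and the rewrite
# condition is a regular expression matched against REMOTE_ADDR.
import re
import xml.etree.ElementTree as ET

# Constructed sample configuration: a subset of the article's rules, with the
# admin address pattern anchored (^...$) so it cannot match a longer address.
WEB_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration><system.webServer>
  <security><requestFiltering>
    <denyUrlSequences><add sequence="timthumb.php" /><add sequence="c99.php" /></denyUrlSequences>
    <filteringRules><filteringRule name="SQLi" scanUrl="true" scanQueryString="true">
      <appliesTo><add fileExtension=".php" /></appliesTo>
      <denyStrings>
        <add string="--" /><add string="@" /><add string="select" />
        <add string="table" /><add string="update" /><add string="delete" />
      </denyStrings>
    </filteringRule></filteringRules>
  </requestFiltering></security>
  <rewrite><rules>
    <rule name="AdminIPs" patternSyntax="ECMAScript">
      <conditions><add input="{REMOTE_ADDR}" pattern="^10\.11\.12\.13$" /></conditions>
    </rule>
  </rules></rewrite>
</system.webServer></configuration>
"""


def load_rules(xml_text):
    """Pull the rule data the simulator needs out of a web.config document."""
    ws = ET.fromstring(xml_text.encode("utf-8")).find("system.webServer")
    rf = ws.find("security/requestFiltering")
    filtering_rules = [{
        "name": fr.get("name"),
        "scan_url": fr.get("scanUrl", "false").lower() == "true",
        "scan_query": fr.get("scanQueryString", "false").lower() == "true",
        "extensions": [a.get("fileExtension").lower() for a in fr.findall("appliesTo/add")],
        "deny_strings": [a.get("string").lower() for a in fr.findall("denyStrings/add")],
    } for fr in rf.findall("filteringRules/filteringRule")]
    return {
        "deny_sequences": [e.get("sequence") for e in rf.findall("denyUrlSequences/add")],
        "filtering_rules": filtering_rules,
        # REMOTE_ADDR patterns of the AdminIPs rule (logicalGrouping MatchAny)
        "admin_patterns": [c.get("pattern") for c in
                           ws.findall("rewrite/rules/rule[@name='AdminIPs']/conditions/add")],
    }


def evaluate_request(rules, path, query="", remote_addr="203.0.113.5"):
    """Return (status, reason): 404 for request-filtering denials (IIS logs them as
    404.5 / 404.19), 403 for the wp-login.php rewrite rule, 200 otherwise."""
    path_l, query_l = path.lower(), query.lower()
    for seq in rules["deny_sequences"]:
        if seq.lower() in path_l:
            return 404, f"denyUrlSequences: {seq}"
    last_segment = path_l.rsplit("/", 1)[-1]
    ext = "." + last_segment.rsplit(".", 1)[1] if "." in last_segment else ""
    for fr in rules["filtering_rules"]:
        if fr["extensions"] and ext not in fr["extensions"]:
            continue
        scanned = ([path_l] if fr["scan_url"] else []) + ([query_l] if fr["scan_query"] else [])
        for s in fr["deny_strings"]:
            if any(s in text for text in scanned):
                return 404, f"filteringRule {fr['name']}: {s!r}"
    # The rewrite rule matches wp-login.php as a substring of REQUEST_FILENAME and
    # refuses the request unless the AdminIPs rule recognised the client address.
    if "wp-login.php" in path_l and not any(re.search(p, remote_addr) for p in rules["admin_patterns"]):
        return 403, "Restrict wp-login.php access"
    return 200, "allowed"


# Constructed sample requests: (URL path, query string, client address)
SAMPLE_REQUESTS = [
    ("/wp-content/themes/x/timthumb.php", "src=a.jpg", "203.0.113.5"),  # listed file name
    ("/index.php", "s=select+a+theme", "203.0.113.5"),       # site search trips the SQLi rule
    ("/wp-admin/update-core.php", "", "10.11.12.13"),        # core updates page: false positive
    ("/index.php", "email=me@example.com", "203.0.113.5"),   # "@" in a query string: false positive
    ("/wp-login.php", "", "203.0.113.5"),                    # login from a non-admin address
    ("/wp-login.php", "", "10.11.12.13"),                    # login from the admin address
    ("/wp-login.php", "", "110.11.12.133"),                  # would pass an unanchored pattern
    ("/index.php", "p=42", "203.0.113.5"),                   # ordinary request
]


def run_samples(xml_text=WEB_CONFIG):
    """Evaluate every sample request; returns (path, query, ip, status, reason) tuples."""
    rules = load_rules(xml_text)
    return [(path, query, ip) + evaluate_request(rules, path, query, ip)
            for path, query, ip in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, query, ip, status, reason in run_samples():
        print(f"{status} {ip:>14} {path}?{query}  <- {reason}")
```

Running the script prints one line per sample request; the two "false positive" lines are the ones to keep in mind before copying the full denyStrings list to a production site, since the same substring logic applies to every .php URL Wordpress generates, including pages of the administration area.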