Increase the security of your WordPress blog via the web.config file

From EN Ikoula wiki


This article was created by automatic translation software. You can view the article source here.


Introduction

The goal of this tutorial is to increase the security of your WordPress blog using the Microsoft IIS web.config file.

This guide does not claim to provide complete security, but it offers several relatively simple ways to strengthen the security of your blog.


Reminders

Before getting to the heart of the matter, it is worth recalling a few important points:

  • enable automatic updates for your WordPress installation
  • limit the number of plugins as much as possible and use only plugins that are actively maintained
  • limit themes by removing those that are not used or needed, and download your blog's themes only from trusted sites
  • use complex passwords (digits, capital letters, special characters, etc.) and never reuse the same password
  • check the various connection logs regularly (see the article in our wiki: Comment exploiter rapidement et facilement les journaux de connexion Windows ?)
  • perform backups and verify their integrity.


Important

The following web.config file obviously has to be adapted to your WordPress configuration, and the IP address restriction on access to the administration of your CMS must be adjusted accordingly. Note that the attached configuration file was tested with Windows Server 2008 R2 / IIS 7.5; changes may be required depending on the version of your operating system / IIS.

Web.config

Below is the web.config file that will allow you to increase the security of your WordPress blog. The explanations are given as comments in the file, between <!-- and --> tags.

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <!-- Default documents, tried in this order -->
        <defaultDocument>
            <files>
                <clear />
                <add value="index.htm" />
                <add value="index.html" />
                <add value="index.php" />
            </files>
        </defaultDocument>
        <security>
            <requestFiltering>
                <!-- Any request whose URL contains one of these sequences (case-insensitive substring)
                     is rejected by request filtering. The list covers file names commonly used by
                     web shells and by vulnerable upload/thumbnail scripts -->
                <denyUrlSequences>
                    <add sequence="ofc_upload_image.php" />
                    <add sequence="timthumb.php" />
                    <add sequence="img.php" />
                    <add sequence="img_x.php" />
                    <add sequence="thumb.php" />
                    <add sequence="phpthumb.php" />
                    <add sequence="kontol.php" />
                    <add sequence="magic.php.png" />
                    <add sequence="food.php" />
                    <add sequence="ph.php" />
                    <add sequence="fragile.php" />
                    <add sequence="3xp.php" />
                    <add sequence="explore.php" />
                    <add sequence="shell.php" />
                    <add sequence="petx.php" />
                    <add sequence="dl-skin.php" />
                    <add sequence="direct_download.php" />
                    <add sequence="getfile.php" />
                    <add sequence="vito.php" />
                    <add sequence="upload_settings_image.php" />
                    <add sequence="saint.php" />
                    <add sequence="lunar.php" />
                    <add sequence="c99.php" />
                    <add sequence="r57.php" />
                    <add sequence="ekin0x.php" />
                    <add sequence="cmd.php" />
                    <add sequence="dq.php" />
                    <add sequence="tryag.php" />
                </denyUrlSequences>
                <filteringRules>
                    <!-- Rejects requests to .php files whose URL or query string contains one of the
                         strings below (case-insensitive substring match). Several of these keywords
                         also occur in legitimate WordPress URLs (for example wp-admin/update-core.php
                         contains "update"), so test the list against your own site before enabling it -->
                    <filteringRule name="SQLi" scanUrl="true" scanQueryString="true">
                        <appliesTo>
                            <add fileExtension=".php" />
                        </appliesTo>
                        <denyStrings>
                            <clear />
                            <add string="--" />
                            <add string=";" />
                            <add string="/*" />
                            <add string="@" />
                            <add string="char" />
                            <add string="alter" />
                            <add string="begin" />
                            <add string="cast" />
                            <add string="create" />
                            <add string="cursor" />
                            <add string="declare" />
                            <add string="delete" />
                            <add string="drop" />
                            <add string="end" />
                            <add string="exec" />
                            <add string="fetch" />
                            <add string="insert" />
                            <add string="kill" />
                            <add string="open" />
                            <add string="select" />
                            <add string="sys" />
                            <add string="table" />
                            <add string="update" />
                        </denyStrings>
                    </filteringRule>
                </filteringRules>
            </requestFiltering>
        </security>
        <!-- Disable directory listing -->
        <directoryBrowse enabled="false" />
        <rewrite>
            <rules>
                <clear />
                <!-- Tag requests coming from the administration IP address (replace 10.11.12.13 with
                     your own; the pattern is a regular expression, anchor it as ^10\.11\.12\.13$ for
                     an exact match). Setting a custom server variable requires HTTP_X_AdminIPAllowed
                     to be declared in allowedServerVariables (applicationHost.config, or IIS Manager >
                     URL Rewrite > View Server Variables), otherwise URL Rewrite returns a 500 error.
                     Behind a reverse proxy or load balancer, REMOTE_ADDR is the proxy's address -->
                <rule name="AdminIPs" patternSyntax="ECMAScript">
                    <match url=".*" />
                    <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
                        <add input="{REMOTE_ADDR}" pattern="10\.11\.12\.13" />
                    </conditions>
                    <serverVariables>
                        <set name="HTTP_X_AdminIPAllowed" value="yes" />
                    </serverVariables>
                </rule>
                <!-- Every request for wp-login.php that was not tagged above is answered with 403 -->
                <rule name="Restrict wp-login.php access" stopProcessing="true">
                    <match url=".*" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
                        <add input="{REQUEST_FILENAME}" pattern="wp-login.php" />
                        <add input="{HTTP_X_AdminIPAllowed}" pattern="yes" negate="true" />
                    </conditions>
                    <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
                </rule>
            </rules>
            <!-- Blank the Server and ETag response headers -->
            <outboundRules rewriteBeforeCache="true">
                <rule name="Remove Server header">
                    <match serverVariable="RESPONSE_Server" pattern=".+" />
                    <action type="Rewrite" value="" />
                </rule>
                <rule name="Remove ETag">
                    <match serverVariable="RESPONSE_ETag" pattern=".+" />
                    <action type="Rewrite" value="" />
                </rule>
            </outboundRules>
        </rewrite>
        <!-- Remove the headers that reveal the ASP.NET, IIS and Plesk versions -->
        <httpProtocol>
            <customHeaders>
                <remove name="X-AspNet-Version" />
                <remove name="X-AspNetMvc-Version" />
                <remove name="X-Powered-By" />
                <remove name="X-Powered-By-Plesk" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>
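As an added example that is not part of the original wiki article, the script below reads the requestFiltering section of a web.config with Python's standard library and replays constructed WordPress request URLs through the same case-insensitive substring matching that IIS request filtering applies, so that legitimate URLs the SQLi rule would reject (wp-admin/update-core.php contains "update") show up before the file is deployed. The embedded configuration is a trimmed copy of the page's file; the full sequence and string lists can be pasted in unchanged.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

# Constructed, trimmed copy of the page's web.config (same element structure).
WEB_CONFIG = """<configuration><system.webServer><security><requestFiltering>
  <denyUrlSequences>
    <add sequence="timthumb.php" /><add sequence="c99.php" />
  </denyUrlSequences>
  <filteringRules>
    <filteringRule name="SQLi" scanUrl="true" scanQueryString="true">
      <appliesTo><add fileExtension=".php" /></appliesTo>
      <denyStrings>
        <add string="--" /><add string="select" /><add string="update" /><add string="open" />
      </denyStrings>
    </filteringRule>
  </filteringRules>
</requestFiltering></security></system.webServer></configuration>"""

def load_rules(xml_text):
    """Pull denyUrlSequences and filteringRules out of a web.config string."""
    rf = ET.fromstring(xml_text).find("system.webServer/security/requestFiltering")
    sequences = [a.get("sequence").lower() for a in rf.findall("denyUrlSequences/add")]
    rules = [{
        "name": fr.get("name"),
        "scan_url": fr.get("scanUrl", "false").lower() == "true",
        "scan_qs": fr.get("scanQueryString", "false").lower() == "true",
        "exts": [a.get("fileExtension").lower() for a in fr.findall("appliesTo/add")],
        "deny": [a.get("string").lower() for a in fr.findall("denyStrings/add")],
    } for fr in rf.findall("filteringRules/filteringRule")]
    return sequences, rules

def evaluate(url, sequences, rules):
    """Return (blocked, reason) using request filtering's case-insensitive substring matching."""
    parts = urlsplit(url)
    path, query = unquote(parts.path).lower(), unquote(parts.query).lower()
    for seq in sequences:  # denyUrlSequences apply to every request path
        if seq in path:
            return True, f"denyUrlSequences: {seq}"
    for rule in rules:  # a filteringRule only fires for the extensions listed in appliesTo
        if rule["exts"] and posixpath.splitext(path)[1] not in rule["exts"]:
            continue
        haystacks = [h for flag, h in (("scan_url", path), ("scan_qs", query)) if rule[flag]]
        for s in rule["deny"]:
            if any(s in h for h in haystacks):
                return True, f"filteringRule {rule['name']}: {s}"
    return False, "allowed"
```

Run evaluate() over the URLs your site actually serves (admin pages, permalinks, search queries) and review every blocked entry; each one is a false positive to remove from the list or a request you genuinely want rejected.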

