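/**
 * Appends the nginx server-block rules for the enabled System Tweaks options.
 *
 * Reads the 'system-tweaks' settings and, for each enabled option
 * ('protect_files', 'uploads_php', 'request_methods',
 * 'suspicious_query_strings', 'non_english_characters'), appends a commented
 * group of nginx directives, tab-indented for inclusion in a server block.
 *
 * @param string $modification Existing nginx config fragment to extend.
 * @return string The fragment with this module's rules appended.
 */
public static function filter_nginx_server_config_modification($modification) {
	$input = ITSEC_Modules::get_settings('system-tweaks');

	if ($input['protect_files']) {
		$modification .= "\n";
		$modification .= "\t# " . __('Protect System Files - Security > Settings > System Tweaks > System Files', 'better-wp-security') . "\n";
		$modification .= "\tlocation ~ /\\.ht { deny all; }\n";
		$modification .= "\tlocation ~ wp-config.php { deny all; }\n";
		$modification .= "\tlocation ~ readme.html { deny all; }\n";
		$modification .= "\tlocation ~ readme.txt { deny all; }\n";
		$modification .= "\tlocation ~ /install.php { deny all; }\n";
		// An nginx location with no modifier is a literal prefix match, so a
		// pattern beginning with "^" can never match a real URI. The regex
		// modifier "~" (and a leading "/") is required for these two rules
		// to take effect.
		$modification .= "\tlocation ~ ^/wp-includes/(.*)\\.php { deny all; }\n";
		$modification .= "\tlocation ~ ^/wp-admin/includes(.*)\$ { deny all; }\n";
	}

	// Rewrite Rules for Disable PHP in Uploads
	if ($input['uploads_php']) {
		require_once $GLOBALS['itsec_globals']['plugin_dir'] . 'core/lib/class-itsec-lib-utility.php';
		$dir = ITSEC_Lib_Utility::get_relative_upload_url_path();
		if (!empty($dir)) {
			// Escaped because the path is interpolated into a regex location.
			$dir = preg_quote($dir);
			$modification .= "\n";
			$modification .= "\t# " . __('Disable PHP in Uploads - Security > Settings > System Tweaks > Uploads', 'better-wp-security') . "\n";
			// Same fix as above: "~" makes this a regex location instead of a
			// dead prefix match.
			$modification .= "\tlocation ~ ^/{$dir}/(.*)\\.php(.?) { deny all; }\n";
		}
	}

	// Apache rewrite rules for disable http methods
	if ($input['request_methods']) {
		$modification .= "\n";
		$modification .= "\t# " . __('Filter Request Methods - Security > Settings > System Tweaks > Request Methods', 'better-wp-security') . "\n";
		$modification .= "\tif (\$request_method ~* \"^(TRACE|DELETE|TRACK)\") { return 403; }\n";
	}

	// Process suspicious query rules
	if ($input['suspicious_query_strings']) {
		$modification .= "\n";
		$modification .= "\t# " . __('Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings', 'better-wp-security') . "\n";
		$modification .= "\tset \$susquery 0;\n";
		$modification .= "\tif (\$args ~* \"\\.\\./\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"\\.(bash|git|hg|log|svn|swp|cvs)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"etc/passwd\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"boot.ini\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"ftp:\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"http:\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"https:\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"(<|%3C).*script.*(>|%3E)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"mosConfig_[a-zA-Z_]{1,21}(=|%3D)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"base64_encode\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"(%24&x)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"(127.0)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"(globals|encode|localhost|loopback)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"(request|insert|concat|union|declare)\") { set \$susquery 1; }\n";
		// Allow-list: a request matching one of these clears the flag. These
		// must use "~" (matches). With "!~" every request that did NOT match
		// cleared the flag, so the "return 403" below could never fire.
		$modification .= "\tif (\$args ~ \"^loggedout=true\") { set \$susquery 0; }\n";
		$modification .= "\tif (\$args ~ \"^action=jetpack-sso\") { set \$susquery 0; }\n";
		$modification .= "\tif (\$args ~ \"^action=rp\") { set \$susquery 0; }\n";
		// The cookie name is client-supplied; this exception only reduces false
		// positives for logged-in users and is not an authentication check.
		$modification .= "\tif (\$http_cookie ~ \"^.*wordpress_logged_in_.*\$\") { set \$susquery 0; }\n";
		$modification .= "\tif (\$http_referer ~ \"^http://maps.googleapis.com(.*)\$\") { set \$susquery 0; }\n";
		$modification .= "\tif (\$susquery = 1) { return 403; } \n";
	}

	// Process filtering of foreign characters
	if ($input['non_english_characters']) {
		$modification .= "\n";
		$modification .= "\t# " . __('Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters', 'better-wp-security') . "\n";
		$modification .= "\tif (\$args ~* \"(%0|%A|%B|%C|%D|%E|%F)\") { return 403; }\n";
	}

	return $modification;
}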
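/**
 * Appends the nginx server-block rules for the enabled tweaks.
 *
 * Reads the 'itsec_tweaks' site option and, for each enabled option, appends
 * a commented group of nginx directives to $modification, tab-indented for
 * inclusion in a server block.
 *
 * @param string $modification Existing nginx config fragment to extend.
 * @return string The fragment with this module's rules appended.
 */
public function filter_nginx_server_config_modification( $modification ) {
	$input = get_site_option( 'itsec_tweaks' );

	// NOTE(review): the loose "==" comparisons below are kept as-is because
	// the stored type of each option is not visible here — confirm before
	// tightening them to "===".

	if ( true === $input['protect_files'] ) {
		$modification .= "\n";
		$modification .= "\t# " . __( 'Protect System Files - Security > Settings > System Tweaks > System Files', 'it-l10n-ithemes-security-pro' ) . "\n";
		$modification .= "\tlocation ~ /\.ht { deny all; }\n";
		$modification .= "\tlocation ~ wp-config.php { deny all; }\n";
		$modification .= "\tlocation ~ readme.html { deny all; }\n";
		$modification .= "\tlocation ~ readme.txt { deny all; }\n";
		$modification .= "\tlocation ~ /install.php { deny all; }\n";
		// An nginx location with no modifier is a literal prefix match, so a
		// pattern beginning with "^" can never match a real URI. The regex
		// modifier "~" (and a leading "/") is required for these two rules
		// to take effect.
		$modification .= "\tlocation ~ ^/wp-includes/(.*)\\.php { deny all; }\n";
		$modification .= "\tlocation ~ ^/wp-admin/includes(.*)$ { deny all; }\n";
	}

	if ( 2 == $input['disable_xmlrpc'] ) {
		$modification .= "\n";
		$modification .= "\t# " . __( 'Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC', 'it-l10n-ithemes-security-pro' ) . "\n";
		$modification .= "\tlocation ~ xmlrpc.php { deny all; }\n";
	}

	// Rewrite Rules for Disable PHP in Uploads
	if ( true === $input['uploads_php'] ) {
		require_once( trailingslashit( $GLOBALS['itsec_globals']['plugin_dir'] ) . 'core/lib/class-itsec-lib-utility.php' );
		$dir = ITSEC_Lib_Utility::get_relative_upload_url_path();
		if ( ! empty( $dir ) ) {
			// Escaped because the path is interpolated into a regex location.
			$dir = preg_quote( $dir );
			$modification .= "\n";
			$modification .= "\t# " . __( 'Disable PHP in Uploads - Security > Settings > System Tweaks > Uploads', 'it-l10n-ithemes-security-pro' ) . "\n";
			// Same fix as above: "~" makes this a regex location instead of a
			// dead prefix match.
			$modification .= "\tlocation ~ ^/{$dir}/(.*)\\.php(.?) { deny all; }\n";
		}
	}

	// Apache rewrite rules for disable http methods
	if ( true == $input['request_methods'] ) {
		$modification .= "\n";
		$modification .= "\t# " . __( 'Filter Request Methods - Security > Settings > System Tweaks > Request Methods', 'it-l10n-ithemes-security-pro' ) . "\n";
		$modification .= "\tif (\$request_method ~* \"^(TRACE|DELETE|TRACK)\") { return 403; }\n";
	}

	// Process suspicious query rules
	if ( true == $input['suspicious_query_strings'] ) {
		$modification .= "\n";
		$modification .= "\t# " . __( 'Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings', 'it-l10n-ithemes-security-pro' ) . "\n";
		$modification .= "\tset \$susquery 0;\n";
		$modification .= "\tif (\$args ~* \"\\.\\./\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"\.(bash|git|hg|log|svn|swp|cvs)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"etc/passwd\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"boot.ini\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"ftp:\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"http:\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"https:\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"(<|%3C).*script.*(>|%3E)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"mosConfig_[a-zA-Z_]{1,21}(=|%3D)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"base64_encode\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"(%24&x)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"(127.0)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"(globals|encode|localhost|loopback)\") { set \$susquery 1; }\n";
		$modification .= "\tif (\$args ~* \"(request|insert|concat|union|declare)\") { set \$susquery 1; }\n";
		// Allow-list: a request matching one of these clears the flag. These
		// must use "~" (matches). With "!~" every request that did NOT match
		// cleared the flag, so the "return 403" below could never fire.
		$modification .= "\tif (\$args ~ \"^loggedout=true\") { set \$susquery 0; }\n";
		$modification .= "\tif (\$args ~ \"^action=jetpack-sso\") { set \$susquery 0; }\n";
		$modification .= "\tif (\$args ~ \"^action=rp\") { set \$susquery 0; }\n";
		// The cookie name is client-supplied; this exception only reduces false
		// positives for logged-in users and is not an authentication check.
		$modification .= "\tif (\$http_cookie ~ \"^.*wordpress_logged_in_.*\$\") { set \$susquery 0; }\n";
		$modification .= "\tif (\$http_referer ~ \"^http://maps.googleapis.com(.*)\$\") { set \$susquery 0; }\n";
		$modification .= "\tif (\$susquery = 1) { return 403; } \n";
	}

	// Process filtering of foreign characters
	if ( true == $input['non_english_characters'] ) {
		$modification .= "\n";
		$modification .= "\t# " . __( 'Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters', 'it-l10n-ithemes-security-pro' ) . "\n";
		$modification .= "\tif (\$args ~* \"(%0|%A|%B|%C|%D|%E|%F)\") { return 403; }\n";
	}

	// Process Comment spam rules
	if ( true == $input['comment_spam'] ) {
		$valid_referers = $this->get_valid_referers( 'nginx' );

		$modification .= "\n";
		$modification .= "\t# " . __( 'Reduce Comment Spam - Security > Settings > System Tweaks > Comment Spam', 'it-l10n-ithemes-security-pro' ) . "\n";
		$modification .= "\t# " . __( 'Help reduce spam', 'it-l10n-ithemes-security-pro' ) . "\n";
		$modification .= "\tlocation /wp-comments-post.php {\n";
		$modification .= "\t\tlimit_except POST { deny all; }\n";
		$modification .= "\t\tif (\$http_user_agent ~ \"^\$\") { return 403; }\n";
		// A '*' entry means "any referer", so no valid_referers check is emitted.
		// Strict in_array avoids loose-comparison surprises against non-string entries.
		if ( ! empty( $valid_referers ) && ! in_array( '*', $valid_referers, true ) ) {
			$modification .= "\t\tvalid_referers " . implode( ' ', $valid_referers ) . ";\n";
			$modification .= "\t\tif (\$invalid_referer) { return 403; }\n";
		}
		$modification .= "\t}\n";
	}

	return $modification;
}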
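/**
 * Appends the nginx server-block rules for the enabled System Tweaks options.
 *
 * Reads the 'system-tweaks' settings and, for each enabled option
 * ('protect_files', 'uploads_php', 'plugins_php', 'themes_php',
 * 'request_methods', 'suspicious_query_strings', 'non_english_characters'),
 * appends a commented group of nginx directives, tab-indented for inclusion
 * in a server block.
 *
 * @param string $modification Existing nginx config fragment to extend.
 * @return string The fragment with this module's rules appended.
 */
public static function filter_nginx_server_config_modification($modification) {
	require_once $GLOBALS['itsec_globals']['plugin_dir'] . 'core/lib/class-itsec-lib-utility.php';

	$input = ITSEC_Modules::get_settings('system-tweaks');
	$wp_includes = WPINC;

	if ($input['protect_files']) {
		// NOTE(review): ITSEC_Lib::get_htaccess() presumably returns the path of
		// the server config file this plugin writes — confirm. When it lives
		// under ABSPATH it is web-reachable and is denied by its site-relative
		// URI; otherwise a placeholder URI is denied instead.
		$config_file = ITSEC_Lib::get_htaccess();
		if (0 === strpos($config_file, ABSPATH)) {
			$config_file = '/' . substr($config_file, strlen(ABSPATH));
		} else {
			$config_file = '/nginx.conf';
		}

		$modification .= "\n";
		$modification .= "\t# " . __('Protect System Files - Security > Settings > System Tweaks > System Files', 'better-wp-security') . "\n";
		// "location =" is an exact string comparison, not a regex, so the dot
		// must not be escaped here: an escaped form only ever matched the
		// literal URI "/wp-admin/install\.php".
		$modification .= "\tlocation = /wp-admin/install.php { deny all; }\n";
		$modification .= "\tlocation = {$config_file} { deny all; }\n";
		$modification .= "\tlocation ~ /\\.htaccess\$ { deny all; }\n";
		$modification .= "\tlocation ~ /readme\\.html\$ { deny all; }\n";
		$modification .= "\tlocation ~ /readme\\.txt\$ { deny all; }\n";
		// Dot escaped for consistency with the sibling regex rules.
		$modification .= "\tlocation ~ /wp-config\\.php\$ { deny all; }\n";
		$modification .= "\tlocation ~ ^/wp-admin/includes/ { deny all; }\n";

		if (!is_multisite() || !get_site_option('ms_files_rewriting')) {
			// nginx can only reliably block PHP files in wp-includes if requests to wp-includes/ms-files.php are
			// not required. This is because there is no skip directive as Apache has.
			$modification .= "\tlocation ~ ^/{$wp_includes}/[^/]+\\.php\$ { deny all; }\n";
		}

		$modification .= "\tlocation ~ ^/{$wp_includes}/js/tinymce/langs/.+\\.php\$ { deny all; }\n";
		$modification .= "\tlocation ~ ^/{$wp_includes}/theme-compat/ { deny all; }\n";
	}

	// Rewrite Rules for Disable PHP in Uploads
	if ($input['uploads_php']) {
		$dir = ITSEC_Lib_Utility::get_relative_upload_url_path();
		if (!empty($dir)) {
			// Escaped because the path is interpolated into a regex location.
			$dir = preg_quote($dir);
			$modification .= "\n";
			$modification .= "\t# " . __('Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads', 'better-wp-security') . "\n";
			$modification .= "\tlocation ~ ^/{$dir}/.*\\.(?:php[1-7]?|pht|phtml?|phps)\$ { deny all; }\n";
		}
	}

	// Rewrite Rules for Disable PHP in Plugins
	if ($input['plugins_php']) {
		$dir = ITSEC_Lib_Utility::get_relative_url_path(WP_PLUGIN_URL);
		if (!empty($dir)) {
			$dir = preg_quote($dir);
			$modification .= "\n";
			$modification .= "\t# " . __('Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins', 'better-wp-security') . "\n";
			$modification .= "\tlocation ~ ^/{$dir}/.*\\.(?:php[1-7]?|pht|phtml?|phps)\$ { deny all; }\n";
		}
	}

	// Rewrite Rules for Disable PHP in Themes
	if ($input['themes_php']) {
		$dir = ITSEC_Lib_Utility::get_relative_url_path(get_theme_root_uri());
		if (!empty($dir)) {
			$dir = preg_quote($dir);
			$modification .= "\n";
			$modification .= "\t# " . __('Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes', 'better-wp-security') . "\n";
			$modification .= "\tlocation ~ ^/{$dir}/.*\\.(?:php[1-7]?|pht|phtml?|phps)\$ { deny all; }\n";
		}
	}

	// Apache rewrite rules for disable http methods
	if ($input['request_methods']) {
		$modification .= "\n";
		$modification .= "\t# " . __('Filter Request Methods - Security > Settings > System Tweaks > Request Methods', 'better-wp-security') . "\n";
		$modification .= "\tif ( \$request_method ~* ^(TRACE|DELETE|TRACK)\$ ) { return 403; }\n";
	}

	// Process suspicious query rules
	if ($input['suspicious_query_strings']) {
		$modification .= "\n";
		$modification .= "\t# " . __('Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings', 'better-wp-security') . "\n";
		$modification .= "\tset \$susquery 0;\n";
		$modification .= "\tif ( \$args ~* \"\\.\\./\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"\\.(bash|git|hg|log|svn|swp|cvs)\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"etc/passwd\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"boot\\.ini\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"ftp:\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"https?:\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"(<|%3C)script(>|%3E)\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"mosConfig_[a-zA-Z_]{1,21}(=|%3D)\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"base64_decode\\(\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"%24&x\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"127\\.0\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"(globals|encode|localhost|loopback)\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"(request|insert|concat|union|declare)\" ) { set \$susquery 1; }\n";
		$modification .= "\tif ( \$args ~* \"%[01][0-9A-F]\" ) { set \$susquery 1; }\n";
		// Allow-list: a request matching one of these clears the flag.
		$modification .= "\tif ( \$args ~ \"^loggedout=true\" ) { set \$susquery 0; }\n";
		$modification .= "\tif ( \$args ~ \"^action=jetpack-sso\" ) { set \$susquery 0; }\n";
		$modification .= "\tif ( \$args ~ \"^action=rp\" ) { set \$susquery 0; }\n";
		// The cookie name is client-supplied; this exception only reduces false
		// positives for logged-in users and is not an authentication check.
		$modification .= "\tif ( \$http_cookie ~ \"wordpress_logged_in_\" ) { set \$susquery 0; }\n";
		$modification .= "\tif ( \$http_referer ~* \"^https?://maps\\.googleapis\\.com/\" ) { set \$susquery 0; }\n";
		$modification .= "\tif ( \$susquery = 1 ) { return 403; }\n";
	}

	// Process filtering of foreign characters
	if ($input['non_english_characters']) {
		$modification .= "\n";
		$modification .= "\t# " . __('Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters', 'better-wp-security') . "\n";
		$modification .= "\tif (\$args ~* \"%[A-F][0-9A-F]\") { return 403; }\n";
	}

	return $modification;
}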