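/**
 * Appends the nginx directives for the enabled System Tweaks settings to a server config fragment.
 *
 * Each section is emitted only when its setting in the 'system-tweaks' module is truthy. The
 * directives are appended to the incoming text; nothing already present is rewritten.
 *
 * @param string $modification Config text built so far.
 *
 * @return string The config text with the System Tweaks directives appended.
 */
public static function filter_nginx_server_config_modification($modification)
 {
     require_once $GLOBALS['itsec_globals']['plugin_dir'] . 'core/lib/class-itsec-lib-utility.php';
     $input = ITSEC_Modules::get_settings('system-tweaks');
     $wp_includes = WPINC;
     if ($input['protect_files']) {
         // Deny the generated server config file by its site-relative path when it lives inside the
         // WordPress root; otherwise fall back to the conventional /nginx.conf location.
         $config_file = ITSEC_Lib::get_htaccess();
         if (0 === strpos($config_file, ABSPATH)) {
             $config_file = '/' . substr($config_file, strlen(ABSPATH));
         } else {
             $config_file = '/nginx.conf';
         }
         $modification .= "\n";
         $modification .= "\t# " . __('Protect System Files - Security > Settings > System Tweaks > System Files', 'better-wp-security') . "\n";
         // "location =" is an exact string comparison, not a regex, so the path is written literally.
         // An escaped dot here would be compared verbatim and never match the real install.php URI.
         $modification .= "\tlocation = /wp-admin/install.php { deny all; }\n";
         // NOTE(review): $config_file is interpolated unquoted; confirm ITSEC_Lib::get_htaccess() cannot
         // return a path containing whitespace or nginx syntax characters, which would break the directive.
         $modification .= "\tlocation = {$config_file} { deny all; }\n";
         $modification .= "\tlocation ~ /\\.htaccess\$ { deny all; }\n";
         $modification .= "\tlocation ~ /readme\\.html\$ { deny all; }\n";
         $modification .= "\tlocation ~ /readme\\.txt\$ { deny all; }\n";
         // Dot escaped so the regex matches only the literal file name, consistent with the rules above.
         $modification .= "\tlocation ~ /wp-config\\.php\$ { deny all; }\n";
         $modification .= "\tlocation ~ ^/wp-admin/includes/ { deny all; }\n";
         if (!is_multisite() || !get_site_option('ms_files_rewriting')) {
             // nginx can only reliably block PHP files in wp-includes if requests to wp-includes/ms-files.php are
             // not required. This is because there is no skip directive as Apache has.
             $modification .= "\tlocation ~ ^/{$wp_includes}/[^/]+\\.php\$ { deny all; }\n";
         }
         $modification .= "\tlocation ~ ^/{$wp_includes}/js/tinymce/langs/.+\\.php\$ { deny all; }\n";
         $modification .= "\tlocation ~ ^/{$wp_includes}/theme-compat/ { deny all; }\n";
     }
     // Deny direct requests for PHP-family files under the uploads directory.
     // NOTE(review): "~" is a case-sensitive match. Confirm the location that hands requests to PHP is
     // case-sensitive as well; if it is not, these three rules should use "~*".
     if ($input['uploads_php']) {
         $dir = ITSEC_Lib_Utility::get_relative_upload_url_path();
         if (!empty($dir)) {
             // Escape regex metacharacters so the directory is matched literally inside the location regex.
             $dir = preg_quote($dir);
             $modification .= "\n";
             $modification .= "\t# " . __('Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads', 'better-wp-security') . "\n";
             $modification .= "\tlocation ~ ^/{$dir}/.*\\.(?:php[1-7]?|pht|phtml?|phps)\$ { deny all; }\n";
         }
     }
     // Deny direct requests for PHP-family files under the plugins directory.
     if ($input['plugins_php']) {
         $dir = ITSEC_Lib_Utility::get_relative_url_path(WP_PLUGIN_URL);
         if (!empty($dir)) {
             $dir = preg_quote($dir);
             $modification .= "\n";
             $modification .= "\t# " . __('Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins', 'better-wp-security') . "\n";
             $modification .= "\tlocation ~ ^/{$dir}/.*\\.(?:php[1-7]?|pht|phtml?|phps)\$ { deny all; }\n";
         }
     }
     // Deny direct requests for PHP-family files under the themes directory.
     if ($input['themes_php']) {
         $dir = ITSEC_Lib_Utility::get_relative_url_path(get_theme_root_uri());
         if (!empty($dir)) {
             $dir = preg_quote($dir);
             $modification .= "\n";
             $modification .= "\t# " . __('Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes', 'better-wp-security') . "\n";
             $modification .= "\tlocation ~ ^/{$dir}/.*\\.(?:php[1-7]?|pht|phtml?|phps)\$ { deny all; }\n";
         }
     }
     // Reject the TRACE, DELETE and TRACK request methods with a 403.
     if ($input['request_methods']) {
         $modification .= "\n";
         $modification .= "\t# " . __('Filter Request Methods - Security > Settings > System Tweaks > Request Methods', 'better-wp-security') . "\n";
         $modification .= "\tif ( \$request_method ~* ^(TRACE|DELETE|TRACK)\$ ) { return 403; }\n";
     }
     // Query-string filter. Order matters: the pattern checks raise $susquery, the exemptions that
     // follow reset it, and only then is the flag tested.
     // The last two exemptions key off the Cookie and Referer headers, which the client controls, so
     // this filter reduces noise in front of the application; it is not an access-control boundary.
     if ($input['suspicious_query_strings']) {
         $modification .= "\n";
         $modification .= "\t# " . __('Filter Suspicious Query Strings in the URL - Security > Settings > System Tweaks > Suspicious Query Strings', 'better-wp-security') . "\n";
         $modification .= "\tset \$susquery 0;\n";
         $modification .= "\tif ( \$args ~* \"\\.\\./\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"\\.(bash|git|hg|log|svn|swp|cvs)\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"etc/passwd\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"boot\\.ini\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"ftp:\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"https?:\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"(<|%3C)script(>|%3E)\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"mosConfig_[a-zA-Z_]{1,21}(=|%3D)\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"base64_decode\\(\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"%24&x\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"127\\.0\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"(globals|encode|localhost|loopback)\" ) { set \$susquery 1; }\n";
         $modification .= "\tif ( \$args ~* \"(request|insert|concat|union|declare)\" ) { set \$susquery 1; }\n";
         // Percent-encoded bytes %00-%1F.
         $modification .= "\tif ( \$args ~* \"%[01][0-9A-F]\" ) { set \$susquery 1; }\n";
         // Exemptions: query strings and request headers for which the flag is cleared again.
         $modification .= "\tif ( \$args ~ \"^loggedout=true\" ) { set \$susquery 0; }\n";
         $modification .= "\tif ( \$args ~ \"^action=jetpack-sso\" ) { set \$susquery 0; }\n";
         $modification .= "\tif ( \$args ~ \"^action=rp\" ) { set \$susquery 0; }\n";
         $modification .= "\tif ( \$http_cookie ~ \"wordpress_logged_in_\" ) { set \$susquery 0; }\n";
         $modification .= "\tif ( \$http_referer ~* \"^https?://maps\\.googleapis\\.com/\" ) { set \$susquery 0; }\n";
         $modification .= "\tif ( \$susquery = 1 ) { return 403; }\n";
     }
     // Reject query strings containing a percent-encoded byte whose first hex digit is A-F.
     if ($input['non_english_characters']) {
         $modification .= "\n";
         $modification .= "\t# " . __('Filter Non-English Characters - Security > Settings > System Tweaks > Non-English Characters', 'better-wp-security') . "\n";
         $modification .= "\tif (\$args ~* \"%[A-F][0-9A-F]\") { return 403; }\n";
     }
     return $modification;
 }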
 /**
  * Returns the directory path to the uploads directory relative to the site root.
  *
  * @since 1.16.1
  *
  * @return string|bool The upload directory relative path or false if the path could not be determined.
  */
 public static function get_relative_upload_url_path()
 {
     // Only the base URL of the uploads location is needed; the relative path is derived from it.
     $uploads = wp_upload_dir();
     $base_url = $uploads['baseurl'];

     return ITSEC_Lib_Utility::get_relative_url_path($base_url);
 }