Facebook
TwitterPoggenpower
New Pleskian
Following Security Measures are not restricted to the word press base path like others, which cause false positives if other software like nextcould is installed on the same server:
Block access to sensitive files
Enable bot protection
Block access to potentially sensitive files
E.g.
should look like:
There are already a lot of rules that have this condition:
In Tools like nextclould request to "readme.txt" or "changelog.md" are absolutely valid and won't mean someone is doing evil things.
WordPress Toolkit version: 4.10.2-4121
Bye
Thomas
Block access to sensitive files
Enable bot protection
Block access to potentially sensitive files
E.g.
location ~* "(?:wp-config\.bak|\.wp-config\.php\.swp|(?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|htm|html))"should look like:
location ~* "^/YOURWPROOT/.*(?:wp-config\.bak|\.wp-config\.php\.swp|(?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|htm|html))"There are already a lot of rules that have this condition:
Code:
#extension wp-toolkit begin
location ~* "^(?:/YOURWPROOT/)wp-content/uploads/.*\.php" { deny all; }
location ~* "^(?:/YOURWPROOT/)wp-includes/(?!js/tinymce/wp\-tinymce\.php$).*\.php" {
deny all;
}
location ~* "^(?:/YOURWPROOT/)wp-admin/(load-styles|load-scripts)\.php" { deny all; }
if ($http_referer !~* "^$|^https?://(.*\.)?(schmu\.net|google\.com)(:|/|$)") {
rewrite "^(?:/YOURWPROOT/)wp-content/uploads/.*\.(gif|png|jpeg|jpg|svg)$" "/YOURWPROOT/fake-hotlink-stub" last;
}In Tools like nextclould request to "readme.txt" or "changelog.md" are absolutely valid and won't mean someone is doing evil things.
WordPress Toolkit version: 4.10.2-4121
Bye
Thomas
