IronDonDon
Hi,
I installed a Litespeed extension and switched the server to LS, but WP toolkit security rules/settings for Apache do not work or work only partially if switched to LS.
Most of the rules that don't work are <LocationMatch> rules. LS ignores them, which makes the security settings in /var/www/vhosts/system/DOMAIN/conf/httpd.conf ineffective. My knowledge of Apache is very basic (moving from nginx to Litespeed), so I've replaced LocationMatch with FilesMatch, which had a positive effect with LS. Here are the rules which do not work with LS:
Also, the # "Block author scans" part does not work on either Apache or LS. I would appreciate any help in solving this issue with WP toolkit. Is it actually correct to replace LocationMatch with FilesMatch?
Thank you.
Regards, Alex
I installed a Litespeed extension and switched the server to LS, but WP toolkit security rules/settings for Apache do not work or work only partially if switched to LS.
Most of the rules that don't work are <LocationMatch> rules. LS ignores them, which makes the security settings in /var/www/vhosts/system/DOMAIN/conf/httpd.conf ineffective. My knowledge of Apache is very basic (moving from nginx to Litespeed), so I've replaced LocationMatch with FilesMatch, which had a positive effect with LS. Here are the rules which do not work with LS:
Apache config:
#extension wp-toolkit begin
# "Block unauthorized access to wp-config.php"
# To remove this rule, revert this security measure on each WordPress installation on this domain
# Denies every request whose resolved file name is exactly wp-config.php. A <Files>
# section is matched against the file-name component only, so this covers a
# wp-config.php anywhere under the vhost, not just in the document root.
<Files wp-config.php>
Require all denied
</Files>
# "Block directory browsing"
# To remove this rule, revert this security measure on each WordPress installation on this domain
# Removes the Indexes option for the document root and everything below it, so a
# directory without an index file is refused instead of listed.
<Directory "/var/www/vhosts/domain.example/httpdocs">
Options -Indexes
</Directory>
# "Forbid execution of PHP scripts in the wp-content/uploads directory"
# To remove this rule, revert this security measure for WordPress installation #1
# Denies any request for a file whose name ends in ".php" inside uploads (recursively).
# The regex has no (?i) flag and is anchored only at the end, so names such as
# shell.PHP, file.php5 or file.phtml are NOT covered here — compare the broader
# ".ph(?:p[345]?|t|tml)" pattern used for cache directories below.
<Directory "/var/www/vhosts/domain.example/httpdocs/wp-content/uploads">
<FilesMatch \.php$>
Require all denied
</FilesMatch>
</Directory>
# "Forbid execution of PHP scripts in the wp-includes directory"
# To remove this rule, revert this security measure for WordPress installation #1
# Returns 403 (the F flag) for every .php file under wp-includes, except
# wp-includes/js/tinymce/wp-tinymce.php, which the RewriteCond exempts by comparing
# the resolved file-system path ([NC] makes that comparison case-insensitive).
# Because the whole block sits inside <IfModule mod_rewrite.c>, it silently does
# nothing when mod_rewrite is not loaded; there is no "Require all denied" fallback.
<IfModule mod_rewrite.c>
<Directory "/var/www/vhosts/domain.example/httpdocs/wp-includes">
<FilesMatch \.php$>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !^/var/www/vhosts/domain\.example/httpdocs/wp\-includes/js/tinymce/wp\-tinymce\.php$ [NC]
RewriteRule .* - [NC,F,L]
</FilesMatch>
</Directory>
</IfModule>
# "Disable scripts concatenation for WordPress admin panel"
# To remove this rule, revert this security measure for WordPress installation #1
# Denies wp-admin/load-styles.php and wp-admin/load-scripts.php, the two endpoints
# WordPress uses to serve concatenated admin assets. The regex is case-sensitive and
# anchored only at the end.
<Directory "/var/www/vhosts/domain.example/httpdocs/wp-admin">
<FilesMatch (load-styles|load-scripts)\.php$>
Require all denied
</FilesMatch>
</Directory>
# "Block author scans"
# To remove this rule, revert this security measure for WordPress installation #1
# Returns 403 (F flag) for any request under the document root whose query string
# contains "author=" followed by digits (the ?author=N user-enumeration probe), unless
# the resolved file-system path is inside wp-admin/ — the second RewriteCond exempts
# that, presumably so wp-admin's own user screens keep working.
# NOTE(review): the poster reports this rule has no effect even on Apache. A likely
# cause, to be confirmed against httpdocs/.htaccess: mod_rewrite rules defined in a
# <Directory> section are not inherited by a child .htaccess that contains its own
# "RewriteEngine on" (the standard WordPress .htaccess does); the child's ruleset
# replaces this one. Either that .htaccess needs "RewriteOptions Inherit", or this
# section needs "RewriteOptions InheritDown" (httpd 2.4.8+). Also, being wrapped in
# <IfModule mod_rewrite.c>, the block silently does nothing if mod_rewrite is absent.
<IfModule mod_rewrite.c>
<Directory "/var/www/vhosts/domain.example/httpdocs">
RewriteEngine on
RewriteCond %{QUERY_STRING} author=\d+
RewriteCond %{REQUEST_FILENAME} !^/var/www/vhosts/domain\.example/httpdocs/wp\-admin/ [NC]
RewriteRule .* - [F,L]
</Directory>
</IfModule>
# "Block author scans"
# To remove this rule, revert this security measure on each WordPress installation on this domain
# NOTE(review): the heading above appears mislabeled — this section has nothing to do
# with author enumeration. It denies any request URI containing wp-config.bak,
# .wp-config.php.swp, or a readme/license/changelog/*-config/*-sample name with a
# .php/.md/.txt/.htm/.html extension, case-insensitively via (?i:...). Note that
# "-config.php" also matches wp-config.php itself.
# <LocationMatch> is tested against the request URI path, not a file-system name, so
# it applies even to requests that do not map to an existing file. The "\\." sequences
# are collapsed to "\." by Apache's configuration parser before the regex is compiled;
# a server that parses Apache syntax differently may not do that, which is worth
# checking before concluding that LiteSpeed simply ignores the section. A <FilesMatch>
# with the same regex is tested against the file-name component only; for this pattern
# (no directory part) the effect should be close, but confirm behaviour for URLs that
# do not correspond to a real file.
<LocationMatch "(?i:(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html)))">
Require all denied
</LocationMatch>
# "Block access to potentially sensitive files"
# To remove this rule, revert this security measure on each WordPress installation on this domain
# Denies any request URI that ends (case-insensitively, via (?i:...)) in one of the
# listed extensions: Photoshop files, logs, Windows and Unix script/binary types and
# .ini files. Because of the trailing "$" anchor the extension must be the last thing
# in the path, so e.g. a rotated error.log.1 is not covered. As a <LocationMatch> it is
# matched against the URI path, not the file name on disk.
<LocationMatch ".+\\.(?i:psd|log|cmd|exe|bat|csh|ini|sh)$">
Require all denied
</LocationMatch>
# "Disable PHP execution in cache directories"
# To remove this rule, revert this security measure on each WordPress installation on this domain
# Denies any request URI that has a "/cache/" segment followed, anywhere later in the
# path, by ".php", ".php3/4/5", ".pht" or ".phtml" (case-insensitive). The pattern is
# not anchored at the end, so "foo.php.txt" under a cache directory is denied as well.
# This rule cannot be ported to <FilesMatch> by keeping the regex: a <FilesMatch> regex
# is tested against the file-name component only, so the "/cache/" part would never
# match and the section would silently protect nothing. The file-system equivalent is a
# <DirectoryMatch> section selecting the cache directories, wrapping a <FilesMatch> on
# the extension part of the regex — which then only covers cache directories that
# actually exist on disk.
<LocationMatch "(?i:.*/cache/.*\\.ph(?:p[345]?|t|tml))">
Require all denied
</LocationMatch>
# "Block access to .htaccess and .htpasswd"
# To remove this rule, revert this security measure on each WordPress installation on this domain
# Denies any file whose name starts with ".ht" (case-insensitive): .htaccess and
# .htpasswd as the heading says, plus any other .ht* file. Unlike the <LocationMatch>
# sections above this is a file-name match, which is the form the poster reports as
# working under LiteSpeed.
<FilesMatch ^(?i:\.ht.*)$>
Require all denied
</FilesMatch>
# "Enable bot protection"
# To remove this rule, revert this security measure on each WordPress installation on this domain
# Returns 403 (F flag) for any request under the document root whose User-Agent
# contains one of the listed substrings, case-insensitively ([NC]). Several entries
# are generic words ("harvest", "extract", "grab", "miner") and "python-requests" is
# the default User-Agent of a widely used HTTP library, so expect false positives for
# legitimate monitoring or integration clients; review 403s in the access log after
# enabling.
# NOTE(review): like the author-scan rule above, this is a mod_rewrite ruleset in a
# <Directory> section for the document root. If httpdocs/.htaccess has its own
# "RewriteEngine on", these rules are not inherited by it unless "RewriteOptions
# Inherit" (in the .htaccess) or "RewriteOptions InheritDown" (here, httpd 2.4.8+) is
# set — confirm against the actual .htaccess. The <IfModule> wrapper means the block
# silently does nothing if mod_rewrite is not loaded.
<IfModule mod_rewrite.c>
<Directory "/var/www/vhosts/domain.example/httpdocs">
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)" [NC]
RewriteRule .* - [F,L]
</Directory>
</IfModule>
#extension wp-toolkit end
Also, the # "Block author scans" part does not work on either Apache or LS. I would appreciate any help in solving this issue with WP toolkit. Is it actually correct to replace LocationMatch with FilesMatch?
Thank you.
Regards, Alex