• The APS Catalog has been deprecated and removed from all Plesk Obsidian versions.
    Applications already installed from the APS Catalog will continue working. However, Plesk will no longer provide support for APS applications.
  • Please be aware: with the Plesk Obsidian 18.0.78 release, the support for the ngx_pagespeed.so module will be deprecated and removed from the sw-nginx package.

Plesk+LiteSpeedENT+WP Tookit rules

IronDonDon

IronDonDon

New Pleskian
Hi,

I installed a Litespeed extension and switched the server to LS, but WP toolkit security rules/settings for Apache do not work or work only partially if switched to LS.
Most of the rules that dont work are <LocationMatch> rules. LS ignores them, which makes security settings in /var/www/vhosts/system/DOMAIN/conf/httpd.conf obsolete. My knowlage of apache is very basic (moving from nginx to Litespeed), so I've replaced LocationMatch with FilesMatch, which had a positive effect with LS. Here are the rules which do not work with LS:
Apache config: 
        #extension wp-toolkit begin
        # "Block unauthorized access to wp-config.php"
        # To remove this rule, revert this security measure on each WordPress installation on this domain
        <Files wp-config.php>
            Require all denied
        </Files>

        # "Block directory browsing"
        # To remove this rule, revert this security measure on each WordPress installation on this domain
        <Directory "/var/www/vhosts/domain.example/httpdocs">
            Options -Indexes
        </Directory>

        # "Forbid execution of PHP scripts in the wp-content/uploads directory"
        # To remove this rule, revert this security measure for WordPress installation #1
        <Directory "/var/www/vhosts/domain.example/httpdocs/wp-content/uploads">
            <FilesMatch \.php$>
                Require all denied
            </FilesMatch>
        </Directory>

        # "Forbid execution of PHP scripts in the wp-includes directory"
        # To remove this rule, revert this security measure for WordPress installation #1
        <IfModule mod_rewrite.c>
            <Directory "/var/www/vhosts/domain.example/httpdocs/wp-includes">
                <FilesMatch \.php$>
                    RewriteEngine on
                    RewriteCond %{REQUEST_FILENAME} !^/var/www/vhosts/domain\.example/httpdocs/wp\-includes/js/tinymce/wp\-tinymce\.php$ [NC]
                    RewriteRule .* - [NC,F,L]
                </FilesMatch>
            </Directory>
        </IfModule>

        # "Disable scripts concatenation for WordPress admin panel"
        # To remove this rule, revert this security measure for WordPress installation #1
        <Directory "/var/www/vhosts/domain.example/httpdocs/wp-admin">
            <FilesMatch (load-styles|load-scripts)\.php$>
                Require all denied
            </FilesMatch>
        </Directory>

        # "Block author scans"
        # To remove this rule, revert this security measure for WordPress installation #1
        <IfModule mod_rewrite.c>
            <Directory "/var/www/vhosts/domain.example/httpdocs">
                RewriteEngine on
                RewriteCond %{QUERY_STRING} author=\d+
                RewriteCond %{REQUEST_FILENAME} !^/var/www/vhosts/domain\.example/httpdocs/wp\-admin/ [NC]
                RewriteRule .* - [F,L]
            </Directory>
        </IfModule>

        # "Block author scans"
        # To remove this rule, revert this security measure on each WordPress installation on this domain
        <LocationMatch "(?i:(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html)))">
            Require all denied
        </LocationMatch>

        # "Block access to potentially sensitive files"
        # To remove this rule, revert this security measure on each WordPress installation on this domain
        <LocationMatch ".+\\.(?i:psd|log|cmd|exe|bat|csh|ini|sh)$">
            Require all denied
        </LocationMatch>

        # "Disable PHP execution in cache directories"
        # To remove this rule, revert this security measure on each WordPress installation on this domain
        <LocationMatch "(?i:.*/cache/.*\\.ph(?:p[345]?|t|tml))">
            Require all denied
        </LocationMatch>

        # "Block access to .htaccess and .htpasswd"
        # To remove this rule, revert this security measure on each WordPress installation on this domain
        <FilesMatch ^(?i:\.ht.*)$>
            Require all denied
        </FilesMatch>

        # "Enable bot protection"
        # To remove this rule, revert this security measure on each WordPress installation on this domain
        <IfModule mod_rewrite.c>
            <Directory "/var/www/vhosts/domain.example/httpdocs">
                RewriteEngine on
                RewriteCond %{HTTP_USER_AGENT} "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)" [NC]
                RewriteRule .* - [F,L]
            </Directory>
        </IfModule>
        #extension wp-toolkit end

Also, # "Block author scans" part does not work both on Apache and LS. I would appreciate any help in solving this issue with WP toolkit. Is it acctually correct to replace LocationMatch with FilesMatch?

Thank you.
Regards, Alex
 
You must log in or register to reply here.

Similar threads

D
Question Managing Bot/Crawler Attacks on wp-login Across Multiple Plesk Servers - Your Solutions?
Replies
7
Views
3K
danim
D
S
Issue WP Toolkit update broke update rules?
Replies
4
Views
3K
Soulstudio
S
T
Issue Host settings and htaccess behavior in nginx proxy mode
Replies
3
Views
5K
Peter Debik
P
Lenny
Resolved Seeking Assistance with API Communication Issues via SSL on Plesk
Replies
4
Views
6K
Lenny
Lenny
E
Installing a New WP site, issues with .htaccess and wp-config
Replies
2
Views
5K
theplaza
T
Back
Top