How do I rewrite the WP-Security rules in Nginx?

Date: 2014-01-04 Author: DrDinosaur

I have a WordPress site on a VPS running nginx. I installed the WP Security plugin to improve my site's security. After changing all the settings to my liking, a popup told me that I need to rewrite the rules to save the changes. Part of it read: "Please see the Better WP Security dashboard for the list of rewrite rules you need." The list of rewrite rules can be found here:

# BEGIN Better WP Security
    # Begin HackRepair.com Blacklist
        if ($http_user_agent ~* "^BlackWidow"){ return 403; }
        if ($http_user_agent ~ "^Bolt"){ return 403; }
        if ($http_user_agent ~* "CazoodleBot"){ return 403; }
        if ($http_user_agent ~* "^ChinaClaw"){ return 403; }
        if ($http_user_agent ~* "^Custo"){ return 403; }
        if ($http_user_agent ~ "^Default"){ return 403; }
        if ($http_user_agent ~* "^DIIbot"){ return 403; }
        if ($http_user_agent ~* "^DISCo"){ return 403; }
        if ($http_user_agent ~* "discobot"){ return 403; }
        if ($http_user_agent ~* "^eCatch"){ return 403; }
        if ($http_user_agent ~* "ecxi"){ return 403; }
        if ($http_user_agent ~* "^EirGrabber"){ return 403; }
        if ($http_user_agent ~* "^EmailCollector"){ return 403; }
        if ($http_user_agent ~* "^EmailSiphon"){ return 403; }
        if ($http_user_agent ~* "^EmailWolf"){ return 403; }
        if ($http_user_agent ~* "^ExtractorPro"){ return 403; }
        if ($http_user_agent ~* "^EyeNetIE"){ return 403; }
        if ($http_user_agent ~* "^FlashGet"){ return 403; }
        if ($http_user_agent ~* "^GetRight"){ return 403; }
        if ($http_user_agent ~* "^GetWeb!"){ return 403; }
        if ($http_user_agent ~* "^Go!Zilla"){ return 403; }
        if ($http_user_agent ~* "^Go-Ahead-Got-It"){ return 403; }
        if ($http_user_agent ~* "^GrabNet"){ return 403; }
        if ($http_user_agent ~* "^Grafula"){ return 403; }
        if ($http_user_agent ~* "GT::WWW"){ return 403; }
        if ($http_user_agent ~* "heritrix"){ return 403; }
        if ($http_user_agent ~* "^HMView"){ return 403; }
        if ($http_user_agent ~* "HTTP::Lite"){ return 403; }
        if ($http_user_agent ~* "HTTrack"){ return 403; }
        if ($http_user_agent ~* "ia_archiver"){ return 403; }
        if ($http_user_agent ~* "IDBot"){ return 403; }
        if ($http_user_agent ~* "id-search"){ return 403; }
        if ($http_user_agent ~* "id-search.org"){ return 403; }
        if ($http_user_agent ~* "^InterGET"){ return 403; }
        if ($http_user_agent ~* "^InternetSeer.com"){ return 403; }
        if ($http_user_agent ~* "IRLbot"){ return 403; }
        if ($http_user_agent ~* "^Java"){ return 403; }
        if ($http_user_agent ~* "^JetCar"){ return 403; }
        if ($http_user_agent ~* "^larbin"){ return 403; }
        if ($http_user_agent ~* "^LeechFTP"){ return 403; }
        if ($http_user_agent ~* "libwww"){ return 403; }
        if ($http_user_agent ~* "libwww-perl"){ return 403; }
        if ($http_user_agent ~* "^Link"){ return 403; }
        if ($http_user_agent ~* "LinksManager.com_bot"){ return 403; }
        if ($http_user_agent ~* "linkwalker"){ return 403; }
        if ($http_user_agent ~* "lwp-trivial"){ return 403; }
        if ($http_user_agent ~* "^Maxthon$"){ return 403; }
        if ($http_user_agent ~* "MFC_Tear_Sample"){ return 403; }
        if ($http_user_agent ~* "^microsoft.url"){ return 403; }
        if ($http_user_agent ~ "Microsoft"){ return 403; }
        if ($http_user_agent ~* "^Mozilla.*Indy"){ return 403; }
        if ($http_user_agent ~* "^Mozilla.*NEWT"){ return 403; }
        if ($http_user_agent ~* "^MSFrontPage"){ return 403; }
        if ($http_user_agent ~* "^Navroad"){ return 403; }
        if ($http_user_agent ~* "^NearSite"){ return 403; }
        if ($http_user_agent ~* "^NetAnts"){ return 403; }
        if ($http_user_agent ~* "^NetSpider"){ return 403; }
        if ($http_user_agent ~* "^NetZIP"){ return 403; }
        if ($http_user_agent ~* "^Nutch"){ return 403; }
        if ($http_user_agent ~* "^Octopus"){ return 403; }
        if ($http_user_agent ~* "^PageGrabber"){ return 403; }
        if ($http_user_agent ~* "panscient.com"){ return 403; }
        if ($http_user_agent ~* "^pavuk"){ return 403; }
        if ($http_user_agent ~* "PECL::HTTP"){ return 403; }
        if ($http_user_agent ~* "^PeoplePal"){ return 403; }
        if ($http_user_agent ~* "^pcBrowser"){ return 403; }
        if ($http_user_agent ~* "PHPCrawl"){ return 403; }
        if ($http_user_agent ~* "PleaseCrawl"){ return 403; }
        if ($http_user_agent ~* "^psbot"){ return 403; }
        if ($http_user_agent ~* "^RealDownload"){ return 403; }
        if ($http_user_agent ~* "^ReGet"){ return 403; }
        if ($http_user_agent ~ "^Rippers"){ return 403; }
        if ($http_user_agent ~* "SBIder"){ return 403; }
        if ($http_user_agent ~* "^SeaMonkey$"){ return 403; }
        if ($http_user_agent ~* "^sitecheck.internetseer.com"){ return 403; }
        if ($http_user_agent ~* "^SiteSnagger"){ return 403; }
        if ($http_user_agent ~* "^SmartDownload"){ return 403; }
        if ($http_user_agent ~* "Snoopy"){ return 403; }
        if ($http_user_agent ~* "Steeler"){ return 403; }
        if ($http_user_agent ~* "^SuperBot"){ return 403; }
        if ($http_user_agent ~* "^SuperHTTP"){ return 403; }
        if ($http_user_agent ~* "^Surfbot"){ return 403; }
        if ($http_user_agent ~* "^tAkeOut"){ return 403; }
        if ($http_user_agent ~ "^Teleport"){ return 403; }
        if ($http_user_agent ~ "^Toata"){ return 403; }
        if ($http_user_agent ~* "URI::Fetch"){ return 403; }
        if ($http_user_agent ~* "urllib"){ return 403; }
        if ($http_user_agent ~* "User-Agent"){ return 403; }
        if ($http_user_agent ~* "^VoidEYE"){ return 403; }
        if ($http_user_agent ~* "webalta"){ return 403; }
        if ($http_user_agent ~* "^WebAuto"){ return 403; }
        if ($http_user_agent ~* "^[Ww]eb[Bb]andit"){ return 403; }
        if ($http_user_agent ~* "WebCollage"){ return 403; }
        if ($http_user_agent ~* "^WebCopier"){ return 403; }
        if ($http_user_agent ~* "^WebFetch"){ return 403; }
        if ($http_user_agent ~* "^WebLeacher"){ return 403; }
        if ($http_user_agent ~* "^WebReaper"){ return 403; }
        if ($http_user_agent ~* "^WebSauger"){ return 403; }
        if ($http_user_agent ~* "^WebStripper"){ return 403; }
        if ($http_user_agent ~* "^WebWhacker"){ return 403; }
        if ($http_user_agent ~* "^WebZIP"){ return 403; }
        if ($http_user_agent ~* "^Wget"){ return 403; }
        if ($http_user_agent ~* "^Widow"){ return 403; }
        if ($http_user_agent ~* "^WWW-Mechanize"){ return 403; }
        if ($http_user_agent ~* "^WWWOFFLE"){ return 403; }
        if ($http_user_agent ~* "zermelo"){ return 403; }
        if ($http_user_agent ~* "^Zeus"){ return 403; }
        if ($http_user_agent ~* "^Zeus.*Webster"){ return 403; }
        if ($http_user_agent ~* "ZyBorg"){ return 403; }
    # End HackRepair.com Blacklist

    location ~ /\\.ht { deny all; }
    location ~ wp-config.php { deny all; }
    location ~ readme.html { deny all; }
    location ~ readme.txt { deny all; }
    location ~ /install.php { deny all; }
    set $susquery 0;
    set $rule_2 0;
    set $rule_3 0;
    rewrite ^wp-includes/(.*).php /not_found last;
    rewrite ^/wp-admin/includes(.*)$ /not_found last;
    if ($request_method ~* "^(TRACE|DELETE|TRACK)"){ return 403; }
    if ($args ~* "\\.\\./") { set $susquery 1; }
    if ($args ~* ".(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
    if ($args ~* "etc/passwd") { set $susquery 1; }
    if ($args ~* "boot.ini") { set $susquery 1; }
    if ($args ~* "ftp:") { set $susquery 1; }
    if ($args ~* "http:") { set $susquery 1; }
    if ($args ~* "https:") { set $susquery 1; }
    if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
    if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
    if ($args ~* "base64_encode") { set $susquery 1; }
    if ($args ~* "(%24&x)") { set $susquery 1; }
    if ($args ~* "(\\[|\\]|\\(|\\)|<|>|ê|\\"|;|\\?|\\*|=$)"){ set $susquery 1; }
    if ($args ~* "(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;|%24&x)"){ set $susquery 1; }
    if ($args ~* "(127.0)") { set $susquery 1; }
    if ($args ~* "(%0|%A|%B|%C|%D|%E|%F)") { set $susquery 1; }
    if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
    if ($args ~* "(request|select|insert|concat|union|declare)") { set $susquery 1; }
    if ($http_cookie !~* "wordpress_logged_in_" ) {
        set $susquery 2$susquery;
        set $rule_2 1;
        set $rule_3 1;
    }
    if ($args !~ "^loggedout=true") { set $susquery 3$susquery; }
    if ($susquery = 4321) { return 403; }
    rewrite ^/login/?$ /wp-login.php?nw61e1jrijsnetr1xokgx redirect;
    if ($rule_2 = 1) { rewrite ^/totalaccess/?$ /wp-login.php?nw61e1jrijsnetr1xokgx&redirect_to=/wp-admin/ redirect; }
    if ($rule_2 = 0) { rewrite ^/totalaccess/?$ /wp-admin/?nw61e1jrijsnetr1xokgx redirect; }
    rewrite ^/register/?$ /wp-login.php?nw61e1jrijsnetr1xokgx&action=register redirect;
    if ($uri !~ "^(.*)admin-ajax.php") { set $rule_3 2$rule_3; }
    if ($http_referer !~* wp-admin ) { set $rule_3 3$rule_3; }
    if ($http_referer !~* wp-login.php ) { set $rule_3 4$rule_3; }
    if ($http_referer !~* login ) { set $rule_3 5$rule_3; }
    if ($http_referer !~* totalaccess ) { set $rule_3 6$rule_3; }
    if ($http_referer !~* register ) { set $rule_3 7$rule_3; }
    if ($args !~ "^action=logout") { set $rule_3 8$rule_3; }
    if ($args !~ "^nw61e1jrijsnetr1xokgx") { set $rule_3 9$rule_3; }
    if ($args !~ "^action=rp") { set $rule_3 0$rule_3; }
    if ($args !~ "^action=register") { set $rule_3 a$rule_3; }
    if ($args !~ "^action=postpass") { set $rule_3 b$rule_3; }
    if ($rule_3 = ba0987654321) {
        rewrite ^(.*/)?wp-login.php /not_found redirect;
        rewrite ^/wp-admin(.*)$ /not_found redirect;
    }
# END Better WP Security
I'm not sure whether the plugin's changes actually took effect, because I haven't modified any files with these rules myself. I asked around and searched Google, but couldn't find an answer. So I just want to know how to "rewrite" these rules to make sure the security is properly in place.

2 Answers

Accepted answer, by SO user birgire:

Please try this:

1) Save the rewrite rules to a file: /absolute/path/to/wp_security.conf.

2) Then include it in the nginx configuration file with the following line:

           include /absolute/path/to/wp_security.conf;
and place it in the server context:

server {
           #... cut ...       

           ##
           # include the Better WP Security configuration file
           ##
           include /absolute/path/to/wp_security.conf;

           location / {
                        try_files  $uri $uri/ /index.php?$args;
           }

           #... cut ...           
}
3) Remember to reload nginx:

nginx -t && service nginx reload
4) One thing you can easily test is this part:

location ~ readme.html { deny all; }
When this rule is active, access to readme.html should be denied when you try to view the file in a browser:

403
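A quick smoke test for step 4, added here as an example (it is not part of birgire's answer): it requests a few paths that the included rules cover and compares the status codes with what each rule should produce. It assumes the site is reachable at BASE (a constructed placeholder) and that the include from step 2 is in place.

```shell
#!/bin/sh
# Added smoke test (not from the original answer): hit a few paths the
# Better WP Security rules cover and compare status codes.
# BASE is a constructed placeholder; point it at the real site.
BASE="${BASE:-http://127.0.0.1}"

# Print only the HTTP status code for PATH, passing extra curl options through.
http_code() {
    path=$1; shift
    curl -s -o /dev/null -w '%{http_code}' "$@" "$BASE$path"
}

# check NAME EXPECTED PATH [curl options...]: report PASS/FAIL, return 0/1.
check() {
    name=$1; expected=$2; path=$3; shift 3
    got=$(http_code "$path" "$@")
    if [ "$got" = "$expected" ]; then
        echo "PASS $name ($got)"
        return 0
    fi
    echo "FAIL $name (expected $expected, got '$got')"
    return 1
}

# Returns the number of failed checks, so 0 means every rule behaved.
run_checks() {
    fails=0
    check "readme.html denied (location ~ readme.html)" 403 /readme.html   || fails=$((fails + 1))
    check "wp-config.php denied"                        403 /wp-config.php || fails=$((fails + 1))
    check "dotfiles denied (location ~ /\\.ht)"         403 /.htaccess     || fails=$((fails + 1))
    check "TRACE refused (\$request_method rule)"       403 / -X TRACE     || fails=$((fails + 1))
    check "blacklisted UA refused (^Wget)"              403 / -A 'Wget/1.14' || fails=$((fails + 1))
    # No login cookie, no referer, no token: $rule_3 reaches ba0987654321,
    # so wp-login.php is redirected (302) to /not_found; /login redirects too.
    check "wp-login.php hidden"                         302 /wp-login.php  || fails=$((fails + 1))
    check "/login slug redirects"                       302 /login         || fails=$((fails + 1))
    check "ordinary browser request allowed"            200 / -A 'Mozilla/5.0' || fails=$((fails + 1))
    return "$fails"
}

if [ "${1-}" = "--run" ]; then
    run_checks
fi
```

The $susquery chain is left out on purpose: as posted, no rule prepends the digit 4, so $susquery can never equal 4321 and that return 403 never fires. Run the script with --run against the live site.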

Answer by SO user Another WP Trouble Shooter:

I believe I saw this post a while ago and tested your rewrite rules. There is one rule I have to warn you about. The line

 if ($http_user_agent ~* "^Custo"){ return 403; }
ends up disabling customize.php in WordPress. If a user tries to customize a theme in the dashboard (personally, any customization done in WP is a bit dangerous), it will show up as broken or with missing CSS.
