Servers are often misconfigured in ways that let an attacker read sensitive files and compromise the WordPress site running on them. No server can be 100% secure, but you can harden yours to a point where your WordPress website is well protected. I will be writing a blog post soon, listing all the major points to harden your server for maximum WordPress security.
For now, here are the steps to prevent information disclosure on a Plesk Onyx (nginx) based server.
- Log in to your server as the “root” user via SSH.
- Change to Plesk’s nginx vhosts directory.
cd /etc/nginx/plesk.conf.d/vhosts
- Here you will find one .conf file per domain hosted on your server. Open the .conf file of the domain on which WordPress is installed and which you want to secure against information disclosure (substitute “mydomain.com” with your domain name).
nano mydomain.com.conf
- Scroll down to the part of the file that looks like the block below. If your website uses SSL, there are two server blocks, one listening on port 80 and one on port 443, and you have to edit both.
    server {
        listen ipaddress:port;
        ...
        ...
        location ~* wp-config.php {
            deny all;
        }
        location / {
            ...
            ...
        }
- Insert the following code just before the existing “location ~* wp-config.php { deny all; }” block. The order matters: nginx tries regex locations in the order they appear in the file, so these rules are evaluated before Plesk’s own rule.
    ## RebootInternet.com - Prevent information disclosure ##
    # Turn off directory indexing
    autoindex off;
    # Deny access to .htaccess and other hidden files
    location ~ /\. {
        deny all;
    }
    # Deny access to the wp-config.php file
    location = /wp-config.php {
        deny all;
    }
    # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
    location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
        deny all;
    }
    ## RebootInternet.com - End ##
- This is how your .conf file should look after you have inserted the code.
    server {
        listen ipaddress:port;
        ...
        ...
        ## RebootInternet.com - Prevent information disclosure ##
        # Turn off directory indexing
        autoindex off;
        # Deny access to .htaccess and other hidden files
        location ~ /\. {
            deny all;
        }
        # Deny access to the wp-config.php file
        location = /wp-config.php {
            deny all;
        }
        # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
        location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
            deny all;
        }
        ## RebootInternet.com - End ##
        location ~* wp-config.php {
            deny all;
        }
        location / {
            ...
            ...
        }
- Now simply reload nginx
service nginx reload
Once you have completed all the steps above, the sensitive files of your WordPress installation covered by these rules will no longer be reachable from outside.
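To see which request paths the rules above actually catch, here is a small Python model of how nginx picks a location block (exact match first, then longest prefix, then regex blocks in file order, with “~*” case-insensitive), loaded with the blocks from this post. It is an added example, not code from the post, from nginx or from Plesk; it assumes the request URI has already been normalized the way nginx does before matching, and the sample paths are constructed. It also shows a side effect worth knowing: the hidden-files rule denies /.well-known/ too, which matters if Let’s Encrypt validation is served through this vhost.

```python
import re
from typing import NamedTuple

class Location(NamedTuple):
    modifier: str  # "=", "~", "~*", "^~" or "" for a plain prefix block
    pattern: str
    action: str    # "deny" or "serve": what the block does with the request

# The location blocks of the hardened vhost, in the order nginx reads them;
# the second-to-last is Plesk's own rule, "/" stands for the block that serves the site.
LOCATIONS = [
    Location("~", r"/\.", "deny"),
    Location("=", "/wp-config.php", "deny"),
    Location("~*", r"^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$", "deny"),
    Location("~*", r"wp-config.php", "deny"),
    Location("", "/", "serve"),
]

def select_location(path, locations=LOCATIONS):
    """Return the block nginx would pick for an already-normalized URI path."""
    # 1. An exact ("=") match wins outright.
    for loc in locations:
        if loc.modifier == "=" and loc.pattern == path:
            return loc
    # 2. Remember the longest matching prefix; a "^~" prefix skips the regex pass.
    prefixes = [l for l in locations if l.modifier in ("", "^~") and path.startswith(l.pattern)]
    best = max(prefixes, key=lambda l: len(l.pattern), default=None)
    if best is not None and best.modifier == "^~":
        return best
    # 3. Regex blocks are tried in file order, first hit wins; "~*" is case-insensitive.
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            if re.search(loc.pattern, path, re.IGNORECASE if loc.modifier == "~*" else 0):
                return loc
    # 4. No regex matched: fall back to the longest prefix.
    return best

def is_blocked(path):
    loc = select_location(path)
    return loc is not None and loc.action == "deny"

if __name__ == "__main__":
    # Constructed sample requests; the last one shows the hidden-files rule
    # also denying Let's Encrypt's /.well-known/ challenge path.
    for p in ["/wp-config.php", "/blog/wp-config.php", "/.htaccess", "/wp-content/debug.log",
              "/wp-content/uploads/Backup.SQL", "/wp-content/uploads/photo.jpg",
              "/.well-known/acme-challenge/token"]:
        print(f"{p:40} {'denied' if is_blocked(p) else 'served'}")
```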