Hello,
I have two questions (in one). Where should we place this kind of "firewall rules", and can we use the original Apache syntax (or should the "FilesMatch" part be avoided)? Below are examples.
Apache config:
### START - [Security] Server file lock - Blocked access to ".ht" files
<FilesMatch "^\.ht">
Deny from all
</FilesMatch>
<FilesMatch "^\.ftp">
Deny from all
</FilesMatch>
<FilesMatch "^php.ini$">
Deny from all
</FilesMatch>
<FilesMatch "^\.well-known">
Allow from all
</FilesMatch>
### END Server file lock
### START - [Security] Mitigation CVE-2018-6389
<FilesMatch "load-(scripts|styles)\.php">
Deny from all
</FilesMatch>
### END Mitigation CVE-2018-6389
### START - [Security] XML-RPC blocking
<FilesMatch "xmlrpc\.php">
Deny from all
</FilesMatch>
### END XML-RPC blocking
### START - [Security] Do not execute files on Uploads
<FilesMatch "wp-content/uploads/(.+)\.php">
Deny from all
</FilesMatch>
### END Do not execute files on Uploads
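A way to check which of the rules above can actually fire, as an added example that is not part of the original post: Apache applies `<Files>`/`<FilesMatch>` to the last path component only, as an unanchored regex search, and the sketch below models just that with Python's `re`. The request paths are constructed samples and the function names are hypothetical.

```python
import posixpath
import re

# FilesMatch patterns copied from the post, with the action each section sets.
RULES = [
    (r"^\.ht", "deny"),
    (r"^\.ftp", "deny"),
    (r"^php.ini$", "deny"),
    (r"^\.well-known", "allow"),
    (r"load-(scripts|styles)\.php", "deny"),
    (r"xmlrpc\.php", "deny"),
    (r"wp-content/uploads/(.+)\.php", "deny"),
]

# Constructed sample request paths (assumptions, not taken from the post).
SAMPLES = [
    "/.htaccess",
    "/.ftpquota",
    "/php.ini",
    "/phpXini",                            # unescaped "." matches any character
    "/wp-admin/load-scripts.php",
    "/xmlrpc.php",
    "/xmlrpc.php.bak",                     # no "$" anchor, so this matches too
    "/wp-content/uploads/2024/file.php",   # directory part is never tested
    "/.well-known/acme-challenge/token",   # ".well-known" is a directory
]

def matching_rules(url_path):
    """Return the (pattern, action) pairs whose regex matches the basename."""
    basename = posixpath.basename(url_path)
    return [(pat, act) for pat, act in RULES if re.search(pat, basename)]

def unmatched(paths=SAMPLES):
    """Return the patterns that matched none of the given paths."""
    hit = {pat for p in paths for pat, _ in matching_rules(p)}
    return [pat for pat, _ in RULES if pat not in hit]

if __name__ == "__main__":
    for path in SAMPLES:
        acts = [f"{act} ({pat})" for pat, act in matching_rules(path)]
        print(f"{path:40} {', '.join(acts) or 'no FilesMatch rule applies'}")
    print("never matched:", unmatched())
```

A rule that depends on a directory name has to be scoped with a `<Directory>` or `<DirectoryMatch>` section in the server configuration, or placed in an `.htaccess` file inside that directory.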