Date:      Thu, 9 Nov 2017 09:25:21 +0000
From:      Mike Clarke <jmc-freebsd2@milibyte.co.uk>
To:        Eugeniy Khvastunov <khvastunov@gmail.com>
Cc:        FreeBSD <freebsd-questions@freebsd.org>
Subject:   Re: Drupal vs. Wordpress
Message-ID:  <20171109092521.402b00a8@curlew>
In-Reply-To: <CANqgRE0fYD8L7gJjXBCWVWJGtHyjaTvLZMHLJaGCz0PUXHonuA@mail.gmail.com>
References:  <BN6PR2001MB1730A47EF95BAE3873F370EA805B0@BN6PR2001MB1730.namprd20.prod.outlook.com> <6513DCC1-2044-4E78-9862-F15292E0D9DC@fjl.co.uk> <CANqgRE2_oN46RoXe2%2BnF=6_K_RLzHDm-oNwATSJouDxtwR2%2Bow@mail.gmail.com> <CANqgRE3_yd5MeijbgCe=eJU_RDca2DjFTBUJ0Zr%2BLhdC4WPB-g@mail.gmail.com> <CANqgRE0fYD8L7gJjXBCWVWJGtHyjaTvLZMHLJaGCz0PUXHonuA@mail.gmail.com>

On Thu, 9 Nov 2017 09:31:03 +0200
Eugeniy Khvastunov <khvastunov@gmail.com> wrote:

> How are you securing your wp/joomla/drool?
> Maybe you can recommend some WAF or modules for Web server?

As far as WordPress goes I regard Wordfence <https://wordpress.org/plugins/wordfence/> as an essential security plugin. There's also some general advice on securing and hardening a WordPress site at https://www.wordfence.com/learn/

I also add these .htaccess rules to deny access to certain files:

# BEGIN protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
# END protect wp-config.php

# BEGIN protect temporary editor files
<files ~ "(\.swp|~)$">
order allow,deny
deny from all
</files>
# END protect temporary editor files

# BEGIN protect readme.txt
<files readme.txt>
order allow,deny
deny from all
</files>
# END protect readme.txt

# BEGIN restrict access to "includes" directories
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# END restrict access to "includes" directories

# Don't allow directory browsing
Options -Indexes

# Return "Not found" instead of "Forbidden"
ErrorDocument 403 /path-to/my/404.php

-- 
Mike Clarke
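
A way to check which request paths the rules in the message above actually cover, as an added example that is not part of the original e-mail: it models the three <files> sections and the five RewriteRule lines, including the [S=3] skip, and classifies constructed sample paths. It assumes the .htaccess file sits in the document root and that each URL path maps directly to a file; Options -Indexes and ErrorDocument are not modelled.

```python
import re
from posixpath import basename

# <Files> sections from the message; Apache matches them against the base name.
FILES_DENY = [
    re.compile(r"^wp-config\.php$"),  # <files wp-config.php>
    re.compile(r"(\.swp|~)$"),        # <files ~ "(\.swp|~)$">
    re.compile(r"^readme\.txt$"),     # <files readme.txt>
]

# RewriteRule lines in order: (negated, pattern, action).
# Action "F" is [F,L]; an integer n is [S=n] (skip the next n rules).
REWRITE_RULES = [
    (False, r"^wp-admin/includes/", "F"),
    (True, r"^wp-includes/", 3),
    (False, r"^wp-includes/[^/]+\.php$", "F"),
    (False, r"^wp-includes/js/tinymce/langs/.+\.php", "F"),
    (False, r"^wp-includes/theme-compat/", "F"),
]


def is_forbidden(url_path):
    """Return True if the modelled rules would answer 403 for url_path."""
    # Assumption: .htaccess is in the document root, so the per-directory
    # rewrite pattern sees the path without its leading slash.
    rel = url_path.lstrip("/")
    if any(p.search(basename(rel)) for p in FILES_DENY):
        return True
    skip = 0
    for negated, pattern, action in REWRITE_RULES:
        if skip:
            skip -= 1
            continue
        if bool(re.search(pattern, rel)) == negated:
            continue  # rule did not match
        if action == "F":
            return True
        skip = action
    return False


# Constructed sample request paths, not taken from any real log.
SAMPLES = ["/wp-config.php", "/blog/wp-config.php", "/wp-config.php.swp",
           "/readme.txt", "/readme.html", "/wp-admin/includes/file.php",
           "/wp-includes/version.php", "/wp-includes/pomo/mo.php",
           "/wp-includes/js/jquery/jquery.js", "/wp-login.php"]

if __name__ == "__main__":
    for path in SAMPLES:
        print(("403  " if is_forbidden(path) else "pass ") + path)
```

The [^/]+ in the third rule stops at the first slash, so only PHP files directly inside wp-includes/ are matched by it; files in its subdirectories are covered only where one of the later rules names the directory.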
