wo/cli/templates/wpcommon.mustache

# WordPress COMMON SETTINGS - WO v3.9.7
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
# Limit access to avoid brute force attack
location = /wp-login.php {
    limit_req zone=one burst=1 nodelay;
    include fastcgi_params;
    fastcgi_pass {{upstream}};
}
# Prevent DoS attacks on wp-cron
location = /wp-cron.php {
    limit_req zone=two burst=1 nodelay;
    include fastcgi_params;
    fastcgi_pass {{upstream}};
}
# Prevent Dos attacks with xmlrpc.php
location = /xmlrpc.php {
    limit_req zone=two burst=1 nodelay;
    include fastcgi_params;
    fastcgi_pass {{upstream}};
}
# Disable wp-config.txt
location = /wp-config.txt {
    deny all;
    access_log off;
    log_not_found off;
}
location = /robots.txt {
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
    try_files $uri $uri/ /index.php?$args @robots;
    access_log off;
    log_not_found off;
}
# fallback for robots.txt with default wordpress rules
location @robots {
    return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
}
# webp rewrite rules for jpg and png images
# try to load alternative image.png.webp before image.png
location /wp-content/uploads {
    location ~ \.(png|jpe?g)$ {
        add_header Vary "Accept-Encoding";
        more_set_headers 'Access-Control-Allow-Origin : *';
        add_header Cache-Control "public, no-transform";
        access_log off;
        log_not_found off;
        expires max;
        try_files $uri$webp_suffix $uri =404;
    }
    location ~* \.(php|gz|log|zip|tar|rar|xz)$ {
        #Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers
        deny all;
    }
}
# webp rewrite rules for EWWW testing image
location /wp-content/plugins/ewww-image-optimizer/images {
    location ~ \.(png|jpe?g)$ {
        add_header Vary "Accept-Encoding";
        more_set_headers 'Access-Control-Allow-Origin : *';
        add_header Cache-Control "public, no-transform";
        access_log off;
        log_not_found off;
        expires max;
        try_files $uri$webp_suffix $uri =404;
    }
    location ~ \.php$ {
    #Prevent Direct Access Of PHP Files From Web Browsers
        deny all;
    }
}
# enable gzip on static assets - php files are forbidden
location /wp-content/cache {
# Cache css & js files
    location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
        more_set_headers 'Access-Control-Allow-Origin : *';
        access_log off;
        log_not_found off;
        expires 30d;
    }
    location ~ \.php$ {
        #Prevent Direct Access Of PHP Files From Web Browsers
        deny all;
    }
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
    deny all;
}
Implement `--wprocket` * cleanup templates by using variables * add configuration for wp-rocket * update mapping for wp-rocket 2019-08-05 19:17:59 +02:00			`# WordPress COMMON SETTINGS - WO v3.9.7`
Refactored 2018-11-13 21:55:59 +01:00			`# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE`
			`# Limit access to avoid brute force attack`
			`location = /wp-login.php {`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`limit_req zone=one burst=1 nodelay;`
			`include fastcgi_params;`
Implement `--wprocket` * cleanup templates by using variables * add configuration for wp-rocket * update mapping for wp-rocket 2019-08-05 19:17:59 +02:00			`fastcgi_pass {{upstream}};`
Refactored 2018-11-13 21:55:59 +01:00			`}`
Add mime.types template and xmlrpc.php rate limiter 2019-09-02 12:20:20 +02:00			`# Prevent DoS attacks on wp-cron`
			`location = /wp-cron.php {`
			`limit_req zone=two burst=1 nodelay;`
			`include fastcgi_params;`
			`fastcgi_pass {{upstream}};`
			`}`
			`# Prevent Dos attacks with xmlrpc.php`
			`location = /xmlrpc.php {`
			`limit_req zone=two burst=1 nodelay;`
			`include fastcgi_params;`
			`fastcgi_pass {{upstream}};`
			`}`
Refactored 2018-11-13 21:55:59 +01:00			`# Disable wp-config.txt`
			`location = /wp-config.txt {`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`deny all;`
			`access_log off;`
			`log_not_found off;`
			`}`
Robots.txt fix and changelog update 2019-06-17 00:45:12 +02:00			`location = /robots.txt {`
			`# Some WordPress plugin gererate robots.txt file`
			`# Refer #340 issue`
			`try_files $uri $uri/ /index.php?$args @robots;`
			`access_log off;`
			`log_not_found off;`
			`}`
			`# fallback for robots.txt with default wordpress rules`
			`location @robots {`
Add ProFTPd setup 2019-07-19 13:47:29 +02:00			`return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";`
Robots.txt fix and changelog update 2019-06-17 00:45:12 +02:00			`}`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`# webp rewrite rules for jpg and png images`
			`# try to load alternative image.png.webp before image.png`
			`location /wp-content/uploads {`
			`location ~ \.(png\|jpe?g)$ {`
			`add_header Vary "Accept-Encoding";`
Fix CORS header * additional security directives 2019-09-25 00:27:31 +02:00			`more_set_headers 'Access-Control-Allow-Origin : *';`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`add_header Cache-Control "public, no-transform";`
			`access_log off;`
			`log_not_found off;`
			`expires max;`
			`try_files $uri$webp_suffix $uri =404;`
			`}`
Updating configuration (#197) #### Added - [ACME] Display warning about sudo usage when issuing certificate with DNS API validation (require `sudo -E`) #### Changed - [ACME] Resolve domain IP over HTTPS with Cloudflare DNS Resolver - [CORE] Cement Framework updated to v2.10.2 - [SITE] database name = 0 to 16 characters from the site name + 4 randomly generated character - [SITE] database user = 0 to 12 characters from the site name + 4 randomy generated character - [STACK] Improve sysctl tweak deployment #### Fixed - [SITE] https redirection missing on subdomains sites - Issues with digitalocean mariadb repository - Cement Framework output handler issues - [CLEAN] check if Nginx is installed before purging fastcgi or opcache 2019-11-11 19:06:11 +01:00			`location ~* \.(php\|gz\|log\|zip\|tar\|rar\|xz)$ {`
Fix CORS header * additional security directives 2019-09-25 00:27:31 +02:00			`#Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers`
Add ProFTPd setup 2019-07-19 13:47:29 +02:00			`deny all;`
			`}`
			`}`
			`# webp rewrite rules for EWWW testing image`
			`location /wp-content/plugins/ewww-image-optimizer/images {`
			`location ~ \.(png\|jpe?g)$ {`
			`add_header Vary "Accept-Encoding";`
Fix CORS header * additional security directives 2019-09-25 00:27:31 +02:00			`more_set_headers 'Access-Control-Allow-Origin : *';`
Add ProFTPd setup 2019-07-19 13:47:29 +02:00			`add_header Cache-Control "public, no-transform";`
			`access_log off;`
			`log_not_found off;`
			`expires max;`
			`try_files $uri$webp_suffix $uri =404;`
			`}`
			`location ~ \.php$ {`
Updating configuration (#197) #### Added - [ACME] Display warning about sudo usage when issuing certificate with DNS API validation (require `sudo -E`) #### Changed - [ACME] Resolve domain IP over HTTPS with Cloudflare DNS Resolver - [CORE] Cement Framework updated to v2.10.2 - [SITE] database name = 0 to 16 characters from the site name + 4 randomly generated character - [SITE] database user = 0 to 12 characters from the site name + 4 randomy generated character - [STACK] Improve sysctl tweak deployment #### Fixed - [SITE] https redirection missing on subdomains sites - Issues with digitalocean mariadb repository - Cement Framework output handler issues - [CLEAN] check if Nginx is installed before purging fastcgi or opcache 2019-11-11 19:06:11 +01:00			`#Prevent Direct Access Of PHP Files From Web Browsers`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`deny all;`
			`}`
			`}`
Update templates 2019-08-08 08:40:03 +02:00			`# enable gzip on static assets - php files are forbidden`
			`location /wp-content/cache {`
			`# Cache css & js files`
			`location ~* \.(?:css(\.map)?\|js(\.map)?\|.html)$ {`
Fix CORS header * additional security directives 2019-09-25 00:27:31 +02:00			`more_set_headers 'Access-Control-Allow-Origin : *';`
Update templates 2019-08-08 08:40:03 +02:00			`access_log off;`
			`log_not_found off;`
			`expires 30d;`
			`}`
			`location ~ \.php$ {`
Fix `wo upgrade` 2019-08-20 13:53:41 +02:00			`#Prevent Direct Access Of PHP Files From Web Browsers`
Update templates 2019-08-08 08:40:03 +02:00			`deny all;`
			`}`
			`}`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`# Deny access to any files with a .php extension in the uploads directory`
			`# Works in sub-directory installs and also in multisite network`
			`# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)`
			`location ~* /(?:uploads\|files)/.*\.php$ {`
			`deny all;`
Refactored 2018-11-13 21:55:59 +01:00			`}`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`# mitigate DoS attack CVE with WordPress script concatenation`
			`# add the following line to wp-config.php`
			`# define( 'CONCATENATE_SCRIPTS', false );`
			`location ~ \/wp-admin\/load-(scripts\|styles).php {`
Refactored 2018-11-13 21:55:59 +01:00			`deny all;`
			`}`