智享笔记 1 禁止所有对/xmlrpc.php文件的访问
wordpress站点伪静态配置如下:
location = /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
}2 屏蔽对 /wp-includes/wlwmanifest.xml 文件的访问
wordpress站点伪静态配置如下:
location = /wp-includes/wlwmanifest.xml {
deny all;
access_log off;
log_not_found off;
}3 禁止Git目录的遍历攻击
wordpress站点伪静态配置如下:
location ~ /\.git {
deny all;
access_log off;
log_not_found off;
}4 禁止执行/shell.php
wordpress站点伪静态配置如下:
location = /shell.php {
deny all;
access_log off;
log_not_found off;
}5 禁止对敏感文件的访问
wordpress站点伪静态配置如下:
location ~* /wp-(config|admin|includes)/.*\.php$ {
deny all;
}6 限制对特定路径的访问
wordpress站点伪静态配置如下:
location ~* /(delchel|block-editor-plugin|zjxd)\.php$ {
deny all;
}7 禁止本地服务器请求:tpc-002.mach3builders.nl、www.wbtuintotaal.nl、www.offshorerotterdam.com、www.technischbedrijf.nl、www.stage-match.nl域名
server {
...
location / {
if ($host ~* (tpc-002.mach3builders.nl|www.wbtuintotaal.nl|www.offshorerotterdam.com|www.technischbedrijf.nl|www.stage-match.nl)) {
return 403;
}
if ($host ~* (.*\.mach3builders\.nl)) { return 403;
}
}
...
}7 设置只允许特定IP地址访问WordPress的wp-login.php页面
location = /wp-login.php {
allow xxx.xxx.xxx.xxx;
deny all;
}
