• 03-09-2023, 23:27:44
    #1
    Hello,

    I have a question about the security of a WordPress/WooCommerce e-commerce site. I'd welcome comments from anyone who can help.

    Could you help me secure the site? I describe what I have done below. If anything is missing or wrong, please correct me. Thanks.

    First, as plugins;

    - WordFence
    - Really Simple SSL (there is a paid SSL certificate)

    I am using these. Next, the cPanel/Softaculous side looks like this;



    And on the .htaccess side;

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    
    # Security Headers
    <IfModule mod_headers.c>
        Header set X-XSS-Protection "0"
        # "set" rather than "append": append produces "SAMEORIGIN, SAMEORIGIN" if
        # WordPress or a plugin already sends the header, and browsers reject that
        Header always set X-Frame-Options "SAMEORIGIN"
        Header set X-Content-Type-Options "nosniff"
        Header always set Strict-Transport-Security "includeSubDomains; preload; max-age=63072000"
        # Header set Content-Security-Policy ...
        Header set Referrer-Policy "strict-origin-when-cross-origin"
        # Permissions-Policy origins must be double-quoted, so escape them inside the value
        Header set Permissions-Policy "geolocation=(self \"https://www.x.com\"), microphone=()"
    </IfModule>
    
    #BEGIN WP Security Ninja - Hide PHP version in header
    <IfModule mod_headers.c>
        Header unset X-Powered-By
        Header unset Server
        Header unset X-Pingback
    </IfModule>
    #END WP Security Ninja - Hide PHP version in header
    
    # <Directory> is not permitted in .htaccess (Apache answers every request with a
    # 500 error), so block PHP execution under uploads with a rewrite rule instead,
    # or put a <Files "*.php"> block into wp-content/uploads/.htaccess
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^wp-content/uploads/.*\.php$ - [NC,F,L]
    </IfModule>
    
    <IfModule mod_rewrite.c>
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    # the "[" must be escaped, otherwise it opens a character class and the
    # pattern no longer matches GLOBALS[ / _REQUEST[
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>
    
    # SOFTACULOUS Block .htaccess and .htpasswd
    <FilesMatch ^(?i:\.ht.*)$>
        Require all denied
    </FilesMatch>
    # SOFTACULOUS Block .htaccess and .htpasswd End
    
    # BEGIN LiteSpeed
    <IfModule Litespeed>
    SetEnv noabort 1
    </IfModule>
    # END LiteSpeed
    
    # Wordfence WAF
    <IfModule LiteSpeed>
    php_value auto_prepend_file '/home/x/public_html/wordfence-waf.php'
    </IfModule>
    <IfModule lsapi_module>
    php_value auto_prepend_file '/home/x/public_html/wordfence-waf.php'
    </IfModule>
    <Files ".user.ini">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
    </Files>
    
    # END Wordfence WAF
    
    # Hotlink protection: empty referers and the site's own origins (http/https,
    # with or without www) are allowed; any other referer is redirected home.
    # php and xml are dropped from the extension list: redirecting external links
    # to .php endpoints and blocking feed/sitemap fetches breaks the site.
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?x\.com(/.*)?$ [NC]
    RewriteRule .*\.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|png|css|pdf|svg|ico|webp)$ https://www.x.com [R,NC,L]
    
    # SOFTACULOUS Block author scans
    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (author=\d+) [NC]
    RewriteRule .* - [F]
    # SOFTACULOUS Block author scans End
    
    # SOFTACULOUS Block directory browsing
    Options -Indexes
    # SOFTACULOUS Block directory browsing End
    
    # SOFTACULOUS Block xmlrpc
    <files xmlrpc.php>
        Require all denied
    </files>
    # SOFTACULOUS Block xmlrpc End
    
    # SOFTACULOUS Block access sensitive files
    <FilesMatch "^.*(((?:wp-config)\.(?:php|bak|swp))|php.ini|\.[hH][tT][aApP].*|((?:error_log|readme|license|changelog|-config|-sample)\.(?:php|md|log|txt|htm|html)))$">
        Require all denied
    </FilesMatch>
    # SOFTACULOUS Block access sensitive files End
    
    # SOFTACULOUS Enable bot protection
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} (?:virusbot|spambot|evilbot|acunetix|BLEXBot|domaincrawler\.com|LinkpadBot|MJ12bot/v|majestic12\.co\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\s+Link\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests) [NC]
    # answer 403 directly instead of redirecting to a host that does not resolve
    RewriteRule ^(.*)$ - [F,L]
    # SOFTACULOUS Enable bot protection End
    Finally, when the site goes live I will point the domain at CloudFlare.

    What else do I need to do?

    Thanks.
  • 03-09-2023, 23:39:04
    #2
    1-) FAIL: Check if upgrade.php file is accessible via HTTP on the default location. > upgrade.php is accessible via HTTP on the default location.
    2-) FAIL: Check if expose_php PHP directive is turned off. > expose_php PHP directive is turned on.

    Because I got these errors from Security Ninja, I closed these off as well.

    # Apache 2.4 syntax, consistent with the Require directives used elsewhere in this file
    <Files upgrade.php>
        Require all denied
    </Files>
    The other one is from php.ini.
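    A defender-side check for the controls discussed in this thread, added here as an example and not part of the original posts: it audits the response headers and the 403s the .htaccess rules should produce. The sample headers and status codes are constructed; for a real run, feed it the headers and status codes fetched from your own site.

```python
# Constructed sample responses (not from the thread): what a site with the
# .htaccess above should return, with two deliberate slips to show findings.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "includeSubDomains; preload; max-age=63072000",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Powered-By": "PHP/8.1",  # slip: the "Header unset" did not take effect
}
SAMPLE_STATUS = {
    "/xmlrpc.php": 403,
    "/wp-config.php": 403,
    "/.htaccess": 403,
    "/wp-content/uploads/probe.php": 403,
    "/wp-admin/upgrade.php": 200,  # slip: the upgrade.php block from post #2 is missing
}

def hsts_ok(value, min_age=31536000):
    """HSTS must carry max-age of at least one year and includeSubDomains."""
    parts = [p.strip().lower() for p in value.split(";")]
    ages = [p for p in parts if p.startswith("max-age=")]
    if not ages:
        return False
    try:
        age = int(ages[0].split("=", 1)[1])
    except ValueError:
        return False
    return age >= min_age and "includesubdomains" in parts

EXPECTED = {  # header name -> predicate on its value
    "strict-transport-security": hsts_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("SAMEORIGIN", "DENY"),
    "referrer-policy": lambda v: v.strip().lower() in
        ("strict-origin-when-cross-origin", "same-origin", "no-referrer"),
}
LEAKY = ("x-powered-by", "server", "x-pingback")  # the headers the config unsets

def audit_headers(headers):
    """Return a list of findings; an empty list means every header check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif not ok(h[name]):
            findings.append(f"weak {name}: {h[name]}")
    findings += [f"leaks {n}: {h[n]}" for n in LEAKY if n in h]
    return findings

def audit_paths(status_by_path):
    """Paths the rules should deny that did not answer 403 or 404."""
    return [p for p, code in status_by_path.items() if code not in (403, 404)]
```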