From: Mike Clarke
To: Eugeniy Khvastunov
Cc: FreeBSD
Date: Thu, 9 Nov 2017 09:25:21 +0000
Subject: Re: Drupal vs. Wordpress

On Thu, 9 Nov 2017 09:31:03 +0200
Eugeniy Khvastunov wrote:

> How are you securing your wp/joomla/drool?
> Maybe you can recommend some WAF or modules for Web server?

As far as WordPress goes I regard Wordfence as an essential security
plugin. There's also some general advice on securing and hardening a
WordPress site at https://www.wordfence.com/learn/

I also add these .htaccess rules to deny access to certain files:

# The <Files>/<FilesMatch> container lines are missing from the archived
# copy of this message. Without a container, "deny from all" applies to
# the whole directory, so containers are restored below. The wp-config.php
# name comes from the comment; the other two patterns are placeholders.

# BEGIN protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# END protect wp-config.php

# BEGIN protect temporary editor files
<FilesMatch "PLACEHOLDER_EDITOR_TEMP_FILE_PATTERN">
order allow,deny
deny from all
</FilesMatch>
# END protect temporary editor files

# BEGIN protect readme,txt
<FilesMatch "PLACEHOLDER_README_TXT_PATTERN">
order allow,deny
deny from all
</FilesMatch>
# END protect readme,txt

# BEGIN restrict access to "includes" directories
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# END restrict access to "includes" directories

# Don't allow directory browsing
Options -Indexes

# Return "Not found" instead of "Forbidden"
ErrorDocument 403 /path-to/my/404.php

-- 
Mike Clarke
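How the five RewriteRule lines in the message above interact, in particular the [S=3] skip, modelled in Python as an added example that is not part of the original message. The request paths are constructed samples, and the model assumes the .htaccess file sits in the document root, so the leading slash is stripped before matching.

```python
import re

# The five RewriteRule lines from the message, in order:
# (pattern, negated, flags). "F" = answer 403, "S" = skip the next n rules.
RULES = [
    (r"^wp-admin/includes/", False, {"F": True}),
    (r"^wp-includes/", True, {"S": 3}),
    (r"^wp-includes/[^/]+\.php$", False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/", False, {"F": True}),
]


def evaluate(url_path):
    """Return 403 if the rule set forbids url_path, else None."""
    # Assumption: .htaccess in the document root, so mod_rewrite sees the
    # path without its leading slash.
    path = url_path[1:] if url_path.startswith("/") else url_path
    i = 0
    while i < len(RULES):
        pattern, negated, flags = RULES[i]
        matched = bool(re.search(pattern, path)) != negated
        i += 1
        if not matched:
            continue
        if "F" in flags:
            return 403
        # [S=3]: anything outside wp-includes/ jumps over the next three rules.
        i += flags.get("S", 0)
    return None


# Constructed request paths, not taken from the message.
SAMPLES = [
    "/wp-admin/includes/upgrade.php",
    "/wp-includes/version.php",
    "/wp-includes/js/tinymce/langs/wp-langs.php",
    "/wp-includes/theme-compat/header.php",
    "/wp-includes/js/jquery/jquery.js",
    "/wp-includes/pomo/mo.php",
    "/wp-login.php",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:45} {evaluate(sample) or 'passes'}")
```

PHP files in subdirectories of wp-includes other than the two listed, such as the constructed /wp-includes/pomo/mo.php, are not matched by any of these rules and still pass.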