Wordpress Never had to whitelist anything

Discussion in 'Blogs & CMS usage' started by Jon Snow, Feb 10, 2018.

  1. Jon Snow

    Jon Snow Active Member

    335
    55
    28
    Jun 30, 2017
    Ratings:
    +79
    Local Time:
    5:56 AM
    Nginx 1.13.9
    MariaDB 10.1.31
    https://community.centminmod.com/threads/woocommerce-issue-and-question-about-whitelisting.13963/

    Read this thread...

    I installed WordPress the same way with wpsecure.conf, but I've never had a plugin blocked from working and had to whitelist each one in a file.

    Code (Text):
    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
    }
    
    # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
    {
            return 444;
    }
    
    #nocgi
    # the end anchor is a plain $; an escaped \$ would only match a literal dollar sign
    location ~* \.(pl|cgi|py|sh|lua)$ {
            return 444;
    }
    
    #disallow
    location ~* (roundcube|webdav|smtp|http\:|soap|w00tw00t) {
            return 444;
    }
    
    location ~ /(\.|wp-config\.php|readme\.html|license\.txt) { deny all; }

    I've never had problems like others here who reported that their plugins weren't working from using the auto-install WordPress feature from the centminmod menu.

    Am I doing something wrong or is this normal?
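
An added example, not part of the original posts and not Centmin Mod's own code: a Python check of which request paths the five regex locations quoted in the first post would reject, which shows why ordinary plugin PHP files pass without whitelisting. It assumes nginx reaches these regex locations in file order with no other location taking precedence, that paths are already normalized, and that the nocgi pattern ends in a plain `$`; the sample paths are constructed.

```python
import re

# Regex locations from the wpsecure.conf in the first post, in file order.
# "~*" is case-insensitive, "~" is case-sensitive. The nocgi pattern is written
# with a plain "$" end anchor (an escaped "\$" only matches a literal dollar sign).
RULES = [
    ("uploads-php", r"/(?:uploads|files)/.*\.php$", re.I, "deny all"),
    ("source-files",
     r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme"
     r"|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_",
     re.I, "444"),
    ("nocgi", r"\.(pl|cgi|py|sh|lua)$", re.I, "444"),
    ("disallow", r"(roundcube|webdav|smtp|http\:|soap|w00tw00t)", re.I, "444"),
    ("dotfiles", r"/(\.|wp-config\.php|readme\.html|license\.txt)", 0, "deny all"),
]

def first_match(path):
    """Return (rule, action) for the first rule matching a normalized URI path.

    Assumption: nginx reaches these regex locations in this order and no other
    location in the vhost wins first. Returns None when no rule applies.
    """
    for name, pattern, flags, action in RULES:
        if re.search(pattern, path, flags):
            return name, action
    return None

# Constructed sample request paths (not taken from the thread).
SAMPLES = [
    "/wp-content/plugins/woocommerce/woocommerce.php",
    "/wp-content/uploads/2018/02/image.php",
    "/wp-content/plugins/example-plugin/includes/db.inc",
    "/backup.sql",
    "/cgi-bin/test.pl",
    "/wp-config.php",
    "/wp-content/plugins/wp-mail-smtp/assets/css/admin.css",
    "/.git/config",
]

def report(paths=SAMPLES):
    """Map each path to its verdict so the whole rule set can be reviewed at once."""
    return {path: first_match(path) for path in paths}

if __name__ == "__main__":
    for path, hit in report().items():
        print(f"{'BLOCK ' + hit[0] if hit else 'pass':<20} {path}")
```

The disallow rule matches its keywords anywhere in the path, so a plugin whose directory name contains smtp or soap gets 444 for every file, static assets included.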
     
  2. eva2000

    eva2000 Administrator Staff Member

    33,733
    7,466
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +11,479
    Local Time:
    6:56 PM
    Nginx 1.13.x
    MariaDB 5.5
    centmin.sh menu option 22 is more aggressive security-wise with WordPress plugin directory restrictions, so it needs WP plugins whitelisted for them to work. If you installed WordPress manually, you wouldn't have such aggressive default security restrictions; that's why all WP plugins work without needing whitelisting.
     
  3. Jon Snow

    But the thread starter installed WordPress himself, so I'm confused why he had to whitelist his plugins :unsure:
     
  4. eva2000

    Some restrictions do exist in the wpsecure include file, though just not as many as in centmin.sh menu option 22.
     
  5. Jon Snow

    Alright. Are there any instructions to manually add all of the extra security stuff from centmin.sh menu option 22?

    I'd rather install scripts myself :p Can't get too lazy lol.
     
  6. eva2000

    The easiest way is to install Centmin Mod 123.09beta01 on a test VPS and do a test centmin.sh menu option 22 run for the intended domain, corresponding with the live domain name. Then copy over the wpsecure contents from the test install to your live.
     
  7. Jon Snow

    So it's unique to each site or is it something I can just upload instead of the regular contents from here?
     
  8. eva2000

    The wpsecure file's contents are auto-generated on the fly based on users' answers to the questions prompted during the centmin.sh menu option 22 run, i.e. if WordPress is installed in a subdirectory versus web root etc.
     
  9. Jon Snow

    Ah. I understand now. Thanks!
     