Want more timely Centmin Mod News Updates?
Become a Member

Beta Branch update tools/autoprotect.sh custom akismet wordpress plugin nginx rules

Discussion in 'Centmin Mod Github Commits' started by eva2000, Jul 19, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    30,947
    6,915
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,413
    Local Time:
    8:56 AM
    Nginx 1.13.x
    MariaDB 5.5
    update tools/autoprotect.sh custom akismet wordpress plugin nginx rules

    update both tools/autoprotect.sh and inc/wpsetup.inc centmin.sh menu option 22 wp_secure include file rules for akismet wordpress plugin to use nginx rules to whitelist css and png files but protect the /akismet directory and akismet.php file from public access

    Continue reading...

    123.09beta01 branch
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,947
    6,915
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,413
    Local Time:
    8:56 AM
    Nginx 1.13.x
    MariaDB 5.5
    This update is to fix @GamerJota's reported issues with centmin.sh menu option 22 auto installed wordpress install's extra security via tools/autoprotect.sh and akismet wordpress plugin at Wordpress - Akismet JS and CSS - Forbidden? | Centmin Mod Community

    Testing out some updates to centmin mod 123.09beta01's tools/autoprotect.sh to auto detect akismet and add additional whitelisting rules

    before the tools/autoprotect.sh updates = 403 permission denied vs 200 status ok
    Code (Text):
    cat /usr/local/nginx/conf/autoprotect/domain8.com/autoprotect-domain8.com.conf
    # /home/nginx/domains/domain8.com/public/wp-content/plugins/akismet
    location ~* ^/wp-content/plugins/akismet/ { deny all; }
    # /home/nginx/domains/domain8.com/public/wp-content/plugins/sucuri-scanner
    location ~* ^/wp-content/plugins/sucuri-scanner/ { deny all; }
    

    Code (Text):
    [root@centos7 akismet]# curl -I http://domain8.com/wp-content/plugins/akismet/
    HTTP/1.1 403 Forbidden
    Date: Mon, 18 Jul 2016 18:34:11 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 162
    Connection: keep-alive
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    [root@centos7 akismet]# curl -I http://domain8.com/wp-content/plugins/akismet/_inc/akismet.css
    HTTP/1.1 403 Forbidden
    Date: Mon, 18 Jul 2016 18:34:33 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 162
    Connection: keep-alive
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    [root@centos7 akismet]# curl -I http://domain8.com/wp-content/plugins/akismet/_inc/img/logo-full-2x.png
    HTTP/1.1 403 Forbidden
    Date: Mon, 18 Jul 2016 18:34:48 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 162
    Connection: keep-alive
    Server: nginx centminmod
    X-Powered-By: centminmod
    

    after tools/autoprotect.sh update
    Code (Text):
    [root@centos7 akismet]# cat /usr/local/nginx/conf/autoprotect/domain8.com/autoprotect-domain8.com.conf
    # /home/nginx/domains/domain8.com/public/wp-content/plugins/akismet
    
    location ~ ^/wp-content/plugins/akismet/ {
      location ~ ^/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)$ { allow all; }
      location ~ ^/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)$ { allow all; }
      location ~* /wp-content/plugins/akismet/.*\.php$ {
        include /usr/local/nginx/conf/php.conf;
        allow 127.0.0.1;
        deny all;
      }
    }
    
    # /home/nginx/domains/domain8.com/public/wp-content/plugins/sucuri-scanner
    location ~* ^/wp-content/plugins/sucuri-scanner/ { deny all; }
    

    Code (Text):
    [root@centos7 akismet]#
    curl -I http://domain8.com/wp-content/plugins/akismet/
    HTTP/1.1 403 Forbidden
    Date: Mon, 18 Jul 2016 19:57:45 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 162
    Connection: keep-alive
    Server: nginx centminmod
    X-Powered-By: centminmod
    
    [root@centos7 akismet]# curl -I http://domain8.com/wp-content/plugins/akismet/_inc/akismet.css   
    HTTP/1.1 200 OK
    Date: Mon, 18 Jul 2016 19:54:44 GMT
    Content-Type: text/css
    Content-Length: 8748
    Last-Modified: Mon, 18 Jul 2016 18:27:00 GMT
    Connection: keep-alive
    Vary: Accept-Encoding
    ETag: "578d1f74-222c"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Accept-Ranges: bytes
    
    [root@centos7 akismet]# curl -I http://domain8.com/wp-content/plugins/akismet/_inc/img/logo-full-2x.png
    HTTP/1.1 200 OK
    Date: Mon, 18 Jul 2016 19:54:46 GMT
    Content-Type: image/png
    Content-Length: 4970
    Last-Modified: Mon, 18 Jul 2016 18:27:00 GMT
    Connection: keep-alive
    ETag: "578d1f74-136a"
    Server: nginx centminmod
    X-Powered-By: centminmod
    Accept-Ranges: bytes
    
     
    Last edited: Jul 19, 2016
    • Like Like x 1
  3. eva2000

    eva2000 Administrator Staff Member

    30,947
    6,915
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,413
    Local Time:
    8:56 AM
    Nginx 1.13.x
    MariaDB 5.5
    If you are using Centmin Mod 123.09beta01, updating to latest code via outlined methods would update tools/autoprotect.sh and then you just manually run it once or wait until the cronjob does it for you to update the changes.

    manually run the tools/autoprotect.sh script once after centmin mod menu option 23 updating
    Code (Text):
    /usr/local/src/centminmod/tools/autoprotect.sh
    

    via the cron listed below
    Code (Text):
    crontab -l
    11 */23 * * * /usr/local/src/centminmod/tools/autoprotect.sh 2>/dev/null
    0 */4 * * * /usr/bin/cminfo_updater 2>/dev/null
    */15 * * * * sleep 285s ; wget -O - -q -t 1 http://domain8.com/wp-cron.php?doing_wp_cron=1 > /dev/null 2>&1
    0 */8 * * * sleep 105s ;/root/tools/wp_updater_domain8.com.sh 2>/dev/null
    


    Upgrading Centmin Mod Code to Latest Version



    Getting Started Guide step 19 outlines also how to keep Centmin Mod code updated or how to switch version branches.

    Centmin Mod LEMP stack's script code is constantly updated for improvements, bug fixes and security fixes so keeping the Centmin Mod code up to date is important. With Centmin Mod 1.2.3-eva2000.08) (123.08stable) and higher releases, a newly added centmin.sh menu option 23 allows much easier code updates and version branch swicthing via Git backed environment you can setup. For full details read the following links:
     
  4. dorobo

    dorobo Active Member

    420
    104
    43
    Jun 6, 2014
    Ratings:
    +162
    Local Time:
    6:56 AM
    latest
    latest
    If I remove the akismet plugin, can I do away with this autoprotect script?
     
  5. eva2000

    eva2000 Administrator Staff Member

    30,947
    6,915
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,413
    Local Time:
    8:56 AM
    Nginx 1.13.x
    MariaDB 5.5
    what do you mean ? autoprotect.sh protects more than just akismet... it protects any and all php web app directories where .htaccess deny from all was relied on to prevent public access but nginx doesn't support .htaccess so autoprotect.sh tries to auto convert .htaccess to nginx rewrite deny all rules.

    when you remove akismet plugin, the next autoprotect.sh scheduled cron run will detect that akismet is gone and remove the rules specific to only akismet directories from the autoprotect include file. That's why autoprotect.sh is run as a cronjob so it can auto detect newly added or removed php related web directories/apps

    autoprotect.sh outlined at Beta Branch - autoprotect.sh - apache .htaccess check & migration to nginx deny all | Centmin Mod Community
     
    • Informative Informative x 1