Limit xmlrpc.php to only specific web clients

xmlrpc.php is a very common target of attacks. In most cases you don't need XML-RPC, but if you use third-party apps such as WordPress for iPhone or Android, or other editors, then xmlrpc.php is what they use to communicate with your WordPress installation. If you will be using it, it is a good idea to limit access to it to only the "browsers" you actually use to access it. In the case below, I'm using the iPhone WordPress app.

When the iPhone app accesses xmlrpc.php, the access log entry looks like this:

[11/Jun/2017:19:45:08 +0200] "POST /xmlrpc.php HTTP/2.0" 200 462 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Mobile/14F89 wp-iphone/7.7"

From this you can see that wp-iphone/7.7 is named as the client, so this will be our key for the nginx configuration. We'll make a rule that only accepts requests to xmlrpc.php from clients whose User-Agent contains the string "wp-iphone"; other clients will be denied. This is not bulletproof, as the User-Agent header can easily be spoofed, but it should block the majority of attacks.

location = /xmlrpc.php {
    # deny every client whose User-Agent does not contain "wp-iphone"
    # (!~* is a case-insensitive negative regex match)
    if ($http_user_agent !~* "wp-iphone") {
        return 403;
    }
    include fastcgi_params;
    fastcgi_pass 127.0.0.1:<your_php_fpm_port>;
}
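Before enabling the rule, it helps to replay it over existing logs to see which clients would be cut off. The following Python dry-run is an added example (my own code, not from the original post): it parses access-log lines in the format shown above and applies the same case-insensitive User-Agent check on the exact /xmlrpc.php location; the log lines are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed sample log (not from the post): line 1 mirrors the article's entry,
# the rest are invented to exercise the rule (scripted, empty and upper-case agents).
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jun/2017:19:45:08 +0200] "POST /xmlrpc.php HTTP/2.0" 200 462 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_2 like Mac OS X) AppleWebKit/603.2.4 (KHTML, like Gecko) Mobile/14F89 wp-iphone/7.7"
198.51.100.7 - - [11/Jun/2017:19:46:01 +0200] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0 (compatible; python-requests/2.18)"
198.51.100.7 - - [11/Jun/2017:19:46:02 +0200] "POST /xmlrpc.php?rsd HTTP/1.1" 200 371 "-" "-"
192.0.2.44 - - [11/Jun/2017:19:47:30 +0200] "POST /xmlrpc.php HTTP/1.1" 200 402 "-" "WP-IPHONE/7.6"
192.0.2.44 - - [11/Jun/2017:19:48:00 +0200] "GET /wp-login.php HTTP/1.1" 200 2831 "-" "Mozilla/5.0"
"""

# Fields of the nginx "combined" log format, as in the article's example line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one log line into a dict (None if unparsable); 'uri' drops the query string, which is what 'location = /xmlrpc.php' matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["uri"] = entry["path"].split("?", 1)[0]
    return entry

def would_block(entry, allowed_substring="wp-iphone"):
    """Mirror the nginx rule: on the exact /xmlrpc.php location, deny unless $http_user_agent contains the substring case-insensitively (!~*)."""
    if entry["uri"] != "/xmlrpc.php":
        return False
    return allowed_substring.lower() not in entry["ua"].lower()

def dry_run(log_text, allowed_substring="wp-iphone"):
    """Replay the rule over a log: counts of allowed/denied/other_path/unparsed lines plus the user agents that would receive 403."""
    stats, denied_agents = Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            stats["unparsed"] += 1
        elif entry["uri"] != "/xmlrpc.php":
            stats["other_path"] += 1
        elif would_block(entry, allowed_substring):
            stats["denied"] += 1
            denied_agents[entry["ua"]] += 1
        else:
            stats["allowed"] += 1
    return stats, denied_agents
```

Run `dry_run(open("/var/log/nginx/access.log").read())` against a real log to confirm that only your own app's agent ends up in the allowed count before deploying the rule.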

Bulk TTL change in Directadmin

You may want to change the TTL values for all domains and their DNS records on your Directadmin server. This can be done very easily. Here is how.

  • Go to the templates directory.
    cd /usr/local/directadmin/data/templates
  • Directadmin's default TTL value is 14400, so let's say we want to change it to 300. You will have to edit the template file named.db (the g flag replaces every occurrence of 14400 in the file, so make sure no other value in the template happens to be 14400).
    sed -i 's/14400/300/g' named.db
  • Rewrite the configuration files of every user.
    echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue

Wait a minute or two, then check whether the user configs were rewritten with the new value. Go to /etc/namedb and open the .db file of some domain; it should contain the new TTL value.

cPanel – create directory alias on domain

Creating aliases on a cPanel server is easy for domains. But when you want to create a directory alias for files outside of the document root, there is no quick click option in the control panel. By directory alias I mean, for example, http://mydomain.com/something, where /something is a directory outside of your domain's document root (public_html). Another example: you have the domain mydomain.com and you want phpMyAdmin to be accessible at http://mydomain.com/phpmyadmin, but phpMyAdmin is installed outside of mydomain.com's document root. You'll need a directory alias. Here is a quick way to do it.


Ultimate NGINX configuration for WordPress

Most of the sites that I created are based on WordPress. WordPress is a great platform for your sites if you take a little care of it. Abusive behavior of various kinds against WordPress systems is very common. The weak points are in most cases plugins, themes and outdated code in general. Many people think that the security of their websites is all about the hosting provider, firewalls and so on. That's true to some extent, but one of the most fundamental steps to better WordPress security is up to the end user. Take care of your site, update it regularly, and use only good plugins and themes. It's very important that you apply updates and fixes regularly. Also, use as few plugins as possible. If you are using only one theme, delete the ones that you don't use. If you use a theme downloaded from the internet, only use themes from reputable providers.

NGINX in combination with a good configuration and cache system can make your website lightning fast and super responsive. Memcached, Redis and OPcache are also great for optimizing your site; you definitely want to look into them too. The W3 Total Cache plugin is great and easy to configure. More about this another time.


© 2017 geegkytuts.net
Hosted by Hosterdam