Ambiente avaliado: Debian 11 + PHP7.4 + NGINX + Wordpress 5.8.2
# apt install nginx mariadb-server php7.4 php7.4-cli php7.4-fpm php7.4-mysql php7.4-json php7.4-opcache php7.4-mbstring php7.4-xml php7.4-gd php7.4-curl vim ssh ntpdate
# mysql -u root -p
> CREATE DATABASE WordPress CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;
> -- 'senha' is a placeholder: set a long, random password used only by this account.
> -- The account is limited to connections from localhost and to the WordPress schema.
> GRANT ALL ON WordPress.* TO WordPressUser@'localhost' IDENTIFIED BY 'senha';
> FLUSH PRIVILEGES;
> exit
# mkdir /resource
# cd /resource
# systemctl stop mariadb.service
# mv /var/lib/mysql /resource
# vi /etc/mysql/mariadb.conf.d/50-server.cnf
datadir = /resource/mysql
skip-name-resolve
# systemctl start mariadb.service
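# cd /resource
# wget https://br.wordpress.org/latest-pt_BR.tar.gz
# tar zvxf latest-pt_BR.tar.gz
# chown -R www-data:www-data wordpress/    # user:group form ("user.group" is deprecated); www-data owning the tree lets WordPress update itself, and lets any code running as www-data rewrite it
# find /resource/wordpress -type d -exec chmod 755 {} +    # directories: traversable, writable only by the owner
# find /resource/wordpress -type f -exec chmod 644 {} +    # files: no execute bit and no group write, unlike a blanket 775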
# vi /etc/nginx/sites-available/wordpress.conf
# Plain-HTTP virtual host serving the WordPress tree in /resource/wordpress.
server {
    listen 80;
    server_name www.domain.com;

    root /resource/wordpress;
    index index.php;

    # log files
    access_log /var/log/nginx/wordpress.access.log;
    error_log /var/log/nginx/wordpress.error.log;

    # Requested constantly by browsers and crawlers; keep both out of the logs.
    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location = /robots.txt {
        allow all;
        access_log off;
        log_not_found off;
    }

    # Serve an existing file or directory, otherwise pass the request to
    # WordPress' index.php together with the original query string.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP requests go to the PHP-FPM 7.4 pool over its unix socket.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    }

    # Static assets: far-future expiry, and no error-log entry when one is missing.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
        expires max;
        log_not_found off;
    }
}
# ln -s /etc/nginx/sites-available/wordpress.conf /etc/nginx/sites-enabled/wordpress.conf
# rm /etc/nginx/sites-enabled/default
Ajuste o php.ini
# vi /etc/php/7.4/fpm/php.ini
; Largest single uploaded file PHP accepts.
upload_max_filesize = 128M
; Largest request body PHP accepts; it has to be at least upload_max_filesize.
; NOTE(review): no client_max_body_size appears in the nginx configuration on
; this page; nginx's default is 1m, so larger uploads are refused by nginx
; (413) before PHP sees them unless that directive is raised as well.
post_max_size = 128M
; Per-request memory ceiling for a PHP script.
memory_limit = 256M
; Seconds a script may run / may spend parsing input before PHP aborts it.
; NOTE(review): 300 s together with 128M bodies lets one slow request hold a
; PHP-FPM worker for minutes; confirm the site needs limits this generous.
max_execution_time = 300
max_input_time = 300
# systemctl restart nginx.service php7.4-fpm.service
Acesse via interface web http://site.domain.com
Insira os campos de conexão à base de dados
Obs.: Tenha atenção para as letras maiúsculas
# Redirect HTTP -> HTTPS
server {
    listen 80;
    server_name www.sample.com sample.com;

    # NOTE(review): a server-level "return" is evaluated before nginx selects a
    # location, so any location this snippet defines is presumably never
    # reached in this block. The snippet is not shown on this page; confirm
    # that certificate renewal still works through the redirect.
    include snippets/letsencrypt.conf;

    # Permanent redirect to the canonical HTTPS host, keeping path and query string.
    return 301 https://sample.com$request_uri;
}
# Redirect WWW -> NON-WWW
server {
    listen 443 ssl http2;
    server_name www.sample.com;

    # Certificate files from the sample.com lineage.
    # NOTE(review): the certificate presumably lists www.sample.com as well;
    # if it does not, browsers show a certificate error before the redirect
    # is ever delivered. Confirm.
    ssl_certificate_key /etc/letsencrypt/live/sample.com/privkey.pem;
    ssl_certificate /etc/letsencrypt/live/sample.com/fullchain.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/sample.com/chain.pem;
    include snippets/ssl.conf;

    # Permanent redirect to the bare domain, keeping path and query string.
    return 301 https://sample.com$request_uri;
}
# Main HTTPS virtual host for sample.com, serving /resource/wordpress.
# The closing brace of this block is not shown on the page; the hardening
# directives listed after it appear to be meant for this block. Confirm.
server {
# NOTE(review): the listen directive is commented out. Without one nginx uses
# its default (port 80 when started as root), so this block would not serve
# HTTPS and would compete with the port-80 redirect server for sample.com.
# Confirm, and enable it once the certificate files exist.
#listen 443 ssl http2;
server_name sample.com;
root /resource/wordpress;
index index.php;
# SSL parameters
ssl_certificate /etc/letsencrypt/live/sample.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sample.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/sample.com/chain.pem;
# Both snippets are site-local files that this page does not show.
include snippets/ssl.conf;
include snippets/letsencrypt.conf;
# vi /etc/nginx/sites-available/wordpress.conf
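# Hardening directives for the WordPress server block. nginx uses the first
# regex location that matches, in file order, so the locations below have to
# be placed before the generic "location ~ \.php$" block to take effect.

# Never generate directory listings.
autoindex off;

# XML-RPC: reachable from one trusted address only, denied to everyone else.
# 172.0.1.1 is the page's sample value; replace it with the host that needs it.
location ~* /xmlrpc\.php$ {
    allow 172.0.1.1;
    deny all;
    # Without a FastCGI handler in this location an allowed client would get
    # the PHP file as a static download instead of having it executed.
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}

# Only GET and POST are accepted; any other method gets 444, i.e. nginx
# closes the connection without sending a response.
# NOTE(review): HEAD and OPTIONS are rejected too, which affects uptime
# monitors and possibly REST calls made by the editor. Confirm this is intended.
if ($request_method !~ ^(GET|POST)$ ) {
    return 444;
}

# No PHP execution from the upload/content/include trees: a script dropped
# there through an upload or a vulnerable plugin must not run over HTTP.
# NOTE(review): "access_log off" also hides these blocked attempts from the
# access log; consider keeping the log here if probes should stay visible.
location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

# Version-control metadata, Apache .ht* files and PHP's per-directory
# .user.ini must never be served.
location ~ /\.(svn|git)/* {
    deny all;
    access_log off;
    log_not_found off;
}
location ~ /\.ht {
    deny all;
    access_log off;
    log_not_found off;
}
location ~ /\.user\.ini {
    deny all;
    access_log off;
    log_not_found off;
}

# Comment-spam filter: reject a POST to wp-comments-post.php whose Referer is
# neither this site nor Jetpack's comment form. The three flags are joined
# into one string because an nginx "if" cannot AND several conditions.
# The Referer header is set by the client, so this stops only naive bots.
# "site\.com" is the page's sample value; it must be changed to the real
# domain, otherwise every comment submission is rejected.
set $comment_flagged 0;
set $comment_request_method 0;
set $comment_request_uri 0;
set $comment_referrer 1;
if ($request_method ~ "POST") {
    set $comment_request_method 1;
}
if ($request_uri ~ "/wp-comments-post\.php$") {
    # The URI match sets the URI flag, not the method flag, so the three
    # conditions are tracked independently.
    set $comment_request_uri 1;
}
if ($http_referer !~ "^https?://(([^/]+\.)?site\.com|jetpack\.wordpress\.com/jetpack-comment)(/|$)") {
    set $comment_referrer 0;
}
set $comment_flagged "${comment_request_method}${comment_request_uri}${comment_referrer}";
# method=1, uri=1, referrer=0 (foreign or missing Referer) is the case to block.
if ($comment_flagged = "110") {
    return 403;
}

# Throttle login attempts per client address. The WPRATELIMIT zone has to be
# declared with limit_req_zone in the http context. The FastCGI handler is
# repeated here because this location, once selected, is the only one applied.
location ~ /wp-login\.php$ {
    limit_req zone=WPRATELIMIT;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}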
# vi /etc/nginx/conf.d/limit_request.conf
# Shared-memory zone WPRATELIMIT (10m), keyed by the client address in binary
# form, allowing an average of 2 requests per second per key.
# limit_req_zone is valid only in the http context; presumably conf.d/*.conf
# is included from the http block of nginx.conf. Confirm.
# NOTE(review): behind a reverse proxy or CDN, $binary_remote_addr is the
# proxy's address and all visitors would share one bucket.
limit_req_zone $binary_remote_addr zone=WPRATELIMIT:10m rate=2r/s;
# vi /etc/nginx/nginx.conf
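http {
    ...
    ##
    # Security
    ##
    # add_header set here is inherited only by server/location blocks that
    # declare no add_header of their own; a block that adds any header has to
    # repeat the ones it still needs.

    # NOTE(review): this policy allows every https: origin plus
    # 'unsafe-inline' and 'unsafe-eval', so it does little against script
    # injection. Tighten it to the origins the site really loads from once
    # the theme and plugins have been tested.
    add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

    # HSTS for one year. "always" sends it on error responses as well, like
    # the other headers here. includeSubdomains commits every subdomain to HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;

    # Legacy header: current browsers no longer ship the XSS filter it controls.
    add_header X-Xss-Protection "1; mode=block" always;

    # Framing allowed from the same origin only (clickjacking protection).
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Stop browsers from guessing a content type other than the declared one.
    add_header X-Content-Type-Options "nosniff" always;

    # Cross-origin requests receive only the origin, not the full URL.
    add_header Referrer-Policy "origin-when-cross-origin" always;

    # TLS session cache shared between workers, entries kept for 10 minutes.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    ##Hide the nginx version.
    server_tokens off;

    ##Hide the PHP version.
    fastcgi_hide_header X-Powered-By;
    proxy_hide_header X-Powered-By;
}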
# nginx -t
# systemctl restart nginx.service php7.4-fpm.service
#default-src 'self' https://*.google-analytics.com https://*.googleapis.com https://*.gstatic.com https://*.gravatar.com https://*.w.org data: 'unsafe-inline' 'unsafe-eval';
#default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';
#location ~ ^/(?!(blog)/?) {
# deny all;
# access_log off;
# log_not_found off;
#}