Установка базового стека
# Base stack: nginx in front, PHP-FPM 8.4 behind a unix socket, a local MariaDB.
# The php8.4-* packages must match the socket path used later in the nginx config
# (/run/php/php8.4-fpm.sock). Package set is unchanged from the original.
apt update && apt upgrade -y
apt install -y \
  nginx \
  mariadb-server \
  php8.4-fpm php8.4-mysql php8.4-xml php8.4-curl php8.4-gd php8.4-mbstring php8.4-zip \
  unzip curl
Создание базы данных WordPress
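# Interactive hardening of the fresh MariaDB install: confirm the root auth method, remove
# the anonymous accounts, disallow remote root login, drop the test database and reload the
# privilege tables — answer yes to each prompt.
mysql_secure_installation
# The SQL statements that follow are typed into a root client. On Debian the MariaDB root
# account normally authenticates via unix_socket, so running this as root needs no password.
mysql -u root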
-- One dedicated database and one user that can only connect locally and only touch
-- that database (no rights on mysql.* or any other schema). Replace STRONG_PASSWORD
-- with a generated secret; the same value goes into DB_PASSWORD in wp-config.php.
CREATE DATABASE wp_example DEFAULT CHARACTER SET utf8mb4;
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'STRONG_PASSWORD';
GRANT ALL ON wp_example.* TO 'wp_user'@'localhost';
FLUSH PRIVILEGES;
Установка WordPress
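cd /var/www
# Fetch the archive together with the SHA-1 that wordpress.org publishes next to it and
# check it before unpacking into the web root. Both come from the same origin, so this
# catches a corrupt or truncated download, not a compromised origin. Stop if it prints FAILED.
wget https://wordpress.org/latest.zip
wget https://wordpress.org/latest.zip.sha1
printf '%s  latest.zip\n' "$(cat latest.zip.sha1)" | sha1sum -c -
unzip -q latest.zip
mv wordpress example-site.ru
rm -f latest.zip latest.zip.sha1
# PHP-FPM runs as www-data; owning the whole tree is what allows WP_AUTO_UPDATE_CORE to
# write updates. The trade-off: a code-execution bug in any plugin can then rewrite every
# file, so keep wp-config.php itself readable only by root and www-data (mode 640).
chown -R www-data:www-data /var/www/example-site.ru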
Конфигурация wp-config.php
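# The previous step leaves the shell in /var/www; wp-config-sample.php lives in the site root.
cd /var/www/example-site.ru
cp wp-config-sample.php wp-config.php
# The file holds the DB password and the auth salts. Created by root it would be 644
# (world-readable by every local account); root:www-data + 640 keeps it readable by
# PHP-FPM only. WordPress does not need write access to this file after setup.
chown root:www-data wp-config.php
chmod 640 wp-config.php
nano wp-config.php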
// Database connection — must match the CREATE DATABASE / CREATE USER statements above.
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'STRONG_PASSWORD' );   // the same generated secret used in CREATE USER
define( 'DB_HOST', 'localhost' );             // matches the 'wp_user'@'localhost' grant
SALT-ключи
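# Fetch fresh random keys/salts over HTTPS. -f makes an HTTP error fail loudly instead of
# printing an error page that could be pasted into wp-config.php by mistake.
# The values are generated on wordpress.org's side; if that is not acceptable, generate
# them locally (e.g. `openssl rand -base64 64` per constant) — any long random string works.
curl -fsS https://api.wordpress.org/secret-key/1.1/salt/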
Полностью заменить блок AUTH_KEY … NONCE_SALT в wp-config.php выводом этой команды.
Автообновления безопасности WordPress
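// 'minor' = security and maintenance releases only (x.y.Z); true would also pull major
// releases, false disables core auto-updates entirely. Updates are written by PHP-FPM,
// which is why the site tree is owned by www-data above.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
// Disable the theme/plugin file editor in wp-admin: with it enabled, any compromised
// admin session can write arbitrary PHP straight into the web root.
define( 'DISALLOW_FILE_EDIT', true );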
Конфигурация Nginx (HTTPS)
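server {
    server_name example-site.ru www.example-site.ru;
    root /var/www/example-site.ru;
    index index.php index.html;

    # Upload ceiling. The original 10G is far beyond anything WordPress needs and lets any
    # client stream multi-gigabyte request bodies at PHP-FPM; keep it in line with
    # upload_max_filesize / post_max_size in php.ini (raise all three together if needed).
    client_max_body_size 64M;

    # ACME http-01 challenge path. ^~ stops the regex search, so the dot-file deny below
    # cannot block certificate issuance/renewal for a path that starts with a dot.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Never hand files from the upload directory to PHP-FPM: a .php file that slipped past
    # upload filtering (or was dropped by a compromised plugin) must not execute.
    # Regex locations are tried in file order, so this stays above the generic \.php$ block.
    location ~* ^/wp-content/uploads/.*\.php$ {
        deny all;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.4-fpm.sock;
    }

    # Dot-files (.htaccess, .git, .env, …) are never served.
    location ~ /\. {
        deny all;
    }

    # These paths exist only after the certbot step has run; nginx refuses to load the
    # block until then. Obtain the certificate first, or start with `listen 80;` and let
    # certbot --nginx add the TLS directives itself.
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example-site.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example-site.ru/privkey.pem;
}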
Получение SSL-сертификата Let’s Encrypt
# Certbot's nginx plugin needs port 80 reachable from the internet for the http-01
# challenge and a server block whose server_name lists these hosts; it rewrites that
# block to add the TLS directives. --domains takes the same comma-separated list as
# repeated -d flags.
apt install -y certbot python3-certbot-nginx
certbot --nginx --domains example-site.ru,www.example-site.ru
Автопродление сертификата:
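# Debian's certbot package ships a systemd timer for renewal; --now starts it immediately
# instead of after the next reboot. The dry run exercises the whole renewal path
# (challenge + nginx reload hook) without touching the live certificate.
systemctl enable --now certbot.timer
certbot renew --dry-run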
Защита WordPress (рекомендованный минимум)
Закрыть xmlrpc.php
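# XML-RPC is the channel behind pingback amplification and system.multicall credential
# stuffing and is not used by the admin UI. An exact-match location has priority over the
# \.php$ regex, so the request never reaches PHP-FPM.
# Caveat: Jetpack, the WordPress mobile apps and some remote-publishing clients depend on
# xmlrpc.php — if you use them, allow-list their source addresses instead of deny all.
location = /xmlrpc.php {
    deny all;
}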
Ограничить wp-admin по IP
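# admin-ajax.php lives under /wp-admin/ but is called by front-end plugins and themes for
# anonymous visitors; an exact match wins over the ^~ prefix below, so it stays reachable.
location = /wp-admin/admin-ajax.php {
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php8.4-fpm.sock;
}

# Restrict the rest of the admin area by source address. Behind a reverse proxy or CDN
# nginx sees the proxy's address — configure the realip module first or this check is
# meaningless. wp-login.php is NOT under /wp-admin/ and stays public (see the rate limit).
location ^~ /wp-admin/ {
    allow 192.168.100.0/24;
    deny all;
    index index.php;
    # ^~ stops the outer regex search, so PHP handling must be repeated here;
    # the allow/deny rules above are inherited by this nested location.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php8.4-fpm.sock;
    }
}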
wp-login rate limit
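# Goes in the http {} context (e.g. /etc/nginx/nginx.conf) — limit_req_zone is not valid
# inside server {} and nginx will refuse to start if it is placed there.
limit_req_zone $binary_remote_addr zone=wp_login:10m rate=10r/m;

# Goes in the server {} block. The exact match wins over both the ^~ /wp-admin/ prefix and
# the \.php$ regex, so this is the only location handling wp-login.php. Behind a proxy/CDN
# $binary_remote_addr is the proxy's address and every visitor shares one bucket — set up
# the realip module first. Excess requests get 503 by default (limit_req_status changes it).
location = /wp-login.php {
    limit_req zone=wp_login burst=20 nodelay;
    include snippets/fastcgi-php.conf;
    fastcgi_pass unix:/run/php/php8.4-fpm.sock;
}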
Security Headers
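# Place in the server {} block. nginx's add_header is not additive across levels: any
# location {} that declares its own add_header drops all of these, so repeat them there
# if you ever add per-location headers.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# HSTS for 180 days. includeSubDomains commits every subdomain to HTTPS — drop it if any
# subdomain still serves plain HTTP. Emit this only from the 443 server block.
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;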
Fail2Ban для Nginx + WordPress
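# Debian starts fail2ban on install; enable --now is idempotent and covers images where it
# does not. Put the jail below in /etc/fail2ban/jail.local — jail.conf is overwritten on
# package upgrades — and verify afterwards with `fail2ban-client status nginx-wordpress`.
apt install -y fail2ban
systemctl enable --now fail2ban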
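# /etc/fail2ban/jail.local
[nginx-wordpress]
enabled  = true
filter   = nginx-wordpress
logpath  = /var/log/nginx/access.log
maxretry = 5
findtime = 10m
bantime  = 1h

# /etc/fail2ban/filter.d/nginx-wordpress.conf
# The jail references a filter named nginx-wordpress, but fail2ban ships none by that
# name; without this file the jail fails to start. A failed wp-login.php POST re-renders
# the form (HTTP 200) while a successful login redirects (302), so counting 200 responses
# to POST approximates failed attempts.
# NOTE(review): assumes nginx's default "combined" log format and stock WordPress login
# behaviour; behind a proxy/CDN <HOST> is the proxy address — confirm against access.log.
[Definition]
failregex = ^<HOST> -.*"POST /wp-login\.php(\?\S*)? HTTP/[0-9.]+" 200
ignoreregex =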
Скрытие версии WordPress (MU-plugin)
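# Use absolute paths: the install steps leave the shell in /var/www, where a relative
# wp-content/ would create the directory outside the site. Must-use plugins load
# unconditionally and cannot be deactivated from wp-admin. Created by root they stay
# root-owned, which is fine — WordPress only needs to read them.
mkdir -p /var/www/example-site.ru/wp-content/mu-plugins
nano /var/www/example-site.ru/wp-content/mu-plugins/hardening.php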
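<?php
/**
 * Plugin Name: Hardening
 * Description: Site hardening tweaks loaded as a must-use plugin (cannot be disabled from wp-admin).
 */

// Refuse direct web requests to this file: outside WordPress the functions below are
// undefined and the resulting fatal error could expose paths in the error output.
defined('ABSPATH') || exit;

// Drop the <meta name="generator"> tag from <head> and the generator string from feeds.
// This only hides the version from casual scanners; it is no substitute for keeping
// core updated (see WP_AUTO_UPDATE_CORE).
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');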
Разрешение загрузки .exe (только для администраторов)
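// Allow .exe uploads via the media library. Passing a role name to current_user_can()
// is discouraged by WordPress (roles can be renamed or have their capabilities changed),
// so test a capability instead — by default only administrators hold manage_options.
// Caveat: uploaded files live under wp-content/uploads and are served to anyone with the
// URL, so a compromised admin account turns the site into a binary distribution point;
// leave this filter out unless distributing .exe files is an explicit requirement.
add_filter('upload_mimes', function ($mimes) {
    if (current_user_can('manage_options')) {
        $mimes['exe'] = 'application/octet-stream';
    }
    return $mimes;
});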