The following commands will allow you to configure individual websites on an as needed basis to easily increase their security.
This includes blocking xmlrpc, load-scripts.php, php executing in wp content, block comments, block links opml, block trackbacks, and block the wp-admin upgrade and install file.
SSH into your server
To run them, you will need to SSH into your server. See the following guides to get started:
Generate your SSH Key:
Generate SSH Key on Windows with Putty
Generate SSH Key on Windows with Windows Subsystem for Linux
Generate SSH Key on Windows with Windows CMD/PowerShell
Add your SSH Key to GridPane:
Add/Remove an SSH Key to/from an Active GridPane Server
Connect to your server:
Connect to a GridPane server by SSH as Root user.
Configure your WordPress sites with GP CLI Commands
Enable/Disable XML RPC
WordPress has a file named xmlrpc.php. It’s really a legacy feature that allowed you to login and interact with your site by remote, enabling data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism. It was the WordPress API before the REST API, except far less useful or secure.
And in recent years it has become a real pest – being the primary target for malicious Bots to overload your server.
By default, XML-RPC is active on your WordPress sites. If you aren’t using it, you should disable it, but if you do this at the WordPress level only, then your server can still be overloaded with requests that go nowhere. Instead, let’s drop it at the Nginx level.
This CLI command creates the following include:
/var/www/{site.url}/nginx/disable-xmlrpc-main-context.confWhich contains Nginx configurations to:
– Deny Access to the xmlrpc.php
– Removes the X-Pingback header that WordPress adds
Disable XML-RPC with:
gp site {site.url} -disable-xmlrpcEnable it again with:
gp site {site.url} -enable-xmlrpcEnable/Disable Concatenating Load Scripts
WordPress has a feature that concatenates WP-Admin JS and CSS. While this may seem innocuous there are circumstances where this could be used to DoS a server, and in the age of HTTP/2 multiplexing, it isn’t really necessary.
More details can be found regarding CVE-2018-6389 here.
And a nice article by Bjørn Johanse regarding it here.
This CLI command creates the following include:
/var/www/{site.url}/nginx/disable-load-scripts-concatenation-main-context.confWhich contains Nginx configurations to:
– Deny access to ../wp-admin/load-scripts.php
– Deny access to ../wp-admin/load-styles.php
It also definest the following constant in your wp-config.php:
define('CONCATENATE_SCRIPTS', false);Enable with:
gp site {site.url} -disable-concatenate-load-scriptsDisable with:
gp site {site.url} -enable-concatenate-load-scriptsBlock/Unblock direct PHP script execution from wp-content and subdirectories.
Best practice should dictate that all WordPress PHP scripts are called directly by WordPress from within the loop. Assuming best practice is followed you can block PHP execution from all wp-content subdirectories with these CLI commands.
We already block php execution from wp-content/uploads/* so the recent zero day Elementor vulnerabilities would have been mitigated by default, but this command takes things one step further and will also disable direct PHP script execution from the web for any files within any plugin or mu-plugin.
Please be aware, some plugins actually want you to directly call from the web with cronjobs etc. Please ensure if you do so, to use the correct system user for the cronjob to ensure that sites remain isolated by PHP user.
If any plugin you use is allowing direct calling of a PHP script from within a plugin by third party web services – as opposed to using the recommended REST API methods to access WordPress, then the scripts will be being executed by the www-data server user, and will likewise not be isolated.
This CLI command creates the following include:
/var/www/{site.url}/nginx/disable-wp-content-php-main-context.confWhich contains Nginx configurations to:
– Deny access to ../wp-content/*.php
Block with:
gp site {site.url} -block-wp-content.phpUnblock with:
gp site {site.url} -unblock-wp-content.phpBlock/Unblock WordPress commenting.
Many WordPress sites are static and do not need commenting. You can disable commenting in WordPress, but you will still likely find some bots attempting to request your wp-comments-post.php root file.
If your site doesn’t require comments to be enabled, then it makes sense to drop requests to this file directly at the Nginx level.
This CLI command creates the following include:
/var/www/{site.url}/nginx/disable-wp-comments-post-main-context.confWhich contains Nginx configurations to:
– Deny Access to the wp-comments-post.php
Block with:
gp site {site.url} -block-wp-comments-post.phpUnblock with:
gp site {site.url} -unblock-wp-comments-post.phpBlock/Unblock WordPress OPML Links functionality
WordPress allows links to be imported or exported using the OPML format via the wp-links-opml.php file. Hitting this page presents an XML output and details of your WordPress installation. Somebad bots will try this page when exploring your site for information. If you are not using this feature, then we may as well disable it at the Nginx level.
This CLI command creates the following include:
/var/www/{site.url}/nginx/disable-wp-links-opml-main-context.confWhich contains Nginx configurations to:
– Deny Access to the wp-links-opml.php
Block with:
gp site {site.url} -block-wp-links-opml.phpUnblock with:
gp site {site.url} -unblock-wp-links-opml.phpBlock/Unblock wp-trackbacks.php
WordPress has a built in mechanism to allow trackbacks, notifications on your posts that someone has linked to them. Unfortunately trackbacks have, in the past, led to several MySQL injection vulnerabilities and if unguarded can lead to a lot of Spam. If you are not using this feature, then we may as well disable it at the Nginx level.
This CLI command creates the following include:
/var/www/{site.url}/nginx/disable-wp-trackbacks-main-context.confWhich contains Nginx configurations to:
– Deny Access to the wp-trackback.php
Block with:
gp site {site.url} -block-wp-trackbacks.phpUnblock with:
gp site {site.url} -unblock-wp-trackbacks.phpBlock/Unblock upgrade.php
This WordPress core file is used to manage upgrades of core. You can disable access to this file at the Nginx Level. Just remember to unblock whenever you need access to this file to upgrade. It is often used by Bots to identify a site as WordPress.
This CLI command creates the following include:
/var/www/{site.url}/nginx/block-upgrade-main-context.confWhich contains Nginx configurations to:
– Deny Access to the ../wp-admin/upgrade.php
Block with:
gp site {site.url} -block-upgrade.phpUnblock with:
gp site {site.url} -unblock-upgrade.phpBlock/Unblock install.php
This WordPress core file is used to install WordPress, but since we do that for you then is there any need? It is also used by Bots to identify a site as WordPress. If you aren’t needing to install WordPress, then you can disable it at the Nginx level. Sometimes during the management of your server, you might use this file for reinstalling WordPress, depending how you go about things, in such a case please remember to unblock the file.
This CLI command creates the following include:
/var/www/{site.url}/nginx/block-install-main-context.confWhich contains Nginx configurations to:
– Deny Access to the ../wp-admin/install.php
Block with:
gp site {site.url} -block-install.phpUnblock with:
gp site {site.url} -unblock-install.phpBETA CLI functions
The following functions are Beta and should not be used on any production server, but if you wish to help test them then they are provided for your use. They each have integrations beyond just Nginx and include some MU Plugin functionality.
These really are beta, you have been warned.
Disable Emoji
Disable with:
gp site {site.url} -disable-emojiRenable with:
gp site {site.url} -enable-emojiDisable RSS
Disable with:
gp site {site.url} -disable-rssRenable with:
gp site {site.url} -enable-rssDisable Username Enumeration
Disable with:
gp site {site.url} -disable-username-enumRenable with:
gp site {site.url} -enable-username-enumBlock WP Scan Agent
Disable with:
gp site {site.url} -block-wpscan-agentRenable with:
gp site {site.url} -unblock-wpscan-agentBlock WP Version
Disable with:
gp site {site.url} -disable-wp-versionRenable with:
gp site {site.url} -enable-wp-version