• Resolved livingflame

    (@livingflame)


    Please fix this bug.

    yoursite.com/wp-content/plugins/all-in-one-wp-security-and-firewall/wp-security-core.php

    Fatal error: Call to undefined function get_option() in /home/username/public_html/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/wp-security-config.php on line 12

    Sample solution: put this code in wp-security-core.php:

    <?php error_reporting(0); //Turn off errors ?>
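    Added example, not code from the plugin or from this thread: the direct-access guard WordPress plugins conventionally put at the top of every PHP file, plus a small audit script that lists the files in a plugin directory that lack it. The demo directory tree it builds is constructed for the example and only borrows the two file names from the error message above; the file contents and the option name are invented.

```php
<?php
/*
 * When a plugin file is fetched straight from its URL, WordPress is not
 * loaded, ABSPATH is undefined, and the first call into the WordPress API
 * (get_option() in the error above) is a fatal error whose message carries
 * the absolute filesystem path. A file that exits before that call discloses
 * nothing, whatever the display_errors setting happens to be.
 *
 * The guard itself, placed at the top of every plugin PHP file:
 *
 *     if ( ! defined( 'ABSPATH' ) ) { exit; }
 */

/** True if $source contains a defined('ABSPATH') check anywhere. */
function has_abspath_guard( string $source ): bool {
    return (bool) preg_match( "/defined\s*\(\s*['\"]ABSPATH['\"]\s*\)/", $source );
}

/**
 * Walk $plugin_dir and return the relative paths of .php files without a guard.
 * Conservative on purpose: a class-only file is harmless today, but it will
 * leak the path the moment someone adds file-scope code to it.
 */
function files_missing_guard( string $plugin_dir ): array {
    $missing  = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $plugin_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        if ( strtolower( $file->getExtension() ) !== 'php' ) {
            continue;
        }
        $source = file_get_contents( $file->getPathname() );
        if ( $source !== false && ! has_abspath_guard( $source ) ) {
            // Strip the directory prefix and its trailing slash.
            $missing[] = substr( $file->getPathname(), strlen( $plugin_dir ) + 1 );
        }
    }
    sort( $missing );
    return $missing;
}

// Constructed demo tree (assumption: only the file names mirror the error
// message; the contents and 'demo_option' are invented for this example).
$dir = sys_get_temp_dir() . '/fpd-guard-demo-' . uniqid();
mkdir( "$dir/classes", 0700, true );
file_put_contents(
    "$dir/wp-security-core.php",
    "<?php\nif ( ! defined( 'ABSPATH' ) ) { exit; }\n\$opt = get_option( 'demo_option' );\n"
);
file_put_contents(
    "$dir/classes/wp-security-config.php",
    "<?php\n\$cfg = get_option( 'demo_option' ); // file-scope API call, no guard\n"
);

foreach ( files_missing_guard( $dir ) as $path ) {
    echo "missing ABSPATH guard: $path\n";
}
```

Run it with the PHP CLI; on the demo tree it reports the unguarded class file and passes the guarded core file. Pointing `$dir` at a real plugin directory gives the list of files to fix. The guard is preferable to `error_reporting(0)` because it stops the file before any WordPress API call is reached, so no error exists to be hidden.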

Viewing 3 replies - 16 through 18 (of 18 total)
  • Thread Starter livingflame

    (@livingflame)

    Sharing code. See Headers, SQL, WP Includes, WP Admin and Uploads. If you want, you can add these to your next update.

    Protect wp-admin directory, .htaccess in wp-admin:

    # First protect this htaccess
    <Files .htaccess>
    Order Allow,Deny
    Deny from all
    </Files>

    # Static assets and admin-ajax.php stay reachable for every visitor, since
    # front-end features depend on them; Satisfy Any also keeps them open if
    # Basic auth is later added to this directory.
    <FilesMatch "\.(css|js|jpg|jpeg|gif|png)$">
      Order Allow,Deny
      Allow from All
      Satisfy Any
    </FilesMatch>

    <Files admin-ajax.php>
      Order Allow,Deny
      Allow from All
      Satisfy Any
    </Files>

    # Protect wp-admin by IP Address
    # 00.0.00.00 is a placeholder: replace it with your own (static) address.
    # This is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it,
    # or the equivalent "Require ip ..." / "Require all denied" directives.
    Order Deny,Allow
    Allow from 00.0.00.00
    Deny from all


    Protect uploads with this, .htaccess in uploads directory:

    # First protect this htaccess
    <Files .htaccess>
    Order Allow,Deny
    Deny from all
    </Files>

    # Secure uploads directory: deny every file by default, then re-allow only
    # the media types that should be served. Access control runs before the
    # handler phase, so a PHP file dropped into uploads is never executed.
    # Extend the list below for any other upload types your site serves.
    <Files ~ ".*\..*">
        Order Allow,Deny
        Deny from all
    </Files>
    <FilesMatch "\.(jpg|jpeg|jpe|gif|png|pdf|mp4|mpeg|mp3)$">
        Order Deny,Allow
        Allow from all
    </FilesMatch>

    This code for uploads is useful if you are using BuddyPress or bbPress + rtMedia (or whatever media uploader for users).

    • This reply was modified 8 years, 2 months ago by livingflame.
    Thread Starter livingflame

    (@livingflame)

    FULL HEADERS:

    # Protect Headers and
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options nosniff
    # "set" rather than "append": append joins a second value with a comma,
    # which is not valid for X-Frame-Options.
    Header always set X-Frame-Options SAMEORIGIN
    # Header Content-Security-Policy: standard header name and syntax. The
    # pre-standard X-Content-Security-Policy "allow 'self';" form is ignored by
    # current browsers. WordPress admin and many themes rely on inline scripts
    # and styles, so test this policy before enforcing it.
    Header set Content-Security-Policy "default-src 'self';"

    OTHER CODE:

    # Tell the browser to attempt the HTTPS version first.
    # Send HSTS only on HTTPS responses (mod_ssl sets the HTTPS env var);
    # "set" instead of "add" avoids emitting the header twice.
    Header always set Strict-Transport-Security "max-age=157680000" env=HTTPS

    # Disable server signature. These are server directives, not response
    # headers: "Header set ServerSignature" would only add a bogus header.
    ServerSignature Off
    # ServerTokens is only valid in the main server config (httpd.conf),
    # not in .htaccess:
    # ServerTokens Prod

    # Control Cross-Domain Policies
    Header set X-Permitted-Cross-Domain-Policies "master-only"
    
    Thread Starter livingflame

    (@livingflame)

    Hey! How are you?
    Please check this.
    https://www.ads-software.com/plugins/wp-hide-security-enhancer/

    (@chesio)

  • The topic ‘All In One Vulnerability: Full Path Disclosure’ is closed to new replies.