Hello,
I've been using Hestia for 2 months and I really like it, but I've been having problems with WordPress and conf files that need to use .htaccess.
My installation was nginx+php-fpm and I would like to change it to nginx+apache+php-fpm so I can use .htaccess.
From what I read in other topics, it is always recommended to reinstall the entire system, but I found a topic talking about using the migrate_ngnix_apache_nginx-php-fpm.sh file to convert from apache+nginx to nginx+php_fpm.
So I ask: couldn't I use this file to do the reverse and change to nginx+apache+php_fpm?
Could the parameters below be changed for this to happen?
Remove apache2 from config
sed -i "/^WEB_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SSL/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SSL_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_RGROUPS/d" $HESTIA/conf/hestia.conf
sed -i "/^WEB_SYSTEM/d" $HESTIA/conf/hestia.conf
Remove nginx(proxy) from config
sed -i "/^PROXY_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^PROXY_SSL_PORT/d" $HESTIA/conf/hestia.conf
sed -i "/^PROXY_SYSTEM/d" $HESTIA/conf/hestia.conf
So in theory, if I set this information and manually follow the configuration steps that start at #-------------------------------------------------#
.htaccess in 2023 is, in my personal opinion, extremely bad practice.
Can you please upload the .htaccess so we can check what exactly is required to be changed? Maybe we can help you with an nginx template for the setting that you're looking for.
Switching from very fast nginx + php-fpm to very slow apache is a bad move in my opinion.
I totally agree. That's why I installed the server only with nginx.
But I'm having some problems with two sites, which use a lot of plugins in WordPress. Another bad practice, but we won't waste time here. And users complain about the lack of .htaccess support.
I already thought about setting up another server with just apache+nginx for these cases.
An example of .htaccess is below; it seems to be something specific that the user wants to use, or they are just pointing this out as a problem. The site works normally, but the user says no. Before, the website was on cPanel hosting.
This is my personal opinion.
Please do not use that crap. This is not about security. It's obscurity.
That you can do manually with nginx and location rules:
Changing the logic of the admin panel page.
Adding a captcha on that page.
Restricting the maximum connections to this page location.
Turning off comments completely via a plugin for WP.
Properly finding a good WordPress nginx config.
If you want protection against attacks/hacks, do not use nulled or old unknown plugins/themes. Use some kind of professional WAF in front of your website: Naxsi/OWASP WAF for apache, or nginx, etc. Or purchase the Sucuri WAF.
As I said, I think it's more the developer's implication with the nginx environment.
On Hestia I already created a template for WordPress that uses 7G Firewall (7G Firewall | Perishable Press).
I have a CloudLinux server with WP Toolkit applied on some clients.
The security settings, which are used in nginx and apache and which I adapted into a new template for WordPress in Hestia:
nginx
# "Block access to wp-config.php"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* wp-config.php { deny all; }
# "Block access to xmlrpc.php"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* xmlrpc.php { deny all; }
# "Forbid execution of PHP scripts in the wp-content/uploads directory"
# To remove this rule, revert this security measure for WordPress installation #110
location ~* "^(?:/)wp-content/uploads/.*\.php" { deny all; }
# "Forbid execution of PHP scripts in the wp-includes directory"
# To remove this rule, revert this security measure for WordPress installation #110
location ~* "^(?:/)wp-includes/(?!js/tinymce/wp\-tinymce\.php$).*\.php" {
deny all;
}
# "Block author scans"
# To remove this rule, revert this security measure for WordPress installation #110
if ($query_string ~ "author=\d+") {
rewrite "^/(?!wp-admin/)" "/fake-author-scan" last;
}
# "Disable PHP execution in cache directories"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* ".*/cache/.*\.ph(?:p[345]?|t|tml)" {
access_log off;
log_not_found off;
deny all;
}
# "Block author scans"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location = /fake-author-scan {
internal;
deny all;
}
# "Block access to sensitive files"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* "(?:wp-config\.bak|\.wp-config\.php\.swp|(?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|htm|html))" {
return 403;
}
# "Block access to potentially sensitive files"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* ".*\.(?:psd|log|cmd|exe|bat|csh|ini|sh)$" {
return 403;
}
# "Block access to .htaccess and .htpasswd"
# To remove this rule, revert this security measure on each WordPress installation on this domain
location ~* /\.ht {
deny all;
}
# "Enable bot protection"
# To remove this rule, revert this security measure on each WordPress installation on this domain
if ($http_user_agent ~* "(?:acunetix|BLEXBot|domaincrawler\.com|LinkpadBot|MJ12bot/v|majestic12\.co\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\s+Link\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)") {
return 403;
}
# WordPress permalink
# To remove this rule, add "wordpressPermalinkHandlingFeature = false" in the [ext-wp-toolkit] section of panel.ini
# then reconfigure the current domain
set $sef_entry_point /;
if ($uri ~* "^/") {
set $sef_entry_point "/index.php?$args";
}
location @wpt_permalinks_fallback {
try_files $uri $sef_entry_point;
}
error_page 404 = @wpt_permalinks_fallback;
error_page 405 = @wpt_permalinks_fallback;
apache
# "Block access to wp-config.php"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<Files wp-config.php>
Require all denied
</Files>
# "Block access to xmlrpc.php"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<Files xmlrpc.php>
Require all denied
</Files>
# "Forbid execution of PHP scripts in the wp-content/uploads directory"
# To remove this rule, revert this security measure for WordPress installation #110
<Directory "/home/client/public_html/wp-content/uploads">
<FilesMatch \.php$>
Require all denied
</FilesMatch>
</Directory>
# "Forbid execution of PHP scripts in the wp-includes directory"
# To remove this rule, revert this security measure for WordPress installation #110
<IfModule mod_rewrite.c>
<Directory "/home/client/public_html/wp-includes">
<FilesMatch \.php$>
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !^/home/client/public_html/wp\-includes/js/tinymce/wp\-tinymce\.php$ [NC]
RewriteRule .* - [NC,F,L]
</FilesMatch>
</Directory>
</IfModule>
# "Block author scans"
# To remove this rule, revert this security measure for WordPress installation #110
<IfModule mod_rewrite.c>
<Directory "/home/client/public_html">
RewriteEngine on
RewriteCond %{QUERY_STRING} author=\d+
RewriteCond %{REQUEST_FILENAME} !^/home/client/public_html/wp\-admin/ [NC]
RewriteRule .* - [F,L]
</Directory>
</IfModule>
# "Block access to sensitive files"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<LocationMatch "(?i:(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html)))">
Require all denied
</LocationMatch>
# "Block access to potentially sensitive files"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<LocationMatch ".+\\.(?i:psd|log|cmd|exe|bat|csh|ini|sh)$">
Require all denied
</LocationMatch>
# "Disable PHP execution in cache directories"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<LocationMatch "(?i:.*/cache/.*\\.ph(?:p[345]?|t|tml))">
Require all denied
</LocationMatch>
# "Block access to .htaccess and .htpasswd"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<FilesMatch ^(?i:\.ht.*)$>
Require all denied
</FilesMatch>
# "Enable bot protection"
# To remove this rule, revert this security measure on each WordPress installation on this domain
<IfModule mod_rewrite.c>
<Directory "/home/client/public_html">
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)" [NC]
RewriteRule .* - [F,L]
</Directory>
</IfModule>
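Added example (not part of the thread, and not Hestia's or WP Toolkit's code): a small Python model of the nginx rules posted above, so you can check which requests the template blocks and which it lets through before deploying it. It approximates nginx's evaluation order (server-level `if` blocks in the rewrite phase, in file order; then the exact-match location; then regex locations in file order, first match wins). nginx matches these rules against the normalized, percent-decoded `$uri`, so pass decoded paths. The regexes are copied from the template; the function name `decide`, the rule labels and the sample requests are mine.

```python
import re

# Regex locations copied from the nginx template above, in file order.
# nginx "~*" is case-insensitive and unanchored, hence re.I and .search().
REGEX_LOCATIONS = [
    ("wp-config.php", re.compile(r"wp-config.php", re.I)),
    ("xmlrpc.php", re.compile(r"xmlrpc.php", re.I)),
    ("uploads php", re.compile(r"^(?:/)wp-content/uploads/.*\.php", re.I)),
    ("wp-includes php", re.compile(r"^(?:/)wp-includes/(?!js/tinymce/wp\-tinymce\.php$).*\.php", re.I)),
    ("cache php", re.compile(r".*/cache/.*\.ph(?:p[345]?|t|tml)", re.I)),
    ("sensitive files", re.compile(
        r"(?:wp-config\.bak|\.wp-config\.php\.swp|(?:readme|license|changelog|-config|-sample)\.(?:php|md|txt|htm|html))", re.I)),
    ("potentially sensitive", re.compile(r".*\.(?:psd|log|cmd|exe|bat|csh|ini|sh)$", re.I)),
    ("dot-ht files", re.compile(r"/\.ht", re.I)),
]

# Server-level "if" blocks from the template ("~" is case-sensitive, "~*" is not).
AUTHOR_SCAN_QUERY = re.compile(r"author=\d+")
NOT_WP_ADMIN = re.compile(r"^/(?!wp-admin/)")
BAD_USER_AGENT = re.compile(
    r"(?:acunetix|BLEXBot|domaincrawler\.com|LinkpadBot|MJ12bot/v|majestic12\.co\.uk|AhrefsBot|TwengaBot|"
    r"SemrushBot|nikto|winhttp|Xenu\s+Link\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)",
    re.I)


def decide(path, query="", user_agent=""):
    """Return (status, rule) for a request: status is "403", "404" or "pass".

    "pass" means no blocking rule matched; nginx would go on to serve the file
    or hand the request to PHP-FPM (a 404 then falls back to @wpt_permalinks_fallback).
    """
    uri, rewritten = path, False
    # Rewrite phase at server level, in file order. "rewrite ... last" stops
    # the remaining rewrite-module directives and restarts location matching,
    # so the bot check only runs when the author-scan rewrite did not fire.
    if AUTHOR_SCAN_QUERY.search(query) and NOT_WP_ADMIN.search(uri):
        uri, rewritten = "/fake-author-scan", True
    elif BAD_USER_AGENT.search(user_agent):
        return ("403", "bot protection")
    # The exact-match location takes priority over all regex locations.
    if uri == "/fake-author-scan":
        # "internal": reachable only through the rewrite; a direct request gets 404.
        return ("403", "author scan") if rewritten else ("404", "internal location")
    # Regex locations: the first match in file order wins.
    for name, rx in REGEX_LOCATIONS:
        if rx.search(uri):
            return ("403", name)
    return ("pass", "")


if __name__ == "__main__":
    # Constructed sample requests: (decoded path, query string, User-Agent).
    samples = [
        ("/wp-config.php", "", ""),
        ("/WP-CONFIG.PHP", "", ""),
        ("/wp-content/uploads/2023/shell.php", "", ""),
        ("/wp-includes/js/tinymce/wp-tinymce.php", "", ""),
        ("/wp-includes/load.php", "", ""),
        ("/", "author=1", ""),
        ("/wp-admin/users.php", "author=1", ""),
        ("/fake-author-scan", "", ""),
        ("/index.php", "", "python-requests/2.31"),
        ("/wp-content/plugins/example/admin-config.php", "", ""),
        ("/wp-content/cache/page.phtml", "", ""),
        ("/.htaccess", "", ""),
        ("/debug.log", "", ""),
        ("/wp-content/uploads/2023/photo.jpg", "", ""),
    ]
    for p, q, ua in samples:
        print(f"{p:48} {q:10} -> {decide(p, q, ua)}")
```

Two things the run makes visible: the `wp-includes` rule really does exempt `wp-tinymce.php` while blocking every other PHP file under that directory, and the "sensitive files" regex is unanchored, so any file whose name ends in `-config.php` or `-sample.php`, such as a plugin's own `admin-config.php`, is also blocked. Check your plugins against the second behaviour before rolling the template out.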
As a guy from the MMORPG/online games scene, where all my games are targets of DDoS/hacks/etc., I wish to add a few cents and recommendations; you can follow or ignore them.
Your best friend: goaccess & instant notification & debug/profiler tools.
Usually this is more than enough to identify & prevent any hack attempts. Most of them (I do talk about 99%) have the same scenario and idea in the background.
Some big slice of hacks: auto-scans for a plugins list with pre-defined URI paths.
If you have your own website, or just a few websites that must run long-term, try to switch wp-content to something neutral. But make sure that all your plugins are compatible with this switch.
Such a stupid, very stupid method totally breaks auto-scanners.
Because they get 404/403 errors while scanning in auto mode, and do not launch any other queries to your server.
The most dangerous queries that you can filter at your web server are related to SQL commands:
SELECT, INSERT, UPDATE, INTO OUTFILE, etc.
But this is some kind of paranoia stuff.
php-fpm pools per website with the correct user & a chrooted folder of the PATH where the website is stored, with proper user ACLs.
Disable several of the most dangerous PHP functions.
Use goaccess to analyze what is going on.
Sometimes obscurity works, especially for big things like WP.
Notifications for what is going on (related to logs) can solve & prevent tons of attempts to hack your website. From time to time just compress logs, remove duplicates, and try to analyze the methods by which someone tried to hack your app.
But all of that works only on a single website. For a single website. This is my personal experience. My own; I do not advise you to do like me. Just try to build your own strategy. It's hard, but once you've done it, you've done it for a long time.
I dunno how to organize/scale all of that for all types of apps… Really. Each app is individual.
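Added example (my own, not from the thread): the log-based notification idea above, as a Python script that parses nginx combined-format access log lines and flags clients producing a burst of 403/404 responses on plugin/theme/include paths, which is the auto-scanner signature the post describes. The log lines (documentation-range IPs, fictional plugin names), the `threshold`/`window` defaults and the function name `find_scanners` are constructed for the example; tune the defaults to your traffic and feed the result to whatever notification channel you already use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log format; the time field carries its zone, parsed with %z.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths that auto-scanners enumerate; a 403/404 here is the signal described above.
PROBE_PREFIXES = ("/wp-content/plugins/", "/wp-content/themes/", "/wp-includes/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_probe_errors} for clients that produced at least
    `threshold` 403/404 responses on probe paths inside any sliding `window`."""
    probes = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (403, 404) and rec["path"].startswith(PROBE_PREFIXES):
            probes[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in probes.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample log: one burst scanner, one normal visitor, one slow client
# whose probes are spread 15 minutes apart and therefore never fill the window.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-content/plugins/example-plugin-1/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "GET /wp-content/plugins/example-plugin-2/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "GET /wp-content/plugins/example-plugin-3/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:04 +0000] "GET / HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "GET /wp-content/plugins/example-plugin-4/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:06 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "GET /wp-includes/example.php HTTP/1.1" 403 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-content/plugins/example-plugin-1/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:12:00 +0000] "GET /wp-content/plugins/example-plugin-2/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:27:00 +0000] "GET /wp-content/plugins/example-plugin-3/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:42:00 +0000] "GET /wp-content/plugins/example-plugin-4/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:57:00 +0000] "GET /wp-content/plugins/example-plugin-5/readme.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, n in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"notify: {ip} produced {n} 403/404 responses on scanner paths")
```

The sliding window is what keeps the slow client out of the alert: a plain per-IP count would flag it after its fifth probe an hour later, while the burst client trips the rule within seconds. For a real deployment, read the file incrementally (or pipe `tail -F` into it) and keep the per-IP timestamp lists bounded to the window length.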