WordPress Configurations
These are a few configurations that can help. The examples use the primary domain name, served from /var/www/html.
First download wordpress.zip for your country to /home/ec2-user and unzip it. (Assuming ec2-user here.)
[Assuming you unzipped WordPress into /home/ec2-user...]
cd /home/ec2-user
cd wordpress
cp -pR * /var/www/html
cp -pR * /var/www/html/aws
Fix the Apache permissions – as per my install notes, for /var/www/html:
[I use a shell script called chdir.sh with permission of 777:]
cd /var/www
chown apache html
chgrp apache html
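chmod 2775 html
cd /var/www/html
vi chdir.sh

#!/bin/sh
# Hand everything under the web root to apache:apache
chown -R apache *
chgrp -R apache *
# Directories: setgid and group-writable; files: group-writable, no execute bit
find . -type d -exec chmod 2775 {} \;
find . -type f -exec chmod 0664 {} \;
# The * glob above skips dotfiles, so .htaccess is handled explicitly
if [ -f "./.htaccess" ] ; then
  chown apache .htaccess
  chgrp apache .htaccess
  chmod 664 .htaccess
fi
# Put the execute bit back on shell scripts (777 also leaves them world-writable)
chmod 777 *.sh
# Restrict this script itself to root
chown root chdir.sh
chgrp root chdir.sh
chmod 770 chdir.sh
exit

[Save and exit. Now execute the script:]
chmod 777 chdir.sh
./chdir.sh
ls -la

Always run the chdir.sh script when manually adding any files under /var/www/html.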
The httpd.conf file, etc. will have been previously configured, as per my other articles.
If you run into issues, remember that your browser may be holding old cached content that needs clearing.
If you have problems with the Wordfence plugin, check whether the Wordfence stanza needs a special section for your current PHP version (use php -v to see your version):
<IfModule mod_php8.c>
  php_value auto_prepend_file '/var/www/html/wordfence-waf.php'
</IfModule>
Some wp-config.php settings you can append:
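// Raise the PHP memory ceiling WordPress asks for
define('WP_MEMORY_LIMIT', '256M');
// Turn off the theme and plugin file editor in wp-admin
define('DISALLOW_FILE_EDIT', true);
// Let administrators upload any file type (skips the upload type filter)
define( 'ALLOW_UNFILTERED_UPLOADS', true );
// Stop WP-Cron firing on page loads
define('DISABLE_WP_CRON', true);
define( 'WPMS_ON', true );
define( 'WPMS_SMTP_PASS', 'YOUR AMAZON IAM SMTP PRIVATE KEY' );
[The WPMS_ entries help if using the WordPress SMTP plugin]

Some .htaccess settings that can help. Always back up your file first.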
In this example I show more restrictions around using your own static IP address. (Use your own, or leave out the stanzas mentioned.) Also note that these extra IP address stanzas add the domain IP address.
[Use your own IP addresses and domain name. yyyyyy = the domain A record, and xxxxxx your own IP]
[The .htaccess file can use # for any comments. sudo su to have root access.]
[The disable PHP sections below may need removal if they conflict with plugins.]
[I first show some <files> entries for any IP address, and examples of caching. If you use a caching plugin, do not include this section.]

set -o vi
export EXINIT='set noautoindent'
cd /var/www/html
cp -p .htaccess .htaccess.o
vi .htaccess

# Force HTTPS
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://MYDOMAIN.COM/$1 [R,L]

# IF USING IP2LOCATION
RewriteCond %{ENV:IP2LOCATION_COUNTRY_SHORT} ^RU$
RewriteRule ^(.*)$ https://google.com.au [L]
RewriteCond %{ENV:IP2LOCATION_COUNTRY_SHORT} ^UA$
RewriteRule ^(.*)$ https://google.com.au [L]
RewriteCond %{ENV:IP2LOCATION_COUNTRY_SHORT} ^TW$
RewriteRule ^(.*)$ https://google.com.au [L]
RewriteCond %{ENV:IP2LOCATION_COUNTRY_SHORT} ^CN$
RewriteRule ^(.*)$ https://google.com.au [L]
RewriteCond %{ENV:IP2LOCATION_COUNTRY_SHORT} ^IR$
RewriteRule ^(.*)$ https://google.com.au [L]
RewriteCond %{ENV:IP2LOCATION_COUNTRY_SHORT} ^HU$
RewriteRule ^(.*)$ https://google.com.au [L]
RewriteCond %{ENV:IP2LOCATION_COUNTRY_SHORT} ^IQ$
RewriteRule ^(.*)$ https://google.com.au [L]
RewriteCond %{ENV:IP2LOCATION_COUNTRY_SHORT} ^KP$
RewriteRule ^(.*)$ https://google.com.au [L]
RewriteCond %{ENV:IP2LOCATION_COUNTRY_SHORT} ^PL$
RewriteRule ^(.*)$ https://google.com.au [L]
RewriteCond %{ENV:IP2LOCATION_COUNTRY_SHORT} ^TR$
RewriteRule ^(.*)$ https://google.com.au [L]

# Refuse listed user agents
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} Mb2345Browser|LieBaoFast|zh-CN|MicroMessenger|zh_CN|Kinza|Datanyze|serpstatbot|spaziodati|OPPO\sA33|AspiegelBot|aspiegel|PetalBot [NC]
RewriteRule ^ - [F,L]

Options -Indexes
RewriteRule ^wp-admin/install\.php$ - [F]
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]

# Disable PHP in Uploads
RewriteRule ^wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]
# Disable PHP in Plugins
RewriteRule ^wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]
# Disable PHP in Themes
RewriteRule ^wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)$ - [NC,F]

# Filter Suspicious Query Strings in the URL
RewriteCond %{QUERY_STRING} https?: [OR]
RewriteCond %{QUERY_STRING} (<|%3C)script(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_decode\( [NC,OR]
RewriteCond %{QUERY_STRING} %24&x [NC,OR]
RewriteCond %{QUERY_STRING} (encode|localhost|loopback) [NC,OR]
RewriteCond %{QUERY_STRING} (concat|insert|union|declare) [NC,OR]
RewriteCond %{QUERY_STRING} %[01][0-9A-F] [NC]
RewriteCond %{QUERY_STRING} !^loggedout=true
RewriteCond %{QUERY_STRING} !^action=jetpack-sso
RewriteCond %{QUERY_STRING} !^action=rp
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
RewriteCond %{HTTP_REFERER} !^http://maps\.googleapis\.com
RewriteRule ^.* - [F]

# Filter Non-English Characters
RewriteCond %{QUERY_STRING} %[A-F][0-9A-F] [NC]
RewriteRule ^.* - [F]

RewriteCond %{HTTP_USER_AGENT} facebookexternalhit [NC,OR]
RewriteCond %{HTTP_USER_AGENT} facebook [NC,OR]
RewriteCond %{HTTP_USER_AGENT} AWS [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Nimbostratus-Bot [NC]
RewriteRule .* - [F]
# RewriteCond %{HTTP_REFERER} security.ipip.net [NC]
# RewriteRule .* - [F]

<files .htaccess>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</files>
<files readme.html>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</files>

# Disable Directory Browsing
Options -Indexes

# cache
<IfModule mod_mime.c>
  AddType text/css .css
  AddType text/x-component .htc
  AddType application/x-javascript .js
  AddType application/javascript .js2
  AddType text/javascript .js3
  AddType text/x-js .js4
  AddType video/asf .asf .asx .wax .wmv .wmx
  AddType video/avi .avi
  AddType image/avif .avif
  AddType image/avif-sequence .avifs
  AddType image/bmp .bmp
  AddType application/java .class
  AddType video/divx .divx
  AddType application/msword .doc .docx
  AddType application/vnd.ms-fontobject .eot
  AddType application/x-msdownload .exe
  AddType image/gif .gif
  AddType application/x-gzip .gz .gzip
  AddType image/x-icon .ico
  AddType image/jpeg .jpg .jpeg .jpe
  AddType image/webp .webp
  AddType application/json .json
  AddType application/vnd.ms-access .mdb
  AddType audio/midi .mid .midi
  AddType video/quicktime .mov .qt
  AddType audio/mpeg .mp3 .m4a
  AddType video/mp4 .mp4 .m4v
  AddType video/mpeg .mpeg .mpg .mpe
  AddType video/webm .webm
  AddType application/vnd.ms-project .mpp
  AddType application/x-font-otf .otf
  AddType application/vnd.ms-opentype ._otf
  AddType application/vnd.oasis.opendocument.database .odb
  AddType application/vnd.oasis.opendocument.chart .odc
  AddType application/vnd.oasis.opendocument.formula .odf
  AddType application/vnd.oasis.opendocument.graphics .odg
  AddType application/vnd.oasis.opendocument.presentation .odp
  AddType application/vnd.oasis.opendocument.spreadsheet .ods
  AddType application/vnd.oasis.opendocument.text .odt
  AddType audio/ogg .ogg
  AddType video/ogg .ogv
  AddType application/pdf .pdf
  AddType image/png .png
  AddType application/vnd.ms-powerpoint .pot .pps .ppt .pptx
  AddType audio/x-realaudio .ra .ram
  AddType image/svg+xml .svg .svgz
  AddType application/x-shockwave-flash .swf
  AddType application/x-tar .tar
  AddType image/tiff .tif .tiff
  AddType application/x-font-ttf .ttf .ttc
  AddType application/vnd.ms-opentype ._ttf
  AddType audio/wav .wav
  AddType audio/wma .wma
  AddType application/vnd.ms-write .wri
  AddType application/font-woff .woff
  AddType application/font-woff2 .woff2
  AddType application/vnd.ms-excel .xla .xls .xlsx .xlt .xlw
  AddType application/zip .zip
</IfModule>
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType text/css A31536000
  ExpiresByType text/x-component A31536000
  ExpiresByType application/x-javascript A31536000
  ExpiresByType application/javascript A31536000
  ExpiresByType text/javascript A31536000
  ExpiresByType text/x-js A31536000
  ExpiresByType video/asf A31536000
  ExpiresByType video/avi A31536000
  ExpiresByType image/avif A31536000
  ExpiresByType image/avif-sequence A31536000
  ExpiresByType image/bmp A31536000
  ExpiresByType application/java A31536000
  ExpiresByType video/divx A31536000
  ExpiresByType application/msword A31536000
  ExpiresByType application/vnd.ms-fontobject A31536000
  ExpiresByType application/x-msdownload A31536000
  ExpiresByType image/gif A31536000
  ExpiresByType application/x-gzip A31536000
  ExpiresByType image/x-icon A31536000
  ExpiresByType image/jpeg A31536000
  ExpiresByType image/webp A31536000
  ExpiresByType application/json A31536000
  ExpiresByType application/vnd.ms-access A31536000
  ExpiresByType audio/midi A31536000
  ExpiresByType video/quicktime A31536000
  ExpiresByType audio/mpeg A31536000
  ExpiresByType video/mp4 A31536000
  ExpiresByType video/mpeg A31536000
  ExpiresByType video/webm A31536000
  ExpiresByType application/vnd.ms-project A31536000
  ExpiresByType application/x-font-otf A31536000
  ExpiresByType application/vnd.ms-opentype A31536000
  ExpiresByType application/vnd.oasis.opendocument.database A31536000
  ExpiresByType application/vnd.oasis.opendocument.chart A31536000
  ExpiresByType application/vnd.oasis.opendocument.formula A31536000
  ExpiresByType application/vnd.oasis.opendocument.graphics A31536000
  ExpiresByType application/vnd.oasis.opendocument.presentation A31536000
  ExpiresByType application/vnd.oasis.opendocument.spreadsheet A31536000
  ExpiresByType application/vnd.oasis.opendocument.text A31536000
  ExpiresByType audio/ogg A31536000
  ExpiresByType video/ogg A31536000
  ExpiresByType application/pdf A31536000
  ExpiresByType image/png A31536000
  ExpiresByType application/vnd.ms-powerpoint A31536000
  ExpiresByType audio/x-realaudio A31536000
  ExpiresByType image/svg+xml A31536000
  ExpiresByType application/x-shockwave-flash A31536000
  ExpiresByType application/x-tar A31536000
  ExpiresByType image/tiff A31536000
  ExpiresByType application/x-font-ttf A31536000
  ExpiresByType application/vnd.ms-opentype A31536000
  ExpiresByType audio/wav A31536000
  ExpiresByType audio/wma A31536000
  ExpiresByType application/vnd.ms-write A31536000
  ExpiresByType application/font-woff A31536000
  ExpiresByType application/font-woff2 A31536000
  ExpiresByType application/vnd.ms-excel A31536000
  ExpiresByType application/zip A31536000
</IfModule>
<IfModule mod_deflate.c>
  <IfModule mod_filter.c>
    AddOutputFilterByType DEFLATE text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/html text/richtext text/plain text/xsd text/xsl text/xml image/bmp application/java application/msword application/vnd.ms-fontobject application/x-msdownload image/x-icon application/json application/vnd.ms-access video/webm application/vnd.ms-project application/x-font-otf application/vnd.ms-opentype application/vnd.oasis.opendocument.database application/vnd.oasis.opendocument.chart application/vnd.oasis.opendocument.formula application/vnd.oasis.opendocument.graphics application/vnd.oasis.opendocument.presentation application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text audio/ogg application/pdf application/vnd.ms-powerpoint image/svg+xml application/x-shockwave-flash image/tiff application/x-font-ttf application/vnd.ms-opentype audio/wav application/vnd.ms-write application/font-woff application/font-woff2 application/vnd.ms-excel
    <IfModule mod_mime.c>
      # DEFLATE by extension
      AddOutputFilter DEFLATE js css htm html xml
    </IfModule>
  </IfModule>
</IfModule>
<FilesMatch "\.(css|htc|less|js|js2|js3|js4|CSS|HTC|LESS|JS|JS2|JS3|JS4)$">
  FileETag MTime Size
  <IfModule mod_headers.c>
    Header unset Set-Cookie
  </IfModule>
</FilesMatch>
<FilesMatch "\.(html|htm|rtf|rtx|txt|xsd|xsl|xml|HTML|HTM|RTF|RTX|TXT|XSD|XSL|XML)$">
  FileETag MTime Size
</FilesMatch>
<FilesMatch "\.(asf|asx|wax|wmv|wmx|avi|avif|avifs|bmp|class|divx|doc|docx|eot|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|webp|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|webm|mpp|otf|_otf|odb|odc|odf|odg|odp|ods|odt|ogg|ogv|pdf|png|pot|pps|ppt|pptx|ra|ram|svg|svgz|swf|tar|tif|tiff|ttf|ttc|_ttf|wav|wma|wri|woff|woff2|xla|xls|xlsx|xlt|xlw|zip|ASF|ASX|WAX|WMV|WMX|AVI|AVIF|AVIFS|BMP|CLASS|DIVX|DOC|DOCX|EOT|EXE|GIF|GZ|GZIP|ICO|JPG|JPEG|JPE|WEBP|JSON|MDB|MID|MIDI|MOV|QT|MP3|M4A|MP4|M4V|MPEG|MPG|MPE|WEBM|MPP|OTF|_OTF|ODB|ODC|ODF|ODG|ODP|ODS|ODT|OGG|OGV|PDF|PNG|POT|PPS|PPT|PPTX|RA|RAM|SVG|SVGZ|SWF|TAR|TIF|TIFF|TTF|TTC|_TTF|WAV|WMA|WRI|WOFF|WOFF2|XLA|XLS|XLSX|XLT|XLW|ZIP)$">
  FileETag MTime Size
  <IfModule mod_headers.c>
    Header unset Set-Cookie
  </IfModule>
</FilesMatch>
<IfModule mod_headers.c>
  Header set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>
# end cache
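The two query-string filter chains in the .htaccess above can be dry-run against sample requests before they go live, which shows what they refuse for ordinary visitors. This script is an added example, not part of the original page: the function name would_block and the sample requests are made up for illustration, and POSIX grep -E stands in for Apache's regex engine.

```shell
#!/bin/sh
# Added example: offline model of the two query-string RewriteCond chains.
# would_block QUERY_STRING [COOKIE_HEADER] [REFERER] prints which chain
# would answer 403 Forbidden, or "pass". grep -E stands in for Apache's PCRE.
would_block() {
  wb_qs=$1; wb_cookie=${2:-}; wb_ref=${3:-}; wb_hit=0
  # Chain 1: the [OR] group. The first condition has no [NC] on the page,
  # so it is case-sensitive; the remaining seven ignore case.
  if printf '%s\n' "$wb_qs" | grep -Eq 'https?:'; then wb_hit=1; fi
  while IFS= read -r wb_pat; do
    if printf '%s\n' "$wb_qs" | grep -Eiq -- "$wb_pat"; then wb_hit=1; fi
  done <<'EOF'
(<|%3C)script(>|%3E)
mosConfig_[a-zA-Z_]{1,21}(=|%3D)
base64_decode\(
%24&x
(encode|localhost|loopback)
(concat|insert|union|declare)
%[01][0-9A-F]
EOF
  # The negated conditions are ANDed after the OR group, so any one of
  # them matching lets the request through chain 1.
  if [ "$wb_hit" -eq 1 ]; then
    case $wb_qs in loggedout=true*|action=jetpack-sso*|action=rp*) wb_hit=0 ;; esac
    case $wb_cookie in *wordpress_logged_in_*) wb_hit=0 ;; esac
    case $wb_ref in http://maps.googleapis.com*) wb_hit=0 ;; esac
  fi
  if [ "$wb_hit" -eq 1 ]; then echo suspicious-query; return 0; fi
  # Chain 2 ("Filter Non-English Characters") has no exemptions at all.
  if printf '%s\n' "$wb_qs" | grep -Eiq '%[A-F][0-9A-F]'; then
    echo non-english; return 0
  fi
  echo pass
}

# Constructed sample requests, "query|cookie"; not taken from real logs.
while IFS='|' read -r q c; do
  printf '%-26s %-26s -> %s\n' "$q" "${c:-(no cookie)}" "$(would_block "$q" "$c")"
done <<'EOF'
s=hello+world|
s=trade+union+history|
s=trade+union+history|wordpress_logged_in_abc=1
s=caf%C3%A9|
s=caf%C3%A9|wordpress_logged_in_abc=1
page=2&ref=%3Cscript%3E|
EOF
```

Feeding it query strings from your own access log shows which existing requests the rules would start refusing, such as searches containing "union" or any percent-encoded UTF-8 character.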
This is the optional section using yyyyyy and xxxxxx (the domain IP and your static IP):
<Files wp-login.php>
  order deny,allow
  allow from yyyyyy xxxxxx
  deny from all
</Files>
<Files xmlrpc.php>
  order deny,allow
  allow from xxxxxx
  allow from yyyyyy
  deny from all
</Files>
<Files wp-cron.php>
  order deny,allow
  allow from yyyyyy xxxxxx
  deny from all
</Files>
<Files admin-ajax.php>
  order allow,deny
  allow from all
  satisfy any
</Files>
# With Order allow,deny the Deny lines are evaluated last, so "Deny from all"
# in the next two blocks refuses every client, the listed IPs included
<Files wp-config.php>
  Order allow,deny
  allow from yyyyyy xxxxxx
  Deny from all
</Files>
<Files error_log>
  Order allow,deny
  allow from yyyyyy xxxxxx
  Deny from all
</Files>
<files .htaccess>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</files>
<files readme.html>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</files>
allow from all
You can also restrict access to any URL containing the word “admin” (or “login”) to your own IP address, such as mydomain.com/wp-admin or /wp-login.php:
(replace the XXX fields with your own IP)
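# Any URL containing "admin" requested from another address is redirected to the home page.
# Note: the pattern also matches /wp-admin/admin-ajax.php, which front-end plugins call.
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteBase /
  RewriteCond %{REQUEST_URI} ^(.*)admin(.*)$
  RewriteCond %{REMOTE_ADDR} !^XXX\.XXX\.XXX\.XXX$
  RewriteRule .* / [R=302,L]
</IfModule>
# Same treatment for any URL containing "login"
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteBase /
  RewriteCond %{REQUEST_URI} ^(.*)login(.*)$
  RewriteCond %{REMOTE_ADDR} !^XXX\.XXX\.XXX\.XXX$
  RewriteRule .* / [R=302,L]
</IfModule>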