Re: httpd and Wordpress
+1

Wordpress must be installed on the desired path; if you are moving from a previous scheme like site/wordpress to wordpress, you have a problem. Refer to the wordpress manual and you will find how to fix it.
The best bet is like Todd said: Deploy again.

2017-06-10 20:56 GMT-03:00 Todd :

> What is in your httpd error log?
> My guess is that WP is trying to pull some content from /wordpress which no
> longer exists since you moved the docroot.
>
> My suggestion for having your WP site available without going to the
> /wordpress URL is to redeploy the WordPress files to /var/www/html instead
> of /var/www/html/wordpress.
> Or add a 301 redirect from / to /wordpress
>
> On Sat, Jun 10, 2017 at 2:32 PM, Jan Betlach wrote:
>
> > Hi guys,
> >
> > I have a small problem with httpd and Wordpress.
> > When I go to https://myipaddress I get "Access denied". If I go to
> > https://myipaddress/wordpress, everything works as expected.
> > I have tried to change the appropriate line in the httpd.conf to:
> > root "/htdocs/wordpress". In that case the webpage is loaded, but in the
> > "broken" form.
> >
> > My current httpd.conf:
> >
> > # $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
> > # Macros
> > ext_addr="*"
> > # Global Options
> > # prefork 3
> > # Servers
> > # A minimal default server
> > server "default" {
> >     listen on $ext_addr port 80
> >     listen on $ext_addr tls port 443 block return 301 "https://
> > $SERVER_NAME$REQUEST_URI"
> >     tls {
> >         key "/etc/ssl/private/server.key"
> >         certificate "/etc/ssl/server.crt"
> >     }
> >     directory {
> >         no auto index, index "index.php"
> >     }
> >     location "*.php" {
> >         fastcgi socket "/run/php-fpm.sock"
> >     }
> >     root "/htdocs"
> > }
> > # Include MIME types instead of the built-in ones
> > types {
> >     include "/usr/share/misc/mime.types"
> > }
> >
> > Any ideas where I am making a mistake?
> >
> > Thank you
> >
> > Jan
Re: httpd and Wordpress
Hi,

# Set a correct root path
root "/htdocs/wordpress"

# You can set max upload size to 513 M (in bytes)
connection max request body 537919488

# You can protect files and dir
location "/.*" { block }
location "/upload/*.php" { block }
location "/files/*.php" { block }

# For any other PHP file
location "/*.php*" { fastcgi socket "/run/php-fpm.sock" }

Ilyes Aiouaz

On 11/06/2017 at 00:56, Todd wrote:
> What is in your httpd error log?
> My guess is that WP is trying to pull some content from /wordpress which no
> longer exists since you moved the docroot.
>
> My suggestion for having your WP site available without going to the
> /wordpress URL is to redeploy the WordPress files to /var/www/html instead
> of /var/www/html/wordpress.
> Or add a 301 redirect from / to /wordpress
>
> On Sat, Jun 10, 2017 at 2:32 PM, Jan Betlach wrote:
>
>> Hi guys,
>>
>> I have a small problem with httpd and Wordpress.
>> When I go to https://myipaddress I get "Access denied". If I go to
>> https://myipaddress/wordpress, everything works as expected.
>> I have tried to change the appropriate line in the httpd.conf to:
>> root "/htdocs/wordpress". In that case the webpage is loaded, but in the
>> "broken" form.
>>
>> My current httpd.conf:
>>
>> # $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
>> # Macros
>> ext_addr="*"
>> # Global Options
>> # prefork 3
>> # Servers
>> # A minimal default server
>> server "default" {
>>     listen on $ext_addr port 80
>>     listen on $ext_addr tls port 443 block return 301 "https://
>> $SERVER_NAME$REQUEST_URI"
>>     tls {
>>         key "/etc/ssl/private/server.key"
>>         certificate "/etc/ssl/server.crt"
>>     }
>>     directory {
>>         no auto index, index "index.php"
>>     }
>>     location "*.php" {
>>         fastcgi socket "/run/php-fpm.sock"
>>     }
>>     root "/htdocs"
>> }
>> # Include MIME types instead of the built-in ones
>> types {
>>     include "/usr/share/misc/mime.types"
>> }
>>
>> Any ideas where I am making a mistake?
>>
>> Thank you
>>
>> Jan
Re: httpd and Wordpress
What is in your httpd error log?
My guess is that WP is trying to pull some content from /wordpress which no longer exists since you moved the docroot.

My suggestion for having your WP site available without going to the /wordpress URL is to redeploy the WordPress files to /var/www/html instead of /var/www/html/wordpress.
Or add a 301 redirect from / to /wordpress

On Sat, Jun 10, 2017 at 2:32 PM, Jan Betlach wrote:

> Hi guys,
>
> I have a small problem with httpd and Wordpress.
> When I go to https://myipaddress I get "Access denied". If I go to
> https://myipaddress/wordpress, everything works as expected.
> I have tried to change the appropriate line in the httpd.conf to:
> root "/htdocs/wordpress". In that case the webpage is loaded, but in the
> "broken" form.
>
> My current httpd.conf:
>
> # $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
> # Macros
> ext_addr="*"
> # Global Options
> # prefork 3
> # Servers
> # A minimal default server
> server "default" {
>     listen on $ext_addr port 80
>     listen on $ext_addr tls port 443 block return 301 "https://
> $SERVER_NAME$REQUEST_URI"
>     tls {
>         key "/etc/ssl/private/server.key"
>         certificate "/etc/ssl/server.crt"
>     }
>     directory {
>         no auto index, index "index.php"
>     }
>     location "*.php" {
>         fastcgi socket "/run/php-fpm.sock"
>     }
>     root "/htdocs"
> }
> # Include MIME types instead of the built-in ones
> types {
>     include "/usr/share/misc/mime.types"
> }
>
> Any ideas where I am making a mistake?
>
> Thank you
>
> Jan
httpd and Wordpress
Hi guys,

I have a small problem with httpd and Wordpress.
When I go to https://myipaddress I get "Access denied". If I go to https://myipaddress/wordpress, everything works as expected.
I have tried to change the appropriate line in the httpd.conf to: root "/htdocs/wordpress". In that case the webpage is loaded, but in the "broken" form.

My current httpd.conf:

# $OpenBSD: httpd.conf,v 1.16 2016/09/17 20:05:59 tj Exp $
# Macros
ext_addr="*"
# Global Options
# prefork 3
# Servers
# A minimal default server
server "default" {
    listen on $ext_addr port 80
    listen on $ext_addr tls port 443 block return 301 "https://$SERVER_NAME$REQUEST_URI"
    tls {
        key "/etc/ssl/private/server.key"
        certificate "/etc/ssl/server.crt"
    }
    directory {
        no auto index, index "index.php"
    }
    location "*.php" {
        fastcgi socket "/run/php-fpm.sock"
    }
    root "/htdocs"
}
# Include MIME types instead of the built-in ones
types {
    include "/usr/share/misc/mime.types"
}

Any ideas where I am making a mistake?

Thank you

Jan
Re: httpd and wordpress
A very select few security-focused plugins are worth keeping around, like WordFence. Every plugin, theme and add-on is additional attack surface, and some popular plugins and themes have a horrifying track record with regard to security.

WordPress core has gotten a lot better recently, but there are still some whopper vulnerabilities disclosed on occasion. For most people, I recommend giving it lenient enough file permissions that it can automatically apply its own updates. The most severe WP vulnerabilities are Remote Code [Inclusion|Execution]. Disallowing _www write access to the document root isn't going to save you from those, but allowing write access and enabling automatic updates means critical patches are applied faster than you'd normally be able to do it yourself.

I have experimented in my development environment with a "split installation" where two different virtual hosts entries serve WP from two different document roots but are pointed to the same database: A full-blown normal install on 127.0.0.1 that you access through something such as an SSH dynamic proxy, then a copied, locked-down install on the public IP address. The locked-down install doesn't even have wp-admin, and uses database credentials that are limited to SELECT queries only.

This took a lot of extra work to keep maintained, and updates applied to, and obviously things like user-login and comments won't work on the public-facing site. I'm not convinced this experiment is worth the hassle, because if you're that paranoid, you're likely already looking at static-site generators and getting away from WP by any means possible.

On Sun, Jun 4, 2017 at 4:34 PM, flipchan wrote:

> Delete ALL readme and don't install plugins
>
> On June 3, 2017 9:52:13 PM GMT+02:00, Markus Rosjat wrote:
> >Hi there,
> >
> >well if it would be up to me I would skip wordpress for good but well
> >it's not my decision.
> >
> >So I was wondering if there are some recommendations on what to block in
> >the httpd.conf and what file permissions to use.
> >
> >For now I have:
> >
> >- like wordpress suggest 0755 on dirs and 0644 on files
> >
> >- wp-config.php setting to 0400 is not going to work at all I need at
> >least a 0644 or nothing shows up
> >
> >- in http.conf I blocked /wp_content , /wp-content /uploads/*.php,
> >/wp-includes, /wp-includes/*.php and /wp-admin
> >
> >so if there is something I can do further to harden things just let me
> >know :)
> >
> >advice is most appreciated
> >
> >Regards
> >
> >--
> >Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
> >
> >G+H Webservice GbR Gorzolla, Herrmann
> >Königsbrücker Str. 70, 01099 Dresden
> >
> >http://www.ghweb.de
> >fon: +49 351 8107220 fax: +49 351 8107227
> >
> >Please check whether this mail really needs to be printed!
> >Before you print it, think about your responsibility and commitment to
> >the ENVIRONMENT
>
> --
> Take Care Sincerely flipchan layerprox dev
Re: httpd and wordpress
Delete ALL readme and don't install plugins

On June 3, 2017 9:52:13 PM GMT+02:00, Markus Rosjat wrote:
>Hi there,
>
>well if it would be up to me I would skip wordpress for good but well
>it's not my decision.
>
>So I was wondering if there are some recommendations on what to block in
>the httpd.conf and what file permissions to use.
>
>For now I have:
>
>- like wordpress suggest 0755 on dirs and 0644 on files
>
>- wp-config.php setting to 0400 is not going to work at all I need at
>least a 0644 or nothing shows up
>
>- in http.conf I blocked /wp_content , /wp-content /uploads/*.php,
>/wp-includes, /wp-includes/*.php and /wp-admin
>
>so if there is something I can do further to harden things just let me
>know :)
>
>advice is most appreciated
>
>Regards
>
>--
>Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de
>
>G+H Webservice GbR Gorzolla, Herrmann
>Königsbrücker Str. 70, 01099 Dresden
>
>http://www.ghweb.de
>fon: +49 351 8107220 fax: +49 351 8107227
>
>Please check whether this mail really needs to be printed!
>Before you print it, think about your responsibility and commitment to
>the ENVIRONMENT

--
Take Care Sincerely flipchan layerprox dev
Re: httpd and wordpress
On 06/03/17 20:52, Markus Rosjat wrote:

> Hi there,
>
> well if it would be up to me I would skip wordpress for good but well
> it's not my decision.
>
> So I was wondering if there are some recommendations on what to block in
> the httpd.conf and what file permissions to use.
>
> For now I have:
>
> - like wordpress suggest 0755 on dirs and 0644 on files
>
> - wp-config.php setting to 0400 is not going to work at all I need at
> least a 0644 or nothing shows up
>
> - in http.conf I blocked /wp_content , /wp-content /uploads/*.php,
> /wp-includes, /wp-includes/*.php and /wp-admin
>
> so if there is something I can do further to harden things just let me
> know :)
>
> advice is most appreciated
>
> Regards

Running WPScan[1] against your WordPress installation can be useful to check that your WordPress install isn't too full of holes.

Cheers

Fred

[1] https://github.com/wpscanteam/wpscan
httpd and wordpress
Hi there,

well if it would be up to me I would skip wordpress for good but well it's not my decision.

So I was wondering if there are some recommendations on what to block in the httpd.conf and what file permissions to use.

For now I have:

- like wordpress suggest 0755 on dirs and 0644 on files

- wp-config.php setting to 0400 is not going to work at all I need at least a 0644 or nothing shows up

- in http.conf I blocked /wp_content , /wp-content /uploads/*.php, /wp-includes, /wp-includes/*.php and /wp-admin

so if there is something I can do further to harden things just let me know :)

advice is most appreciated

Regards

--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220 fax: +49 351 8107227

Please check whether this mail really needs to be printed!
Before you print it, think about your responsibility and commitment to the ENVIRONMENT
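
Added example (not part of any post in these threads): httpd.conf(5) puts only the first matching location of a server block into effect, so both the glob patterns and their order decide whether a .php path is blocked or handed to PHP-FPM. The Python sketch below models that for the location rules posted in the first thread, a variant that assumes the hardening thread's list means /wp-content/uploads/*.php, and a misordered variant. Function names, rule-set names and sample paths are constructed for illustration, and matching is assumed to behave like fnmatch(3) without FNM_PATHNAME, ignoring case.

```python
from fnmatch import fnmatchcase

def decide(rules, path, default="static"):
    """Action of the first location glob matching path (first match wins)."""
    # Assumption: '*' also matches '/', and matching ignores case.
    lowered = path.lower()
    for pattern, action in rules:
        if fnmatchcase(lowered, pattern.lower()):
            return action
    return default  # no location matched: served as a plain file

# Location rules from the first thread's reply, in the posted order.
POSTED = [
    ("/.*", "block"),
    ("/upload/*.php", "block"),
    ("/files/*.php", "block"),
    ("/*.php*", "fastcgi"),
]
# Variant: uploads pattern from the hardening thread, still before the catch-all.
TIGHTER = [
    ("/.*", "block"),
    ("/wp-content/uploads/*.php", "block"),
    ("/*.php*", "fastcgi"),
]
# Same rules as TIGHTER with the fastcgi catch-all moved to the top.
MISORDERED = [TIGHTER[2], TIGHTER[0], TIGHTER[1]]

# Constructed request paths, not taken from any real log.
SAMPLE_PATHS = [
    "/index.php",
    "/.htaccess",
    "/upload/a.php",
    "/wp-content/uploads/2017/06/a.php",
    "/wp-content/uploads/2017/06/photo.jpg",
]

def audit(rules, paths=SAMPLE_PATHS):
    """Map every sample path to the action the rule set would take."""
    return {path: decide(rules, path) for path in paths}

def php_reachable_under(rules, prefix, paths=SAMPLE_PATHS):
    """Sample paths below prefix that would still be handed to PHP."""
    return [p for p in paths if p.startswith(prefix) and decide(rules, p) == "fastcgi"]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("tighter", TIGHTER), ("misordered", MISORDERED)):
        print(name, audit(rules))
        print("  PHP reachable in uploads:", php_reachable_under(rules, "/wp-content/uploads/"))
```

An empty list from php_reachable_under for the uploads prefix is the result to aim for; a non-empty list means a block rule is missing, too narrow, or placed after the fastcgi location.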