For a Caddy web server, add the wp-config.php path to the named matcher set described in the previous section. This will prevent access to wp-config.php in the webroot.
otherwise the directives would not block requests in sudirs e.g. /wp-includes/blocks/shortcodes.php. Case insensitivity also does not hurt in my opinion - but they don’t use the NC (no case) flag in their RewriteRules example. So if you wan’t to mimic that just leave out the (?i) in my example.
@bernd@Forza@francislavoie Thanks for your contributions. I understand the merits of using regular expressions, but before I make any change, I’d like you to consider the following questions:
For the average Caddyfile user, does the one-line path_regexp expression improve or reduce the clarity of the original two lines that it replaces? If you believe the latter, as I do, does the reduced clarity warrant the saving of one line in the Caddyfile? I’m not so sure, but I’m happy to be guided by your thoughts.
I think simple one liners are easier. I would, however, like some simple example on how to combine several matches. Perhaps better to deny all, and only allow specific files and folders?
Allow /includes/theme/*.css and so on?
I think there’s a lot that can be done to harden WordPress further. However, the purpose of this wiki article is only to provide Caddy equivalent code for the referenced WordPress article. If the WordPress article is updated to further harden WordPress, the intent is to reflect those changes here.
FWIW, as well as the lines in the OP above, my own matcher includes the three additional lines shown below:
With opt-out it’s harder to cover all cases, for example if some additional files were added that an attacker could use. With opt-in this ft can’t happen as easily. However the downside is of course that updated and such might break as you might now not allow some of their files to be served. Considering the use case of simplicity, opt-out is very.
which is why I tested path_regexp and went on to expression matchers.
Anyway. WordPress will by default not allow to upload PHP files. An attacker could try to circumvent this default setting by registering a callback to the upload_mimes filter (“Filters list of allowed mime types and file extensions.”) or find or exploit a problem in plugins that write content below wp-content/uploads/. Often times plugins need write access to other directories too and you need to protect those (e.g. GravityForms temporary uploads, many of the Caching-Plugins, image resizers, backup plugins or even logs of security plugins).
My personal preference is not to put everything in a onlineliner but rather to split the patterns over multiple lines along with comments so I remember for what reason a pattern exists.
You’ve raised a good point regarding the hierarchical nature of the uploads path.
@francislavoie Multiple path matchers are OR’ed together in a matcher set. Is this true also for a matcher set consisting of path and path_regexp matchers?
No I think it will be ANDed, which isn’t too useful. Expression matcher is probably the easiest approach to writing something that makes sense, if not a single path_regexp.
For now anyways. There’s definitely lots of room for improvement with matchers in Caddy but most of the ideas I’ve had are difficult to implement.
@bernd You’re right. A named matcher that utilises an expression matcher rather than a path matcher set is necessary for more sophisticated WordPress hardening.