Using Caddy to harden WordPress

Caddy equivalents of the server configuration in specific sections of the WordPress support article Hardening WordPress.

Securing wp-includes

For a Caddy web server, use a named matcher set to secure the include paths while still allowing access to ms-files.php for multisite.

    @forbidden {
        not path /wp-includes/ms-files.php
        path /wp-admin/includes/*.php
        path /wp-includes/*.php
    }
    respond @forbidden "Access denied" 403

Securing wp-config.php

For a Caddy web server, add the wp-config.php path to the named matcher set described in the previous section. This will prevent access to wp-config.php in the webroot.

        path /wp-config.php

Credits and References

Credits

@Whitestrake @francislavoie for their contributions within the development reference.

References

  1. Hardening WordPress
  2. Development: Using Caddy to harden WordPress
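To confirm from outside the server that the `@forbidden` matcher set from the two sections above behaves as intended, the following script is an added example and not part of the original post. It assumes `curl` is installed and that no other rule on the site returns 403 for `ms-files.php`; the file names `version.php` and `file.php` are sample picks matching the page's wildcard patterns.

```shell
#!/bin/sh
# Added example: verify the @forbidden matcher from outside the server.
# Sample file names (version.php, file.php) are illustrative picks that match
# the page's /wp-includes/*.php and /wp-admin/includes/*.php patterns.

# Paths the matcher set should answer with 403.
FORBIDDEN_PATHS="/wp-config.php /wp-includes/version.php /wp-admin/includes/file.php"
# Path excluded by "not path", which must stay reachable for multisite.
ALLOWED_PATHS="/wp-includes/ms-files.php"

# Print the HTTP status code for a URL (000 when the request fails).
http_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1" || true
}

# check_hardening BASE_URL: prints one line per path, returns the failure count.
check_hardening() {
    base=${1%/}
    failures=0
    for p in $FORBIDDEN_PATHS; do
        code=$(http_status "$base$p")
        if [ "$code" = "403" ]; then
            echo "ok    $p -> $code"
        else
            echo "FAIL  $p -> $code (expected 403)"
            failures=$((failures + 1))
        fi
    done
    for p in $ALLOWED_PATHS; do
        code=$(http_status "$base$p")
        # 000 means no response at all, which proves nothing about the matcher.
        if [ "$code" != "403" ] && [ "$code" != "000" ]; then
            echo "ok    $p -> $code"
        else
            echo "FAIL  $p -> $code (expected anything but 403)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Run only when a base URL is given, e.g.: sh check.sh https://example.com
if [ "$#" -gt 0 ]; then
    check_hardening "$1"
fi
```

The exit status is the number of failed checks, so the script can gate a deployment step after a Caddyfile change.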