Nginx Härtung¶
Sicherheitsrelevante Konfiguration und Härtung von Nginx: Sperr-Snippets für sensible Pfade, WordPress-spezifische Regeln, Rate Limiting, Security-Header und TLS.
Sensitive Pfade sperren¶
Snippets erstellen¶
# Create the snippet. It only takes effect once it is included inside the site's server { }
# block; run "sudo nginx -t" before reloading nginx.
sudo nano /etc/nginx/snippets/deny-common.conf
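# deny-common.conf — include inside the server { } block of every site.
#
# Every rule here is a regex location. nginx evaluates regex locations in file order and
# stops at the first match, so this snippet MUST be included BEFORE any
# "location ~ \.php$" handler: otherwise a request for wp-config.php hits the PHP
# location first and is executed by PHP-FPM instead of being denied.
# "deny all" answers 403, which confirms that the path exists; use "return 404;" in its
# place if you prefer not to disclose that.

# Dotfiles (.git, .htaccess, .DS_Store, ...) except .well-known, which ACME needs.
# (The trailing "(.*)$" of the usual one-liner matches everything and is left out.)
location ~ /\.(?!well-known) { deny all; }

# .env and its variants (.env.local, .env.bak, ...). Already covered by the dotfile rule
# above; kept explicit because it is the file scanners look for most.
location ~* /\.env { deny all; }

# VCS metadata, dependency trees and backup directories.
# NOTE: some WordPress plugins/themes serve front-end assets from vendor/ or
# node_modules/; add a more specific allow rule above this one if a site needs them.
location ~* /(\.git|\.hg|\.svn|vendor|node_modules|backups?)(/|$) { deny all; }

# WordPress and PHP developer files that are routinely probed.
location ~* /(wp-cli\.php|wp-cli\.phar|wp-config\.php|readme\.html|license\.txt|composer\.(json|lock))$ { deny all; }
location ~* /(eval-stdin\.php|phpunit|autoload\.php)$ { deny all; }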
WordPress-Härtung¶
# Create the WordPress snippet; include it inside the WordPress server { } block and
# check with "sudo nginx -t" before reloading.
sudo nano /etc/nginx/snippets/wordpress-hardening.conf
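# wordpress-hardening.conf — include inside the WordPress server { } block.
# The exact-match (=) and prefix (^~) locations below win regardless of order; the
# wp-json rules are regex locations and must appear before any catch-all regex location.

# XML-RPC: switch off hard if nothing needs it (Jetpack, the mobile apps and pingbacks do).
location = /xmlrpc.php { return 405; }

# Login throttling. An exact-match location replaces the generic PHP handler for this
# URI, so the request must still be handed to PHP-FPM here. With only try_files (the
# common copy-paste variant) nginx serves wp-login.php as a static file — the login
# breaks and the script source is disclosed.
location = /wp-login.php {
    limit_req zone=login burst=10 nodelay;
    include snippets/fastcgi-php.conf;             # Debian/Ubuntu nginx ships this snippet
    fastcgi_pass unix:/run/php/php-fpm.sock;       # use the same socket as "location ~ \.php$"
}

# REST user enumeration. These path rules also block /wp/v2/users/me, which the block
# editor calls for logged-in users — if editing breaks, relax them for authenticated
# requests. The ?rest_route= form bypasses path-based locations and is checked
# separately (a server-level "if" that only returns is safe); it covers the unencoded
# form of the route. Author enumeration via ?author=N is not handled here.
location ~* ^/wp-json/wp/v2/users { return 403; }
location ~* ^/wp-json/bbp-api/v1/users { return 403; }
location ~* ^/wp-json/ldlms/v2/users { return 403; }
if ($arg_rest_route ~* "^/(wp/v2|bbp-api/v1|ldlms/v2)/users") { return 403; }

# ACME HTTP-01 challenge must stay reachable; "^~" takes precedence over every regex
# location, including the dotfile rule in deny-common.conf.
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    try_files $uri =404;
}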
Rate Limiting¶
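http {
    # Shared state for limit_req (per the nginx docs about 16k 64-byte entries per MB,
    # so roughly 160k client addresses per zone).
    # $binary_remote_addr is the TCP peer: behind a reverse proxy or CDN it is the
    # proxy's address and ALL visitors share one bucket — configure set_real_ip_from /
    # real_ip_header first in that case.
    limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
    # "api" is not referenced by the snippets on this page; attach it to API locations.
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    # Answer throttled requests with 429 rather than the default 503, so clients and log
    # analysis can tell rate limiting from backend failures.
    limit_req_status 429;
    limit_req_log_level warn;
}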
Security Headers¶
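# Security headers. nginx gotcha: add_header is NOT inherited by a location that sets
# its own add_header — either put these in a snippet included in every such location,
# or set them once at server level and add no add_header inside locations.
add_header X-Frame-Options "SAMEORIGIN" always;
# The legacy XSS auditor no longer exists in current browsers and its filter mode caused
# side-channel problems in old ones; OWASP recommends disabling it explicitly ("0")
# rather than "1; mode=block".
add_header X-XSS-Protection "0" always;
add_header X-Content-Type-Options "nosniff" always;
# Send only the origin on cross-origin navigations (and nothing on HTTPS->HTTP) instead
# of leaking full URLs to third parties, which no-referrer-when-downgrade does.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# This CSP is only a permissive baseline: it allows any http:/https: source plus inline
# scripts and styles, so it does not mitigate XSS — it mainly rejects odd schemes.
# Tighten it per site. frame-ancestors is the CSP counterpart of X-Frame-Options and is
# what modern browsers honour.
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self'" always;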
TLS-Konfiguration¶
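server {
    listen 443 ssl http2;   # nginx >= 1.25.1 prefers "listen 443 ssl;" plus "http2 on;"
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites only — TLS 1.3 suites are fixed and not controlled by ssl_ciphers.
    # The widely copied list "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:..."
    # contains names that do not exist in OpenSSL (silently ignored) and only RSA suites:
    # with an ECDSA certificate (the certbot default since 2.0) TLS 1.2 clients could not
    # connect at all. DHE suites are only offered when ssl_dhparam is set, so they are
    # left out; AES-128 and ChaCha20 are included for mobile clients.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # Session tickets are encrypted with a key nginx never rotates by default, which
    # weakens forward secrecy; disable them unless ssl_session_ticket_key is rotated.
    ssl_session_tickets off;
    # HSTS: enable only once every subdomain is served over HTTPS. Start with a short
    # max-age (e.g. 300), verify, then raise it — a long max-age cannot be undone quickly.
    add_header Strict-Transport-Security "max-age=63072000" always;
}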