404

README.md

@@ -0,0 +1,42 @@
+# Plugin for attacks mitigation
+
+## Install plugin and enable (force update also)
+
+```
+wp plugin install --activate https://s.getcloud.info/nexos/mitigation/archive/mitigation-0.04.zip --force
+```
+
+## Enable nginx mitigations
+
+Go to vhost configuration and include mitigation/nginx.conf from this plugin.
+
+For example if plugin is at /home/mysite.com/wp-content/plugins/mitigation add following code to nginx conf at server block:
+
+```
+server {
+  server_name mysite.com;
+  ...
+  include /home/mysite.com/wp-content/plugins/mitigation/nginx.conf;
+...
+}
+```
+
+## Remove "Server: nginx" at http headers
+
+```
+apt install libnginx-mod-http-headers-more-filter
+```
+
+Edit /etc/nginx/nginx.conf at http block:
+
+```
+http {
+    more_set_headers "Server: Unicef";
+    ...
+```
+
+Y después:
+
+```
+service nginx reload
+```

mitigation.php

@@ -2,7 +2,7 @@
 /**
  * Plugin Name: Mitigation
  * Description: A WordPress plugin with a main class for initialization methods.
- * Version: 1.0.0
+ * Version: 0.0.5
  * Author: Your Name
  * Text Domain: mitigation
  */
@@ -20,7 +20,7 @@ class Mitigation {
     /**
      * Plugin version
      */
-    const VERSION = '1.0.0';
+    const VERSION = '0.05';
     
     /**
      * Single instance of the class
@@ -49,7 +49,8 @@ class Mitigation {
     public function init() {
         // Hook into WordPress init
         add_action('init', [$this, 'on_init']);
-        add_action('wp_loaded', array($this, 'on_wp_loaded'));
+        add_action('wp_loaded', [$this, 'on_wp_loaded']);
+        
     }
 
     public function run($actions)
@@ -82,6 +83,7 @@ class Mitigation {
             'remove_wp_generator',
         ];
         $this->run($actions);
+        add_filter('et_get_theme_version', [$this, 'remove_divi_version']);
     }
 
     public function login_error_mask()
@@ -91,9 +93,16 @@ class Mitigation {
         });
     }
 
+    public function remove_divi_version() {
+        return '';
+    }
+
     public function remove_wp_generator()
     {
         remove_action( 'wp_head', 'wp_generator' );
+        remove_action( 'wp_head', 'wc_generator' );
+        remove_action( 'wp_head', 'wlwmanifest_link' );
+        remove_action( 'wp_head', 'rsd_link' );
     }
 
     public function mitigation_remove_footer_shake()

nginx.conf

@@ -1,17 +1,23 @@
 location ~ ^/(wp-cron\.php|wp-config\.php|install\.php|xmlrpc\.php|config\.php|configuration\.php|\.env|\.git/|\.svn/|\.log$) {
     # deny all;
-    # return 404;
+    return 404;
-    rewrite ^(.*)$ /error-404/ redirect;
+    # rewrite ^(.*)$ /error-404/ redirect;
+    # add_header X-Status 404;
+    # rewrite ^(.*)$ /error-404/ last;
 }
 
+error_page 404 /error-404/;
+
 location ~ (LICENSE|\.md$|license\.txt|\.htaccess|readme\.html|readme\.txt) {
     log_not_found off;
     access_log off;
-    rewrite ^(.*)$ /error-404/ redirect;
+    return 404;
+    # rewrite ^(.*)$ /error-404/ last;
 }
 
 location ~* ^/wp-json/wp/v2/users(/.*)?$ {
-    rewrite ^(.*)$ /error-404/ redirect;
+    return 404;
+    # rewrite ^(.*)$ /error-404/ last;
 }
 
 # Direct PHP File Access 
@@ -37,4 +43,3 @@ location ~* /xmlrpc.php$ {
     allow 192.0.0.0/16;
     deny all;
 }
-