I’m using WordPress with the Better WP Security plugin. This plugin offers an option which doesn’t allow bots or anyone to log in at /wp-admin or /wp-login. Instead, it requires that you visit a particular URL, say /secret-area, and from there it will redirect you to the following URL (notice the long key it appends):
/wp-admin?h28g8y28kknkwh28h3&redirect_to=/wp-admin/
That way bots that are scanning can’t find the common WordPress login paths.
The problem is that, when I have Varnish enabled and I visit /secret-area, the page tries to redirect to the following URL (which obviously doesn’t work):
example.com:8080/wp-login.php?h28g8y28kknkwh28h3&redirect_to=/wp-admin/
So it adds port 8080, which is what nginx is listening on as a backend. The only thing I can imagine is that the nginx config that the Better WP Security plugin wants you to add doesn’t take into account nginx not running on port 80…
So, I’m wondering if maybe you can see some problem with these rules? The part in question is near the bottom:
# BEGIN Better WP Security
set $susquery 0;
set $rule_2 0;
set $rule_3 0;
if ($request_method ~* "^(TRACE|DELETE|TRACK)"){ return 403; }
location /wp-comments-post.php {
valid_referers novalidreferrers;
set $rule_0 0;
if ($request_method ~ "POST"){ set $rule_0 1$rule_0; }
if ($invalid_referer) { set $rule_0 2$rule_0; }
if ($http_user_agent ~ "^$"){ set $rule_0 3$rule_0; }
if ($rule_0 = "3210") { return 403; }
}
if ($args ~* "../") { set $susquery 1; }
if ($args ~* ".(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
if ($args ~* "etc/passwd") { set $susquery 1; }
if ($args ~* "boot.ini") { set $susquery 1; }
if ($args ~* "ftp:") { set $susquery 1; }
if ($args ~* "http:") { set $susquery 1; }
if ($args ~* "https:") { set $susquery 1; }
if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
if ($args ~* "base64_encode") { set $susquery 1; }
if ($args ~* "(%24&x)") { set $susquery 1; }
if ($args ~* "([|]|(|)|<|>|ê|"|;|?|*|=$)"){ set $susquery 1; }
if ($args ~* "("|'|<|>|\|{|||%24&x)"){ set $susquery 1; }
if ($args ~* "(127.0)") { set $susquery 1; }
if ($args ~* "(%0|%A|%B|%C|%D|%E|%F)") { set $susquery 1; }
if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
if ($args ~* "(request|select|insert|concat|union|declare)") { set $susquery 1; }
if ($http_cookie !~* "wordpress_logged_in_" ) {
set $susquery 2$susquery;
set $rule_2 1;
set $rule_3 1;
}
if ($args !~ "^loggedout=true") { set $susquery 3$susquery; }
if ($susquery = 4321) { return 403; }
rewrite ^/login/?$ /wp-login.php?h28g8y28kknkwh28h3 redirect;
if ($rule_2 = 1) { rewrite ^/admin/?$ /wp-login.php?h28g8y28kknkwh28h3&redirect_to=/wp-admin/ redirect; }
if ($rule_2 = 0) { rewrite ^/admin/?$ /wp-admin/?h28g8y28kknkwh28h3 redirect; }
rewrite ^/register/?$ /wp-login.php?h28g8y28kknkwh28h3&action=register redirect;
if ($uri !~ "^(.*)admin-ajax.php") { set $rule_3 2$rule_3; }
if ($http_referer !~* wp-admin ) { set $rule_3 3$rule_3; }
if ($http_referer !~* wp-login.php ) { set $rule_3 4$rule_3; }
if ($http_referer !~* login ) { set $rule_3 5$rule_3; }
if ($http_referer !~* admin ) { set $rule_3 6$rule_3; }
if ($http_referer !~* register ) { set $rule_3 7$rule_3; }
if ($args !~ "^action=logout") { set $rule_3 8$rule_3; }
if ($args !~ "^h28g8y28kknkwh28h3") { set $rule_3 9$rule_3; }
if ($args !~ "^action=rp") { set $rule_3 0$rule_3; }
if ($args !~ "^action=register") { set $rule_3 a$rule_3; }
if ($args !~ "^action=postpass") { set $rule_3 b$rule_3; }
if ($rule_3 = ba0987654321) {
rewrite ^(.*/)?wp-login.php /not_found redirect;
rewrite ^/wp-admin(.*)$ /not_found redirect;
}
# END Better WP Security
Such a simple solution… these are the moments I live for.
For anyone else who has the same problem:
port_in_redirect off;
Put that in the server block of your nginx config. Presto, all redirects now work with Varnish and nginx.
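For reference, here is what a complete backend server block with that fix looks like. This is an added example, not the poster's or the plugin's configuration; it assumes Varnish listens on :80 and proxies to nginx on 127.0.0.1:8080, that the site is example.com, and that PHP-FPM is reachable at /run/php/php-fpm.sock.

```nginx
# Added example (not from the post or the plugin): nginx backend for
# WordPress behind Varnish. Assumptions: Varnish on :80 proxies to nginx
# on 127.0.0.1:8080; hostname example.com; PHP-FPM on a unix socket.
server {
    listen 127.0.0.1:8080;
    server_name example.com;
    root /var/www/example.com;
    index index.php;

    # nginx's default is "port_in_redirect on": every redirect nginx builds
    # itself (a "rewrite ... redirect", or the implicit 301 that adds a
    # trailing slash to a directory) uses the port of the socket the request
    # arrived on. Behind Varnish that socket is :8080, so the client gets
    # Location: http://example.com:8080/wp-login.php?... , the broken URL
    # described in the question. The Varnish-on-:80 origin never appears.
    #
    # Weak (the default, shown for contrast):
    # port_in_redirect on;
    #
    # Corrected: omit the port so the Location header points back at :80,
    # i.e. at Varnish, which then forwards the follow-up request to nginx.
    port_in_redirect off;

    # Build the Location host from the client's Host header rather than
    # server_name (off is already the default; stated explicitly so the
    # redirect host cannot silently change if server_name is edited).
    server_name_in_redirect off;

    # Alternative on nginx 1.11.8+: emit relative Location headers, which
    # carry neither host nor port and so also avoid the leaked :8080.
    # absolute_redirect off;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After reloading, a request through Varnish for a redirected path should return a Location header without :8080; if the port is still present, the redirect is being generated by something other than nginx (for example WordPress itself from a wrong siteurl).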