Jonathan Vanasco
March 24, 2015 06:42PM
On Mar 23, 2015, at 11:15 PM, Steve Holdoway wrote:

> Well, I'm going for the multiple levels of protection approach, but am
> trying to mate that with a 'simple to maintain' methodology.
>
> So, yes I'd like to do both, but without being heavy-handed on the
> website owners.


I understand the frustration of this. You don't need to have compromised software to be affected by it. Once someone finds out you have WordPress installed, you become subject to a lot of attacks and random POSTs -- as scripters try to exploit known issues.

If you can do this -- one of the simplest things to do is to put as much of the WordPress "dashboard" behind an httpauth block in nginx, and disable POST everywhere but there. I've seen some large properties heavily configure WordPress to run on "admin.example.com" behind heavy auth, and then have "public.domain.com" simply handle GET requests.

That may not work on your setup though. If you're using the internal WordPress comments tool or any of their API/web hooks, you'd need to open up those URLs to POST -- but you can limit it to something arbitrarily small (e.g. 1k or less).

There are also a few integration how-tos for using nginx with fail2ban.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
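
A single-host sketch of the layout described in the message above, added here as an illustration and not taken from the thread or from any poster's configuration. The hostname, document root, htpasswd file, PHP-FPM socket path and the 16m dashboard limit are assumptions.

```nginx
# Added example. Hostname, paths, htpasswd file and PHP-FPM socket are assumptions.
server {
    listen 80;   # assumption: put this behind TLS, basic auth is only base64-encoded
    server_name public.example.com;
    root /var/www/wordpress;
    index index.php;

    # Default body cap for every location that does not override it.
    client_max_body_size 1k;

    # Shared FastCGI parameters, inherited by the locations below.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

    # Dashboard: HTTP basic auth in front of WordPress' own login; POST allowed.
    location ^~ /wp-admin/ {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/wp-admin.htpasswd;
        client_max_body_size 16m;   # uploads are accepted only here
        location ~ \.php$ {
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }
    location = /wp-login.php {
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/wp-admin.htpasswd;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Built-in comment form: POST stays open, but the 1k cap applies.
    location = /wp-comments-post.php {
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Everything else is read-only: GET (and implicitly HEAD) only.
    location / {
        limit_except GET { deny all; }
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        limit_except GET { deny all; }
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Front-end plugins that call `/wp-admin/admin-ajax.php` will hit the auth prompt under this layout and would need their own exception. Check the file with `nginx -t` before reloading.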