A blog about website promotion. SEO notes for personal use and search experiments.
Hardening Recommendations
Caution: The following recommendations are for server administrators with knowledge of how these files work. If you do not feel comfortable with these suggestions, we recommend using a website firewall that includes virtual hardening instead.
4.1 - Basic .htaccess Configurations
The .htaccess file is what most vendors will modify when they say they are hardening your environment.
This critical configuration file is specific for web servers running on Apache. If you’re running your WordPress instance on a LAMP stack using Apache, then we recommend hardening your site by updating your .htaccess file with the following rules.
Note
Some of the rules below depend on the version of Apache you are running. In those cases, we have included instructions for both versions 2.2 and 2.4 of Apache Server.
/.htaccess
Rewrite Rule:
This rule is generated by WordPress if it has write access to your server, most notably to fix issues with pretty permalinks.
If it isn’t already at the top of your file, place it at the top of your .htaccess file. Any other rules should go after the # BEGIN WordPress and # END WordPress statements.
Restrict Logins to IP Range
This rule restricts access to wp-login.php to a single IP address or range, protecting you from unauthorized login attempts from any other location. Even if you do not have a static IP, you can still restrict logins to your ISP’s common address range.
Use this same entry on other authenticated URLs that you’d like to restrict, including /wp-admin. If you are using a dynamic IP, you can refer to our instructions: How to lock down WordPress Admin Panel with a dynamic IP
Protect wp-config.php
This rule restricts visitors from accessing your wp-config.php file, which contains sensitive information about the database, including name, host, username and password. This file is also used to define advanced settings, security keys and developer options.
Prevent Directory Browsing
This rule prevents attackers from viewing the folder contents of your website, restricting the information they have to exploit your website.
Prevent Image Hotlinking
This rule prevents other websites from embedding images hosted on your website. While hotlinking won’t get your site hacked, it can consume your server’s bandwidth and resources. Replace example.com with your own domain.
Protect .htaccess
This rule prevents attackers from accessing any file whose name starts with “.hta”, which ensures that .htaccess files are protected in every directory of your server.
Block Includes
This rule blocks hackers from inserting malicious files into any of the four primary folders used for includes:
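As an added example (not the guide’s own rules, which are not reproduced on this page), the file below is a complete root /.htaccess that implements each rule described in this section, with Apache 2.4 directives and 2.2 fallbacks selected via IfModule so the same file works on either version. The IP range 192.0.2.0/24 (a documentation range), the domain example.com and the list of include-only paths in the last block are assumptions: replace the first two with your own values and check the last against your installation before use.

```apache
# Added example root /.htaccess for a WordPress site (not the guide's file).
# Assumptions to replace: 192.0.2.0/24 (your admin IP range), example.com (your domain).
# Requires AllowOverride All (or at least FileInfo, Options, Limit, AuthConfig) for this directory.

# 1. WordPress pretty-permalink rewrite block. WordPress writes this itself; keep it at the top
#    and put every other rule after the "# END WordPress" line.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# 2. Restrict logins to an IP range. Repeat the same stanza for other authenticated URLs.
<Files wp-login.php>
  <IfModule mod_authz_core.c>
    # Apache 2.4: only the listed range is granted; everything else is denied.
    Require ip 192.0.2.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2 equivalent.
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24
  </IfModule>
</Files>

# 3. Protect wp-config.php from any direct web request (PHP still reads it from disk).
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</Files>

# 4. Prevent directory browsing (no auto-generated index listings).
Options -Indexes

# 5. Prevent image hotlinking: allow requests with no Referer (direct visits, many
#    clients) or a Referer on example.com; refuse (403) image requests from other sites.
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP_REFERER} !^$
  RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
  RewriteRule \.(jpe?g|png|gif|webp)$ - [NC,F,L]
</IfModule>

# 6. Protect .htaccess (any file starting with ".hta"); applies to subdirectories too.
<FilesMatch "^\.hta">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>

# 7. Block direct requests to include-only paths. The path list is an assumption taken from
#    common WordPress hardening practice; the [S=3] line skips the wp-includes rules for
#    requests outside that folder. Verify against your own installation.
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

After saving the file, test it from outside the allowed range: a request for /wp-login.php or /wp-config.php should return 403, while the site’s front pages and legitimately referenced images keep loading. If the server answers 500 instead, AllowOverride is too restrictive for one of the directives above.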
/wp-includes/.htaccess and /wp-content/uploads/.htaccess
Prevent PHP Backdoors
This rule prevents hackers from placing PHP backdoors in the /wp-includes/ and /wp-content/uploads/ folders, two popular locations for malicious file uploads.
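The following is an added example (not the guide’s own rule) of the .htaccess file to place in both /wp-includes/ and /wp-content/uploads/. It refuses to serve any PHP file from that directory tree, so a backdoor dropped there cannot be executed by requesting its URL; PHP files that WordPress itself includes from disk are unaffected, because those are filesystem reads, not HTTP requests. The extension list and the multisite caveat in the comments are assumptions to check against your installation.

```apache
# Added example for /wp-includes/.htaccess and /wp-content/uploads/.htaccess (not the guide's file).
# Deny direct web access to PHP files in this directory and everything below it.
# The pattern covers .php, .php5/.php7-style names and .phtml; adjust if your server maps
# other extensions to PHP.
<FilesMatch "\.ph(p[0-9]?|tml)$">
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>

# Caveat (assumption to verify): older multisite installs served uploaded files through
# wp-includes/ms-files.php. If your network still relies on it, add an explicit exception
# for that one file rather than leaving the whole folder open.
```

To confirm the rule is active, upload a harmless test file such as uploads/test.php containing only a comment and request it in a browser: the expected response is 403 Forbidden, not an empty 200 page. Remove the test file afterwards.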
4.2 - Application Configurations
WP-Config
The wp-config.php file is a very important configuration file containing sensitive information about your WordPress site, including database connections.
If the wp-config.php file does not exist in the root folder, WordPress will automatically look for this file in the folder above the root directory. Moving this file out of the root folder prevents wp-config.php from being accessible from the Internet.
Salts & Keys
The wp-config file includes a section dedicated to authentication salts and keys. These salts and keys improve the security of cookies and passwords that are in transit between your browser and the web server.
You can set up your keys by including or editing these lines after the other define statements in your wp-config.php file:
define('AUTH_KEY', 'include salt here');
define('SECURE_AUTH_KEY', 'include salt here');
define('LOGGED_IN_KEY', 'include salt here');
define('NONCE_KEY', 'include salt here');
You can easily generate your salts by navigating to the wordpress.org salt generator or using the reset salts + keys option in our WordPress Plugin.
Disable File Editing
By default, file changes can be made through Appearance > Editor from the WordPress dashboard.
You can increase your WordPress security by disabling file editing from the dashboard. This prevents an attacker from changing your files through the backend or wp-admin. You will still be able to make changes via SFTP/SSH.
To disable file editing from the dashboard, include the following two lines of code at the end of your wp-config.php file:
## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);