I would like to know if anyone sees a problem with my setup
I host the sites on a VPS with the latest version of nginx and PHP7-FPM. I have iptables blocking all incoming TCP ports except for 80 and 443. The nginx virtual hosts I have configured so that only index.php can be accessed over the web; all other PHP files return a 444 error. I have an open_basedir restriction with file upload disabled.
The sites listen on ports 80, 443 and a hidden port that is firewalled and only open to me. In wp-config I have enabled Force administration over SSL. wp-admin and all other PHP files can only be accessed over this hidden port. I'm using a rewrite like this:
server {
    listen 443 ssl http2 .....
    location ~ /wp-admin {
        if ($remote_addr != my.ip.xxx.xx) { return 444; }
        rewrite ^ https://www.my.site:4xxxx$request_uri;
    }
....
server {
    listen 4xxxx ssl http2 ...
I just started testing this and it seems to work fine. The only problem encountered with the setup is that I can't log in via wp-login.php; I have to use my own login form. My error logs are clean, no more scanners since 444 closes the connection without returning an error.
Is this good security practice?
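The setup described in the post, written out as a complete pair of server blocks. This is an added example, not the poster's own configuration; the host name, the admin address 203.0.113.10, the hidden port 40443, the PHP-FPM socket and the certificate paths are all assumed placeholders.

```nginx
# Added example (not the poster's config). Assumed: example.com, admin
# address 203.0.113.10, hidden port 40443, PHP-FPM socket and cert paths.
server {
    listen 443 ssl http2;
    server_name www.example.com;
    root /var/www/html;
    index index.php;
    ssl_certificate     /etc/ssl/example.com.pem;
    ssl_certificate_key /etc/ssl/example.com.key;
    # Admin area: anyone but the admin address gets the connection dropped
    # (444 sends nothing back); the admin is redirected to the hidden port.
    # "return" inside "if" is one of the uses nginx documents as safe.
    location ~ ^/wp-admin {
        if ($remote_addr != 203.0.113.10) { return 444; }
        return 302 https://www.example.com:40443$request_uri;
    }
    # The exact-match location wins over the regex below, so only the
    # front controller reaches PHP-FPM on the public port.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    # Every other script (wp-login.php, xmlrpc.php, anything under
    # wp-content/uploads) is dropped rather than executed.
    location ~ \.php$ { return 444; }

    location / { try_files $uri $uri/ /index.php?$args; }
}

# Hidden-port vhost: the packet filter limits who can connect, and the
# same address check is repeated here as defence in depth.
server {
    listen 40443 ssl http2;
    server_name www.example.com;
    root /var/www/html;
    index index.php;
    ssl_certificate     /etc/ssl/example.com.pem;
    ssl_certificate_key /etc/ssl/example.com.key;
    if ($remote_addr != 203.0.113.10) { return 444; }
    location / { try_files $uri $uri/ /index.php?$args; }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Note that the public `\.php$` block also drops wp-cron.php, so scheduled tasks need to be triggered from system cron instead of by web requests, and `$remote_addr` is the TCP peer, so the check only works as intended when no CDN or reverse proxy sits in front of nginx.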