Better security mode (HTTPS and other features)
- You can turn Force HTTPS -> ON in your Settings -> Security.
- WonderCMS automatically checks for SSL. Turning this functionality "ON" will force WonderCMS to always use HTTPS.
Note: since we no longer support overwriting ".htaccess" through WonderCMS (it can break your website), you can manually overwrite your ".htaccess" with the config provided below the warnings.
Better security mode works on Apache servers / hosting packages. External instructions for tuning your NGINX are at the bottom of this page.
- Create a backup of your website (Settings -> Security) before making any changes.
- The HTTPS redirect feature works best if WonderCMS is installed at the root of your website (not in a subfolder).
- Contact your host and make sure your website supports the included HTTPS://www redirect, or activating this MAY BREAK YOUR WEBSITE. Also check that you have a valid HTTPS certificate.
- It may take some time for changes to take effect.
If anything goes wrong and you cannot access your website normally after overwriting your ".htaccess" file: open the ".htaccess" file on your server and replace all of its content with the default ".htaccess": https://github.com/WonderCMS/wondercms/blob/main/.htaccess
```apache
# HSTS is only sent on HTTPS responses (env=HTTPS), so a plain-HTTP hit cannot pin a broken setup.
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
# Applies to every response, dynamic pages included.
Header set Cache-Control "max-age=2628000, public"
Options -Indexes
ServerSignature Off
RewriteEngine on
# 1. Non-www host -> https://www (runs first, so a plain http://example.com request needs one redirect only)
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# 2. Plain HTTP -> HTTPS; both conditions must hold, so a TLS-terminating proxy sending X-Forwarded-Proto: https does not loop
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# 3. Clean URLs: anything that is not an existing file or directory is handed to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
# 4. Never serve the database or cache directly
RewriteRule database.js - [F]
RewriteRule cache.json - [F]
# Cookie and browser hardening headers. The Secure flag is not added here; add it once every path is served over HTTPS.
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
# "set", not "append": duplicated X-Frame-Options values are ignored by browsers
Header always set X-Frame-Options SAMEORIGIN
Header set Referrer-Policy strict-origin-when-cross-origin
```
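To see how the rewrite rules above interact (the www redirect fires before the HTTPS check, so a plain http://example.com request gets a single 301 to https://www; the two HTTPS conditions are ANDed, so a TLS-terminating proxy that sets X-Forwarded-Proto: https does not cause a redirect loop), here is an added Python model of the rule chain. It is not WonderCMS code; the file and directory sets are constructed stand-ins for an install root.

```python
"""Offline model of the request handling performed by the .htaccess above.

Added example, not WonderCMS code: each branch mirrors one RewriteCond/
RewriteRule group from the config so the redirect order, the proxy-aware
HTTPS check and the database.js / cache.json denial can be traced by hand.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the files and directories in a WonderCMS install
# root; the real rules consult the filesystem via -f and -d.
SITE_FILES = {"index.php", "database.js", "cache.json", "themes/default/style.css"}
SITE_DIRS = {"themes", "themes/default", "plugins"}


@dataclass
class Request:
    host: str                                # %{HTTP_HOST}
    path: str                                # %{REQUEST_URI}, e.g. "/about"
    https: bool = False                      # %{HTTPS} is "on" when True
    x_forwarded_proto: Optional[str] = None  # %{HTTP:X-Forwarded-Proto}


@dataclass
class Outcome:
    kind: str    # "redirect" (301), "forbidden" (403), "rewrite" or "static"
    target: str  # Location for redirects, otherwise the path served


def handle(req: Request) -> Outcome:
    # RewriteCond %{HTTP_HOST} !^www\. [NC]
    # RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # Runs first, so a non-www HTTP request is fixed in a single redirect.
    if not req.host.lower().startswith("www."):
        return Outcome("redirect", f"https://www.{req.host}{req.path}")

    # RewriteCond %{HTTP:X-Forwarded-Proto} !https
    # RewriteCond %{HTTPS} off
    # RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    # Consecutive RewriteConds are ANDed: behind a TLS-terminating proxy the
    # backend sees %{HTTPS} off, and X-Forwarded-Proto alone prevents a loop.
    proxied_https = "https" in (req.x_forwarded_proto or "")
    if not proxied_https and not req.https:
        return Outcome("redirect", f"https://{req.host}{req.path}")

    rel = req.path.lstrip("/")

    # RewriteCond %{REQUEST_FILENAME} !-f
    # RewriteCond %{REQUEST_FILENAME} !-d
    # RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
    # Anything that is not an existing file or directory becomes a page lookup.
    if rel and rel not in SITE_FILES and rel not in SITE_DIRS:
        return Outcome("rewrite", f"index.php?page={rel}")

    # RewriteRule database.js - [F]
    # RewriteRule cache.json - [F]
    # Existing files whose path contains these names are refused with 403.
    if "database.js" in rel or "cache.json" in rel:
        return Outcome("forbidden", rel)

    return Outcome("static", rel or "index.php")


if __name__ == "__main__":
    for r in (
        Request("example.com", "/about"),
        Request("www.example.com", "/about", x_forwarded_proto="https"),
        Request("www.example.com", "/database.js", https=True),
    ):
        print(r.host + r.path, "->", handle(r))
```

The model deliberately ignores the query string, as the RewriteRule patterns do: a request for a non-existent `/foo/database.js` is rewritten to `index.php?page=foo/database.js` and is never refused, because the `[F]` rules only see the rewritten path `index.php`.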
What happens when you use the better security mode (in other words, when you overwrite the ".htaccess" file):
- turns off directory listing // included in WonderCMS by default
- turns off the server signature // included by default
- denies access to database.js // included by default
- creates clean URLs (example.com/?page=home TO example.com/home) // included by default
- always redirects to https://www on your website
- a stricter cookie policy
- additional XSS protection, requested server side even when the user has the browser filter turned off
- MIME type sniffing prevention
- iframes allowed only from the same origin
- a stricter referrer policy
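The response headers are the observable effect of most of the items above, so here is an added Python check (not WonderCMS code) that tests a set of response headers for those protections. The two header lists are constructed to resemble a server before and after the config is applied; for a live check, feed `check_response` the headers from `curl -sI https://www.example.com/`. X-XSS-Protection is listed but not scored because current browsers ignore that header; directory listing and ServerSignature are not visible in response headers at all.

```python
"""Check response headers for the protections the better security mode adds.

Added example, not WonderCMS code. Header values are compared the way a
browser reads them (case-insensitive names, repeated Set-Cookie allowed).
"""
import re
from typing import Dict, List, Tuple

HeaderList = List[Tuple[str, str]]

# Constructed sample: headers from a server with the hardened .htaccess applied.
HARDENED: HeaderList = [
    ("Server", "Apache"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Cache-Control", "max-age=2628000, public"),
    ("Set-Cookie", "PHPSESSID=constructedsessionid; path=/; HTTPOnly"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]

# Constructed sample: headers from the default .htaccess (no header hardening).
DEFAULT: HeaderList = [
    ("Server", "Apache"),
    ("Set-Cookie", "PHPSESSID=constructedsessionid; path=/"),
]


def _values(headers: HeaderList, name: str) -> List[str]:
    """All values of a header, matched case-insensitively (Set-Cookie may repeat)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def _hsts_ok(values: List[str], min_age: int = 31536000) -> bool:
    """HSTS present with max-age at least one year (the value the config sets)."""
    for v in values:
        m = re.search(r"max-age=(\d+)", v, re.I)
        if m and int(m.group(1)) >= min_age:
            return True
    return False


def check_response(headers: HeaderList) -> Dict[str, bool]:
    """Map each protection to whether the headers actually deliver it."""
    cookies = _values(headers, "Set-Cookie")
    xfo = _values(headers, "X-Frame-Options")
    return {
        "hsts": _hsts_ok(_values(headers, "Strict-Transport-Security")),
        # Every cookie the server sets must carry HttpOnly, not just one of them.
        "cookies_httponly": bool(cookies)
        and all(re.search(r";\s*httponly", c, re.I) for c in cookies),
        "nosniff": any(v.strip().lower() == "nosniff"
                       for v in _values(headers, "X-Content-Type-Options")),
        # Exactly one SAMEORIGIN/DENY value: browsers ignore a duplicated header,
        # which is what 'Header append' produces when another layer sets it too.
        "frame_options": len(xfo) == 1 and xfo[0].strip().upper() in ("SAMEORIGIN", "DENY"),
        "referrer_policy": any("strict-origin-when-cross-origin" in v.lower()
                               for v in _values(headers, "Referrer-Policy")),
    }


def missing_protections(headers: HeaderList) -> List[str]:
    """Names of the protections a response does not provide, sorted."""
    return sorted(k for k, ok in check_response(headers).items() if not ok)


def check_redirect(status: int, headers: HeaderList, host: str) -> bool:
    """True if a plain-HTTP request was answered with a 301 to https://www.<host>."""
    loc = _values(headers, "Location")
    return status == 301 and bool(loc) and loc[0].startswith(f"https://www.{host}")


if __name__ == "__main__":
    print("hardened missing:", missing_protections(HARDENED))
    print("default missing: ", missing_protections(DEFAULT))
```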
Check the official nginx website for instructions on enabling https.
```apache
Options -Indexes
ServerSignature Off
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
RewriteRule database.js - [F]
RewriteRule cache.json - [F]
```