
Better security mode (HTTPS and other features)

Robert Isoski edited this page Dec 7, 2019 · 6 revisions

Better security mode works on Apache servers and hosting packages that honour .htaccess files (a pointer to external instructions for NGINX is at the bottom of this page).

Important: read before turning this feature ON

  • Create a backup of your website (Settings -> Security) before making any changes.
  • The HTTPS redirect works best if WonderCMS is installed at the root of your website (not in a subfolder).
  • Contact your host and make sure your website supports the included redirect to https://www, or activating this MAY BREAK YOUR WEBSITE. Also check that you have a valid HTTPS certificate that covers the www. hostname, since the redirect always sends visitors there.
  • If Apache sits behind a proxy or CDN that terminates TLS for you, that proxy must send the X-Forwarded-Proto header; otherwise Apache never sees HTTPS as "on" and the HTTPS redirect loops.
  • To turn on better security mode, go to Settings -> Security and click the "ON" button.
  • It may take some time for changes to take effect.

If anything goes wrong and you cannot access your website normally after activating this feature: open the .htaccess file on your server and replace all content with the default .htaccess: https://github.com/robiso/wondercms/blob/master/.htaccess. Note that browsers which have already received the Strict-Transport-Security header will keep insisting on HTTPS for up to a year; restoring the default file does not undo that for those visitors.

What happens when you turn ON better security mode

Your server's .htaccess file will be overwritten with the configuration listed below. The first four items are already part of the default .htaccess; the rest are added by better security mode.

  • turns off directory listing // included in WonderCMS by default
  • turns off server signature // included by default
  • denies access to database.js (and cache.json) // included by default
  • creates clean URLs (example.com/?page=home TO example.com/home) // included by default
  • always redirects to https://www on your website
  • HTTP Strict Transport Security (HSTS) for one year on responses served over HTTPS
  • a public cache lifetime of roughly one month for every response (Cache-Control)
  • a stricter cookie policy (HttpOnly is added to every Set-Cookie header; the Secure attribute is not added)
  • sends the X-XSS-Protection header, which tells browsers that still ship a built-in XSS filter to enable it and block the page even when the user has turned the filter off (server side; current browsers have removed this filter and ignore the header)
  • MIME type sniffing prevention (X-Content-Type-Options: nosniff)
  • iframes allowed only from the same origin (X-Frame-Options: SAMEORIGIN)
  • a stricter referrer policy (Referrer-Policy: strict-origin-when-cross-origin)

The overwritten .htaccess file, after turning this feature ON, looks like this (comments added for explanation; header names are written without a trailing colon, which Apache accepts either way):

# HSTS for one year, only on responses served over HTTPS; Cache-Control applies to every response
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set Cache-Control "max-age=2628000, public"

Options -Indexes
ServerSignature Off
RewriteEngine on

# 1) Any host without a leading www. is sent to https://www.<host> in a single redirect
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# 2) Plain HTTP is sent to HTTPS; the X-Forwarded-Proto check stops this from looping
#    behind a TLS-terminating proxy, as long as that proxy sets the header
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# Clean URLs: anything that is not an existing file or directory goes to index.php?page=...
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
# These two are real files, so the rule above skips them and they get a 403 instead
RewriteRule database.js - [F]
RewriteRule cache.json - [F]

# Adds HttpOnly to every Set-Cookie (the Secure attribute is not added)
Header always edit Set-Cookie (.*) "$1; HTTPOnly"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Header always append X-Frame-Options SAMEORIGIN
Header set Referrer-Policy strict-origin-when-cross-origin
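As an added example (not WonderCMS's own code), the following Python script models the two redirect blocks above in the order mod_rewrite evaluates them and audits a set of response headers against what the file is meant to send. The hostnames, the session cookie and the two header lists are constructed for illustration; X-XSS-Protection is deliberately left out of the expected set because current browsers have removed the filter it controls.

```python
# Added example (not WonderCMS code): a model of the two redirect blocks in the
# .htaccess above, plus an audit of the response headers it is meant to emit.
# Hostnames, cookies and header sets below are constructed for illustration.
import re
from urllib.parse import urlsplit

# Header names and the values the .htaccess above sets (names compared case-insensitively).
EXPECTED = {
    "strict-transport-security": re.compile(r"max-age=(\d+)"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(SAMEORIGIN|DENY)$", re.I),
    "referrer-policy": re.compile(r"^strict-origin-when-cross-origin$", re.I),
}
ONE_YEAR = 31536000


def simulate_redirects(url, behind_proxy=False, proxy_sets_forwarded_proto=True, max_hops=5):
    """Replay the www rule and then the HTTPS rule the way mod_rewrite orders them,
    following each 301 until no rule matches.

    behind_proxy models TLS termination in front of Apache: %{HTTPS} is then always
    "off" and only X-Forwarded-Proto tells Apache which scheme the client used.
    Returns (hops, looped): the Location values issued, and whether the rules
    would keep redirecting a URL to itself.
    """
    hops = []
    current = url
    for _ in range(max_hops):
        parts = urlsplit(current)
        host = parts.netloc
        request_uri = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        if behind_proxy:
            https_on = False
            forwarded_proto = parts.scheme if proxy_sets_forwarded_proto else None
        else:
            https_on = parts.scheme == "https"
            forwarded_proto = None

        # RewriteCond %{HTTP_HOST} !^www\. [NC]  ->  https://www.%{HTTP_HOST}%{REQUEST_URI}
        if not re.match(r"^www\.", host, re.I):
            target = f"https://www.{host}{request_uri}"
        # RewriteCond %{HTTP:X-Forwarded-Proto} !https  and  RewriteCond %{HTTPS} off
        elif forwarded_proto != "https" and not https_on:
            target = f"https://{host}{request_uri}"
        else:
            return hops, False
        if target == current:  # the HTTPS rule fires again on its own output
            hops.append(target)
            return hops, True
        hops.append(target)
        current = target
    return hops, True


def audit_headers(headers):
    """headers: (name, value) pairs as received, in order. Returns a list of findings;
    an empty list means everything better security mode should send is present."""
    findings = []
    seen = {}
    for name, value in headers:
        seen.setdefault(name.lower(), []).append(value)
    for name, pattern in EXPECTED.items():
        values = seen.get(name)
        if not values:
            findings.append(f"missing {name}")
        elif not pattern.search(values[0]):
            findings.append(f"unexpected {name}: {values[0]!r}")
        elif name == "strict-transport-security" and int(pattern.search(values[0]).group(1)) < ONE_YEAR:
            findings.append("strict-transport-security max-age is below one year")
    for cookie in seen.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
        if "secure" not in attrs:  # the Set-Cookie edit in the .htaccess adds HttpOnly only
            findings.append(f"cookie {cookie_name} lacks Secure")
    return findings


# Constructed sample: headers the overwritten .htaccess produces for a page that sets a PHP session cookie.
BETTER_MODE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Cache-Control", "max-age=2628000, public"),
    ("Set-Cookie", "PHPSESSID=0123456789abcdef; path=/; HTTPOnly"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]
# Constructed sample: what the default .htaccess leaves you with.
DEFAULT_HEADERS = [("Set-Cookie", "PHPSESSID=0123456789abcdef; path=/")]

if __name__ == "__main__":
    print(simulate_redirects("http://example.com/about?x=1"))
    print(simulate_redirects("https://www.example.com/", behind_proxy=True, proxy_sets_forwarded_proto=False))
    for finding in audit_headers(BETTER_MODE_HEADERS):
        print("finding:", finding)
```

Feed audit_headers the headers you get back from `curl -sI https://www.yourdomain/` after activation: for the file above the only finding should be the missing Secure attribute on the session cookie, which the Set-Cookie edit does not add. The simulation shows that a non-www HTTP request reaches its final URL in one redirect, and that behind a TLS-terminating proxy which drops X-Forwarded-Proto the HTTPS rule redirects a page to itself forever, which is the kind of breakage the warning at the top of this page refers to.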

NGINX

NGINX does not read .htaccess files, so the rewrite rules and headers above have no effect there. Check the official nginx website for instructions on enabling HTTPS.

Default htaccess file

Options -Indexes
ServerSignature Off
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.+)$ index.php?page=$1 [QSA,L]
RewriteRule database.js - [F]
RewriteRule cache.json - [F]