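#!/bin/bash
# Baseline hardening for a WordPress tree under /var/www/html and a local
# MySQL/MariaDB server: normalises ownership and modes, installs Apache
# deny rules plus response headers in .htaccess, and removes anonymous
# accounts, remote root accounts and the test database.
#
# Every step is best-effort: a failed step is reported on stderr and the
# script carries on, so read the output instead of relying on the exit code.
set -u

readonly docroot=/var/www/html
readonly htaccess="${docroot}/.htaccess"
readonly htaccess_marker='# BEGIN setup-security'

echo "配置基础安全设置..."

if [[ -d "$docroot" ]]; then
  # Set file permissions.
  # NOTE(review): handing the whole tree to www-data lets the web server
  # rewrite its own PHP files. That is what WordPress self-update needs, but
  # it also means a compromised plugin can persist code; consider restricting
  # write access to wp-content/uploads if updates are deployed another way.
  chown -R www-data:www-data "$docroot" \
    || echo "警告: chown 失败: ${docroot}" >&2
  find "$docroot" -type f -exec chmod 644 {} +
  find "$docroot" -type d -exec chmod 755 {} +

  # Protect sensitive files. The blanket 644 above leaves wp-config.php
  # (database credentials, auth salts) readable by every local user, so it
  # is tightened here together with the sample file the script already
  # handled. Owner is www-data after the chown, so PHP can still read it.
  for cfg in wp-config.php wp-config-sample.php; do
    if [[ -f "${docroot}/${cfg}" ]]; then
      chmod 600 -- "${docroot}/${cfg}" \
        || echo "警告: chmod 失败: ${docroot}/${cfg}" >&2
    fi
  done

  # Install the .htaccess security rules. They are appended inside a marked
  # block rather than written with '>', so an existing .htaccess (WordPress
  # permalink rewrites, rules from other tools) is preserved, and a re-run
  # does not add the block twice.
  # NOTE(review): X-XSS-Protection is a legacy header that current browsers
  # ignore; a Content-Security-Policy is the control that actually mitigates
  # XSS and is not configured here.
  if ! grep -qF -- "$htaccess_marker" "$htaccess" 2>/dev/null; then
    if [[ -s "$htaccess" ]]; then
      printf '\n' >> "$htaccess"
    fi
    cat >> "$htaccess" << 'EOF'
# BEGIN setup-security
# 禁用目录列表
Options -Indexes
# 阻止访问敏感文件
<FilesMatch "\.(htaccess|htpasswd|ini|log|sh|inc|bak|backup|old)$">
Require all denied
</FilesMatch>
# 阻止访问 WordPress 配置文件
<Files "wp-config.php">
Require all denied
</Files>
# 安全头
<IfModule mod_headers.c>
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
</IfModule>
# END setup-security
EOF
    # The file may have been created after the chmod pass above, so set its
    # mode explicitly instead of inheriting it from the umask.
    chmod 644 -- "$htaccess"
  fi
else
  echo "警告: 未找到 ${docroot},跳过文件权限与 .htaccess 设置" >&2
fi

# MySQL hardening: drop anonymous accounts, root accounts bound to
# non-loopback hosts, and the test database with its grants.
# NOTE(review): this connects as root without a password and never sets one,
# so root authentication must be secured separately (socket auth or a
# password). On servers where mysql.user is a view rather than a table
# (newer MariaDB releases), the DELETE statements are rejected - the captured
# error below will show it.
readonly hardening_sql="
DELETE FROM mysql.user WHERE User='';
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
FLUSH PRIVILEGES;
"

# Capture the client's output instead of discarding it: the skip message
# blames a stopped service, but an authentication or SQL error lands in the
# same branch and must stay visible to the operator.
if ! mysql_err=$(mysql -u root -e "$hardening_sql" 2>&1); then
  echo "MySQL 安全配置跳过(服务未运行)"
  if [[ -n "$mysql_err" ]]; then
    printf '%s\n' "$mysql_err" >&2
  fi
fi

echo "安全配置完成"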