@Dimasmagadan
Forked from ethanpil/wp-secure.conf
Last active December 4, 2020 11:18
WordPress security for nginx
# wp-secure.conf
#
# Common security rules for WordPress running behind nginx.
#
# The goal is to block requests that are usually dangerous to WordPress:
# direct browser access to PHP files under uploads, wp-content and
# wp-includes, archives left lying in wp-content, source and configuration
# files that nginx would otherwise serve as plain text, and common scanner
# probes.
#
# Regex locations (location ~ and location ~*) are tested in the order they
# appear in this file and the first match wins. The only exception shipped
# here is admin-ajax.php; a plugin or theme that needs a PHP file under
# wp-content to be requested directly needs its own allow location placed
# above the deny rules, in the same way.
# Allow AJAX requests from themes and plugins. admin-ajax.php is called by
# unauthenticated front-end visitors too, so it must stay above the optional
# wp-admin authentication block: regex locations are matched in file order
# and the first match wins, so placed after that block admin-ajax.php would
# demand the HTTP password as well. Unanchored so it also covers
# sub-directory installs, like the rules below.
location ~* /wp-admin/admin-ajax\.php$ { allow all; include /usr/local/nginx/conf/php.conf; }
#
# Optional HTTP authentication for wp-login.php and the wp-admin area, as a
# second factor in front of WordPress's own login. The limit_req line assumes
# a limit_req_zone named "xwplogin" declared in the http context; php.conf is
# assumed to hold the fastcgi_pass settings used for all other PHP files.
#location ~* /wp-login\.php$ {
# limit_req zone=xwplogin burst=1 nodelay;
# auth_basic "Authorization Required";
# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
# include /usr/local/nginx/conf/php.conf;
#}
#
#location ~* /wp-admin/.*\.php$ {
# auth_basic "Authorization Required";
# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
# include /usr/local/nginx/conf/php.conf;
#}
# Deny access to archives left in wp-content (plugin and theme backups,
# exported databases). This also blocks archives a plugin deliberately serves
# from wp-content; add an allow location above this rule for those.
location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$ { deny all; }
# Deny access to any file with a .php extension in the uploads directory.
# Unanchored, so it works in sub-directory installs and in multisite
# networks, where uploads are served from /files/.
location ~* /(?:uploads|files)/.*\.php$ { deny all; }
# Deny access to uploads that aren't images, videos, music, etc., i.e.
# anything a browser would execute or render as a document.
location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf|css)$ {
deny all;
}
# Block PHP files in the uploads, wp-content and wp-includes directories.
# This is a superset of the uploads rule above: PHP in these trees is only
# meant to be included by WordPress itself, never requested directly.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
deny all;
}
# Make sure files with the following extensions are never served: nginx would
# return their source as plain text, and these files can contain PASSWORDS.
# The list covers Drupal-style module and template files, shell scripts, SQL
# dumps, translation sources, CVS metadata (Entries, Repository, Root, Tag,
# Template), dot-files and editor or backup copies of PHP files (*.php_*).
# The second group is anchored on "/" because request URIs always start
# with "/" (an anchor on "^" would never match a URI). With "~*" the match
# is case-insensitive, so check it against your permalink structure before
# enabling: a page with the slug "tag" or "template" requested without a
# trailing slash would be caught.
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|/(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_
{
return 444;
}
# No CGI-style scripts: close the connection (444) for anything that looks
# like a Perl, CGI, Python, shell or Lua script, none of which WordPress uses.
location ~* \.(pl|cgi|py|sh|lua)$ {
return 444;
}
# Drop known scanner probes: "w00tw00t" is the signature of the DFind
# vulnerability scanner; 444 closes the connection without a response.
location ~* (w00tw00t) {
return 444;
}
# Deny dot-files (.git, .svn, .htaccess, .env, ...) and the WordPress files
# that disclose the version or configuration. Note that "/\." also covers
# /.well-known/, which ACME (Let's Encrypt) HTTP-01 validation uses; if you
# need it, add a "location ^~ /.well-known/" block, since a ^~ prefix match
# takes precedence over every regex location, including the dot-file rules.
location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }