Dimasmagadan/wp-secure.conf

## wp-secure.conf
# wp-secure.conf
#
#
# This file includes common security considerations for wordpress using nginx.
#
# The goal is to block actions which are usually dangerous to wordpress.
# Additionally, we block direct access to PHP files and folders which should not
# be accessed directly from a browser.
#
# Also have included exceptions for plugins that are known to require this access.


# Optional HTTP authentication for wp-login and wp-admin areas

#location ~* /(wp-login\.php) {
#    limit_req zone=xwplogin burst=1 nodelay;
#    auth_basic "Authorization Required";
#    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
#    include /usr/local/nginx/conf/php.conf;
#}
#
#location ~* /wp-admin/.*\.php$ {
#	auth_basic "Authorization Required";
#    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
#	include /usr/local/nginx/conf/php.conf;
#}

# allow AJAX requests in themes and plugins
location ~ ^/wp-admin/admin-ajax.php$ { allow all; include /usr/local/nginx/conf/php.conf; }

#Deny access to wp-content folders for suspicious files
location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ { deny all; }

# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
location ~* /(?:uploads|files)/.*\.php\$ { deny all; }

# Deny access to uploads that aren’t images, videos, music, etc.
location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf|css)$ {
    deny all;
}

# Block PHP files in uploads, content, and includes directory.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php\$ {
  deny all;
}
# Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)\$|^(\..*|Entries.*|Repository|Root|Tag|Template)\$|\.php_
{
return 444;
}
#nocgi
location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}
#disallow
location ~* (w00tw00t) {
return 444;
}
location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }
	# wp-secure.conf
	#
	#
	# This file includes common security considerations for wordpress using nginx.
	#
	# The goal is to block actions which are usually dangerous to wordpress.
	# Additionally, we block direct access to PHP files and folders which should not
	# be accessed directly from a browser.
	#
	# Also have included exceptions for plugins that are known to require this access.


	# Optional HTTP authentication for wp-login and wp-admin areas

	#location ~* /(wp-login\.php) {
	# limit_req zone=xwplogin burst=1 nodelay;
	# auth_basic "Authorization Required";
	# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
	# include /usr/local/nginx/conf/php.conf;
	#}
	#
	#location ~* /wp-admin/.*\.php$ {
	# auth_basic "Authorization Required";
	# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
	# include /usr/local/nginx/conf/php.conf;
	#}

	# allow AJAX requests in themes and plugins
	location ~ ^/wp-admin/admin-ajax.php$ { allow all; include /usr/local/nginx/conf/php.conf; }

	#Deny access to wp-content folders for suspicious files
	location ~* ^/(wp-content)/(.*?)\.(zip\|gz\|tar\|bzip2\|7z)\$ { deny all; }

	# Deny access to any files with a .php extension in the uploads directory
	# Works in sub-directory installs and also in multisite network
	location ~* /(?:uploads\|files)/.*\.php\$ { deny all; }

	# Deny access to uploads that aren’t images, videos, music, etc.
	location ~* ^/wp-content/uploads/.*.(html\|htm\|shtml\|php\|js\|swf\|css)$ {
	deny all;
	}

	# Block PHP files in uploads, content, and includes directory.
	location ~* /(?:uploads\|files\|wp-content\|wp-includes)/.*\.php\$ {
	deny all;
	}
	# Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
	location ~* \.(engine\|inc\|info\|install\|make\|module\|profile\|test\|po\|sh\|.sql\|theme\|tpl(\.php)?\|xtmpl)\$\|^(\..\|Entries.*\|Repository\|Root\|Tag\|Template)\$\|\.php_
	{
	return 444;
	}
	#nocgi
	location ~* \.(pl\|cgi\|py\|sh\|lua)\$ {
	return 444;
	}
	#disallow
	location ~* (w00tw00t) {
	return 444;
	}
	location ~* /(\.\|wp-config\.php\|wp-config\.txt\|changelog\.txt\|readme\.txt\|readme\.html\|license\.txt) { deny all; }