Skip to content

Instantly share code, notes, and snippets.

@MaxLazar
Created September 10, 2019 15:31
Show Gist options
  • Save MaxLazar/7fa8332ec6552a202a96f258782db154 to your computer and use it in GitHub Desktop.
Save MaxLazar/7fa8332ec6552a202a96f258782db154 to your computer and use it in GitHub Desktop.
Nginx Rules to Harden WordPress Security
location ~* /xmlrpc.php$ {
allow 172.0.1.1;
deny all;
}
if ($request_method !~ ^(GET|POST)$ ) {
return 444;
}
location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
deny all;
access_log off;
log_not_found off;
}
location ~ /\.(svn|git)/* {
deny all;
access_log off;
log_not_found off;
}
location ~ /\.ht {
deny all;
access_log off;
log_not_found off;
}
location ~ /\.user.ini {
deny all;
access_log off;
log_not_found off;
}
#Hide the nginx version.
server_tokens off;
#Hide the PHP version.
fastcgi_hide_header X-Powered-By;
proxy_hide_header X-Powered-By;
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
location ~ ^/(?!(blog)/?) {
deny all;
access_log off;
log_not_found off;
}
set $comment_flagged 0;
set $comment_request_method 0;
set $comment_request_uri 0;
set $comment_referrer 1;
if ($request_method ~ "POST"){
set $comment_request_method 1;
}
if ($request_uri ~ "/wp-comments-post\.php$"){
set $comment_request_method 1;
}
if ($http_referer !~ "^https?://(([^/]+\.)?site\.com|jetpack\.wordpress\.com/jetpack-comment)(/|$)"){
set $comment_referrer 0;
}
set $comment_flagged "${comment_request_method}${comment_request_uri}${comment_referrer}";
if ($comment_flagged = "111") {
return 403;
}
limit_req_zone $binary_remote_addr zone=WPRATELIMIT:10m rate=2r/s;
location ~ \wp-login.php$ {
limit_req zone=WPRATELIMIT;
}
autoindex off;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment