Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
WordPress Security
#This file includes common security considerations for wordpress using nginx.
if ($request_method !~ ^(GET|POST|HEAD)$ ) {return 444;}
location ~* wp-admin/includes { deny all; }
location ~* wp-includes/theme-compat/ { deny all; }
location ~* wp-includes/js/tinymce/langs/.*.php { deny all; }
location = /xmlrpc.php { deny all; }
#Deny access to wp-content folders for suspicious files
location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ { deny all; }
#Deny access to any files with a .php extension in the uploads directory
location ~* /(?:uploads|files)/.*\.php\$ { deny all; }
#Deny access to uploads that aren’t images, videos, music, etc.
location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf|css)$ { deny all; }
#Block PHP files in content directory.
location ~* /wp-content/.*\.php\$ { deny all; }
#Block PHP files in includes directory.
location ~* /wp-includes/.*\.php\$ { deny all; }
#Block PHP files in uploads, content, and includes directory.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php\$ { deny all; }
#Nocgi
location ~* \.(pl|cgi|py|jsp|asp|sh|lua)\$ { return 444;}
#Hide sensitive files
location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.