Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Wordpress Security for NginX
# wp-secure.conf
#
#
# This file includes common security considerations for wordpress using nginx.
#
# The goal is to block actions which are usually dangerous to wordpress.
# Additionally, we block direct access to PHP files and folders which should not
# be accessed directly from a browser.
#
# Also have included exceptions for plugins that are known to require this access.
# Optional HTTP authentication for wp-login and wp-admin areas
#location ~* /(wp-login\.php) {
# limit_req zone=xwplogin burst=1 nodelay;
# auth_basic "Authorization Required";
# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
# include /usr/local/nginx/conf/php.conf;
#}
#
#location ~* /wp-admin/.*\.php$ {
# auth_basic "Authorization Required";
# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
# include /usr/local/nginx/conf/php.conf;
#}
# allow AJAX requests in themes and plugins
location ~ ^/wp-admin/admin-ajax.php$ { allow all; include /usr/local/nginx/conf/php.conf; }
#Deny access to wp-content folders for suspicious files
location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ { deny all; }
location ~ ^/wp-content/uploads/sucuri { deny all; }
location ~ ^/wp-content/updraft { deny all; }
# Block nginx-help log from public viewing
location ~* /wp-content/uploads/nginx-helper/ { deny all; }
location ~ ^/(wp-includes/js/tinymce/wp-tinymce.php) {
include /usr/local/nginx/conf/php.conf;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
location ~* /(?:uploads|files)/.*\.php\$ { deny all; }
# Deny access to uploads that aren’t images, videos, music, etc.
location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf|css)$ {
deny all;
}
# Whitelist Exception for https://wordpress.org/plugins/onesignal-free-web-push-notifications//
location ~ ^/wp-content/plugins/onesignal-free-web-push-notifications/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/sparkpost/
location ~ ^/wp-content/plugins/sparkpost/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/sendgrid-email-delivery-simplified/
location ~ ^/wp-content/plugins/sendgrid-email-delivery-simplified/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/mailgun/
location ~ ^/wp-content/plugins/mailgun/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/mailjet-for-wordpress/
location ~ ^/wp-content/plugins/mailjet-for-wordpress/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/easy-wp-smtp/
location ~ ^/wp-content/plugins/easy-wp-smtp/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/postman-smtp/
location ~ ^/wp-content/plugins/postman-smtp/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/sendpress/
location ~ ^/wp-content/plugins/sendpress/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wp-mail-bank/
location ~ ^/wp-content/plugins/wp-mail-bank/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/theme-check/
location ~ ^/wp-content/plugins/theme-check/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/woocommerce/
location ~ ^/wp-content/plugins/woocommerce/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/woocommerce-csvimport/
location ~ ^/wp-content/plugins/woocommerce-csvimport/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/advanced-custom-fields/
location ~ ^/wp-content/plugins/advanced-custom-fields/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/contact-form-7/
location ~ ^/wp-content/plugins/contact-form-7/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/duplicator/
location ~ ^/wp-content/plugins/duplicator/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/jetpack/
location ~ ^/wp-content/plugins/jetpack/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/nextgen-gallery/
location ~ ^/wp-content/plugins/nextgen-gallery/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/tinymce-advanced/
location ~ ^/wp-content/plugins/tinymce-advanced/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/updraftplus/
location ~ ^/wp-content/plugins/updraftplus/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wordpress-importer/
location ~ ^/wp-content/plugins/wordpress-importer/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wordpress-seo/
location ~ ^/wp-content/plugins/wordpress-seo/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wpclef/
location ~ ^/wp-content/plugins/wpclef/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/mailchimp-for-wp/
location ~ ^/wp-content/plugins/mailchimp-for-wp/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wp-optimize/
location ~ ^/wp-content/plugins/wp-optimize/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/si-contact-form/
location ~ ^/wp-content/plugins/si-contact-form/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/akismet/
location ~ ^/wp-content/plugins/akismet/ {
location ~ ^/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)\$ { allow all; }
location ~ ^/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)\$ { allow all; }
location ~* /wp-content/plugins/akismet/akismet/.*\.php\$ {
include /usr/local/nginx/conf/php.conf;
allow 127.0.0.1;
deny all;
}
}
# Whitelist Exception for https://wordpress.org/plugins/bbpress/
location ~ ^/wp-content/plugins/bbpress/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/buddypress/
location ~ ^/wp-content/plugins/buddypress/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/all-in-one-seo-pack/
location ~ ^/wp-content/plugins/all-in-one-seo-pack/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/google-analytics-for-wordpress/
location ~ ^/wp-content/plugins/google-analytics-for-wordpress/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/regenerate-thumbnails/
location ~ ^/wp-content/plugins/regenerate-thumbnails/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wp-pagenavi/
location ~ ^/wp-content/plugins/wp-pagenavi/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wordfence/
location ~ ^/wp-content/plugins/wordfence/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/really-simple-captcha/
location ~ ^/wp-content/plugins/really-simple-captcha/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wp-pagenavi/
location ~ ^/wp-content/plugins/wp-pagenavi/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/ml-slider/
location ~ ^/wp-content/plugins/ml-slider/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/black-studio-tinymce-widget/
location ~ ^/wp-content/plugins/black-studio-tinymce-widget/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/disable-comments/
location ~ ^/wp-content/plugins/disable-comments/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/better-wp-security/
location ~ ^/wp-content/plugins/better-wp-security/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for http://wlmsocial.com/
location ~ ^/wp-content/plugins/wlm-social/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for mediagrid timthumb
location ~ ^/wp-content/plugins/media-grid/classes/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/sparkpost/
location ~ ^/wp-content/plugins/comet-cache/ {
include /usr/local/nginx/conf/php.conf;
}
# Block PHP files in content directory.
location ~* /wp-content/.*\.php\$ {
deny all;
}
# Block PHP files in includes directory.
location ~* /wp-includes/.*\.php\$ {
deny all;
}
# Block PHP files in uploads, content, and includes directory.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php\$ {
deny all;
}
# Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)\$|^(\..*|Entries.*|Repository|Root|Tag|Template)\$|\.php_
{
return 444;
}
#nocgi
location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}
#disallow
location ~* (w00tw00t) {
return 444;
}
location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }
@kraba

This comment has been minimized.

Copy link

commented Dec 5, 2017

Hi, thanks for sharing this file! What do you have in /usr/local/nginx/conf/php.conf ?

@eamon55

This comment has been minimized.

Copy link

commented Feb 6, 2018

Hi
Thanks , where should I locate wp-secure.conf please ??

Thanks for sharing and your support
best

@BoBBer446

This comment has been minimized.

Copy link

commented Mar 7, 2018

Yes, what is /usr/local/nginx/conf/php.conf ? there is no file with this name Did you mean the php.ini?

@elisaado

This comment has been minimized.

Copy link

commented Jun 16, 2018

Hey @kraba and @BoBBer446, I have this in there:

                try_files $uri $document_root$fastcgi_script_name =404;                                           
                fastcgi_pass unix:/run/php-fpm/php-fpm.sock;                                                          
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;                                     
                include fastcgi.conf;

                # prevention for httpoxy vulnerability: https://httpoxy.org/                                          
                fastcgi_param HTTP_PROXY "";
@elisaado

This comment has been minimized.

Copy link

commented Jun 16, 2018

@eamon55, include it in the server block for the wordpress website in your nginx config file

@thomashare

This comment has been minimized.

Copy link

commented Sep 22, 2018

Use the command “locate php.conf” (without quotes) to retrieve your server's php.conf file location. Do a find and replace of the “/usr/local/nginx/conf/php.conf”. If you have multiple php.conf locations, you're going to have to find out which file your server's using.

@ooogooo

This comment has been minimized.

Copy link

commented Jan 14, 2019

location ~* ^/(wp-content)/(.?).(zip|gz|tar|bzip2|7z)$ { deny all; } --------$------------??????????
location ~* ^/(wp-content)/(.
?).(zip|gz|tar|bzip2|7z) $ { deny all; }

location ~* /(?:uploads|files|wp-content|wp-includes)/..php$ {---------$-------------?????????????
location ~* /(?:uploads|files|wp-content|wp-includes)/.
.php$ {

@ShunraCats

This comment has been minimized.

Copy link

commented Apr 5, 2019

This looks excellent but long! I am running an nginx proxy server that passes data on to several websites. Can I put this in the main configuration file nginx.conf rather than in each .conf file in sites-available?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.