@kjprince
Last active April 14, 2021 17:31
/etc/nginx/wordpress.conf
##################################
# WORDPRESS NGINX CONFIGURATIONS
##################################
# /etc/nginx/wordpress.conf
#
# Contains a common configuration for use by nginx on a WordPress
# installation. It holds server-context directives (rewrites and location
# blocks), so it must be included inside the server { } block of any
# WordPress site's nginx virtual host config in sites-available, with the
# following line (the file is named wordpress.conf, not wordpress.config):
#
# include /etc/nginx/wordpress.conf;
#
# Attempt to rewrite wordpress in sub directory
# Sub-directory install with the core living under /wp/: drop the per-site
# slug that sits between "/wp/" and the core script or tree, e.g.
#   /wp/<site>/wp-login.php             -> /wp/wp-login.php
#   /wp/<site>/wp-content/uploads/a.png -> /wp/wp-content/uploads/a.png
# $2 is the script/tree capture; the slug capture ($1) is discarded. Neither
# rewrite carries a flag, so processing simply continues with the new URI.
rewrite ^/wp/([_0-9a-zA-Z-]+)/(xmlrpc\.php|wp-[0-9a-z-]+\.php) /wp/$2;
rewrite ^/wp/([_0-9a-zA-Z-]+)/(wp-(admin|content|includes).*) /wp/$2;
# Front controller: serve an existing file or directory as-is, otherwise hand
# the request (query string preserved) to WordPress' index.php.
# NOTE(review): "$uri" serves any existing non-PHP file verbatim. Backup copies
# such as wp-config.php.bak, *.sql dumps or *.orig files left in the docroot
# are neither caught by the "~ \.php$" handler nor by the dotfile block, so
# they would be downloadable as plain text; keep such files out of the docroot.
location / {
index index.php index.html;
try_files $uri $uri/ /index.php?$args;
}
############
# Response charset and compression
############
# Compression stays off. Besides the CPU trade-off, leaving gzip disabled
# avoids BREACH-style compression side channels on TLS responses that reflect
# attacker-controlled input; if you turn it on, keep dynamic HTML/JSON out of
# gzip_types and limit it to static assets.
gzip off;
# Label every text response as UTF-8.
charset utf-8;
#############
# Add trailing slash to */wp-admin requests.
############
# The pattern is not anchored at the start, so any URI ending in "/wp-admin"
# (including "/wp/wp-admin" and "/<site>/wp-admin") gets a 301 to the same
# path with a trailing slash.
# NOTE(review): the redirect target is built from $host, i.e. the Host header
# the client sent. If this vhost is the default_server / catch-all, a crafted
# Host header turns this into a redirect to an attacker-chosen host. Prefer
# $server_name, or make sure the server block only answers for explicit
# server_name values.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
############
# Never serve hidden files (any path segment starting with a period)
############
# Catches .htaccess/.htpasswd, .git/, editor swap files and similar anywhere
# in the path and answers 403 without writing an access-log or not-found
# entry. Note this also covers /.well-known/ (ACME HTTP-01 challenges,
# security.txt); if you need those, add a prefix location such as
# `location ^~ /.well-known/ { }`, which takes precedence over this regex.
location ~ /\. {
    deny all;
    access_log off;
    log_not_found off;
}
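###########
# STATIC ASSETS: send far-future Expires headers, turn off access/404 logging
###########
# Requests whose path ends in ".<ext>" for one of the listed extensions are
# served by nginx straight from disk. There is no try_files fallback here, so
# a matching URI with no file behind it is a plain 404 (and, with
# log_not_found off, an unlogged one) — it never reaches WordPress. Keep that
# in mind for plugin-generated sitemap.xml / *.rss / *.atom URLs.
#
# The dot before the extension group is escaped. Unescaped it matched any
# single character, so a pretty permalink such as "/faq-doc" or "/lesson-ppt"
# (no trailing slash) was treated as a static file and silently 404'd instead
# of being handed to index.php.
location ~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
    expires max;
    access_log off;
    log_not_found off;
}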
############
# Pass uploaded files to wp-includes/ms-files.php.
############
# Legacy multisite upload handling: "/files/<path>" is routed through
# ms-files.php (which reads the ?file= argument) unless the URI lives under
# wp-content/plugins. "rewrite ... last" inside a server-level "if" is one of
# the if-usages nginx documents as safe.
# NOTE(review): ms-files.php is the pre-3.5 multisite file handler; networks
# created on newer versions typically serve uploads directly. Confirm it is
# still needed — if not, drop this block rather than exposing the script.
# rewrite /files/$ /index.php last;
if ($uri !~ wp-content/plugins) {
rewrite /files/(.+)$ /wp-includes/ms-files.php?file=$1 last;
}
# Rewrite multisite in a subdirectory '.../wp-.*' and '.../*.php'.
# (Earlier variant kept for reference: mapped "/<site>/wp-..." to the
# document root instead of under /wp/.)
# if (!-e $request_filename) {
# rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last;
# rewrite ^/[_0-9a-zA-Z-]+.*(/wp-admin/.*\.php)$ $1 last;
# rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last;
#}
# Rewrite multisite '.../wp-.*' and '.../*.php'.
# For URIs that do not exist on disk, map "/<site-slug>/wp-*" and
# "/<site-slug>/<anything>.php" onto the shared core under /wp/, e.g.
# "/blog2/wp-admin/" -> "/wp/wp-admin/". "last" restarts location matching
# with the rewritten URI, so the deny and PHP locations below see the /wp/
# path. The slug pattern accepts any first path segment.
# NOTE(review): the wp-admin redirect builds its target from $host (the
# client-supplied Host header); on a catch-all vhost prefer $server_name.
if (!-e $request_filename) {
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) /wp$1 last;
rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ /wp$1 last;
}
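############
# RESTRICTIONS
############
# Deny access to any files with a .php extension in the uploads directory.
# Works in sub-directory installs and also in multisite network (the
# multisite rewrites above use "last", so "/<site>/wp-content/uploads/x.php"
# is re-matched here after being mapped under /wp/).
# Keep logging the requests to parse later (or to pass to firewall utilities
# such as fail2ban) — hence no access_log off in this block.
#
# ORDER MATTERS: nginx tries regex locations in the order they appear and
# stops at the first match. This block must precede the generic "~ \.php$"
# handler below. In the previous layout it came after it, so a PHP file
# dropped into wp-content/uploads/ matched the PHP handler first and was
# executed; this deny never fired.
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}
############
# Pass all .php files onto a php-fpm or php-cgi server
############
location ~ \.php$ {
    # Only hand files that actually exist to FastCGI; anything else is
    # answered 404 here and never reaches PHP. This is the defence against
    # the cgi.fix_pathinfo problem: without it a request such as
    # "/uploads/image.jpg/fake.php" would be passed on and PHP-FPM (with
    # fix_pathinfo=1) would execute image.jpg as a script. Keep
    # cgi.fix_pathinfo=0 in php.ini as a second layer.
    try_files $uri =404;
    # Include the fastcgi_params defaults provided by nginx
    include /etc/nginx/fastcgi_params;
    # The amount of time for upstream to wait for a fastcgi process to send data.
    # We keep this *extremely* high so that one can be lazy when remote debugging.
    # NOTE(review): every slow or stalled request pins an FPM worker for up to
    # an hour, so a handful of clients can exhaust the pool; lower this to
    # tens of seconds on production hosts.
    fastcgi_read_timeout 3600s;
    # Buffer size for reading the header of the backend FastCGI process.
    # This defaults to the value of a single fastcgi_buffers, so does not
    # need to be specified in our case, but it's good to be explicit.
    fastcgi_buffer_size 128k;
    # The number and size of the buffers into which the reply from the FastCGI
    # process in the backend is read.
    #
    # 4 buffers at 128k means that any reply by FastCGI greater than 512k goes
    # to disk and replies under 512k are handled directly in memory.
    fastcgi_buffers 4 128k;
    # SCRIPT_FILENAME is a required parameter for things to work properly,
    # but was missing in the default fastcgi_params on upgrade to nginx 1.4.
    # We define it here to be sure that it exists.
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # Hand the request to PHP-FPM over its unix socket.
    # NOTE(review): the socket name pins this to PHP 5.x, which is end-of-life;
    # point it at the socket of the supported PHP-FPM release actually installed.
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    # And get to serving the file!
    fastcgi_index index.php;
}
############
# ROBOTS
############
# Optional: serve /robots.txt quietly (uncomment to enable).
# location = /robots.txt {
#     allow all;
#     log_not_found off;
#     access_log off;
# }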
@rajuginne

Any rules for protecting wp-login.php?

I'd like to rename it and block direct access to wp-login.php.

I tried this but it is not working:
perusio/wordpress-nginx#4

@mims92

mims92 commented Jul 10, 2018

No SSL certificate?
