/etc/nginx/wordpress.conf
##################################
# WORDPRESS NGINX CONFIGURATIONS
##################################
# /etc/nginx/wordpress.conf
#
# Contains a common configuration for use by nginx on a WordPress
# installation. This file should be included in any WordPress site
# nginx virtual host config located in sites-available with the following line:
#
# include /etc/nginx/wordpress.conf;
#
# Attempt to rewrite wordpress in sub directory
# Multisite in a sub-directory under /wp/: drop the site slug (the first path
# segment after /wp/) so that core entry points resolve against /wp/ itself,
# e.g. /wp/<slug>/wp-login.php -> /wp/wp-login.php and
#      /wp/<slug>/wp-admin/... -> /wp/wp-admin/...
# Neither rewrite carries a flag, so processing continues with the rewrite
# rules further down and then with location matching for the rewritten URI.
rewrite ^/wp/([_0-9a-zA-Z-]+)/(xmlrpc\.php|wp-[0-9a-z-]+\.php) /wp/$2;
rewrite ^/wp/([_0-9a-zA-Z-]+)/(wp-(admin|content|includes).*) /wp/$2;
# Front controller: serve the file or directory if it exists on disk,
# otherwise hand the request to WordPress with the original query string.
location / {
index index.php index.html;
try_files $uri $uri/ /index.php?$args;
}
#############
# Specify a charset
############
# Charset appended to the Content-Type of text responses.
charset utf-8;
############
# GZIP
###########
# Compression is disabled in this include; enable it in the enclosing
# server/http context if wanted.
gzip off;
#############
# Add trailing slash to */wp-admin requests.
############
# Permanent (301) redirect of /wp-admin to /wp-admin/. The Location target is
# built from $host, i.e. from the client's Host header; on a default/catch-all
# server block that value is client-chosen, so prefer $server_name (or a fixed
# hostname) there so redirects cannot be pointed at another host.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
############
# this prevents hidden files (beginning with a period) from being served
############
# Matches any URI containing "/." (.htaccess, .git/, .env and the like)
# anywhere in the path, not only at the top level. Note that this also covers
# /.well-known/ (e.g. ACME HTTP-01 challenges); add a more specific location
# for that path ahead of this one if it must stay reachable.
# Regex locations are tested in order of appearance, so keep this block ahead
# of the generic .php handler further down.
location ~ /\. {
access_log off;
log_not_found off;
deny all;
}
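###########
# SEND EXPIRES HEADERS AND TURN OFF 404 LOGGING
###########
# Static assets: far-future Expires header and no 404 logging.
# The dot before the extension group is escaped. The original pattern
# "^.+.(...)$" let "." match any character, so URIs such as /feed/atom or
# /foo/rss were captured here and served as static files instead of being
# routed to index.php by the "/" location.
# This location has no try_files fallback: a matching URI that does not
# exist on disk is a plain 404, never handed to WordPress.
location ~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off;
log_not_found off;
expires max;
}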
############
# Pass uploaded files to wp-includes/ms-files.php.
############
# rewrite /files/$ /index.php last;
# Legacy multisite uploads: /files/<path> is handed to ms-files.php unless the
# URI is under wp-content/plugins. "last" stops further rewriting and restarts
# location matching for the new URI, which then lands in the .php handler
# further down.
if ($uri !~ wp-content/plugins) {
rewrite /files/(.+)$ /wp-includes/ms-files.php?file=$1 last;
}
# Rewrite multisite in a subdirectory '.../wp-.*' and '.../*.php'.
# if (!-e $request_filename) {
# rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last;
# rewrite ^/[_0-9a-zA-Z-]+.*(/wp-admin/.*\.php)$ $1 last;
# rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last;
#}
# Rewrite multisite '.../wp-.*' and '.../*.php'.
# Applied only when nothing exists on disk at the requested path: strip the
# leading site slug and prefix /wp so that core files are looked up under /wp/.
# The /wp-admin$ redirect repeats the one declared above; rewrite directives
# run in order, so the earlier one is reached first and this copy is redundant.
if (!-e $request_filename) {
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) /wp$1 last;
rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ /wp$1 last;
}
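############
# RESTRICTIONS
############
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
#
# This location MUST precede the generic "\.php$" handler below: nginx tests
# regex locations in order of appearance and takes the first match. Placed
# after the handler (as it originally was), a request for
# /wp-content/uploads/<name>.php matched "\.php$" first and was passed to
# PHP-FPM, so this deny never applied.
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
############
# Pass all .php files onto a php-fpm or php-cgi server
############
location ~ \.php$ {
# Try the files specified in order. In our case, try the requested URI and if
# that fails, try (successfully) to pass a 404 error.
# zero day exploit defense
# Only scripts that exist on disk are passed on; nginx answers the 404 itself
# rather than letting the FastCGI backend resolve a non-existent path.
try_files $uri =404;
# Include the fastcgi_params defaults provided by nginx
include /etc/nginx/fastcgi_params;
# The amount of time for upstream to wait for a fastcgi process to send data.
# We keep this *extremely* high so that one can be lazy when remote debugging.
# (Production deployments usually want this far lower; a slow script holds a
# worker connection open for the whole duration.)
fastcgi_read_timeout 3600s;
# Buffer size for reading the header of the backend FastCGI process.
# This defaults to the value of a single fastcgi_buffers, so does not
# need to be specified in our case, but it's good to be explicit.
fastcgi_buffer_size 128k;
# The number and size of the buffers into which the reply from the FastCGI
# process in the backend is read.
#
# 4 buffers at 128k means that any reply by FastCGI greater than 512k goes
# to disk and replies under 512k are handled directly in memory.
fastcgi_buffers 4 128k;
# SCRIPT_FILENAME is a required parameter for things to work properly,
# but was missing in the default fastcgi_params on upgrade to nginx 1.4.
# We define it here to be sure that it exists.
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# Use the upstream for php5-fpm that we defined in nginx.conf
fastcgi_pass unix:/var/run/php5-fpm.sock;
# And get to serving the file!
fastcgi_index index.php;
}
############
# ROBOTS
###########
# location = /robots.txt {
# allow all;
# log_not_found off;
# access_log off;
#}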
@rajuginne rajuginne commented Mar 21, 2018

Any rules for protecting wp-login.php?

I want to rename it and block direct access to wp-login.php.

I tried this but it is not working:
perusio/wordpress-nginx#4

@mims92 mims92 commented Jul 10, 2018

No SSL certificate?
