Last active
April 14, 2021 17:31
-
-
Save kjprince/9496501 to your computer and use it in GitHub Desktop.
/etc/nginx/wordpress.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
################################## | |
# WORDPRESS NGINX CONFIGURATIONS | |
################################## | |
# /etc/nginx/wordpress.conf | |
# | |
# Contains a common configuration for use by nginx on a WordPress | |
# installation. This file should be included in any WordPress site | |
# nginx virtual host config located in sites-available with the following line: | |
# | |
# include /etc/nginx/wordpress.config; | |
# | |
# Attempt to rewrite wordpress in sub directory | |
rewrite ^/wp/([_0-9a-zA-Z-]+)/(xmlrpc\.php|wp-[0-9a-z-]+\.php) /wp/$2; | |
rewrite ^/wp/([_0-9a-zA-Z-]+)/(wp-(admin|content|includes).*) /wp/$2; | |
location / { | |
index index.php index.html; | |
try_files $uri $uri/ /index.php?$args; | |
} | |
############# | |
# Specify a charset | |
############ | |
charset utf-8; | |
############ | |
# GZIP | |
########### | |
gzip off; | |
############# | |
# Add trailing slash to */wp-admin requests. | |
############ | |
rewrite /wp-admin$ $scheme://$host$uri/ permanent; | |
############ | |
# this prevents hidden files (beginning with a period) from being served | |
############ | |
location ~ /\. { | |
access_log off; | |
log_not_found off; | |
deny all; | |
} | |
########### | |
# SEND EXPIRES HEADERS AND TURN OFF 404 LOGGING | |
########### | |
location ~* ^.+.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { | |
access_log off; | |
log_not_found off; | |
expires max; | |
} | |
############ | |
# Pass uploaded files to wp-includes/ms-files.php. | |
############ | |
# rewrite /files/$ /index.php last; | |
if ($uri !~ wp-content/plugins) { | |
rewrite /files/(.+)$ /wp-includes/ms-files.php?file=$1 last; | |
} | |
# Rewrite multisite in a subdirectory '.../wp-.*' and '.../*.php'. | |
# if (!-e $request_filename) { | |
# rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) $1 last; | |
# rewrite ^/[_0-9a-zA-Z-]+.*(/wp-admin/.*\.php)$ $1 last; | |
# rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ $1 last; | |
#} | |
# Rewrite multisite '.../wp-.*' and '.../*.php'. | |
if (!-e $request_filename) { | |
rewrite /wp-admin$ $scheme://$host$uri/ permanent; | |
rewrite ^/[_0-9a-zA-Z-]+(/wp-.*) /wp$1 last; | |
rewrite ^/[_0-9a-zA-Z-]+(/.*\.php)$ /wp$1 last; | |
} | |
############ | |
# Pass all .php files onto a php-fpm or php-cgi server | |
############ | |
location ~ \.php$ { | |
# Try the files specified in order. In our case, try the requested URI and if | |
# that fails, try (successfully) to pass a 404 error. | |
# zero day exploit defense | |
try_files $uri =404; | |
# Include the fastcgi_params defaults provided by nginx | |
include /etc/nginx/fastcgi_params; | |
# The amount of time for upstream to wait for a fastcgi process to send data. | |
# We keep this *extremely* high so that one can be lazy when remote debugging. | |
fastcgi_read_timeout 3600s; | |
# Buffer size for reading the header of the backend FastCGI process. | |
# This defaults to the value of a single fastcgi_buffers, so does not | |
# need to be specified in our case, but it's good to be explicit. | |
fastcgi_buffer_size 128k; | |
# The number and size of the buffers into which the reply from the FastCGI | |
# process in the backend is read. | |
# | |
# 4 buffers at 128k means that any reply by FastCGI greater than 512k goes | |
# to disk and replies under 512k are handled directly in memory. | |
fastcgi_buffers 4 128k; | |
# SCRIPT_FILENAME is a required parameter for things to work properly, | |
# but was missing in the default fastcgi_params on upgrade to nginx 1.4. | |
# We define it here to be sure that it exists. | |
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; | |
# Use the upstream for php5-fpm that we defined in nginx.conf | |
fastcgi_pass unix:/var/run/php5-fpm.sock; | |
# And get to serving the file! | |
fastcgi_index index.php; | |
} | |
############ | |
# ROBOTS | |
########### | |
# location = /robots.txt { | |
# allow all; | |
# log_not_found off; | |
# access_log off; | |
#} | |
############ | |
# RESTRICTIONS | |
############ | |
# Deny access to any files with a .php extension in the uploads directory | |
# Works in sub-directory installs and also in multisite network | |
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) | |
location ~* /(?:uploads|files)/.*\.php$ { | |
deny all; | |
} | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
any rules for protecting wp-login.php
renaming it and blocking direct access to wp-login.php
tried this but not working
perusio/wordpress-nginx#4