@ph33nx
Last active April 26, 2024 12:32
Wordpress/PHP DDOS Protection + Harden PHP on Nginx (2024)
# PHP DDOS Protection + Harden PHP on Nginx (2022)
# Created as per latest security standards
# Includes protection against DDoS, SQL injection, comment spam, PHP code injection and more
# 444 (drop the connection without sending a response) is returned in most places, as it is the most appropriate response for hostile requests
# Some WordPress URLs are also blocked, since most bots hit them whether or not the site actually runs WordPress
# ** Created by @ph33nx : https://github.com/ph33nx **
# HOW TO USE:
# Include the line below in the server block of every WordPress site (e.g. /etc/nginx/conf.d/wp_site.conf) for this to take effect:
# include snippets/wordpress.conf;
# The limit_req zones referenced below (static, engine, login) and the "blocked" log_format must be defined in the http {} context, or nginx will refuse to load this file.
location ~ /\.well-known {
allow all;
}
location ~ /\.ht {
deny all;
}
location ~ /\. {
deny all;
}
# Disable the WP REST users endpoint (enabled by default): it is how bots and attackers enumerate admin usernames.
location ~* /wp/v2/users {
deny all;
# return 444;
}
## Block SQL injections
# Note: location regexes are matched against the decoded URI path only; the query string ($args) is never examined by these rules.
location ~* union.*select.*\( {
access_log /var/log/nginx/blocked.log blocked;
deny all;
}
location ~* union.*all.*select.* {
access_log /var/log/nginx/blocked.log blocked;
deny all;
}
location ~* concat.*\( {
access_log /var/log/nginx/blocked.log blocked;
deny all;
}
## Block common exploits, sql injection and other attacks
location ~* (<|%3C).*script.*(>|%3E) {
access_log /var/log/nginx/blocked.log blocked;
deny all;
}
location ~* base64_(en|de)code\(.*\) {
access_log /var/log/nginx/blocked.log blocked;
deny all;
}
location ~* (%24&x) {
access_log /var/log/nginx/blocked.log blocked;
deny all;
}
location ~* (%0|%A|%B|%C|%D|%E|%F|127\.0) {
access_log /var/log/nginx/blocked.log blocked;
deny all;
}
location ~* \.\.\/ {
access_log /var/log/nginx/blocked.log blocked;
deny all;
}
location ~* ~$ {
access_log /var/log/nginx/blocked.log blocked;
deny all;
}
location ~* proc/self/environ {
access_log /var/log/nginx/blocked.log blocked;
deny all;
}
location ~* /\.(htaccess|htpasswd|svn) {
log_not_found off;
access_log /var/log/nginx/blocked.log blocked;
deny all;
}
location ~* "(eval\()" {
deny all;
}
location ~* "(127\.0\.0\.1)" {
deny all;
}
location ~* "([a-z0-9]{2000})" {
deny all;
}
location ~* "(javascript\:)(.*)(\;)" {
deny all;
}
location ~* "(base64_encode)(.*)(\()" {
deny all;
}
location ~* "(GLOBALS|REQUEST)(=|\[|%)" {
deny all;
}
location ~* "(<|%3C).*script.*(>|%3E)" {
deny all;
}
location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" {
deny all;
}
location ~* "(boot\.ini|etc/passwd|self/environ)" {
deny all;
}
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" {
deny all;
}
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" {
deny all;
}
location ~* "(https?|ftp|php):/" {
deny all;
}
location ~* "(=\\\'|=\\%27|/\\\'/?)\." {
deny all;
}
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" {
deny all;
}
location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" {
deny all;
}
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" {
deny all;
}
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" {
deny all;
}
location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" {
deny all;
}
location ~* [a-zA-Z0-9_]=(\.\.//?)+ {
deny all;
}
location ~* [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ {
deny all;
}
## Block wp-config & xmlrpc access
location ~* /(?:xmlrpc|wp-adminer|wp-config|wp-config-sample|adminer|phpmyadmin)\.php {
return 444;
}
# Block direct access to files with these extensions under content/upload directories
location ~* ^/(?:wp-content|assets|files|uploads|wp-includes|akismet)/(.*?)\.(zip|gz|tar|bzip2|rar|7z|php|php5|log|bak|md|txt|old|orig|original|php#|php~|php_bak|save|swo|swp|sql|ini)(?:/(.*))?$ {
return 444;
}
# Block access to wp-config backup files and nginx.conf backup files
location ~* /(?:nginx\.conf|wp-config\.php\.backup|wp-config\.php\.bak) {
return 444;
}
# Add 365 days expiry to static files
location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|pdf|html|swf)$ {
expires 365d;
add_header Cache-Control "public, no-transform";
}
location / {
limit_req zone=static burst=80;
autoindex off;
try_files $uri $uri/ /index.php$is_args$args;
}
# Stricter rate limit for the login form; must precede the generic PHP handler, since the first matching regex location wins
location ~ /wp-login\.php {
limit_req zone=login burst=1 nodelay;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# PHP handler
location ~ \.php$ {
limit_req zone=engine burst=50 nodelay;
try_files $uri /index.php =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
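The http-context definitions this snippet depends on, shown as an added example (not part of the gist): the zone names and the "blocked" log format name come from the snippet; rates, zone sizes, host name and paths are assumptions to tune for your site.

```nginx
# Added example: prerequisites for snippets/wordpress.conf (not part of the gist).
http {
    # Shared-memory zones keyed by client address for the limit_req calls
    # in the snippet. 10m holds roughly 160k addresses. Rates are assumptions.
    limit_req_zone $binary_remote_addr zone=static:10m rate=30r/s;
    limit_req_zone $binary_remote_addr zone=engine:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=login:10m  rate=10r/m;

    # Drop the connection instead of answering 503 when a limit is exceeded,
    # matching the snippet's convention of returning 444 to abusive clients.
    limit_req_status 444;

    # Log format referenced by "access_log /var/log/nginx/blocked.log blocked;".
    log_format blocked '$remote_addr - [$time_local] "$request" $status '
                       '"$http_user_agent" "$http_referer"';

    server {
        listen 80;
        server_name example.com;        # assumption: your site's host name
        root /var/www/example.com;      # assumption: your WordPress docroot
        index index.php;

        # The snippet's location blocks go here, after the site-specific
        # settings they rely on (root, index).
        include snippets/wordpress.conf;
    }
}
```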