Skip to content

Instantly share code, notes, and snippets.

@DenisJunio

DenisJunio/nginx-wordpress.conf

Forked from nfsarmento/nginx-wordpress.conf
Created September 14, 2020 20:21
Show Gist options
  • Save DenisJunio/f48c6f71a0af7334e0cbb634cd712a12 to your computer and use it in GitHub Desktop.
Save DenisJunio/f48c6f71a0af7334e0cbb634cd712a12 to your computer and use it in GitHub Desktop.
Download ZIP
Harden wordpress security nginx
Raw
wordpress.conf
############ WordPress ####################
location @empty {
empty_gif;
}
# Limit access to avoid brute force attack
# if you getting error please add this (limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;) to your /etc/nginx/nginx.conf
# location = /wp-login.php {
# limit_req zone=one burst=1 nodelay;
# include fastcgi_params;
# fastcgi_pass 127.0.0.1:9000;
#}
#Deny access to wp-content folders for suspicious files
location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ {
deny all;
}
location ~ ^/wp-content/uploads/sucuri {
deny all;
}
location ~ ^/wp-content/updraft {
deny all;
}
#Disable execution of scripts other than PHP from your document root
location ~* .(pl|cgi|py|sh|lua|asp)$ {
return 444;
}
#Disable access to your configuration files and other files that you don’t want to users are able to see
location ~* /(wp-config.php|readme.html|license.txt|nginx.conf) {
deny all;
}
# Disable wp-config.txt
location = /wp-config.txt {
deny all;
access_log off;
log_not_found off;
}
# Disallow php in upload folder and add webp rewrite
location /wp-content/uploads/ {
location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
deny all;
}
# webp rewrite rules
location ~ \.(png|jpe?g)$ {
add_header Vary "Accept-Encoding";
add_header "Access-Control-Allow-Origin" "*";
add_header Cache-Control "public, no-transform";
access_log off;
log_not_found off;
expires max;
try_files $uri $uri =404;
}
}
# nginx block xmlrpc.php requests
location /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
return 444;
}
# nginx block wpscann on plugins folder
location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
deny all;
error_page 403 =404 / ;
}
# block access to install.php and upgrade.php
location ^~ /wp-admin/install.php {
deny all;
error_page 403 =404 / ;
}
location ^~ /wp-admin/upgrade.php {
deny all;
error_page 403 =404 / ;
}
# stop user enumeration
if ($args ~ "^/?author=([0-9]*)"){
set $rule_0 1$rule_0;
}
if ($rule_0 = "1"){
rewrite ^/$ https://next100years.org.uk/404 permanent;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Stop scann for the follow files on plugins folder
location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
deny all;
error_page 403 =404 / ;
}
# Stop scann for the follow files on themes folder
location ~* ^/wp-content/themes/.+\.(txt|log|md)$ {
deny all;
error_page 403 =404 / ;
}
#This module will allow us to pattern match certain key files and inject random text in the files that
# is non-destructive / non-invasive and will most importantly alter the md5sum calculated on such files. All transparent to WPScan.
location ~* ^/(license.txt|wp-includes/(.*)/.+\.(js|css)|wp-admin/(.*)/.+\.(js|css))$ {
sub_filter_types text/css text/javascript text/plain;
sub_filter_once on;
sub_filter ';' '; /* $msec */ ';
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment