DenisJunio · September 14, 2020 20:21
diff --git a/wordpress.conf b/wordpress.conf
 ############ WordPress ####################

 # Disable logging for favicon and robots.txt
 location = /favicon.ico {
  try_files /favicon.ico @empty;
  access_log off;
  log_not_found off;
  expires max;
 }

 location @empty {
  empty_gif;
 }

 location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
    try_files $uri /index.php?$args;
 }

 # Limit access to avoid brute force attack
 # if you getting error please add this (limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;) to your /etc/nginx/nginx.conf
 location = /wp-login.php {
   limit_req zone=one burst=1 nodelay;
   include fastcgi_params;
   fastcgi_pass 127.0.0.1:9000;
 }

 #Deny access to wp-content folders for suspicious files
 location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ {
  deny all;
 }

 location ~ ^/wp-content/uploads/sucuri {
  deny all;
 }

 location ~ ^/wp-content/updraft {
  deny all;
 }

 #Disable execution of scripts other than PHP from your document root
 location ~* .(pl|cgi|py|sh|lua|asp)$ {
   return 444;
 }

 #Disable access to your configuration files and other files that you don’t want to users are able to see
 location ~* /(wp-config.php|readme.html|license.txt|nginx.conf) {
   deny all;
 }

 # Disable wp-config.txt
 location = /wp-config.txt {
    deny all;
    access_log off;
    log_not_found off;
 }

 # Disallow php in upload folder and add webp rewrite
 location /wp-content/uploads/ {
    location ~ \.php$ {
    #Prevent Direct Access Of PHP Files From Web Browsers
        deny all;
    }
    # webp rewrite rules
    location ~ \.(png|jpe?g)$ {
        add_header Vary "Accept-Encoding";
        add_header "Access-Control-Allow-Origin" "*";
        add_header Cache-Control "public, no-transform";
        access_log off;
        log_not_found off;
        expires max;
        try_files $uri  $uri =404;
    }
 }

 # nginx block xmlrpc.php requests
 location /xmlrpc.php {
  deny all;
  access_log off;
  log_not_found off;
  return 444;
 }

 # nginx block wpscann on plugins folder
 location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
  deny all;
  error_page 403 =404 / ;
 }

 # block access to install.php and upgrade.php
 location ^~ /wp-admin/install.php {
  deny all;
  error_page 403 =404 / ;
 }

 location ^~ /wp-admin/upgrade.php {
  deny all;
  error_page 403 =404 / ;
 }

 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
 # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
 location ~* /(?:uploads|files)/.*\.php$ {
   deny all;
 }

 # Stop scann for the follow files on plugins folder
 location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
      deny all;
      error_page 403 =404 / ;
 }

 # Stop scann for the follow files on themes folder
 location ~* ^/wp-content/themes/.+\.(txt|log|md)$ {
      deny all;
      error_page 403 =404 / ;
 }

 #This module will allow us to pattern match certain key files and inject random text in the files that
 # is non-destructive / non-invasive and will most importantly alter the md5sum calculated on such files. All transparent to WPScan.
 location ~* ^/(license.txt|wp-includes/(.*)/.+\.(js|css)|wp-admin/(.*)/.+\.(js|css))$ {
    sub_filter_types text/css text/javascript text/plain;
    sub_filter_once on;
    sub_filter ';' '; /* $msec */ ';
 }

 #Direct PHP File Access
 #If somehow, a hacker successfully sneaks in a PHP file onto your site,
 #they’ll be able to run this file by loading file which effectively becomes a backdoor to infiltrate your site.
 #We should disable direct access to any PHP files by adding the following rules:
 location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
    deny all;
    access_log off;
    log_not_found off;
 }

 #Dotfiles
 #Similar to PHP file, a dotfile like .htaccess, .user.ini, and .git may contain sensitive information.
 #To be on the safer side, it’s better to disable direct access to these files.
 location ~ /\.(svn|git)/* {
    deny all;
    access_log off;
    log_not_found off;
 }
 location ~ /\.ht {
    deny all;
    access_log off;
    log_not_found off;
 }

 # Deny access to uploads that aren’t images, videos, music, etc.
 location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
    deny all;
 }

 #WordFence
 location ~ \.user\.ini$ {
 deny all;
 }
	############ WordPress ####################

	# Disable logging for favicon and robots.txt
	location = /favicon.ico {
	try_files /favicon.ico @empty;
	access_log off;
	log_not_found off;
	expires max;
	}

	location @empty {
	empty_gif;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	try_files $uri /index.php?$args;
	}

	# Limit access to avoid brute force attack
	# if you getting error please add this (limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;) to your /etc/nginx/nginx.conf
	location = /wp-login.php {
	limit_req zone=one burst=1 nodelay;
	include fastcgi_params;
	fastcgi_pass 127.0.0.1:9000;
	}

	#Deny access to wp-content folders for suspicious files
	location ~* ^/(wp-content)/(.*?)\.(zip\|gz\|tar\|bzip2\|7z)\$ {
	deny all;
	}

	location ~ ^/wp-content/uploads/sucuri {
	deny all;
	}

	location ~ ^/wp-content/updraft {
	deny all;
	}

	#Disable execution of scripts other than PHP from your document root
	location ~* .(pl\|cgi\|py\|sh\|lua\|asp)$ {
	return 444;
	}

	#Disable access to your configuration files and other files that you don’t want to users are able to see
	location ~* /(wp-config.php\|readme.html\|license.txt\|nginx.conf) {
	deny all;
	}

	# Disable wp-config.txt
	location = /wp-config.txt {
	deny all;
	access_log off;
	log_not_found off;
	}

	# Disallow php in upload folder and add webp rewrite
	location /wp-content/uploads/ {
	location ~ \.php$ {
	#Prevent Direct Access Of PHP Files From Web Browsers
	deny all;
	}
	# webp rewrite rules
	location ~ \.(png\|jpe?g)$ {
	add_header Vary "Accept-Encoding";
	add_header "Access-Control-Allow-Origin" "*";
	add_header Cache-Control "public, no-transform";
	access_log off;
	log_not_found off;
	expires max;
	try_files $uri $uri =404;
	}
	}

	# nginx block xmlrpc.php requests
	location /xmlrpc.php {
	deny all;
	access_log off;
	log_not_found off;
	return 444;
	}

	# nginx block wpscann on plugins folder
	location ~* ^/wp-content/plugins/.+\.(txt\|log\|md)$ {
	deny all;
	error_page 403 =404 / ;
	}

	# block access to install.php and upgrade.php
	location ^~ /wp-admin/install.php {
	deny all;
	error_page 403 =404 / ;
	}

	location ^~ /wp-admin/upgrade.php {
	deny all;
	error_page 403 =404 / ;
	}

	# Deny access to any files with a .php extension in the uploads directory
	# Works in sub-directory installs and also in multisite network
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~* /(?:uploads\|files)/.*\.php$ {
	deny all;
	}

	# Stop scann for the follow files on plugins folder
	location ~* ^/wp-content/plugins/.+\.(txt\|log\|md)$ {
	deny all;
	error_page 403 =404 / ;
	}

	# Stop scann for the follow files on themes folder
	location ~* ^/wp-content/themes/.+\.(txt\|log\|md)$ {
	deny all;
	error_page 403 =404 / ;
	}

	#This module will allow us to pattern match certain key files and inject random text in the files that
	# is non-destructive / non-invasive and will most importantly alter the md5sum calculated on such files. All transparent to WPScan.
	location ~* ^/(license.txt\|wp-includes/(.)/.+\.(js\|css)\|wp-admin/(.)/.+\.(js\|css))$ {
	sub_filter_types text/css text/javascript text/plain;
	sub_filter_once on;
	sub_filter ';' '; /* $msec */ ';
	}

	#Direct PHP File Access
	#If somehow, a hacker successfully sneaks in a PHP file onto your site,
	#they’ll be able to run this file by loading file which effectively becomes a backdoor to infiltrate your site.
	#We should disable direct access to any PHP files by adding the following rules:
	location ~* /(?:uploads\|files\|wp-content\|wp-includes\|akismet)/.*.php$ {
	deny all;
	access_log off;
	log_not_found off;
	}

	#Dotfiles
	#Similar to PHP file, a dotfile like .htaccess, .user.ini, and .git may contain sensitive information.
	#To be on the safer side, it’s better to disable direct access to these files.
	location ~ /\.(svn\|git)/* {
	deny all;
	access_log off;
	log_not_found off;
	}
	location ~ /\.ht {
	deny all;
	access_log off;
	log_not_found off;
	}

	# Deny access to uploads that aren’t images, videos, music, etc.
	location ~* ^/wp-content/uploads/.*.(html\|htm\|shtml\|php\|js\|swf)$ {
	deny all;
	}

	#WordFence
	location ~ \.user\.ini$ {
	deny all;
	}