Dimasmagadan · December 4, 2020 11:18
diff --git a/wp-secure.conf b/wp-secure.conf
 # wp-secure.conf
 #
 #
 # This file includes common security considerations for wordpress using nginx.
 #
 # The goal is to block actions which are usually dangerous to wordpress.
 # Additionally, we block direct access to PHP files and folders which should not 
 # be accessed directly from a browser.
 #
 # Also have included exceptions for plugins that are known to require this access.


 # Optional HTTP authentication for wp-login and wp-admin areas

 #location ~* /(wp-login\.php) {
 #    limit_req zone=xwplogin burst=1 nodelay;
 #    auth_basic "Authorization Required";
 #    auth_basic_user_file /usr/local/nginx/conf/htpasswd; 
 #    include /usr/local/nginx/conf/php.conf;
 #}
 #
 #location ~* /wp-admin/.*\.php$ {
 #	auth_basic "Authorization Required";
 #    auth_basic_user_file /usr/local/nginx/conf/htpasswd;
 #	include /usr/local/nginx/conf/php.conf;
 #}

 # allow AJAX requests in themes and plugins
 location ~ ^/wp-admin/admin-ajax.php$ { allow all; include /usr/local/nginx/conf/php.conf; }

 #Deny access to wp-content folders for suspicious files
 location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ { deny all; }

 # Deny access to any files with a .php extension in the uploads directory
 # Works in sub-directory installs and also in multisite network
 location ~* /(?:uploads|files)/.*\.php\$ { deny all; }

 # Deny access to uploads that aren’t images, videos, music, etc.
 location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf|css)$ {
    deny all;
 }

 # Block PHP files in uploads, content, and includes directory.
 location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php\$ {
  deny all;
 }
 # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
 location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)\$|^(\..*|Entries.*|Repository|Root|Tag|Template)\$|\.php_
 {
 return 444;
 }
 #nocgi
 location ~* \.(pl|cgi|py|sh|lua)\$ {
 return 444;
 }
 #disallow
 location ~* (w00tw00t) {
 return 444;
 }
 location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }
	# wp-secure.conf
	#
	#
	# This file includes common security considerations for wordpress using nginx.
	#
	# The goal is to block actions which are usually dangerous to wordpress.
	# Additionally, we block direct access to PHP files and folders which should not
	# be accessed directly from a browser.
	#
	# Also have included exceptions for plugins that are known to require this access.


	# Optional HTTP authentication for wp-login and wp-admin areas

	#location ~* /(wp-login\.php) {
	# limit_req zone=xwplogin burst=1 nodelay;
	# auth_basic "Authorization Required";
	# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
	# include /usr/local/nginx/conf/php.conf;
	#}
	#
	#location ~* /wp-admin/.*\.php$ {
	# auth_basic "Authorization Required";
	# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
	# include /usr/local/nginx/conf/php.conf;
	#}

	# allow AJAX requests in themes and plugins
	location ~ ^/wp-admin/admin-ajax.php$ { allow all; include /usr/local/nginx/conf/php.conf; }

	#Deny access to wp-content folders for suspicious files
	location ~* ^/(wp-content)/(.*?)\.(zip\|gz\|tar\|bzip2\|7z)\$ { deny all; }

	# Deny access to any files with a .php extension in the uploads directory
	# Works in sub-directory installs and also in multisite network
	location ~* /(?:uploads\|files)/.*\.php\$ { deny all; }

	# Deny access to uploads that aren’t images, videos, music, etc.
	location ~* ^/wp-content/uploads/.*.(html\|htm\|shtml\|php\|js\|swf\|css)$ {
	deny all;
	}

	# Block PHP files in uploads, content, and includes directory.
	location ~* /(?:uploads\|files\|wp-content\|wp-includes)/.*\.php\$ {
	deny all;
	}
	# Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
	location ~* \.(engine\|inc\|info\|install\|make\|module\|profile\|test\|po\|sh\|.sql\|theme\|tpl(\.php)?\|xtmpl)\$\|^(\..\|Entries.*\|Repository\|Root\|Tag\|Template)\$\|\.php_
	{
	return 444;
	}
	#nocgi
	location ~* \.(pl\|cgi\|py\|sh\|lua)\$ {
	return 444;
	}
	#disallow
	location ~* (w00tw00t) {
	return 444;
	}
	location ~* /(\.\|wp-config\.php\|wp-config\.txt\|changelog\.txt\|readme\.txt\|readme\.html\|license\.txt) { deny all; }