WordPress Security
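# Common security hardening for WordPress served by nginx.
# Include this inside the site's server {} block.
#
# NOTE(ordering): nginx evaluates regex locations in order of appearance and
# uses the FIRST match, so these rules must appear before the site's PHP
# handler (typically `location ~ \.php$ { fastcgi_pass ...; }`); placed after
# it, that handler wins for every *.php URI and the deny rules never fire.
#
# NOTE(anchors): nginx hands an unquoted `\$` to PCRE unchanged, where it means a
# literal "$" character rather than end-of-string. The original `\.php\$`
# patterns therefore only matched URIs containing a "$" and silently blocked
# nothing. The end-of-URI anchors below are plain `$`.
#
# `deny all` answers 403 (confirms the path exists); `return 444` closes the
# connection without a response.

# Allow only the methods WordPress needs; everything else is dropped.
if ($request_method !~ ^(GET|POST|HEAD)$ ) { return 444; }

# Internal admin/include paths that a browser never legitimately requests.
location ~* wp-admin/includes { deny all; }
location ~* wp-includes/theme-compat/ { deny all; }
location ~* wp-includes/js/tinymce/langs/.*\.php$ { deny all; }

# XML-RPC is a frequent brute-force / pingback-abuse target; disable it unless a
# client (Jetpack, the mobile app, remote publishing) actually needs it.
location = /xmlrpc.php { deny all; }

# Deny archives left under wp-content (backups, plugin/theme zips).
# `bz2` added next to `bzip2`: it is the conventional bzip2 file extension.
location ~* ^/wp-content/.*\.(zip|gz|tar|bz2|bzip2|7z)$ { deny all; }

# Deny any .php under uploads/files (most common web-shell drop location).
location ~* /(?:uploads|files)/.*\.php$ { deny all; }

# Deny uploads that are not media: markup, scripts, styles, Flash.
location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf|css)$ { deny all; }

# Block PHP execution under the content and includes trees.
location ~* /wp-content/.*\.php$ { deny all; }
location ~* /wp-includes/.*\.php$ { deny all; }

# Combined rule covering uploads, files, content and includes (subsumes the
# three rules above; kept so either set can be removed independently).
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ { deny all; }

# No CGI-style script extensions anywhere on the site.
location ~* \.(pl|cgi|py|jsp|asp|sh|lua)$ { return 444; }

# Hide dotfiles and well-known sensitive files.
# NOTE: the `\.` alternative also matches `/.well-known/` (ACME/HTTP-01
# challenges). If certificates are issued that way, add an earlier
# `location ^~ /.well-known/ { ... }` — a `^~` prefix match takes precedence
# over regex locations.
location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }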