Skip to content

Instantly share code, notes, and snippets.

@ethanpil
Created May 12, 2017 16:16
Show Gist options
  • Save ethanpil/1bfd01a817a8198369efec5c4cde6628 to your computer and use it in GitHub Desktop.
Save ethanpil/1bfd01a817a8198369efec5c4cde6628 to your computer and use it in GitHub Desktop.
Wordpress Security for NginX
# wp-secure.conf
#
#
# This file includes common security considerations for wordpress using nginx.
#
# The goal is to block actions which are usually dangerous to wordpress.
# Additionally, we block direct access to PHP files and folders which should not
# be accessed directly from a browser.
#
# Also have included exceptions for plugins that are known to require this access.
# Optional HTTP authentication for wp-login and wp-admin areas
#location ~* /(wp-login\.php) {
# limit_req zone=xwplogin burst=1 nodelay;
# auth_basic "Authorization Required";
# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
# include /usr/local/nginx/conf/php.conf;
#}
#
#location ~* /wp-admin/.*\.php$ {
# auth_basic "Authorization Required";
# auth_basic_user_file /usr/local/nginx/conf/htpasswd;
# include /usr/local/nginx/conf/php.conf;
#}
# allow AJAX requests in themes and plugins
location ~ ^/wp-admin/admin-ajax.php$ { allow all; include /usr/local/nginx/conf/php.conf; }
#Deny access to wp-content folders for suspicious files
location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$ { deny all; }
location ~ ^/wp-content/uploads/sucuri { deny all; }
location ~ ^/wp-content/updraft { deny all; }
# Block nginx-help log from public viewing
location ~* /wp-content/uploads/nginx-helper/ { deny all; }
location ~ ^/(wp-includes/js/tinymce/wp-tinymce.php) {
include /usr/local/nginx/conf/php.conf;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
location ~* /(?:uploads|files)/.*\.php\$ { deny all; }
# Deny access to uploads that aren’t images, videos, music, etc.
location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf|css)$ {
deny all;
}
# Whitelist Exception for https://wordpress.org/plugins/onesignal-free-web-push-notifications//
location ~ ^/wp-content/plugins/onesignal-free-web-push-notifications/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/sparkpost/
location ~ ^/wp-content/plugins/sparkpost/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/sendgrid-email-delivery-simplified/
location ~ ^/wp-content/plugins/sendgrid-email-delivery-simplified/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/mailgun/
location ~ ^/wp-content/plugins/mailgun/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/mailjet-for-wordpress/
location ~ ^/wp-content/plugins/mailjet-for-wordpress/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/easy-wp-smtp/
location ~ ^/wp-content/plugins/easy-wp-smtp/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/postman-smtp/
location ~ ^/wp-content/plugins/postman-smtp/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/sendpress/
location ~ ^/wp-content/plugins/sendpress/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wp-mail-bank/
location ~ ^/wp-content/plugins/wp-mail-bank/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/theme-check/
location ~ ^/wp-content/plugins/theme-check/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/woocommerce/
location ~ ^/wp-content/plugins/woocommerce/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/woocommerce-csvimport/
location ~ ^/wp-content/plugins/woocommerce-csvimport/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/advanced-custom-fields/
location ~ ^/wp-content/plugins/advanced-custom-fields/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/contact-form-7/
location ~ ^/wp-content/plugins/contact-form-7/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/duplicator/
location ~ ^/wp-content/plugins/duplicator/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/jetpack/
location ~ ^/wp-content/plugins/jetpack/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/nextgen-gallery/
location ~ ^/wp-content/plugins/nextgen-gallery/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/tinymce-advanced/
location ~ ^/wp-content/plugins/tinymce-advanced/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/updraftplus/
location ~ ^/wp-content/plugins/updraftplus/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wordpress-importer/
location ~ ^/wp-content/plugins/wordpress-importer/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wordpress-seo/
location ~ ^/wp-content/plugins/wordpress-seo/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wpclef/
location ~ ^/wp-content/plugins/wpclef/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/mailchimp-for-wp/
location ~ ^/wp-content/plugins/mailchimp-for-wp/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wp-optimize/
location ~ ^/wp-content/plugins/wp-optimize/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/si-contact-form/
location ~ ^/wp-content/plugins/si-contact-form/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/akismet/
location ~ ^/wp-content/plugins/akismet/ {
location ~ ^/wp-content/plugins/akismet/(.+/)?(form|akismet)\.(css|js)\$ { allow all; }
location ~ ^/wp-content/plugins/akismet/(.+/)?(.+)\.(png|gif)\$ { allow all; }
location ~* /wp-content/plugins/akismet/akismet/.*\.php\$ {
include /usr/local/nginx/conf/php.conf;
allow 127.0.0.1;
deny all;
}
}
# Whitelist Exception for https://wordpress.org/plugins/bbpress/
location ~ ^/wp-content/plugins/bbpress/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/buddypress/
location ~ ^/wp-content/plugins/buddypress/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/all-in-one-seo-pack/
location ~ ^/wp-content/plugins/all-in-one-seo-pack/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/google-analytics-for-wordpress/
location ~ ^/wp-content/plugins/google-analytics-for-wordpress/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/regenerate-thumbnails/
location ~ ^/wp-content/plugins/regenerate-thumbnails/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wp-pagenavi/
location ~ ^/wp-content/plugins/wp-pagenavi/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wordfence/
location ~ ^/wp-content/plugins/wordfence/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/really-simple-captcha/
location ~ ^/wp-content/plugins/really-simple-captcha/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/wp-pagenavi/
location ~ ^/wp-content/plugins/wp-pagenavi/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/ml-slider/
location ~ ^/wp-content/plugins/ml-slider/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/black-studio-tinymce-widget/
location ~ ^/wp-content/plugins/black-studio-tinymce-widget/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/disable-comments/
location ~ ^/wp-content/plugins/disable-comments/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/better-wp-security/
location ~ ^/wp-content/plugins/better-wp-security/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for http://wlmsocial.com/
location ~ ^/wp-content/plugins/wlm-social/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for mediagrid timthumb
location ~ ^/wp-content/plugins/media-grid/classes/ {
include /usr/local/nginx/conf/php.conf;
}
# Whitelist Exception for https://wordpress.org/plugins/sparkpost/
location ~ ^/wp-content/plugins/comet-cache/ {
include /usr/local/nginx/conf/php.conf;
}
# Block PHP files in content directory.
location ~* /wp-content/.*\.php\$ {
deny all;
}
# Block PHP files in includes directory.
location ~* /wp-includes/.*\.php\$ {
deny all;
}
# Block PHP files in uploads, content, and includes directory.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php\$ {
deny all;
}
# Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)\$|^(\..*|Entries.*|Repository|Root|Tag|Template)\$|\.php_
{
return 444;
}
#nocgi
location ~* \.(pl|cgi|py|sh|lua)\$ {
return 444;
}
#disallow
location ~* (w00tw00t) {
return 444;
}
location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }
@BoBBer446
Copy link

Yes, what is /usr/local/nginx/conf/php.conf ? there is no file with this name Did you mean the php.ini?

@elisaado
Copy link

Hey @kraba and @BoBBer446, I have this in there:

                try_files $uri $document_root$fastcgi_script_name =404;                                           
                fastcgi_pass unix:/run/php-fpm/php-fpm.sock;                                                          
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;                                     
                include fastcgi.conf;

                # prevention for httpoxy vulnerability: https://httpoxy.org/                                          
                fastcgi_param HTTP_PROXY "";

@elisaado
Copy link

@eamon55, include it in the server block for the wordpress website in your nginx config file

@thomashare
Copy link

Use the command “locate php.conf” (without quotes) to retrieve your server's php.conf file location. Do a find and replace of the “/usr/local/nginx/conf/php.conf”. If you have multiple php.conf locations, you're going to have to find out which file your server's using.

@toptools
Copy link

location ~* ^/(wp-content)/(.?).(zip|gz|tar|bzip2|7z)$ { deny all; } --------$------------??????????
location ~* ^/(wp-content)/(.
?).(zip|gz|tar|bzip2|7z) $ { deny all; }

location ~* /(?:uploads|files|wp-content|wp-includes)/..php$ {---------$-------------?????????????
location ~* /(?:uploads|files|wp-content|wp-includes)/.
.php$ {

@ShunraCats
Copy link

This looks excellent but long! I am running an nginx proxy server that passes data on to several websites. Can I put this in the main configuration file nginx.conf rather than in each .conf file in sites-available?

@12obin
Copy link

12obin commented Jul 17, 2019

How to audit these rules is working?

@netson
Copy link

netson commented Jan 13, 2020

Hi, when reviewing my own NGINX configuration, I stumbled across this post. You gave me some good ideas, so thank you! :-)

However, it also seems this configuration has some issues:

  • in some regexes, you escape the $-sign; since you don't want to have NGINX interpret this as a string literal, you should remove the \ to indicate that the regex should match the end of the request uri.

  • I don't think any of the Whitelists for plugins are required (although this may vary per plugin); I have been running many sites over the last few years with tons of plugins, and none that I have come across require direct access. They are included by the php-fpm process so by whitelisting them here, you are actually allowing visitors access to these files. I would recommend reviewing these and removing the ones which don't require direct access.

  • you seem to be mixing case sensitive (~) and case insensitive (~*) regexes at random, is this on purpose? Why not use case insensitive ones everywhere to be on the safe side?

  • this rule: \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)\$ searches only for sql files with a dot anywhere in the name (this would also match some.thingsql), not merely as an extension.

As such, please don't blindly copy and paste these rules, as it may cause you harm if you don't understand fully how NGINX interprets the rules!

Regards,
Rinck

@JoshMoreno
Copy link

There's a handful of places where the regex $ symbol is being escaped \$. I had to remove the \ to get these rules working.
For example:

- ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)\$
+ ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$

Also as others mentioned above, there are a bunch of includes for /usr/local/nginx/conf/php.conf, but this wasn't the location for me.
I replaced all instances with the output of locate php.conf (in my case, using laravel forge, it was /etc/nginx/snippets/fastcgi-php.conf).

@dvershinin
Copy link

dvershinin commented Sep 5, 2020

This gist shouldn't exist or be titled "Wordpress INSecurity for NginX".
Not only all the whitelist locations make no sense, but also allow loading static files through PHP-FPM, thus bringing security issues and killing the benefits of NGINX.

Example:

location ~ ^/wp-content/plugins/onesignal-free-web-push-notifications/ {
  include /usr/local/nginx/conf/php.conf;
}

If the related plugin is installed, then accessing URI /wp-content/plugins/onesignal-free-web-push-notifications/notice.js it will be served by PHP-FPM, completely negating the performance benefit of NGINX for those static files.
Furthermore, it makes no sense because nothing in the specific plugin (or any other which are "whitelisted" require direct access to its PHP files), so these locations are not needed at all.

P.S. Filed a post on secure NGINX configuration for Wordpress with what I see as most satisfying the best security practices.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment