kgriffs · March 17, 2020 15:12
diff --git a/naxsi.rules b/naxsi.rules
 # -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" -*-

 # LearningMode;
 SecRulesEnabled;

 DeniedUrl "/RequestDenied"

 CheckRule "$SQL >= 8" BLOCK;
 CheckRule "$RFI >= 8" BLOCK;
 CheckRule "$TRAVERSAL >= 4" BLOCK;
 CheckRule "$EVADE >= 4" BLOCK;
 CheckRule "$XSS >= 8" BLOCK;

 # WordPress naxsi rules

 ### HEADERS
 BasicRule wl:1000,1001,1005,1007,1010,1011,1013,1100,1200,1308,1309,1310,1311,1315 "mz:$HEADERS_VAR:cookie";
 # xmlrpc
 BasicRule wl:1402 "mz:$HEADERS_VAR:content-type";

 ### simple BODY (POST)
 BasicRule wl:1001,1015,1009,1311,1310,1101,1016 "mz:$URL:/|$BODY_VAR:customized";
 # comments
 BasicRule wl:1000,1010,1011,1013,1015,1200,1310,1311 "mz:$BODY_VAR:post_title";
 BasicRule wl:1000 "mz:$BODY_VAR:original_publish";
 BasicRule wl:1000 "mz:$BODY_VAR:save";
 BasicRule wl:1008,1010,1011,1013,1015 "mz:$BODY_VAR:sk2_my_js_payload";
 BasicRule wl:1001,1009,1005,1016,1100,1310 "mz:$BODY_VAR:url";
 BasicRule wl:1009,1100 "mz:$BODY_VAR:referredby";
 BasicRule wl:1009,1100 "mz:$BODY_VAR:_wp_original_http_referer";
 BasicRule wl:1000,1001,1005,1008,1007,1009,1010,1011,1013,1015,1016,1100,1200,1302,1303,1310,1311,1315,1400 "mz:$BODY_VAR:comment";
 BasicRule wl:1100 "mz:$BODY_VAR:redirect_to";
 BasicRule wl:1000,1009,1315 "mz:$BODY_VAR:_wp_http_referer";
 BasicRule wl:1000 "mz:$BODY_VAR:action";
 BasicRule wl:1001,1013 "mz:$BODY_VAR:blogname";
 BasicRule wl:1015,1013 "mz:$BODY_VAR:blogdescription";
 BasicRule wl:1015 "mz:$BODY_VAR:date_format_custom";
 BasicRule wl:1015 "mz:$BODY_VAR:date_format";
 BasicRule wl:1015 "mz:$BODY_VAR:tax_input%5bpost_tag%5d";
 BasicRule wl:1015 "mz:$BODY_VAR:tax_input[post_tag]";
 BasicRule wl:1100 "mz:$BODY_VAR:siteurl";
 BasicRule wl:1100 "mz:$BODY_VAR:home";
 BasicRule wl:1000,1015 "mz:$BODY_VAR:submit";
 # news content matches pretty much everything
 BasicRule wl:0 "mz:$BODY_VAR:content";
 BasicRule wl:1000 "mz:$BODY_VAR:delete_option";
 BasicRule wl:1000 "mz:$BODY_VAR:prowl-msg-message";
 BasicRule wl:1100 "mz:$BODY_VAR:_url";
 BasicRule wl:1001,1009 "mz:$BODY_VAR:c2c_text_replace%5btext_to_replace%5d";
 BasicRule wl:1200 "mz:$BODY_VAR:ppn_post_note";
 BasicRule wl:1100 "mz:$BODY_VAR:author";
 BasicRule wl:1001,1015 "mz:$BODY_VAR:excerpt";
 BasicRule wl:1015 "mz:$BODY_VAR:catslist";
 BasicRule wl:1005,1008,1009,1010,1011,1015,1315 "mz:$BODY_VAR:cookie";
 BasicRule wl:1101 "mz:$BODY_VAR:googleplus";
 BasicRule wl:1007 "mz:$BODY_VAR:name";
 BasicRule wl:1007 "mz:$BODY_VAR:action";
 BasicRule wl:1100 "mz:$BODY_VAR:attachment%5burl%5d";
 BasicRule wl:1100 "mz:$BODY_VAR:attachment_url";
 BasicRule wl:1001,1009,1100,1302,1303,1310,1311 "mz:$BODY_VAR:html";
 BasicRule wl:1015 "mz:$BODY_VAR:title";
 BasicRule wl:1001,1009,1015 "mz:$BODY_VAR:recaptcha_challenge_field";
 BasicRule wl:1011 "mz:$BODY_VAR:pwd";
 BasicRule wl:1000 "mz:$BODY_VAR:excerpt";

 ### BODY|NAME
 BasicRule wl:1000 "mz:$BODY_VAR:delete_option|NAME";
 BasicRule wl:1000 "mz:$BODY_VAR:from|NAME";

 ### Simple ARGS (GET)
 # WP login screen
 BasicRule wl:1100 "mz:$ARGS_VAR:redirect_to";
 BasicRule wl:1000,1009 "mz:$ARGS_VAR:_wp_http_referer";
 BasicRule wl:1000 "mz:$ARGS_VAR:wp_http_referer";
 BasicRule wl:1000 "mz:$ARGS_VAR:action";
 BasicRule wl:1000 "mz:$ARGS_VAR:action2";
 # load and load[] GET variable
 BasicRule wl:1000,1015 "mz:$ARGS_VAR:load";
 BasicRule wl:1000,1015 "mz:$ARGS_VAR:load[]";
 BasicRule wl:1015 "mz:$ARGS_VAR:q";
 BasicRule wl:1000,1015 "mz:$ARGS_VAR:load%5b%5d";

 ### URL
 BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update-core.php";
 BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update.php";
 # URL|BODY
 BasicRule wl:1009,1100 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_http_referer";
 BasicRule wl:1016 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect";
 BasicRule wl:11 "mz:$URL:/xmlrpc.php|BODY";
 BasicRule wl:11 "mz:$URL:/wp-cron.php|BODY";
 BasicRule wl:2 "mz:$URL:/wp-admin/async-upload.php|BODY";
 # URL|BODY|NAME
 BasicRule wl:1100 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_original_http_referer|NAME";
 BasicRule wl:1000 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect|NAME";
 BasicRule wl:1000 "mz:$URL:/wp-admin/user-edit.php|$BODY_VAR:from|NAME";
 BasicRule wl:1100 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:attachment%5burl%5d|NAME";
 BasicRule wl:1100 "mz:$URL:/wp-admin/post.php|$BODY_VAR:attachment_url|NAME";
 BasicRule wl:1000 "mz:$URL:/wp-admin/plugins.php|$BODY_VAR:verify-delete|NAME";
 BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:post_category[]|NAME";
 BasicRule wl:1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:post_category|NAME";
 BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:tax_input[post_tag]|NAME";
 BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php|$BODY_VAR:newtag[post_tag]|NAME";
 BasicRule wl:1310,1311 "mz:$URL:/wp-admin/users.php|$BODY_VAR:users[]|NAME";
 # URL|ARGS|NAME
 BasicRule wl:1310,1311 "mz:$URL:/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME";
 BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:delete_count|NAME";
 BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:update|NAME";

 # plain WP site
 BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update-core.php";
 BasicRule wl:1000 "mz:URL|$URL:/wp-admin/update.php";
 # URL|BODY
 BasicRule wl:1009,1100 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_http_referer";
 BasicRule wl:1016 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect";
 BasicRule wl:11 "mz:$URL:/xmlrpc.php|BODY";
 BasicRule wl:11 "mz:$URL:/wp-cron.php|BODY";
 # URL|BODY|NAME
 BasicRule wl:1100 "mz:$URL:/wp-admin/post.php|$BODY_VAR:_wp_original_http_referer|NAME";
 BasicRule wl:1000 "mz:$URL:/wp-admin/post.php|$BODY_VAR:metakeyselect|NAME";
 BasicRule wl:1000 "mz:$URL:/wp-admin/user-edit.php|$BODY_VAR:from|NAME";
 BasicRule wl:1100 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:attachment%5burl%5d|NAME";
 BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-auth-check]|NAME";
 BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php|$BODY_VAR:data[wp-check-locked-posts][]|NAME";
 BasicRule wl:1310,1311 "mz:$URL:/wp-admin/update-core.php|$BODY_VAR:checked[]|NAME";
 # URL|ARGS|NAME
 BasicRule wl:1310,1311 "mz:$URL:/wp-admin/load-scripts.php|$ARGS_VAR:load[]|NAME";
 BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:delete_count|NAME";
 BasicRule wl:1000 "mz:$URL:/wp-admin/users.php|$ARGS_VAR:update|NAME";

 ### Plugins
 #WP Minify
 BasicRule wl:1015 "mz:$URL:/wp-content/plugins/bwp-minify/min/|$ARGS_VAR:f";
diff --git a/wordpress.conf b/wordpress.conf
 # -*- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: 'american' -*-

 server {
    listen 80;

    server_name example.com www.example.com cdn.example.net;

    access_log   /var/log/nginx/example.com.access.log;
    error_log    /var/log/nginx/example.com.error.log error;

    root /var/www/example.com/htdocs;
    index index.php index.html index.htm;

    charset utf-8;

    set $cache_uri $request_uri;
    set $skip_cache 0;

    set $cache_control 'public, store, must-revalidate';
    set $expires 24h;

    # Don't cache POST requests
    if ($request_method = POST) {
        set $cache_control 'no-cache';
        set $cache_uri 'null cache';
        set $expires 0;
        set $skip_cache 1;
    }

    # Don't cache PUT requests
    if ($request_method = PUT) {
        set $cache_control 'no-cache';
        set $cache_uri 'null cache';
        set $expires 0;
        set $skip_cache 1;
    }

    # Don't cache PATCH requests
    if ($request_method = PATCH) {
        set $cache_control 'no-cache';
        set $cache_uri 'null cache';
        set $expires 0;
        set $skip_cache 1;
    }

    # Don't cache DELETE requests
    if ($request_method = DELETE) {
        set $cache_control 'no-cache';
        set $cache_uri 'null cache';
        set $expires 0;
        set $skip_cache 1;
    }

    # Don't cache requests with a query string
    if ($query_string != '') {
        set $cache_control 'no-cache';
        set $cache_uri 'null cache';
        set $expires 0;
        set $skip_cache 1;
    }

    # Don't cache uris containing the following segments
    if ($request_uri ~* '(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)') {
        set $cache_control 'no-cache';
        set $cache_uri 'null cache';
        set $expires 0;
        set $skip_cache 1;
    }

    # Don't use the cache for logged in users or recent commenters
    if ($http_cookie ~* 'comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in') {
        set $cache_control 'no-cache';
        set $cache_uri 'null cache';
        set $expires 0;
        set $skip_cache 1;
    }

    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt  { log_not_found off; access_log off; }

    location ~ /\.                          { deny all; log_not_found off; access_log off; }
    location = /wp-config.php               { deny all; log_not_found off; access_log off; }
    location ~ ^/wp-content/backups         { deny all; log_not_found off; access_log off; }
    location ~ ^/wp-content/.*\.php$        { deny all; log_not_found off; access_log off; }
    location ~ ^/wp-admin/includes/.*\.php$ { deny all; log_not_found off; access_log off; }
    location ~ ^/wp-includes/.*\.php$       { deny all; log_not_found off; access_log off; }
    location ~ ^/wp-config-sample\.php$     { deny all; log_not_found off; access_log off; }

    location /RequestDenied {
        return 403;
    }

    # Use cached or actual file if they exists, otherwise pass request to WordPress
    location / {
        # WP Super Cache:
        # try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args;

        # Normal:
        try_files $uri $uri/ /index.php?$args;

        include /var/www/example.com/conf/naxsi.rules;
    }

    location ~ /wp-login\.php$ {
        try_files $uri =404;

        limit_req zone=one burst=1 nodelay;

        include /var/www/example.com/conf/naxsi.rules;
        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php;
    }

    location ~ \.php$ {
        try_files $uri =404;

        include /var/www/example.com/conf/naxsi.rules;
        include fastcgi_params;

        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass php;

        fastcgi_cache_bypass $skip_cache;
        fastcgi_no_cache $skip_cache;

        fastcgi_cache WORDPRESS;
        fastcgi_cache_valid  60m;

        add_header Cache-Control $cache_control;
        expires $expires;
    }

    location ~ /purge(/.*) {
        fastcgi_cache_purge WORDPRESS '$scheme$request_method$host$1';
    }

    location ~* .(css|js)$ {
        expires max;
    }

    # Cache static files for as long as possible
    location ~* .(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        expires max;
        log_not_found off;
        access_log off;

        tcp_nodelay off;

        open_file_cache max=1000 inactive=120s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
    }
 }
	# -- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: "american" --

	# LearningMode;
	SecRulesEnabled;

	DeniedUrl "/RequestDenied"

	CheckRule "$SQL >= 8" BLOCK;
	CheckRule "$RFI >= 8" BLOCK;
	CheckRule "$TRAVERSAL >= 4" BLOCK;
	CheckRule "$EVADE >= 4" BLOCK;
	CheckRule "$XSS >= 8" BLOCK;

	# WordPress naxsi rules

	### HEADERS
	BasicRule wl:1000,1001,1005,1007,1010,1011,1013,1100,1200,1308,1309,1310,1311,1315 "mz:$HEADERS_VAR:cookie";
	# xmlrpc
	BasicRule wl:1402 "mz:$HEADERS_VAR:content-type";

	### simple BODY (POST)
	BasicRule wl:1001,1015,1009,1311,1310,1101,1016 "mz:$URL:/\|$BODY_VAR:customized";
	# comments
	BasicRule wl:1000,1010,1011,1013,1015,1200,1310,1311 "mz:$BODY_VAR:post_title";
	BasicRule wl:1000 "mz:$BODY_VAR:original_publish";
	BasicRule wl:1000 "mz:$BODY_VAR:save";
	BasicRule wl:1008,1010,1011,1013,1015 "mz:$BODY_VAR:sk2_my_js_payload";
	BasicRule wl:1001,1009,1005,1016,1100,1310 "mz:$BODY_VAR:url";
	BasicRule wl:1009,1100 "mz:$BODY_VAR:referredby";
	BasicRule wl:1009,1100 "mz:$BODY_VAR:_wp_original_http_referer";
	BasicRule wl:1000,1001,1005,1008,1007,1009,1010,1011,1013,1015,1016,1100,1200,1302,1303,1310,1311,1315,1400 "mz:$BODY_VAR:comment";
	BasicRule wl:1100 "mz:$BODY_VAR:redirect_to";
	BasicRule wl:1000,1009,1315 "mz:$BODY_VAR:_wp_http_referer";
	BasicRule wl:1000 "mz:$BODY_VAR:action";
	BasicRule wl:1001,1013 "mz:$BODY_VAR:blogname";
	BasicRule wl:1015,1013 "mz:$BODY_VAR:blogdescription";
	BasicRule wl:1015 "mz:$BODY_VAR:date_format_custom";
	BasicRule wl:1015 "mz:$BODY_VAR:date_format";
	BasicRule wl:1015 "mz:$BODY_VAR:tax_input%5bpost_tag%5d";
	BasicRule wl:1015 "mz:$BODY_VAR:tax_input[post_tag]";
	BasicRule wl:1100 "mz:$BODY_VAR:siteurl";
	BasicRule wl:1100 "mz:$BODY_VAR:home";
	BasicRule wl:1000,1015 "mz:$BODY_VAR:submit";
	# news content matches pretty much everything
	BasicRule wl:0 "mz:$BODY_VAR:content";
	BasicRule wl:1000 "mz:$BODY_VAR:delete_option";
	BasicRule wl:1000 "mz:$BODY_VAR:prowl-msg-message";
	BasicRule wl:1100 "mz:$BODY_VAR:_url";
	BasicRule wl:1001,1009 "mz:$BODY_VAR:c2c_text_replace%5btext_to_replace%5d";
	BasicRule wl:1200 "mz:$BODY_VAR:ppn_post_note";
	BasicRule wl:1100 "mz:$BODY_VAR:author";
	BasicRule wl:1001,1015 "mz:$BODY_VAR:excerpt";
	BasicRule wl:1015 "mz:$BODY_VAR:catslist";
	BasicRule wl:1005,1008,1009,1010,1011,1015,1315 "mz:$BODY_VAR:cookie";
	BasicRule wl:1101 "mz:$BODY_VAR:googleplus";
	BasicRule wl:1007 "mz:$BODY_VAR:name";
	BasicRule wl:1007 "mz:$BODY_VAR:action";
	BasicRule wl:1100 "mz:$BODY_VAR:attachment%5burl%5d";
	BasicRule wl:1100 "mz:$BODY_VAR:attachment_url";
	BasicRule wl:1001,1009,1100,1302,1303,1310,1311 "mz:$BODY_VAR:html";
	BasicRule wl:1015 "mz:$BODY_VAR:title";
	BasicRule wl:1001,1009,1015 "mz:$BODY_VAR:recaptcha_challenge_field";
	BasicRule wl:1011 "mz:$BODY_VAR:pwd";
	BasicRule wl:1000 "mz:$BODY_VAR:excerpt";

	### BODY\|NAME
	BasicRule wl:1000 "mz:$BODY_VAR:delete_option\|NAME";
	BasicRule wl:1000 "mz:$BODY_VAR:from\|NAME";

	### Simple ARGS (GET)
	# WP login screen
	BasicRule wl:1100 "mz:$ARGS_VAR:redirect_to";
	BasicRule wl:1000,1009 "mz:$ARGS_VAR:_wp_http_referer";
	BasicRule wl:1000 "mz:$ARGS_VAR:wp_http_referer";
	BasicRule wl:1000 "mz:$ARGS_VAR:action";
	BasicRule wl:1000 "mz:$ARGS_VAR:action2";
	# load and load[] GET variable
	BasicRule wl:1000,1015 "mz:$ARGS_VAR:load";
	BasicRule wl:1000,1015 "mz:$ARGS_VAR:load[]";
	BasicRule wl:1015 "mz:$ARGS_VAR:q";
	BasicRule wl:1000,1015 "mz:$ARGS_VAR:load%5b%5d";

	### URL
	BasicRule wl:1000 "mz:URL\|$URL:/wp-admin/update-core.php";
	BasicRule wl:1000 "mz:URL\|$URL:/wp-admin/update.php";
	# URL\|BODY
	BasicRule wl:1009,1100 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:_wp_http_referer";
	BasicRule wl:1016 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:metakeyselect";
	BasicRule wl:11 "mz:$URL:/xmlrpc.php\|BODY";
	BasicRule wl:11 "mz:$URL:/wp-cron.php\|BODY";
	BasicRule wl:2 "mz:$URL:/wp-admin/async-upload.php\|BODY";
	# URL\|BODY\|NAME
	BasicRule wl:1100 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:_wp_original_http_referer\|NAME";
	BasicRule wl:1000 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:metakeyselect\|NAME";
	BasicRule wl:1000 "mz:$URL:/wp-admin/user-edit.php\|$BODY_VAR:from\|NAME";
	BasicRule wl:1100 "mz:$URL:/wp-admin/admin-ajax.php\|$BODY_VAR:attachment%5burl%5d\|NAME";
	BasicRule wl:1100 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:attachment_url\|NAME";
	BasicRule wl:1000 "mz:$URL:/wp-admin/plugins.php\|$BODY_VAR:verify-delete\|NAME";
	BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:post_category[]\|NAME";
	BasicRule wl:1311 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:post_category\|NAME";
	BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:tax_input[post_tag]\|NAME";
	BasicRule wl:1310,1311 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:newtag[post_tag]\|NAME";
	BasicRule wl:1310,1311 "mz:$URL:/wp-admin/users.php\|$BODY_VAR:users[]\|NAME";
	# URL\|ARGS\|NAME
	BasicRule wl:1310,1311 "mz:$URL:/wp-admin/load-scripts.php\|$ARGS_VAR:load[]\|NAME";
	BasicRule wl:1000 "mz:$URL:/wp-admin/users.php\|$ARGS_VAR:delete_count\|NAME";
	BasicRule wl:1000 "mz:$URL:/wp-admin/users.php\|$ARGS_VAR:update\|NAME";

	# plain WP site
	BasicRule wl:1000 "mz:URL\|$URL:/wp-admin/update-core.php";
	BasicRule wl:1000 "mz:URL\|$URL:/wp-admin/update.php";
	# URL\|BODY
	BasicRule wl:1009,1100 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:_wp_http_referer";
	BasicRule wl:1016 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:metakeyselect";
	BasicRule wl:11 "mz:$URL:/xmlrpc.php\|BODY";
	BasicRule wl:11 "mz:$URL:/wp-cron.php\|BODY";
	# URL\|BODY\|NAME
	BasicRule wl:1100 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:_wp_original_http_referer\|NAME";
	BasicRule wl:1000 "mz:$URL:/wp-admin/post.php\|$BODY_VAR:metakeyselect\|NAME";
	BasicRule wl:1000 "mz:$URL:/wp-admin/user-edit.php\|$BODY_VAR:from\|NAME";
	BasicRule wl:1100 "mz:$URL:/wp-admin/admin-ajax.php\|$BODY_VAR:attachment%5burl%5d\|NAME";
	BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php\|$BODY_VAR:data[wp-auth-check]\|NAME";
	BasicRule wl:1310,1311 "mz:$URL:/wp-admin/admin-ajax.php\|$BODY_VAR:data[wp-check-locked-posts][]\|NAME";
	BasicRule wl:1310,1311 "mz:$URL:/wp-admin/update-core.php\|$BODY_VAR:checked[]\|NAME";
	# URL\|ARGS\|NAME
	BasicRule wl:1310,1311 "mz:$URL:/wp-admin/load-scripts.php\|$ARGS_VAR:load[]\|NAME";
	BasicRule wl:1000 "mz:$URL:/wp-admin/users.php\|$ARGS_VAR:delete_count\|NAME";
	BasicRule wl:1000 "mz:$URL:/wp-admin/users.php\|$ARGS_VAR:update\|NAME";

	### Plugins
	#WP Minify
	BasicRule wl:1015 "mz:$URL:/wp-content/plugins/bwp-minify/min/\|$ARGS_VAR:f";
	# -- mode: nginx; mode:autopair; mode: flyspell-prog; ispell-local-dictionary: 'american' --

	server {
	listen 80;

	server_name example.com www.example.com cdn.example.net;

	access_log /var/log/nginx/example.com.access.log;
	error_log /var/log/nginx/example.com.error.log error;

	root /var/www/example.com/htdocs;
	index index.php index.html index.htm;

	charset utf-8;

	set $cache_uri $request_uri;
	set $skip_cache 0;

	set $cache_control 'public, store, must-revalidate';
	set $expires 24h;

	# Don't cache POST requests
	if ($request_method = POST) {
	set $cache_control 'no-cache';
	set $cache_uri 'null cache';
	set $expires 0;
	set $skip_cache 1;
	}

	# Don't cache PUT requests
	if ($request_method = PUT) {
	set $cache_control 'no-cache';
	set $cache_uri 'null cache';
	set $expires 0;
	set $skip_cache 1;
	}

	# Don't cache PATCH requests
	if ($request_method = PATCH) {
	set $cache_control 'no-cache';
	set $cache_uri 'null cache';
	set $expires 0;
	set $skip_cache 1;
	}

	# Don't cache DELETE requests
	if ($request_method = DELETE) {
	set $cache_control 'no-cache';
	set $cache_uri 'null cache';
	set $expires 0;
	set $skip_cache 1;
	}

	# Don't cache requests with a query string
	if ($query_string != '') {
	set $cache_control 'no-cache';
	set $cache_uri 'null cache';
	set $expires 0;
	set $skip_cache 1;
	}

	# Don't cache uris containing the following segments
	if ($request_uri ~* '(/wp-admin/\|/xmlrpc.php\|/wp-(app\|cron\|login\|register\|mail).php\|wp-.*.php\|/feed/\|index.php\|wp-comments-popup.php\|wp-links-opml.php\|wp-locations.php\|sitemap(_index)?.xml\|[a-z0-9_-]+-sitemap([0-9]+)?.xml)') {
	set $cache_control 'no-cache';
	set $cache_uri 'null cache';
	set $expires 0;
	set $skip_cache 1;
	}

	# Don't use the cache for logged in users or recent commenters
	if ($http_cookie ~* 'comment_author\|wordpress_[a-f0-9]+\|wp-postpass\|wordpress_logged_in') {
	set $cache_control 'no-cache';
	set $cache_uri 'null cache';
	set $expires 0;
	set $skip_cache 1;
	}

	location = /favicon.ico { log_not_found off; access_log off; }
	location = /robots.txt { log_not_found off; access_log off; }

	location ~ /\. { deny all; log_not_found off; access_log off; }
	location = /wp-config.php { deny all; log_not_found off; access_log off; }
	location ~ ^/wp-content/backups { deny all; log_not_found off; access_log off; }
	location ~ ^/wp-content/.*\.php$ { deny all; log_not_found off; access_log off; }
	location ~ ^/wp-admin/includes/.*\.php$ { deny all; log_not_found off; access_log off; }
	location ~ ^/wp-includes/.*\.php$ { deny all; log_not_found off; access_log off; }
	location ~ ^/wp-config-sample\.php$ { deny all; log_not_found off; access_log off; }

	location /RequestDenied {
	return 403;
	}

	# Use cached or actual file if they exists, otherwise pass request to WordPress
	location / {
	# WP Super Cache:
	# try_files /wp-content/cache/supercache/$http_host/$cache_uri/index.html $uri $uri/ /index.php?$args;

	# Normal:
	try_files $uri $uri/ /index.php?$args;

	include /var/www/example.com/conf/naxsi.rules;
	}

	location ~ /wp-login\.php$ {
	try_files $uri =404;

	limit_req zone=one burst=1 nodelay;

	include /var/www/example.com/conf/naxsi.rules;
	include fastcgi_params;

	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_pass php;
	}

	location ~ \.php$ {
	try_files $uri =404;

	include /var/www/example.com/conf/naxsi.rules;
	include fastcgi_params;

	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_pass php;

	fastcgi_cache_bypass $skip_cache;
	fastcgi_no_cache $skip_cache;

	fastcgi_cache WORDPRESS;
	fastcgi_cache_valid 60m;

	add_header Cache-Control $cache_control;
	expires $expires;
	}

	location ~ /purge(/.*) {
	fastcgi_cache_purge WORDPRESS '$scheme$request_method$host$1';
	}

	location ~* .(css\|js)$ {
	expires max;
	}

	# Cache static files for as long as possible
	location ~* .(ogg\|ogv\|svg\|svgz\|eot\|otf\|woff\|mp4\|ttf\|css\|rss\|atom\|js\|jpg\|jpeg\|gif\|png\|ico\|zip\|tgz\|gz\|rar\|bz2\|doc\|xls\|exe\|ppt\|tar\|mid\|midi\|wav\|bmp\|rtf)$ {
	expires max;
	log_not_found off;
	access_log off;

	tcp_nodelay off;

	open_file_cache max=1000 inactive=120s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 2;
	open_file_cache_errors off;
	}
	}