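# WordPress hardening snippet for nginx (meant to be included inside a server {} block).
#
# How nginx picks a location, because every rule below depends on it:
#   1. the longest matching prefix location is remembered; if it carries "^~",
#      the search stops there;
#   2. otherwise regex locations are tested IN THE ORDER WRITTEN and the FIRST
#      match wins -- later regexes are never consulted;
#   3. nested locations of the remembered prefix are tested before the
#      server-level regexes.
# All location regexes match only the normalized, percent-decoded $uri; the
# query string ($args) is never seen by a location block.
#
# Ordering in this file: explicit file/path deny rules first, then the broad
# static-asset cache rules, then the generic attack-signature rules.  In the
# original the cache rules preceded some deny rules, so ".exe", ".tar" and
# readme-style ".html" files were served with caching headers instead of denied.
#
# NOTE(review): the PHP handler (location ~ \.php$ ... fastcgi_pass) is not in
# this file.  It has to come AFTER the deny rules below, or wp-config.php and
# .php files under uploads/ reach FastCGI before they are denied -- confirm in
# the including server block.
#
# NOTE(review): add_header is inherited from the server level only when a
# location sets no add_header of its own.  Locations below that set
# Cache-Control / Access-Control-Allow-Origin therefore do NOT emit any
# server-level security headers (HSTS, CSP, X-Frame-Options, ...); repeat
# those here if they are configured at server level.

# ---------------------------------------------------------------------------
# ACME (Let's Encrypt) HTTP-01 challenge directory.
# "^~" is required: without it the hidden-file rule (location ~* /\.) matches
# /.well-known/... and every validation request is answered with 403.
# Only the challenge directory needs to belong to the web-server user; there is
# no need to chown the whole docroot:
#   mkdir -p /var/www/html/.well-known/acme-challenge
#   chown -R www-data:www-data /var/www/html/.well-known
# ---------------------------------------------------------------------------
location ^~ /.well-known/acme-challenge/ {
    alias /var/www/html/.well-known/acme-challenge/;
}

# ---------------------------------------------------------------------------
# Plugin data directories and files that must never be browsable.
# ---------------------------------------------------------------------------
# Sucuri scanner data
location ~* ^/wp-content/uploads/sucuri { deny all; }
# UpdraftPlus backup archives
location ~* ^/wp-content/updraft { deny all; }
# .user.ini (WordFence and others), wherever it lives
location ~* \.user\.ini$ { deny all; }

# Configuration and informational files.
# Dots are escaped: the original "wp-config.php" also matched e.g. "wp-configXphp".
location ~* /(wp-config\.php|readme\.html|license\.txt|nginx\.conf|phpinfo\.php) { deny all; }

# Editor/backup copies of the config saved as .txt (scanner noise, not logged)
location = /wp-config.txt {
    deny all;
    access_log off;
    log_not_found off;
}

# Uploads: never execute PHP here; serve png/jpeg with long cache lifetimes.
# The nested regexes are tested before the server-level regexes whenever this
# prefix is the longest match, so they take precedence for /wp-content/uploads/.
location /wp-content/uploads/ {
    # Direct requests for PHP under uploads are denied and stay logged.
    location ~* \.php$ { deny all; }

    # NOTE(review): labelled "webp rewrite rules" in the original, but nothing
    # here negotiates WebP; the block only sets cache/CORS headers.
    location ~* \.(png|jpe?g)$ {
        add_header Vary "Accept-Encoding";
        add_header "Access-Control-Allow-Origin" "*";
        # add_header Cache-Control "public, no-transform";
        access_log off;
        log_not_found off;
        expires max;
        try_files $uri =404;
    }
}

# Uploads that are not media: anything that could execute or embed script.
# Dot escaped: the original ".*.(html|...)" allowed any character before "html".
location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|swf)$ { deny all; }

# PHP anywhere under an uploads/ or files/ directory (sub-directory and
# multisite installs).  Logging is deliberately left ON so these requests can
# be fed to fail2ban or a WAF.
location ~* /(?:uploads|files)/.*\.php$ { deny all; }

# Plugin / theme readme, log and markdown files: hide them and answer 404 so
# version fingerprinting gets no signal.
# (error_page 403 =404 / performs an internal redirect to "/" with status 404.)
location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
    deny all;
    error_page 403 =404 /;
}
location ~* ^/wp-content/themes/.+\.(txt|log|md)$ {
    deny all;
    error_page 403 =404 /;
}

# Dotfiles and VCS metadata (.htaccess, .htpasswd, .user.ini, .git, .svn,
# .DS_Store ...) may expose secrets or source.  The specific rules come first
# so this scanner noise is not logged; the catch-all below stays logged.
location ~* /\.(svn|git)/* {
    deny all;
    access_log off;
    log_not_found off;
}
location ~* /\.ht {
    deny all;
    access_log off;
    log_not_found off;
}
location ~ /\.user\.ini {
    deny all;
    access_log off;
    log_not_found off;
}
# Any other hidden file or directory.  Moved ahead of the cache rules: in the
# original a hidden ".css"/".jpg" was served because the cache regex matched first.
location ~* /\. { deny all; }

# Backup, editor-swap and dump files (not logged: pure scanner noise).
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
    deny all;
    access_log off;
    log_not_found off;
}

# Extended backup / source / config extension list (logged).
# Must precede the cache rules: the original placed it after the "expires max"
# regex, which also listed .exe and .tar, so those were served, not denied.
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf)$" { deny all; }

# WordPress files at the site root that leak version info or offer an
# unauthenticated attack surface.
# NOTE: denying xmlrpc.php also breaks Jetpack, the mobile apps and pingbacks;
# remove it from this list if any of those are in use.
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|readme\.html|license\.txt)$ { deny all; }

# readme / license / changelog style files anywhere (plugins, themes, vendored
# libraries).  "~*" is case-insensitive, so README and readme are one entry;
# the original "^$" alternative could never match after "/" and is dropped.
# Placed before the ".html" cache rule, which previously shadowed it.
location ~* "/(readme|license|example|legalnotice|installation|changelog)\.(txt|html|md)" { deny all; }

# ---------------------------------------------------------------------------
# Static-asset caching.  First regex match wins, so an extension must appear
# in exactly one list: the duplicate css/js rule and the second ".gz" entry of
# the original were unreachable and have been removed; ".exe"/".tar" are denied
# above and are no longer listed here.
# ---------------------------------------------------------------------------
# Archives, documents and misc binaries; 404s are not logged.
# Site backups (.zip/.tgz/.gz/.rar) left inside the docroot ARE served by this
# rule -- keep backups outside the web root.
location ~* ^.+\.(curl|heic|swf|tiff|rss|atom|zip|tgz|gz|rar|bz2|doc|xls|ppt|mid|midi|wav|bmp|rtf)$ {
    access_log off;
    log_not_found off;
    expires max;
}

# Web fonts
location ~* \.(?:eot|otf|ttf|woff|woff2)$ {
    expires max;
    access_log off;
    add_header Cache-Control "public";
}

# SVG and video (site-specific: cached "forever", so rename files on change)
location ~* \.(?:svg|svgz|mp4|webm)$ {
    expires max;
    access_log off;
    add_header Cache-Control "public";
}

# Images, icons, audio (.gz removed: the archive rule above already claims it)
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|aac|m4a|mp3|ogg|ogv|webp)$ {
    expires 1M;
    access_log off;
    add_header Cache-Control "public";
}

# CSS / JS and their source maps.  The original had a second css/js rule adding
# Cache-Control "public"; it could never match because this one precedes it.
# Add that header here if it is wanted.
location ~* \.(?:css(\.map)?|js(\.map)?)$ {
    add_header "Access-Control-Allow-Origin" "*";
    access_log off;
    log_not_found off;
    expires 30d;
}

# Static HTML
location ~* \.(html)$ {
    expires 30d;
    access_log off;
    add_header Cache-Control "public";
}

# ---------------------------------------------------------------------------
# Generic "attack signature" rules (kept verbatim and in their original order).
# They inspect only the decoded request PATH: a query string such as
# ?id=1' UNION SELECT is never seen by a location regex, so these give no
# protection against injection through parameters -- use a real WAF for that.
# They remain after the cache rules, as in the original, so a static asset
# whose name happens to contain a quote, colon or space is still served.
# The rule matching "(`|<|>|:|;|%|\\|\s|...)" rejects ANY path containing a
# space, "%", ":", ";" or a bracket after decoding, which will 403 legitimate
# files with such names.
# ---------------------------------------------------------------------------
location ~* "(eval\()" { deny all; }
location ~* "(127\.0\.0\.1)" { deny all; }
location ~* "([a-z0-9]{2000})" { deny all; }
location ~* "(javascript\:)(.*)(\;)" { deny all; }
location ~* "(base64_encode)(.*)(\()" { deny all; }
location ~* "(GLOBALS|REQUEST)(=|\[|%)" { deny all; }
location ~* "(<|%3C).*script.*(>|%3)" { deny all; }
location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; }
location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; }
location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { deny all; }
location ~* "(https?|ftp|php):/" { deny all; }
location ~* "(=\\\'|=\\%27|/\\\'/?)\." { deny all; }
location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { deny all; }
location ~ "(`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { deny all; }
location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { deny all; }
location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { deny all; }
# Well-known shell/thumbnailer script names.  "config|settings|configuration"
# also matches legitimately named plugin files (e.g. .../plugin/settings.php)
# if they are requested directly; the meaningless "^$" alternative is dropped.
location ~* "/(mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" { deny all; }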