

An example of Nginx configuration for WordPress security


Here is a detailed example of an Nginx configuration for WordPress security:

```nginx
## Nginx Configuration for Secure WordPress Setup

# Rate-limit zone, keyed on the client IP: 10 requests per second, 10 MB of
# shared state. limit_req_zone is only valid in the http context, so it sits
# outside the server block that references it.
limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/s;

server {
    # listen, server_name, root, index and the rest of the site config go here

    # Disable access to sensitive files and directories (dots escaped so the
    # regex matches the literal file names)
    location ~* /(wp-config\.php|wp-content/debug\.log|readme\.html|license\.txt) {
        deny all;
    }

    # Block direct execution of PHP files in certain directories
    location ~* ^/(wp-content|wp-includes)/.*\.php$ {
        deny all;
    }

    # Limit access to the wp-admin and wp-login.php
    location ~* /(wp-admin|wp-login\.php) {
        limit_req zone=admin burst=1 nodelay;
        include includes/php-example.com.conf;
    }

    # Disable XML-RPC access. "return" runs in the rewrite phase, before
    # "deny all" is evaluated, so nginx simply closes the connection (444)
    location = /xmlrpc.php {
        deny all;
        access_log off;
        log_not_found off;
        return 444;
    }

    # Disable access to .git, .svn and other dot-directories, but keep
    # /.well-known reachable (ACME challenges, security.txt)
    location ~ /\.(?!well-known) {
        deny all;
    }

    # Response headers. Headers set at server level are inherited only by
    # locations that define no add_header of their own.

    # Set Content Security Policy (CSP) to limit XSS impact
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; frame-src 'none';" always;

    # Set Permissions Policy to control browser features
    add_header Permissions-Policy "geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(), payment=()";

    # Set Referrer-Policy to control referrer information
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    # Set X-Frame-Options to prevent clickjacking attacks
    add_header X-Frame-Options "SAMEORIGIN";

    # Set X-XSS-Protection for the legacy browser XSS filter (ignored by
    # current browsers; CSP above is the effective control)
    add_header X-XSS-Protection "1; mode=block";

    # Set X-Content-Type-Options to stop browsers MIME-sniffing responses
    add_header X-Content-Type-Options "nosniff";

    # Disable server version disclosure
    server_tokens off;

    # Limit request methods to GET, POST, HEAD, and OPTIONS
    if ($request_method !~ ^(GET|POST|HEAD|OPTIONS)$) {
        return 444;
    }

    # Include the PHP configuration file (PHP-FPM handler for \.php$)
    include includes/php-example.com.conf;
}
```

Here's a breakdown of the configuration:

1. Disable access to sensitive files and directories: This block prevents direct access to sensitive files like `wp-config.php`, `debug.log`, `readme.html`, and `license.txt`.

2. Block direct access to PHP files in certain directories: This block denies direct requests for PHP files under `wp-content` and `wp-includes`, so a PHP file that ends up in those directories (for example, in the uploads folder) cannot be executed by calling it directly.

3. Limit access to the wp-admin and wp-login.php: This block limits the number of requests to the `wp-admin` and `wp-login.php` pages to prevent brute-force attacks. It also includes the PHP configuration file.

4. Disable XML-RPC access: This block disables access to the `xmlrpc.php` file, which can be a common attack vector.

5. Disable access to version control directories: This block denies access to directories like `.git` and `.svn` to prevent exposing sensitive information.

6. Set Content Security Policy (CSP): This sets a strict Content Security Policy to prevent cross-site scripting (XSS) attacks.

7. Set Permissions Policy: This sets the Permissions Policy to control browser features and APIs.

8. Set Referrer-Policy: This sets the Referrer-Policy to control the referrer information sent with requests.

9. Set X-Frame-Options: This sets the X-Frame-Options header to prevent clickjacking attacks.

10. Set X-XSS-Protection and X-Content-Type-Options: These headers enable the browser's built-in XSS protection and prevent MIME-sniffing, respectively.

11. Disable server version disclosure: This hides the Nginx server version information to prevent potential attackers from identifying the server software.

12. Limit request methods: This block limits the allowed HTTP request methods to GET, POST, HEAD, and OPTIONS.

13. Limit the number of requests per IP address: This sets a rate limit on the number of requests per IP address to prevent brute-force attacks.

14. Include the PHP configuration file: This includes the PHP configuration file, which should contain the necessary settings for your PHP-FPM setup.

Remember to customize the paths and settings to match your specific WordPress installation and environment.
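To confirm the rules above actually took effect after a reload, here is an added post-deployment check (not from the original page): it requests each protected path and the home page and compares status codes and headers with what the configuration should produce. The base URL, the sample paths and the `fetch` injection point are assumptions; the default fetcher uses urllib against a live site.

```python
import urllib.request
import urllib.error
from http.client import RemoteDisconnected
from typing import Callable, NamedTuple, Optional

class Response(NamedTuple):
    status: Optional[int]  # None when the server closed the connection (return 444)
    headers: dict          # header names lower-cased

# Paths the configuration answers with "deny all" (expected HTTP 403); the
# uploads/version paths are constructed samples for the two regex locations
DENIED_PATHS = ["/wp-config.php", "/readme.html", "/license.txt",
                "/wp-content/debug.log", "/wp-content/uploads/test.php",
                "/wp-includes/version.php", "/.git/config"]
# Paths answered with "return 444": nginx closes the connection, no status at all
CLOSED_PATHS = ["/xmlrpc.php"]
# Headers every normal page must carry, with a substring that must appear in each
REQUIRED_HEADERS = {
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=()",
}

def urllib_fetch(url: str) -> Response:
    """Default fetcher: GET the URL and normalise the outcome into a Response."""
    try:
        with urllib.request.urlopen(url, timeout=10) as r:
            return Response(r.status, {k.lower(): v for k, v in r.headers.items()})
    except urllib.error.HTTPError as e:  # 403 and friends still carry headers
        return Response(e.code, {k.lower(): v for k, v in e.headers.items()})
    except (RemoteDisconnected, ConnectionResetError):
        return Response(None, {})        # what "return 444" looks like to a client

def audit(base_url: str, fetch: Callable[[str], Response] = urllib_fetch) -> list:
    """Return one finding per rule that did not behave as the config intends."""
    findings = []
    for path in DENIED_PATHS:
        status = fetch(base_url + path).status
        if status != 403:
            findings.append(f"{path}: expected 403, got {status}")
    for path in CLOSED_PATHS:
        status = fetch(base_url + path).status
        if status is not None:
            findings.append(f"{path}: expected closed connection, got {status}")
    home = fetch(base_url + "/").headers
    if any(c.isdigit() for c in home.get("server", "")):  # server_tokens off?
        findings.append(f"Server header leaks a version: {home['server']}")
    for name, needle in REQUIRED_HEADERS.items():
        if needle not in home.get(name, ""):
            findings.append(f"/: header {name} missing or lacks '{needle}'")
    return findings
```

An empty list from `audit` means every rule behaved as expected; pass a fake `fetch` that returns constructed `Response` objects to exercise the checks without a live server.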
