Techniques for hardening WordPress Sites running on an Nginx server to enhance security.
Limit Access to Admin Panel
Limit XMLRPC Access
This locks down the XML-RPC endpoint (xmlrpc.php), which lets external applications modify your WordPress site. Access can still be allowed from specific IP addresses.

location ~* /xmlrpc\.php$ {
    allow 123.0.1.1;
    deny all;
}
Limit Admin Login Access
Use this to lock down the WordPress admin login – it blocks logins from everyone except the specified IP addresses.

location ~* /wp-login\.php$ {
    allow 195.26.45.206;
    allow 123.0.1.1;
    deny all;
}
Hide/block source and configuration settings
Disable access to PHP Files
This stops a malicious user from directly executing PHP files placed in the upload and content directories:

location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}
Disable access to configuration files
As above, this blocks direct access to dotfiles (.htaccess, .user.ini, .git, etc.), which may contain sensitive information.

location ~ /\.(svn|git)/ {
    deny all;
    access_log off;
    log_not_found off;
}

location ~ /\.ht {
    deny all;
    access_log off;
    log_not_found off;
}

location ~ /\.user\.ini {
    deny all;
    access_log off;
    log_not_found off;
}
Hide Version Number
This hides the Nginx and PHP version numbers from response headers.

# Hide the nginx version.
server_tokens off;

# Hide the PHP version.
fastcgi_hide_header X-Powered-By;
proxy_hide_header X-Powered-By;
Disable Directory Listing
Stop Nginx listing files in directories without an index file.
autoindex off;
Security Headers
Security headers add an extra layer of defence by explicitly telling browsers how the site may and may not be loaded.

# Block loading in an iframe from other origins
add_header X-Frame-Options SAMEORIGIN;

# Enforce HTTPS for one year
add_header Strict-Transport-Security "max-age=31536000";

# Stop browsers MIME-sniffing a response into a different content type
add_header X-Content-Type-Options nosniff;

# Enable the legacy browser XSS filter (ignored by current browsers)
add_header X-XSS-Protection "1; mode=block";
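As an added example, not from the original post: the snippets above combined into one server block, in the order nginx needs them. The hostname, document root, PHP-FPM socket path and TLS settings are assumptions; the IP addresses are the ones used in the snippets above. The allow-listed locations also carry the FastCGI directives, because an allowed client still needs the file handed to PHP rather than served as a static download.

```nginx
# Added example, not from the original post. Hostname, root, socket path
# and TLS settings are assumptions; replace them with your own values.
server {
    listen 443 ssl;
    server_name example.com;          # assumption
    root /var/www/wordpress;          # assumption
    index index.php;
    # ssl_certificate / ssl_certificate_key go here (omitted)

    # Hide version numbers
    server_tokens off;
    fastcgi_hide_header X-Powered-By;
    proxy_hide_header X-Powered-By;

    # Never list directory contents
    autoindex off;

    # Security headers. "always" makes nginx send them on 4xx/5xx responses
    # too; without it they are only added to 2xx and 3xx responses.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;
    # Legacy header, ignored by current browsers; Content-Security-Policy is
    # the modern replacement.
    add_header X-XSS-Protection "1; mode=block" always;

    # --- Deny / allow-list rules -------------------------------------------
    # nginx picks the FIRST regex location that matches, in file order, so
    # every deny block below must appear BEFORE the generic "~ \.php$"
    # handler at the end. Exact-match ("=") locations are checked before
    # any regex, so their position does not matter.
    # If a CDN or reverse proxy sits in front of nginx, allow/deny sees the
    # proxy's address; configure the real_ip module before relying on it.

    # XML-RPC: allow-listed clients only
    location = /xmlrpc.php {
        allow 123.0.1.1;      # address used in the post
        deny all;
        # An allowed client must still reach PHP-FPM, otherwise nginx
        # would serve xmlrpc.php as a plain file.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
    }

    # Login page: allow-listed admin addresses only
    location = /wp-login.php {
        allow 195.26.45.206;  # addresses used in the post
        allow 123.0.1.1;
        deny all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
    }

    # Block direct execution of PHP dropped into writable/content directories
    location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*\.php$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Dotfiles: VCS metadata, Apache leftovers, PHP per-directory config
    location ~ /\.(svn|git)/ { deny all; access_log off; log_not_found off; }
    location ~ /\.ht         { deny all; access_log off; log_not_found off; }
    location ~ /\.user\.ini  { deny all; access_log off; log_not_found off; }

    # --- Normal WordPress handling -----------------------------------------
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Generic PHP handler: must come AFTER the deny blocks above
    location ~ \.php$ {
        try_files $uri =404;   # never hand a non-existent script to PHP-FPM
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption
    }
}
```

Check the result with `nginx -t` before reloading, and then confirm from an address that is not on the allow list that `/xmlrpc.php`, `/wp-login.php`, `/.git/config` and a `.php` path under `/wp-content/uploads/` all return 403 while the `Server` header carries no version number.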