This post was published in 2019 and may contain information, techniques or code examples that are no longer current. Please double-check official documentation and modern best practices before using anything from this article.
Techniques for hardening WordPress Sites running on an Nginx server to enhance security.
Limit Access to Admin Panel
Limit XMLRPC Access
This will lock down the XMLRPC endpoint which allows external applications to modify your WordPress website. You can allow access from specific IP addresses.
location ~* /xmlrpc.php$ {
allow 123.0.1.1;
deny all;
}
Limit Admin Login Access
Use this to lock down the WordPress Admin Panel – it will block logins from everyone except the specified IP addresses.
location ~* /wp-login.php$ {
allow 195.26.45.206;
allow 123.0.1.1;
deny all;
}
Hide/block source and configuration settings
Disable access to PHP Files
This will stop a malicious user being able to directly run PHP files from source:
location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
deny all;
access_log off;
log_not_found off;
}
Disable access to configuration files
As above, this will limit direct access to dotfiles (.htaccess, .user.ini, .git etc) These may contain sensitive information.
location ~ /.(svn|git)/* {
deny all;
access_log off;
log_not_found off;
}
location ~ /.ht {
deny all;
access_log off;
log_not_found off;
}
location ~ /.user.ini {
deny all;
access_log off;
log_not_found off;
}
Hide Version Number
This will hide PHP and Nginx version numbers.
#Hide the nginx version. server_tokens off; #Hide the PHP version. fastcgi_hide_header X-Powered-By; proxy_hide_header X-Powered-By;
Disable Directory Listing
Stop Nginx listing files in directories without an index file.
autoindex off;
Security Headers
Security headers provide an extra layer of security by explicitly telling browsers how the website can and cannot be loaded.
# Block loading in an iFrame add_header X-Frame-Options SAMEORIGIN; # Enforce HTTPS add_header Strict-Transport-Security "max-age=31536000"; # Blocks hidden malicious scripts add_header X-Content-Type-Options nosniff; # Stops scripts from unknown sources add_header X-XSS-Protection "1; mode=block";
Ready to elevate your WordPress site?
Whether you're launching a new site, strengthening security, or integrating WooCommerce, I can help transform your vision into a high-performing online presence.
More WordPress posts
—
Enhancing WordPress Search: The Best Plugins and Tools for 2026
Visitors come expecting to find what they need quickly; when search fails, bounce rates climb and conversions slip. The default WordPress search leaves much to be desired, which means you…
Continue reading "Enhancing WordPress Search: The Best Plugins and Tools for 2026 "
—
WordPress plugin security auditing
In the WordPress ecosystem, plugins are the lifeblood of functionality, yet they represent the single largest attack surface for malicious actors. With thousands of new plugins submitted to the repository…
—
WordPress 6.9.1
WordPress 6.9.1, released on 3 February 2026, is a short‑cycle maintenance update that follows the major 6.9 “Gene” launch in December 2025. Rather than adding new features, this point release…
—
Choosing the right content management system
Choosing the right content management system (CMS) is one of the most consequential early decisions when building a website The content management system shapes everything from how editors publish to…
Continue reading "Choosing the right content management system"