Techniques for hardening WordPress Sites running on an Nginx server to enhance security.
This will lock down the XMLRPC endpoint which allows external applications to modify your WordPress website. You can allow access from specific IP addresses.
location ~* /xmlrpc.php$ { allow 123.0.1.1; deny all; }
Use this to lock down the WordPress Admin Panel – it will block logins from everyone except the specified IP addresses.
location ~* /wp-login.php$ { allow 195.26.45.206; allow 123.0.1.1; deny all; }
This will stop a malicious user being able to directly run PHP files from source:
location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ { deny all; access_log off; log_not_found off; }
As above, this will limit direct access to dotfiles (.htaccess, .user.ini, .git etc) These may contain sensitive information.
location ~ /.(svn|git)/* { deny all; access_log off; log_not_found off; } location ~ /.ht { deny all; access_log off; log_not_found off; } location ~ /.user.ini { deny all; access_log off; log_not_found off; }
This will hide PHP and Nginx version numbers.
#Hide the nginx version. server_tokens off; #Hide the PHP version. fastcgi_hide_header X-Powered-By; proxy_hide_header X-Powered-By;
Stop Nginx listing files in directories without an index file.
autoindex off;
Security headers provide an extra layer of security by explicitly telling browsers how the website can and cannot be loaded.
# Block loading in an iFrame add_header X-Frame-Options SAMEORIGIN; # Enforce HTTPS add_header Strict-Transport-Security "max-age=31536000"; # Blocks hidden malicious scripts add_header X-Content-Type-Options nosniff; # Stops scripts from unknown sources add_header X-XSS-Protection "1; mode=block";