Keith Greer Web Development and Design keithgreer.dev blog / wordpress nginx hardening wordpress security hacking

WordPress Security - Nginx

Posted in WordPress on 21 November 2019

Techniques for hardening WordPress Sites running on an Nginx server to enhance security.

Limit Access to Admin Panel

Limit XMLRPC Access

This will lock down the XMLRPC endpoint which allows external applications to modify your WordPress website. You can allow access from specific IP addresses.

location ~* /xmlrpc.php$ {  
   allow 123.0.1.1;  
   deny all;  
}

Limit Admin Login Access

Use this to lock down the WordPress Admin Panel – it will block logins from everyone except the specified IP addresses.

location ~* /wp-login.php$ {   
   allow 195.26.45.206;   
   allow 123.0.1.1;   
   deny all;   
}

Hide/block source and configuration settings

Disable access to PHP Files

This will stop a malicious user being able to directly run PHP files from source:

location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {  
   deny all; 
   access_log off; 
   log_not_found off;  
}

Disable access to configuration files

As above, this will limit direct access to dotfiles (.htaccess, .user.ini, .git etc) These may contain sensitive information.

location ~ /.(svn|git)/* {  
   deny all; 
   access_log off;  
   log_not_found off;  
}  
 
location ~ /.ht {  
  deny all;  
  access_log off;  
  log_not_found off;  
} 
 
location ~ /.user.ini { 
  deny all;  
  access_log off;  
  log_not_found off;  
}

Hide Version Number

This will hide PHP and Nginx version numbers.

#Hide the nginx version.  
server_tokens off;  
#Hide the PHP version.  
fastcgi_hide_header X-Powered-By;  
proxy_hide_header X-Powered-By;

Disable Directory Listing

Stop Nginx listing files in directories without an index file.

autoindex off;

Security Headers

Security headers provide an extra layer of security by explicitly telling browsers how the website can and cannot be loaded.

# Block loading in an iFrame 
add_header X-Frame-Options SAMEORIGIN;  
# Enforce HTTPS 
add_header Strict-Transport-Security "max-age=31536000";  
# Blocks hidden malicious scripts 
add_header X-Content-Type-Options nosniff;  
# Stops scripts from unknown sources 
add_header X-XSS-Protection "1; mode=block";

Related WordPress Posts

January 2024

Creating a brand-promoting brochure website with WordPress

In today's digital age, establishing an online presence is crucial for businesses looking to promote their brand effectively. One powerful tool for achieving this is... Continue reading

November 2023

WordPress for charities and donation websites

In an era where digital presence is paramount, charities are increasingly turning to online platforms to raise awareness and funds for their causes. WordPress, with... Continue reading

July 2023

How to secure WordPress in 2023?

Securing a WordPress website involves a combination of practices, including using secure hosting configurations, regularly updating WordPress and its plugins/themes, and implementing strong security measures.... Continue reading

More WordPress Posts

Copyright © Keith Greer 2024. Some Rights Reserved.