# WordPress COMMON SETTINGS - WO v3.9.7 # DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE # Limit access to avoid brute force attack location = /wp-login.php { limit_req zone=one burst=1 nodelay; include fastcgi_params; fastcgi_pass php73; } # Prevent DoS attacks on wp-cron location = /wp-cron.php { limit_req zone=two burst=1 nodelay; include fastcgi_params; fastcgi_pass php73; } # Prevent Dos attacks with xmlrpc.php location = /xmlrpc.php { limit_req zone=two burst=1 nodelay; include fastcgi_params; fastcgi_pass php73; } # Disable wp-config.txt location = /wp-config.txt { deny all; access_log off; log_not_found off; } location = /robots.txt { # Some WordPress plugin gererate robots.txt file # Refer #340 issue try_files $uri $uri/ /index.php?$args @robots; access_log off; log_not_found off; } # fallback for robots.txt with default wordpress rules location @robots { return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n"; } # webp rewrite rules for jpg and png images # try to load alternative image.png.webp before image.png location /wp-content/uploads { location ~ \.(png|jpe?g)$ { add_header Vary "Accept-Encoding"; more_set_headers 'Access-Control-Allow-Origin : *'; add_header Cache-Control "public, no-transform"; access_log off; log_not_found off; expires max; try_files $uri$webp_suffix $uri =404; } location ~* \.(php|gz|log|zip|tar|rar)$ { #Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers deny all; } } # webp rewrite rules for EWWW testing image location /wp-content/plugins/ewww-image-optimizer/images { location ~ \.(png|jpe?g)$ { add_header Vary "Accept-Encoding"; more_set_headers 'Access-Control-Allow-Origin : *'; add_header Cache-Control "public, no-transform"; access_log off; log_not_found off; expires max; try_files $uri$webp_suffix $uri =404; } location ~ \.php$ { #Prevent Direct Access Of PHP Files From Web Browsers deny all; } } # enable gzip on static assets - php files are forbidden location /wp-content/cache { # Cache css & js files location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ { more_set_headers 'Access-Control-Allow-Origin : *'; access_log off; log_not_found off; expires 30d; } location ~ \.php$ { #Prevent Direct Access Of PHP Files From Web Browsers deny all; } } # Deny access to any files with a .php extension in the uploads directory # Works in sub-directory installs and also in multisite network # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) location ~* /(?:uploads|files)/.*\.php$ { deny all; } # mitigate DoS attack CVE with WordPress script concatenation # add the following line to wp-config.php # define( 'CONCATENATE_SCRIPTS', false ); location ~ \/wp-admin\/load-(scripts|styles).php { deny all; }