# WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE EasyEngine (ee)
# Limit access to avoid brute force attack
location = /wp-login.php {
    limit_req zone=one burst=1 nodelay;
    include fastcgi_params;
    fastcgi_pass php73;
}
# Disable wp-config.txt
location = /wp-config.txt {
    deny all;
    access_log off;
    log_not_found off;
}
# webp rewrite rules for jpg and png images
# try to load alternative image.png.webp before image.png
location /wp-content/uploads {
    location ~ \.(png|jpe?g)$ {
        add_header Vary "Accept-Encoding";
        add_header "Access-Control-Allow-Origin" "*";
        add_header Cache-Control "public, no-transform";
        access_log off;
        log_not_found off;
        expires max;
        try_files $uri$webp_suffix $uri =404;
    }
    location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
        deny all;
    }
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
    deny all;
}

location "=/wp-config\.(php|txt)" {

location ~* wp-config.php { deny all; }

        location ~* "^/wp-content/uploads/.*\\.php" { deny all; }
        location ~* "^/wp-includes/(?!js/tinymce/wp-tinymce\\.php$).*\\.php" {
                deny all;
        }
        location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; }

        location ~* ".*/cache/.*\\.ph(?:p[345]?|t|tml)" {
                access_log off;
                log_not_found off;
                deny all;
        }

        if ($query_string ~ "author=\d+") {
                return 403;
        }

        location ~* "(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html))" {
                return 403;
        }

        location ~* ".*\\.(psd|log|cmd|exe|bat|csh|sh)" {
                return 403;
        }

        location ~* /\.ht {
                deny all;
        }

        if ($http_user_agent ~* "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)") {
                return 403;
        }

        #extension wp-toolkit end