
# WordPress COMMON SETTINGS - WO v3.9.7
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER A WordOps (wo) UPDATE
#
# Login endpoint: rate-limit to slow down credential brute force.
# The "one" zone (limit_req_zone) and the "php73" upstream are declared
# outside this file. burst=1 with nodelay means that once the zone's rate is
# exceeded the next excess request is rejected immediately (nginx answers 503
# unless limit_req_status is set elsewhere) instead of being queued.
# NOTE(review): this throttles by whatever key the zone was declared with
# (usually the client address), so a distributed attack is barely slowed and
# legitimate users behind one NAT share a single budget -- confirm the key.
location = /wp-login.php {
    limit_req zone=one burst=1 nodelay;
    include fastcgi_params;
    fastcgi_pass php73;
}
# wp-cron.php is unauthenticated and kicks off scheduled work on every hit,
# so it is throttled against request floods. Zone "two" (declared elsewhere)
# is shared with xmlrpc.php below, so both endpoints draw on one budget.
# NOTE(review): if WP-Cron is driven from the system crontab via the PHP CLI
# (DISABLE_WP_CRON set), this endpoint could be denied outright instead of
# rate-limited; keep it open if cron hits it over HTTP (curl/wget).
location = /wp-cron.php {
    limit_req zone=two burst=1 nodelay;
    include fastcgi_params;
    fastcgi_pass php73;
}
# XML-RPC endpoint: throttle to blunt brute force and pingback amplification.
# NOTE(review): limit_req counts HTTP requests, but a single XML-RPC request
# can carry hundreds of login attempts through system.multicall, so this
# bounds the request rate, not the credential-guess rate. If XML-RPC is not
# needed (Jetpack, mobile apps, pingbacks), `deny all;` is the stronger
# control; if it must stay on, disable system.multicall on the WordPress
# side as well.
location = /xmlrpc.php {
    limit_req zone=two burst=1 nodelay;
    include fastcgi_params;
    fastcgi_pass php73;
}
  21. # Disable wp-config.txt
  22. location = /wp-config.txt {
  23. deny all;
  24. access_log off;
  25. log_not_found off;
  26. }
# robots.txt: prefer a real file on disk (some WordPress plugins generate
# one, see issue #340); otherwise fall back to the static default in @robots.
# NOTE(review): "/index.php?$args" sits in a non-final try_files position,
# where nginx tests it as a literal file name (query string included) instead
# of performing an internal redirect, so it can never match and the request
# always ends in @robots when no physical robots.txt exists. WordPress's own
# virtual robots.txt is therefore not reachable here -- confirm that is
# intended before changing the order.
location = /robots.txt {
    try_files $uri $uri/ /index.php?$args @robots;
    access_log off;
    log_not_found off;
}
# Fallback for robots.txt with the default WordPress rules.
# The Content-Type should come from the request's .txt extension via the
# types map (presumably text/plain) -- verify with curl -I /robots.txt.
location @robots {
    return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
}
  38. # webp rewrite rules for jpg and png images
  39. # try to load alternative image.png.webp before image.png
  40. location /wp-content/uploads {
  41. location ~ \.(png|jpe?g)$ {
  42. add_header Vary "Accept-Encoding";
  43. more_set_headers 'Access-Control-Allow-Origin : *';
  44. add_header Cache-Control "public, no-transform";
  45. access_log off;
  46. log_not_found off;
  47. expires max;
  48. try_files $uri$webp_suffix $uri =404;
  49. }
  50. location ~* \.(php|gz|log|zip|tar|rar)$ {
  51. #Prevent Direct Access Of PHP Files & BackupsFrom Web Browsers
  52. deny all;
  53. }
  54. }
  55. # webp rewrite rules for EWWW testing image
  56. location /wp-content/plugins/ewww-image-optimizer/images {
  57. location ~ \.(png|jpe?g)$ {
  58. add_header Vary "Accept-Encoding";
  59. more_set_headers 'Access-Control-Allow-Origin : *';
  60. add_header Cache-Control "public, no-transform";
  61. access_log off;
  62. log_not_found off;
  63. expires max;
  64. try_files $uri$webp_suffix $uri =404;
  65. }
  66. location ~ \.php$ {
  67. #Prevent Direct Access Of PHP Files From Web Browsers
  68. deny all;
  69. }
  70. }
  71. # enable gzip on static assets - php files are forbidden
  72. location /wp-content/cache {
  73. # Cache css & js files
  74. location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
  75. more_set_headers 'Access-Control-Allow-Origin : *';
  76. access_log off;
  77. log_not_found off;
  78. expires 30d;
  79. }
  80. location ~ \.php$ {
  81. #Prevent Direct Access Of PHP Files From Web Browsers
  82. deny all;
  83. }
  84. }
  85. # Deny access to any files with a .php extension in the uploads directory
  86. # Works in sub-directory installs and also in multisite network
  87. # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
  88. location ~* /(?:uploads|files)/.*\.php$ {
  89. deny all;
  90. }
  91. # mitigate DoS attack CVE with WordPress script concatenation
  92. # add the following line to wp-config.php
  93. # define( 'CONCATENATE_SCRIPTS', false );
  94. location ~ \/wp-admin\/load-(scripts|styles).php {
  95. deny all;
  96. }