

  # WordPress COMMON SETTINGS
  # DO NOT MODIFY: all changes are lost when EasyEngine (ee) updates this file
  # Throttle the login form to slow down password brute-forcing.
  # `zone=one` must be declared by a limit_req_zone directive in the http
  # context (outside this file). burst=1 nodelay: one request over the zone's
  # rate is still served immediately, further excess requests receive the
  # limit_req error status (503 unless limit_req_status says otherwise).
  # NOTE(review): only wp-login.php is throttled here; check whether the
  # same limit is applied to xmlrpc.php elsewhere in the vhost.
  location = /wp-login.php {
      limit_req zone=one burst=1 nodelay;
      include fastcgi_params;     # standard FastCGI parameter set
      fastcgi_pass php73;         # upstream "php73" is defined outside this file
  }
  # A stray wp-config.txt (typically an editor/backup copy of wp-config.php)
  # would expose database credentials; refuse it and keep it out of the logs.
  location = /wp-config.txt {
      deny all;
      access_log off;
      log_not_found off;
  }
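  # Uploads tree: serve a pre-generated image.png.webp ahead of image.png when
  # the client accepts it, and never pass PHP found here to the interpreter.
  location /wp-content/uploads {
      location ~ \.(png|jpe?g)$ {
          # The response body depends on $webp_suffix (set by a map outside
          # this file, presumably from the Accept header — confirm), so shared
          # caches must key on Accept; the previous Vary value was only
          # Accept-Encoding, which let a cache hand a .webp body to a client
          # that cannot decode it. Accept-Encoding is kept for compatibility.
          add_header Vary "Accept, Accept-Encoding";
          add_header "Access-Control-Allow-Origin" "*";
          add_header Cache-Control "public, no-transform";
          access_log off;
          log_not_found off;
          expires max;
          # image.png.webp first, then image.png, otherwise 404.
          try_files $uri$webp_suffix $uri =404;
      }
      # PHP uploaded into this tree is never executed. Nested locations are
      # searched before the server-level regex locations, so this wins for
      # /wp-content/uploads/*.php regardless of the PHP handler's position.
      location ~ \.php$ {
          deny all;
      }
  }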
  # Belt-and-braces deny for PHP under any uploads/ or files/ directory,
  # whatever the install prefix (sub-directory and multisite layouts alike).
  # Logging is deliberately left on so the requests can be parsed later or
  # handed to tooling such as fail2ban.
  # NOTE(review): the trailing $ means "script.php/extra" does not match
  # here; that is only harmless if the PHP handler elsewhere in this vhost
  # also requires the URI to end in .php — verify.
  location ~* /(?:uploads|files)/.*\.php$ {
      deny all;
  }
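  # Block the admin script/style concatenation endpoints, which can be abused
  # for resource exhaustion. wp-admin still needs them unless wp-config.php
  # disables concatenation with:
  #     define( 'CONCATENATE_SCRIPTS', false );
  # The dot before "php" is now escaped; the original pattern matched any
  # character there. A case-insensitive duplicate of this rule appears
  # further down in the wp-toolkit block.
  location ~ /wp-admin/load-(scripts|styles)\.php {
      deny all;
  }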
  44. location "=/wp-config\.(php|txt)" {
  # NOTE(review): this rule and every rule that follows down to the
  # user-agent check are nested inside `location "=/wp-config\.(php|txt)" {`
  # opened directly above. Because the modifier sits inside the quotes, nginx
  # reads the leading "=" as an exact match on the literal URI
  # /wp-config\.(php|txt), which no real request carries, and nginx rejects
  # nested locations inside an exact-match location ("cannot be inside the
  # exact location"). Expect `nginx -t` to refuse the file or, if it loads,
  # these rules to be unreachable; they belong at server level. Verify
  # before relying on any of them.
  # Deny wp-config.php wherever it appears in the URI (the unescaped dot of
  # the original is kept: it matches any single character there).
  location ~* wp-config.php { deny all; }
  # Deny anything PHP-like under the uploads tree. No end anchor, so .php5,
  # .phps and "script.php/extra" are caught as well as plain .php.
  location ~* "^/wp-content/uploads/.*\\.php" { deny all; }
  # No direct PHP requests under wp-includes, with the single exception
  # carved out by the negative lookahead (the TinyMCE loader).
  location ~* "^/wp-includes/(?!js/tinymce/wp-tinymce\\.php$).*\\.php" {
      deny all;
  }
  # Same intent as the case-sensitive load-(scripts|styles) rule earlier in
  # this file; this variant is case-insensitive and anchored to /wp-admin/.
  location ~* "^/wp-admin/(load-styles|load-scripts)\\.php" { deny all; }
  # Never serve PHP-like files (.php, .php3-5, .pht, .phtml) from any path
  # containing a /cache/ segment, and do not log the attempts.
  location ~* ".*/cache/.*\\.ph(?:p[345]?|t|tml)" {
      access_log off;
      log_not_found off;
      deny all;
  }
  # Reject ?author=N user-enumeration probes with a bare 403. The pattern
  # is a substring match on the whole query string, so it fires for any
  # parameter ending in "author=" followed by digits, not only the first one.
  # "if" with a plain return is one of its safe uses.
  if ($query_string ~ "author=\d+") {
      return 403;
  }
  # Files that leak version or configuration details: editor/backup copies
  # of wp-config, readme/license/changelog files, and any *-config.* or
  # *-sample.* name in the listed formats. Note that "-config\.php" also
  # matches wp-config.php itself.
  location ~* "(?:wp-config\\.bak|\\.wp-config\\.php\\.swp|(?:readme|license|changelog|-config|-sample)\\.(?:php|md|txt|htm|html))" {
      return 403;
  }
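  # Never serve design sources, logs, or executables/shell scripts.
  # A word boundary now follows the extension: the original pattern had no
  # terminator, so ".log" and ".sh" also matched as prefixes inside ordinary
  # names (constructed examples: "site.logo.png", "jquery.shuffle.js",
  # "icon.share.png" were all refused). Rotated logs such as debug.log.1
  # and path-info forms such as script.sh/x still match.
  location ~* ".*\\.(psd|log|cmd|exe|bat|csh|sh)\\b" {
      return 403;
  }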
  # Apache dot-files (.htaccess, .htpasswd, ...) are never served; the
  # pattern covers any path segment starting with ".ht".
  location ~* /\.ht {
      deny all;
  }
  # Coarse user-agent denylist for scanners and aggressive crawlers. The
  # header is entirely client-controlled, so this is noise reduction, not
  # access control. Several entries (harvest, extract, grab, miner,
  # python-requests) are plain substring matches and will also refuse
  # legitimate clients whose UA happens to contain them.
  if ($http_user_agent ~* "(?:acunetix|BLEXBot|domaincrawler\\.com|LinkpadBot|MJ12bot/v|majestic12\\.co\\.uk|AhrefsBot|TwengaBot|SemrushBot|nikto|winhttp|Xenu\\s+Link\\s+Sleuth|Baiduspider|HTTrack|clshttp|harvest|extract|grab|miner|python-requests)") {
      return 403;
  }
  71. #extension wp-toolkit end