Securing WordPress with Nginx is a necessary task, given how easily a site can be compromised by attackers who exploit known (and less known) bugs.
A few directives in the Nginx configuration can greatly reduce the risk of being hacked.
Securing WordPress with Nginx and Plesk
If you use Plesk, you can enter the directives by opening the chosen domain, going to Apache & Nginx Settings, and pasting them into the “Additional Nginx Directives” field.
Securing WordPress with Nginx from terminal
If you have terminal access, you can insert the directives by editing the Nginx configuration file and placing them inside the “http {” block, just before “include /etc/nginx/conf.d/*.conf;”:
sudo nano /etc/nginx/nginx.conf
Disable directory listing
It is important to disable directory listing so that an attacker cannot enumerate the contents of a directory that has no index file.
## disable directory listing
autoindex off;
Block access to xmlrpc.php
WordPress uses the xmlrpc.php file to allow third parties to publish content on the site via the XML-RPC API. It is typically used by Jetpack and the WordPress mobile app. In most cases it can be safely disabled.
## block access to xmlrpc.php
location ~* /xmlrpc\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}
Prevent access to some files
Block direct access to wp-config.php and to files that are not meant to be served, such as readme.html and license.txt:
## block access to configuration files and other files
location ~* /(wp-config\.php|readme\.html|license\.txt) {
    deny all;
}
Block direct access to php files
There are many PHP files in WordPress that an outside user should never be able to call directly.
## block direct access to php files under upload, plugin and include paths
location ~* /(?:files|wp-content|wp-includes|akismet)/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}
Block access to dot files
As with the PHP files seen above, files beginning with “.” such as .htaccess, .user.ini, and .git may contain sensitive information, and therefore direct access must be blocked.
## block direct access to dotfiles like .htaccess, .user.ini, and .git
location ~ /\.(svn|git) {
    deny all;
    access_log off;
    log_not_found off;
}
location ~ /\.ht {
    deny all;
    access_log off;
    log_not_found off;
}
location ~ /\.user\.ini {
    deny all;
    access_log off;
    log_not_found off;
}
Prevent access to backup and log files
Be sure not to expose other sensitive files, such as backups, logs, editor swap files and database dumps:
# block direct access to backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql|wpress)$ {
    deny all;
    access_log off;
    log_not_found off;
}
Limiting Login Requests
The WordPress login URL, wp-login.php, is the same for millions of sites, which is why attackers try to get in by guessing username and password combinations.
A rule can be added that limits the number of requests per second the login page will accept.
Open the nginx configuration file:
sudo nano /etc/nginx/nginx.conf
and add the following line within “http {”, immediately before “include /etc/nginx/conf.d/*.conf;”:
limit_req_zone $binary_remote_addr zone=WPLOGINLIMIT:10m rate=2r/s;
N.B. Do not add this on sites with a very high volume of logins, such as large e-commerce sites.
Then you can add
## limit login requests
location ~ /wp-login\.php$ {
    limit_req zone=WPLOGINLIMIT;
    # this location must also contain the same fastcgi_* directives as your
    # regular PHP location; otherwise nginx serves wp-login.php as a static file
}
Finally, restart nginx:
systemctl restart nginx
Hide nginx version
# hide nginx version
server_tokens off;
Hide php version
# hide php version
fastcgi_hide_header X-Powered-By;
proxy_hide_header X-Powered-By;
Add security headers
## secure headers
### force the browser to load your site over HTTPS
add_header Strict-Transport-Security "max-age=31536000";
### prevent content sniffing
add_header X-Content-Type-Options nosniff;
### prevent your site from being loaded in a cross-origin iframe
add_header X-Frame-Options SAMEORIGIN;
### stop pages from loading when the browser detects reflected cross-site scripting
add_header X-XSS-Protection "1; mode=block";
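Putting it together, here is an added example (not from the original page or the linked gist) of a complete server block that places every rule above in the context nginx expects: limit_req_zone and server_tokens belong in the http {} context, while location blocks are only valid inside a server {} block, so on a plain install the location rules go into the site's server block (for example under /etc/nginx/sites-enabled or conf.d) rather than directly into http {}. The server name, site root, certificate paths and PHP-FPM socket are placeholders; replace them with your own.

```nginx
# Added example, not the page's or the gist's own configuration.
# Placeholders: example.com, /var/www/html, the TLS paths and the PHP-FPM socket.

# --- http {} context: zones and global settings ---
limit_req_zone $binary_remote_addr zone=WPLOGINLIMIT:10m rate=2r/s;
server_tokens off;

# --- server {} context: everything below must sit inside a server block ---
server {
    listen 443 ssl;
    server_name example.com;                                  # placeholder
    root /var/www/html;                                       # placeholder
    index index.php;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;     # placeholder

    autoindex off;

    # Security headers. "always" also adds them to 403/404/5xx responses.
    # An add_header inside a location discards the inherited ones, so repeat
    # all four in any location that adds its own header.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Exact matches win over every regex location, so these cannot be
    # shadowed by the generic PHP handler further down.
    location = /xmlrpc.php    { deny all; access_log off; log_not_found off; }
    location = /wp-config.php { deny all; }
    location = /readme.html   { deny all; }
    location = /license.txt   { deny all; }

    # Login rate limit: 2 requests/second per client address, with a small
    # burst so a real user who double-clicks is not rejected outright.
    location = /wp-login.php {
        limit_req zone=WPLOGINLIMIT burst=5 nodelay;
        limit_req_status 429;
        # The PHP handoff must be repeated here: a location holding only
        # limit_req would serve wp-login.php as a static file (its source).
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_hide_header X-Powered-By;
        fastcgi_pass unix:/run/php/php-fpm.sock;              # placeholder
    }

    # Regex locations are tried in the order written: deny rules first,
    # the generic PHP handler last.
    location ~ /\.(svn|git)  { deny all; access_log off; log_not_found off; }
    location ~ /\.ht         { deny all; access_log off; log_not_found off; }
    location ~ /\.user\.ini  { deny all; access_log off; log_not_found off; }

    location ~* \.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql|wpress)$ {
        deny all; access_log off; log_not_found off;
    }

    location ~* /(?:files|wp-content|wp-includes|akismet)/.*\.php$ {
        deny all; access_log off; log_not_found off;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;      # never pass a non-existent script to PHP-FPM
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_hide_header X-Powered-By;
        fastcgi_pass unix:/run/php/php-fpm.sock;              # placeholder
    }
}
```

Run `nginx -t` before reloading, and check the result with a few requests: /xmlrpc.php, /wp-config.php and /.git/config should return 403, a burst of requests to /wp-login.php should start returning 429, and the response headers on a normal page should carry all four security headers. On Plesk, the “Additional Nginx Directives” field is inserted into the server block Plesk generates, so paste only the location and add_header lines there (Plesk already provides the listen, root, TLS and PHP handler directives); the limit_req_zone line still has to live in the http {} context, for example in a file under /etc/nginx/conf.d/.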
Source: https://gist.github.com/nfsarmento/57db5abba08b315b67f174cd178bea88