Securing your WordPress site running on Nginx

As you already know by now Nginx is the latest fast web server software. In case if you are not familiar with Nginx, you may be familiar with the Apache HTTP web server software. Even though they have significant differences in the performance and function both of them can serve your site which is powered by WordPress. So, today I am going to introduce some helpful Nginx server configurations to have a secure WordPress site.

No PHP scripts in the uploads/directory

The uploads directory is located within the wp-content folder. It usually contains everything that stores everything that you and your users upload to your WordPress sites like pictures, videos, and temporary files. If an issue comes up when an attacker decides to gain control of your site, he may be able to get some PHP scripts into the uploads directory. Then he will be able to run the scripts by calling the URL address of that specific file.

Ex: https://abc.com/wp-content/uploads/a-hidden-hack.php.

Fortunately, we can prevent the attacker from requesting the file. The below Nginx location directive can inspect the incoming request. And then with regular expressions jujitsu can check whether that file is ending in .php or not. If so, deny all. The Nginx module denies it. restricts access to certain clients (visitors) addresses.

location ~* /(?:uploads|files)/.*.php$ {
    deny all;
}

Hide Sensitive Files

Some files in your site contain valuable information like passwords, database SQL queries, backups, etc. Definitely a random visitor should not have access to this information.
So, to prevent those sensitive files you can use the following method. The below location directive uses regular expressions to match those files and return “No Response” while closing the connection.

location ~* .(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(.php)?|xtmpl)$|^(..*|Entries.*|Repository|Root|Tag|Template)$|.php_
{
        return 444;
}

No other CGI scripts

CGI stands for Common Gateway Interface. It is the standard method to generate dynamic content on the web. If you are running an Nginx web server you might be already using a CGI; FastCGI to facilitate your WordPress site.
Some attackers might mask their viruses as CGI scripts of various languages like Python. Just enter the following Nginx config:

location ~* .(pl|cgi|py|sh|lua)$ {
        return 444;
}

That’s all. You are good to go!

Restrict WordPress pain points

There are some files in WordPress that may help an attacker to get more details about your WordPress; like its version. And also we might expose the site database settings when we are changing the wp-config.php file. And even spammers are trying to post comments on your articles.
So in order to prevent that, I recommend you use the Disqus Comment System. But you have to deny access to the standard WordPress comment system. Or else spammers would be able to comment. Though the comments won’t be visible below the articles they will be stored in the database taking up space unnecessarily and causing problems.
Just deny them all! That’s the answer.

location ~ /(.|wp-config.php|wp-comments-post.php|readme.html|license.txt) {
    deny all;
}

Stop Image Hotlinking

Imagine if you have an image uploaded on your site. The URL of that will be http://my-site.com/wp-content/uploads/image.png. What will happen if someone wants to put the same image on their site?

Every time a visitor loads their site, the image will be requested from your site, not from theirs. So this will waste your valuable bandwidth, server CPU, and RAM resources.
So you can use the following Nginx config to prevent this:

location ~ .(gif|png|jpe?g)$ {
     valid_referers none blocked mywebsite.com *.mywebsite.com;
     if ($invalid_referer) {
        return   403;
    }
}

Put your site on the valid_referers line. That particular line indicates the sites which are enabled to request images.