Introduction
Securing a WordPress site can feel like fortifying a castle that’s constantly under siege. From hackers trying to brute-force their way in to bots looking for any weak link, WordPress sites face endless threats. As a DevOps engineer, I’ve learned that strong Nginx configurations can be a game-changer in keeping attackers at bay. Here’s a list of my top 10 Nginx rules to boost your WordPress security, bringing you peace of mind while safeguarding your site’s performance and integrity.
Let’s dive in and lock down your site with some rock-solid Nginx configurations.
1. Disable Access to Sensitive Files
One of the easiest ways to harden your WordPress security is to restrict access to files that shouldn’t be public. Certain files, like the configuration and XML-RPC files, can be exploited by attackers.
location ~* ^/(?:wp-config\.php|xmlrpc\.php)$ {
    # anchored, with escaped dots, so only these two files match
    # rather than any path that happens to contain their names
    deny all;
}
This rule ensures that these sensitive files remain completely out of reach, stopping unauthorized users from ever seeing them. One caveat: blocking xmlrpc.php also cuts off anything that still talks XML-RPC to your site, such as Jetpack, pingbacks and the older mobile apps, so confirm you do not rely on them first.
2. Block PHP Execution in Uploads Folder
The uploads folder is where images and media files live, but hackers sometimes sneak malicious PHP files in there. Let’s disable PHP execution in this folder to make it harder for them to cause harm.
# Must be listed before the general \.php$ handler: nginx uses the first matching regex location.
location ~* ^/wp-content/uploads/.*\.php$ {
    deny all;
}
Think of it as putting a “No Entry” sign on a restricted area. Your media stays safe, and malicious scripts stay out. One detail matters: nginx stops at the first regex location that matches, so this block has to appear above the general \.php$ location that hands scripts to PHP-FPM, or it never fires.
3. Limit Access to the wp-login.php Page
The login page is one of the most common targets on a WordPress site: bots hammer it with repeated brute-force attempts to guess credentials. Restricting wp-login.php to a set of known IP addresses turns those attempts away before they ever reach PHP.
location = /wp-login.php {
    allow 192.168.1.1;
    deny all;
    # PHP handler; without it nginx would serve wp-login.php as plain text to the allowed address
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;   # assumption: adjust to your PHP-FPM socket
}
Update the IP address to match your own (allow also accepts CIDR ranges). Now only you or your team can reach the login page; everyone else gets a 403 and a dead end.
4. Restrict Access to the Admin Dashboard
Similar to the login page, the WordPress admin area is a prime target for attackers. Restricting access to the admin dashboard adds an additional layer of security.
location ^~ /wp-admin/ {
    allow 192.168.1.1;
    deny all;
    # PHP handler for the admin scripts; the socket path is an assumption
    location ~ \.php$ { include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass unix:/run/php/php-fpm.sock; }
}
With this rule, you lock down your admin area to trusted IPs, keeping unauthorized visitors out. Two things to keep in mind: the ^~ modifier is what stops the general \.php$ location from matching admin URIs first and bypassing the restriction, and /wp-admin/admin-ajax.php is requested by logged-out visitors through many themes and plugins, so give it a nested location with allow all and the same PHP handler if your front end depends on it.
5. Enable HTTPS Redirect
SSL encryption is crucial to secure data transfer between your site and visitors. Enforce HTTPS by redirecting all HTTP requests to HTTPS:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    # $server_name is the first name listed above, so www. requests land on the bare domain;
    # use $host instead if you want each name to redirect to itself
    return 301 https://$server_name$request_uri;
}
By forcing HTTPS, you ensure data is encrypted, protecting your visitors’ information and establishing a secure site reputation.
6. Block SQL Injection Attempts
SQL injections are a common way for attackers to try and slip through. While WordPress has some built-in protections, an Nginx rule blocking suspicious requests can add an extra barrier.
# Put this directly in the server block (or inside your existing location /);
# a second "location /" would be rejected by nginx as a duplicate.
if ($query_string ~* "union.*select.*\(") {
    return 403;
}
This rule rejects any query string that matches that one pattern. It is a single signature, so treat it as a speed bump rather than a substitute for the prepared statements WordPress uses through $wpdb, and watch for false positives if your own content legitimately contains those words.
7. Disable Directory Listing
An open directory listing is like leaving the doors to your storage room wide open. Disabling directory listing hides your files and folders from prying eyes, preventing them from seeing what’s inside.
autoindex off;
Directory listing is already off by default in nginx; setting it explicitly at server level documents the intent and guards against a location block that turns it on. Just like that, the internal structure of your site stays hidden, reducing the risk of someone exploiting a file they shouldn’t even know exists.
8. Disable Access to Sensitive Files and Limit Request Types
Two easy ways to make your WordPress site more secure are to block access to sensitive files and limit the types of requests it can process.
First, restrict access to files like wp-config.php and xmlrpc.php, which are prime targets for attackers. This is the same rule as in section 1; it keeps those files under lock and key:
location ~* ^/(?:wp-config\.php|xmlrpc\.php)$ {
    deny all;
}
Second, limit the request methods that your site accepts. Typically, a WordPress site only needs to handle GET requests to retrieve data and POST requests to submit data. Blocking all other request types adds another layer of security by turning away any unexpected or suspicious methods.
# Goes in the server block; 444 closes the connection without sending a response.
if ($request_method !~ ^(GET|POST)$ ) {
    return 444;
}
By combining these two simple rules, you’re ensuring that only essential files are accessible and limiting your site’s exposure to potentially harmful requests. One caveat: HEAD requests come from uptime monitors and caches, so most sites should allow GET|HEAD|POST, and you should test the block editor and any plugins that talk to the REST API before enforcing this.
9. Disable Direct PHP File Access
If an attacker manages to sneak a PHP file into your site, they could run it directly, effectively creating a backdoor for further exploits. To prevent this, it’s crucial to disable direct access to PHP files within certain directories, especially folders where user-uploaded files are stored. This configuration rule helps prevent such files from being executed:
# Place this above the general \.php$ handler, which nginx would otherwise pick first.
location ~* ^/(?:uploads|wp-content|wp-includes)/.*\.php$ {
    deny all;
    # access_log off hides the blocked attempts from your logs; keep logging
    # if you want to see who is probing for dropped-in scripts
    access_log off;
}
With this rule in place, any attempt to directly access PHP files in these directories will be blocked, keeping your site secure and minimizing the chances of unauthorized backdoor access. Order matters: nginx uses the first regex location that matches, so this block must sit above your general \.php$ handler. And because the pattern covers all of wp-content, test your plugins afterwards; a few still call their own PHP files directly.
10. Add Security Headers
Adding security headers to your WordPress site is an effective way to guard against various web-based attacks like XSS, clickjacking, and data leakage. Implementing these headers in your Nginx configuration enhances your site’s overall security posture.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;   # stock add_header; more_set_headers needs the headers-more module
add_header Content-Security-Policy "frame-ancestors 'self';" always;
add_header X-XSS-Protection "1; mode=block" always;
# add_header Set-Cookie "Secure; HttpOnly";   # sends a meaningless cookie; it does not add flags to WordPress's cookies (see below)
add_header X-Permitted-Cross-Domain-Policies "master-only" always;
add_header Feature-Policy "geolocation 'none'; camera 'none'; speaker 'none';" always;
add_header Expect-CT 'max-age=60, report-uri="https://yourdomain.com/report"' always;
This configuration includes key headers such as:
- Strict-Transport-Security (HSTS): Enforces HTTPS and includes subdomains for added security.
- Content-Security-Policy (CSP): Prevents embedding from unauthorized sources to mitigate clickjacking risks.
- X-XSS-Protection: Adds protection against cross-site scripting attacks.
- Set-Cookie Header: an add_header line cannot retroactively mark the cookies PHP sets as Secure and HttpOnly; it only emits an extra, meaningless cookie. WordPress already sets its auth cookies HttpOnly and marks them Secure when served over HTTPS, and PHP sessions take session.cookie_secure and session.cookie_httponly in php.ini.
- X-Permitted-Cross-Domain-Policies: Limits cross-domain data leakage.
- Feature-Policy: Blocks access to specific browser features like geolocation and camera to unauthorized sites.
- Expect-CT: Helps enforce Certificate Transparency, preventing misissued certificates for your site.
These headers form an essential layer of defense, helping ensure your WordPress site is protected from a wide range of potential threats. Two practical notes: an add_header inside any location block replaces every add_header inherited from the server level, so keep the set in one place (or one include file) and use the always flag so error responses carry them too. Also, X-XSS-Protection, Feature-Policy and Expect-CT are deprecated in current browsers; Permissions-Policy is the successor to Feature-Policy, and the HSTS and CSP headers are the ones doing the real work today.
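The rules above are shown one at a time, and the order they end up in matters: exact-match locations beat regex locations, regex locations are tried in file order, and a prefix location without ^~ loses to a later \.php$ regex. The following virtual host is an added example, not the post's own configuration, that combines the ten rules in an order nginx evaluates as intended. The domain, document root, certificate paths, the admin address 203.0.113.10 and the PHP-FPM socket /run/php/php-fpm.sock are assumptions. It also goes slightly beyond the post: HEAD is allowed alongside GET and POST, rule 9 covers wp-includes and uploads rather than all of wp-content (so plugins keep working), the deprecated headers are replaced by Permissions-Policy and X-Content-Type-Options, and try_files prevents a missing script from being passed to PHP-FPM.

```nginx
# Added example, not the post's configuration. Domain, root, certificate paths,
# admin address and PHP-FPM socket below are assumptions; replace them.

# Rule 5: the plain-HTTP server only redirects. $host keeps the requested name.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;
    root  /var/www/wordpress;                              # assumption
    index index.php;
    ssl_certificate     /etc/ssl/certs/example.com.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder

    autoindex off;                                         # rule 7 (nginx default, stated explicitly)

    # Rule 8: request methods. HEAD is allowed so uptime checks and caches work.
    # 'if' with 'return' at server level is safe; 444 closes the connection silently.
    if ($request_method !~ "^(GET|HEAD|POST)$") {
        return 444;
    }

    # Rule 6: one SQL-injection signature. A speed bump only, not a WAF.
    if ($query_string ~* "union.*select.*\(") {
        return 403;
    }

    # Rule 10: headers. Any add_header inside a location replaces ALL of these,
    # so keep them together and use 'always' so error responses carry them too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "frame-ancestors 'self';" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Permitted-Cross-Domain-Policies "master-only" always;
    add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;

    # Rules 1 and 8: sensitive files. Exact-match locations are checked first
    # and end the search, so no regex handler can pick these up.
    location = /wp-config.php { deny all; }
    location = /xmlrpc.php    { deny all; }

    # Rules 2 and 9: no PHP execution from writable or library directories.
    # Regex locations are tried in file order, so these must appear BEFORE the
    # generic \.php$ handler at the bottom. Logging stays on: blocked attempts
    # are exactly what you want to see in the access log.
    location ~* ^/wp-content/uploads/.*\.php$ { deny all; }
    location ~* ^/wp-includes/.*\.php$        { deny all; }

    # Rule 3: login page limited to trusted addresses, with its own PHP handler
    # so the allowed address gets a rendered page, not the PHP source.
    location = /wp-login.php {
        allow 203.0.113.10;                                # placeholder admin address
        deny  all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;           # assumption: your PHP-FPM socket
    }

    # Rule 4: admin area. ^~ stops the generic \.php$ regex from claiming these
    # URIs. admin-ajax.php is called by logged-out visitors too, so it stays open.
    location ^~ /wp-admin/ {
        allow 203.0.113.10;
        deny  all;
        location = /wp-admin/admin-ajax.php {
            allow all;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # Everything else: pretty permalinks, then the generic PHP handler.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~ \.php$ {
        try_files $uri =404;                               # never pass a missing script to FPM
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Run nginx -t after dropping this into sites-available, then verify each rule from outside the allowed address: /wp-config.php, /xmlrpc.php and a .php path under uploads should return 403, wp-login.php and the dashboard should return 403 while admin-ajax.php still answers, and a request with an unlisted method should get the connection dropped rather than a response.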
Conclusion
Nginx is more than a high-performance web server—it’s a powerful security ally for your WordPress site. By implementing these 10 Nginx rules, you can keep potential threats at bay, protect sensitive data, and prevent unauthorized access, all while maintaining your site’s performance.
Security is a moving target, and threats evolve. Regularly review and update these rules to stay ahead of the latest vulnerabilities. And remember, the effort you put into securing your WordPress site today will save you countless headaches in the future.
Need help configuring Nginx or fine-tuning your WordPress security? Reach out to us at AWXOps. We’re here to provide tailored security solutions and keep your site running safely and smoothly.