{"id":48677,"date":"2019-09-10T23:19:59","date_gmt":"2019-09-10T15:19:59","guid":{"rendered":"https:\/\/www.hongkiat.com\/blog\/?p=48677"},"modified":"2022-10-18T20:12:10","modified_gmt":"2022-10-18T12:12:10","slug":"nginx-rules-for-wordpress-security","status":"publish","type":"post","link":"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/","title":{"rendered":"10 Nginx Rules to Harden WordPress Security"},"content":{"rendered":"

WordPress is, to this date, the most popular CMS with over 30% market share of the web. With such an amount of market share, WordPress often becomes a target of security threats. So for a WordPress site owner, it\u2019s better to take some measures to tighten the security of your site.<\/p>\n

As thousands of websites run on Nginx, I have gathered some basic tips or Nginx rules to harden your WordPress site security<\/strong>. Let\u2019s take a look.<\/p>\n

Read Also:<\/strong> 10 Tips to Hardening WordPress Security<\/a><\/p>\n

1. Limit XMLRPC Access<\/h2>\n

XMLRPC endpoint in WordPress is used to allow an external application to interact with WordPress data. For example, it can allow adding, creating, or deleting a post. However, XMLRPC is also a common attack vector<\/strong> where the attacker may be able to perform those operations without authorization. It\u2019s better to allow request to XMLRPC from authorized IP<\/strong> that you trust, like so:<\/p>\n

\r\nlocation ~* \/xmlrpc.php$ {\r\n    allow 172.0.1.1;\r\n    deny all;\r\n}\r\n<\/pre>\n
Once the above is added, you should see the 403 error code response<\/strong> when loading xmlrpc.php<\/code> in the browser.<\/p>\n
2. Limit Request Types<\/h2>\n
Most of the time your website may only perform two types fo requests i.e. GET<\/code> to retrieve data from your site and POST<\/code> to upload data<\/strong> to your site. Limiting the type of request that our site can handle to only these two sounds like a good idea here.<\/p>\n
\r\nif ($request_method !~ ^(GET|POST)$ ) {\r\n    return 444;\r\n}\r\n<\/pre>\n
3. Direct PHP File Access<\/h2>\n
If somehow, a hacker successfully sneaks in a PHP file onto your site, they\u2019ll be able to run this file by loading file which effectively becomes a backdoor to infiltrate your site. We should disable direct access to any PHP files<\/strong> by adding the following rules:<\/p>\n
\r\nlocation ~* \/(?:uploads|files|wp-content|wp-includes|akismet)\/.*.php$ {\r\n    deny all;\r\n    access_log off;\r\n    log_not_found off;\r\n}\r\n<\/pre>\n
4. Dotfiles<\/h2>\n
Similar to PHP file, a dotfile like .htaccess<\/code>, .user.ini<\/code>, and .git<\/code> may contain sensitive information. To be on the safer side, it\u2019s better to disable direct access to these files<\/strong>.<\/p>\n
\r\nlocation ~ \/\\.(svn|git)\/* {\r\n    deny all;\r\n    access_log off;\r\n    log_not_found off;\r\n}\r\nlocation ~ \/\\.ht {\r\n    deny all;\r\n    access_log off;\r\n    log_not_found off;\r\n}\r\nlocation ~ \/\\.user.ini { \r\n    deny all; \r\n    access_log off;\r\n    log_not_found off;\r\n}\r\n<\/pre>\n
5. Hide Nginx and PHP version<\/h2>\n
Certain information should better not to be exposed like the Nginx version as well as the PHP version. This won\u2019t prevent the attack itself. However, assuming particular Ningx or PHP version turns out has vulnerability exposed, the attacker won\u2019t get to know easily from your site. To hide the Nginx version:<\/p>\n
\r\n#Hide the nginx version.\r\nserver_tokens off;\r\n<\/pre>\n
\r\n#Hide the PHP version.\r\nfastcgi_hide_header X-Powered-By;\r\nproxy_hide_header X-Powered-By;\r\n<\/pre>\n
6. Security Headers<\/h2>\n
Security headers provide an extra layer of security by dictating the browser behavior. The X-Frame-Options<\/code>, for example, will prevent your site to load from an iframe, unless it\u2019s from your own site. The Strict-Transport-Security<\/code> will enforce browser to load your site from HTTPS<\/strong>.<\/p>\n
\r\nadd_header X-Frame-Options SAMEORIGIN;\r\nadd_header Strict-Transport-Security \"max-age=31536000\";\r\nadd_header X-Content-Type-Options nosniff;\r\nadd_header X-XSS-Protection \"1; mode=block\";\r\n<\/pre>\n
7. Block Subdirectory Access<\/h2>\n
If your site runs on a sub-directory like \/blog<\/code>, it\u2019s better to allow access to this sub-directory<\/strong>. It means that any obscure access to other directories which an attacker always looks for, for example, \/82jdkj\/?.php<\/code> are blocked.<\/p>\n
\r\nlocation ~ ^\/(?!(blog)\/?) { \r\n    deny all;\r\n    access_log off;\r\n    log_not_found off;\r\n}\r\n<\/pre>\n
8. Reduce Spam<\/h2>\n
Spam comment, although it may not break your site, it\u2019ll flood your database with garbage content or a malicious content that could possibly leverage as a vector. To reduce spam entries<\/strong>, you can add the following rules to your Nginx config alongside with a Spam protection plugin like Akismet<\/a>.<\/p>\n
\r\nset $comment_flagged 0;\r\nset $comment_request_method 0;\r\nset $comment_request_uri 0;\r\nset $comment_referrer 1;\r\n\r\nif ($request_method ~ \"POST\"){\r\n    set $comment_request_method 1;\r\n}\r\n\r\nif ($request_uri ~ \"\/wp-comments-post\\.php$\"){\r\n    set $comment_request_method 1;\r\n}\r\n\r\nif ($http_referer !~ \"^https?:\/\/(([^\/]+\\.)?site\\.com|jetpack\\.wordpress\\.com\/jetpack-comment)(\/|$)\"){\r\n    set $comment_referrer 0;\r\n}\r\n\r\nset $comment_flagged \"${comment_request_method}${comment_request_uri}${comment_referrer}\";\r\nif ($comment_flagged = \"111\") {\r\n    return 403;\r\n}\r\n<\/pre>\n
9. Limit Requests<\/h2>\n
The WordPress login page, wp-login.php<\/code>, is a common endpoint for a brute-force attack. The attacker will try to break through your site<\/strong> by submitting multiple username and password combination and this usually done multiple times in a second.<\/p>\n
For this, we can apply a rule that will limit the number of requests that the page can handle per second. Here we set the limit to 2 requests per second<\/strong>, otherwise, the request will be blocked.<\/p>\n
\r\nlimit_req_zone $binary_remote_addr zone=WPRATELIMIT:10m rate=2r\/s;\r\nlocation ~ \\wp-login.php$ {\r\n    limit_req zone=WPRATELIMIT;\r\n}\r\n<\/pre>\n
10. Disable Directory Listing<\/h2>\n
Last but not least, you should disable the directory listing so the attacker won\u2019t get to know what\u2019s in the directory. There\u2019s very little reason that I know where directory listing is useful on a WordPress site.<\/p>\n
\r\nautoindex off;\r\n<\/pre>","protected":false},"excerpt":{"rendered":"
WordPress is, to this date, the most popular CMS with over 30% market share of the web. With such an amount of market share, WordPress often becomes a target of security threats. So for a WordPress site owner, it\u2019s better to take some measures to tighten the security of your site. As thousands of websites…<\/p>\n","protected":false},"author":113,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[49],"tags":[4663,4555,4601,3325],"topic":[],"class_list":["entry-content","is-maxi"],"acf":[],"yoast_head":"\n10 Nginx Rules to Harden WordPress Security - Hongkiat<\/title>\n<meta name=\"description\" content=\"WordPress is, to this date, the most popular CMS with over 30% market share of the web. With such an amount of market share, WordPress often becomes a\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"10 Nginx Rules to Harden WordPress Security\" \/>\n<meta property=\"og:description\" content=\"WordPress is, to this date, the most popular CMS with over 30% market share of the web. With such an amount of market share, WordPress often becomes a\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Hongkiat\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/hongkiatcom\" \/>\n<meta property=\"article:published_time\" content=\"2019-09-10T15:19:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-10-18T12:12:10+00:00\" \/>\n<meta name=\"author\" content=\"Thoriq Firdaus\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@tfirdaus\" \/>\n<meta name=\"twitter:site\" content=\"@hongkiat\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Thoriq Firdaus\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/nginx-rules-for-wordpress-security\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/nginx-rules-for-wordpress-security\\\/\"},\"author\":{\"name\":\"Thoriq Firdaus\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#\\\/schema\\\/person\\\/e7948c7a175d211496331e4b6ce55807\"},\"headline\":\"10 Nginx Rules to Harden WordPress Security\",\"datePublished\":\"2019-09-10T15:19:59+00:00\",\"dateModified\":\"2022-10-18T12:12:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/nginx-rules-for-wordpress-security\\\/\"},\"wordCount\":616,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#organization\"},\"keywords\":[\"ad-divi\",\"Nginx\",\"Security and Privacy\",\"WordPress Security\"],\"articleSection\":[\"WordPress\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/nginx-rules-for-wordpress-security\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/nginx-rules-for-wordpress-security\\\/\",\"url\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/nginx-rules-for-wordpress-security\\\/\",\"name\":\"10 Nginx Rules to Harden WordPress Security - Hongkiat\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#website\"},\"datePublished\":\"2019-09-10T15:19:59+00:00\",\"dateModified\":\"2022-10-18T12:12:10+00:00\",\"description\":\"WordPress is, to this date, the most popular CMS with over 30% market share of the web. With such an amount of market share, WordPress often becomes a\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/nginx-rules-for-wordpress-security\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/nginx-rules-for-wordpress-security\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/nginx-rules-for-wordpress-security\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"10 Nginx Rules to Harden WordPress Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/\",\"name\":\"Hongkiat\",\"description\":\"Tech and Design Tips\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#organization\",\"name\":\"Hongkiat.com\",\"url\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wp-content\\\/uploads\\\/hkdc-logo-rect-yoast.jpg\",\"contentUrl\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wp-content\\\/uploads\\\/hkdc-logo-rect-yoast.jpg\",\"width\":1200,\"height\":799,\"caption\":\"Hongkiat.com\"},\"image\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/hongkiatcom\",\"https:\\\/\\\/x.com\\\/hongkiat\",\"https:\\\/\\\/www.pinterest.com\\\/hongkiat\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#\\\/schema\\\/person\\\/e7948c7a175d211496331e4b6ce55807\",\"name\":\"Thoriq Firdaus\",\"description\":\"Thoriq is a writer for Hongkiat.com with a passion for web design and development. He is the author of Responsive Web Design by Examples, where he covered his best approaches in developing responsive websites quickly with a framework.\",\"sameAs\":[\"https:\\\/\\\/thoriq.com\",\"https:\\\/\\\/x.com\\\/tfirdaus\"],\"jobTitle\":\"Web Developer\",\"url\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/author\\\/thoriq\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"10 Nginx Rules to Harden WordPress Security - Hongkiat","description":"WordPress is, to this date, the most popular CMS with over 30% market share of the web. With such an amount of market share, WordPress often becomes a","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/","og_locale":"en_US","og_type":"article","og_title":"10 Nginx Rules to Harden WordPress Security","og_description":"WordPress is, to this date, the most popular CMS with over 30% market share of the web. With such an amount of market share, WordPress often becomes a","og_url":"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/","og_site_name":"Hongkiat","article_publisher":"https:\/\/www.facebook.com\/hongkiatcom","article_published_time":"2019-09-10T15:19:59+00:00","article_modified_time":"2022-10-18T12:12:10+00:00","author":"Thoriq Firdaus","twitter_card":"summary_large_image","twitter_creator":"@tfirdaus","twitter_site":"@hongkiat","twitter_misc":{"Written by":"Thoriq Firdaus","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/#article","isPartOf":{"@id":"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/"},"author":{"name":"Thoriq Firdaus","@id":"https:\/\/www.hongkiat.com\/blog\/#\/schema\/person\/e7948c7a175d211496331e4b6ce55807"},"headline":"10 Nginx Rules to Harden WordPress Security","datePublished":"2019-09-10T15:19:59+00:00","dateModified":"2022-10-18T12:12:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/"},"wordCount":616,"commentCount":0,"publisher":{"@id":"https:\/\/www.hongkiat.com\/blog\/#organization"},"keywords":["ad-divi","Nginx","Security and Privacy","WordPress Security"],"articleSection":["WordPress"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/","url":"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/","name":"10 Nginx Rules to Harden WordPress Security - Hongkiat","isPartOf":{"@id":"https:\/\/www.hongkiat.com\/blog\/#website"},"datePublished":"2019-09-10T15:19:59+00:00","dateModified":"2022-10-18T12:12:10+00:00","description":"WordPress is, to this date, the most popular CMS with over 30% market share of the web. With such an amount of market share, WordPress often becomes a","breadcrumb":{"@id":"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.hongkiat.com\/blog\/nginx-rules-for-wordpress-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.hongkiat.com\/blog\/"},{"@type":"ListItem","position":2,"name":"10 Nginx Rules to Harden WordPress Security"}]},{"@type":"WebSite","@id":"https:\/\/www.hongkiat.com\/blog\/#website","url":"https:\/\/www.hongkiat.com\/blog\/","name":"Hongkiat","description":"Tech and Design Tips","publisher":{"@id":"https:\/\/www.hongkiat.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.hongkiat.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.hongkiat.com\/blog\/#organization","name":"Hongkiat.com","url":"https:\/\/www.hongkiat.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.hongkiat.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.hongkiat.com\/blog\/wp-content\/uploads\/hkdc-logo-rect-yoast.jpg","contentUrl":"https:\/\/www.hongkiat.com\/blog\/wp-content\/uploads\/hkdc-logo-rect-yoast.jpg","width":1200,"height":799,"caption":"Hongkiat.com"},"image":{"@id":"https:\/\/www.hongkiat.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/hongkiatcom","https:\/\/x.com\/hongkiat","https:\/\/www.pinterest.com\/hongkiat\/"]},{"@type":"Person","@id":"https:\/\/www.hongkiat.com\/blog\/#\/schema\/person\/e7948c7a175d211496331e4b6ce55807","name":"Thoriq Firdaus","description":"Thoriq is a writer for Hongkiat.com with a passion for web design and development. He is the author of Responsive Web Design by Examples, where he covered his best approaches in developing responsive websites quickly with a framework.","sameAs":["https:\/\/thoriq.com","https:\/\/x.com\/tfirdaus"],"jobTitle":"Web Developer","url":"https:\/\/www.hongkiat.com\/blog\/author\/thoriq\/"}]}},"jetpack_featured_media_url":"https:\/\/","jetpack_shortlink":"https:\/\/wp.me\/p4uxU-cF7","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/posts\/48677","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/users\/113"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/comments?post=48677"}],"version-history":[{"count":2,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/posts\/48677\/revisions"}],"predecessor-version":[{"id":57078,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/posts\/48677\/revisions\/57078"}],"wp:attachment":[{"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/media?parent=48677"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/categories?post=48677"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/tags?post=48677"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/topic?post=48677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}