NGINX Wordpress Template

This is the NGINX config I use for most Wordpress / PHP projects. I've updated it throughout the years with optimal configurations. Give it a try if you're using LEMP stack in your work.

Also available on Github.

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    set $base /var/www/PROJECTDIRECTORY;

    root $base;

    index index.php index.html index.htm index.nginx-debian.html;

    server_name _ IPADDRESS DOMAINADDRESS;

    client_max_body_size 8M;

    # security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;

    # assets, media
    location ~ \.(js|css|png|jpg|jpeg|gif|ico|html|woff|woff2|ttf|svg|eot|otf)$ {
        add_header "Access-Control-Allow-Origin" "*";
        expires 1M;
        access_log off;
        add_header Cache-Control "public";
    }

    # default
    location / {
        try_files $uri $uri/ /index.php?q=$uri&$args;

        # Bad IPS
        deny 45.40.254.224;
        deny 46.246.58.10;
        deny 88.208.236.239;
        deny 108.162.229.0/24; # alaafood.us, bstbikerepair.us
        deny 128.199.141.0/24;
        deny 119.29.64.0/24; # "-"
        deny 141.101.69.0/24; # cleanfoodd.us
        deny 141.101.88.0/24; # lolrental.us, walkerrentals.us, allnaturalfood.us
        deny 141.101.96.0/24; # villarental.us, batteryrepair.us, "-"
        deny 159.65.32.0/24; # walkerrentals.us, bot hitting cron
        deny 162.158.79.191; # "http://www.google.com.hk"
        deny 162.158.134.0/24;
        deny 162.158.142.0/24; # textbookrentalstender.us, alaafood.us
        deny 172.68.59.0/24; # walkerrentals.us
        deny 172.68.211.0/24; # feelfood.us
        deny 172.68.246.0/24; # textbookrentalstender.us
    }

    # fastcgi
    location ~ \.php$ {
        # fastcgi
        fastcgi_pass                unix:/run/php/php7.2-fpm.sock;
        fastcgi_split_path_info     ^(.+\.php)(/.+)$;
        fastcgi_param               SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param               PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
        fastcgi_intercept_errors    off;

        fastcgi_buffer_size             128k;
        fastcgi_buffers                 256 16k;
        fastcgi_busy_buffers_size       256k;
        fastcgi_temp_file_write_size    256k;

        # default fastcgi_params
        include fastcgi_params;
        include snippets/fastcgi-php.conf;
    }

    # apache
    location ~ /\.ht {
        deny all;
    }

    # xmlrpc
    location = /xmlrpc.php {
        deny all;
        access_log off;
        log_not_found off;
    }

    # favicon
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    # robots
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # no php in uploads
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    # no scripts
    location ~* .(pl|cgi|py|sh|lua)$ {
        return 444;
    }

    # sensitive files
    # location ~* .(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(.php)?|xtmpl)$|^(..*|Entries.*|Repository|Root|Tag|Template)$|.php_ {
    #     return 444;
    # }

    # no executable code in uploads
    location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
        deny all;
    }

    # no executable code in uploads
    location ~* /(?:uploads|files)/.*.php$ {
        deny all;
    }

    # includes execution
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }

    # deny wp-content, wp-includes php files
    location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
        deny all;
    }

    # deny wp-content/uploads nasty stuff
    location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
        deny all;
    }

    # deny wp-content/plugins (except earlier rules)
    location ~ ^/wp-content/plugins {
        deny all;
    }

    # deny scripts and styles concat
    location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
        deny all;
    }

    # deny general stuff
    location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
        deny all;
    }

    # assets, media
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }

    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires 7d;
        access_log off;
    }

    # . files
    location ~ /\. {
        deny all;
    }

}