This is the NGINX
config I use for most Wordpress / PHP projects. I’ve updated it throughout the years with optimal configurations. Give it a try if you’re using LEMP stack in your work.
Also available on Github.
server {
listen 80 default_server;
listen [::]:80 default_server;
set $base /var/www/PROJECTDIRECTORY;
root $base;
index index.php index.html index.htm index.nginx-debian.html;
server_name _ IPADDRESS DOMAINADDRESS;
client_max_body_size 8M;
# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
# assets, media
location ~ \.(js|css|png|jpg|jpeg|gif|ico|html|woff|woff2|ttf|svg|eot|otf)$ {
add_header "Access-Control-Allow-Origin" "*";
expires 1M;
access_log off;
add_header Cache-Control "public";
}
# default
location / {
try_files $uri $uri/ /index.php?q=$uri&$args;
# Bad IPS
deny 45.40.254.224;
deny 46.246.58.10;
deny 88.208.236.239;
deny 108.162.229.0/24; # alaafood.us, bstbikerepair.us
deny 128.199.141.0/24;
deny 119.29.64.0/24; # "-"
deny 141.101.69.0/24; # cleanfoodd.us
deny 141.101.88.0/24; # lolrental.us, walkerrentals.us, allnaturalfood.us
deny 141.101.96.0/24; # villarental.us, batteryrepair.us, "-"
deny 159.65.32.0/24; # walkerrentals.us, bot hitting cron
deny 162.158.79.191; # "http://www.google.com.hk"
deny 162.158.134.0/24;
deny 162.158.142.0/24; # textbookrentalstender.us, alaafood.us
deny 172.68.59.0/24; # walkerrentals.us
deny 172.68.211.0/24; # feelfood.us
deny 172.68.246.0/24; # textbookrentalstender.us
}
# fastcgi
location ~ \.php$ {
# fastcgi
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
fastcgi_intercept_errors off;
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
# default fastcgi_params
include fastcgi_params;
include snippets/fastcgi-php.conf;
}
# apache
location ~ /\.ht {
deny all;
}
# xmlrpc
location = /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
}
# favicon
location = /favicon.ico {
log_not_found off;
access_log off;
}
# robots
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# no php in uploads
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# no scripts
location ~* .(pl|cgi|py|sh|lua)$ {
return 444;
}
# sensitive files
# location ~* .(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(.php)?|xtmpl)$|^(..*|Entries.*|Repository|Root|Tag|Template)$|.php_ {
# return 444;
# }
# no executable code in uploads
location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
deny all;
}
# no executable code in uploads
location ~* /(?:uploads|files)/.*.php$ {
deny all;
}
# includes execution
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
deny all;
}
# deny wp-content, wp-includes php files
location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
deny all;
}
# deny wp-content/uploads nasty stuff
location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
deny all;
}
# deny wp-content/plugins (except earlier rules)
location ~ ^/wp-content/plugins {
deny all;
}
# deny scripts and styles concat
location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
deny all;
}
# deny general stuff
location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
deny all;
}
# assets, media
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires max;
log_not_found off;
}
# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
expires 7d;
access_log off;
}
# . files
location ~ /\. {
deny all;
}
}