#--MULTISITE--if (!-e $request_filename) { #--MULTISITE--rewrite /wp-admin$ $scheme://$host$uri/ permanent; #--MULTISITE--rewrite ^__PATH__(/[^/]+)?(/wp-.*) __PATH__$2 last; #--MULTISITE--rewrite ^__PATH__(/[^/]+)?(/.*\.php)$ __PATH__$2 last; #--MULTISITE--} # fallback for robots.txt with default wordpress rules location @robots { return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n"; } location @empty_gif { empty_gif; } #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { # Path to source alias __FINALPATH__/; index index.php; if (!-e $request_filename) { rewrite ^(.+)$ __PATH__/index.php?q=$1 last; } # Force usage of https if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; } client_max_body_size 1G; location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_FILENAME $request_filename; try_files $uri =404; } location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { access_log off; log_not_found off; expires max; } location ~ /\. { deny all; access_log off; log_not_found off; } ##### SECURITY CONFIGURATION ##### location = /wp-login.php { limit_req zone=one burst=1 nodelay; fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_FILENAME $request_filename; try_files $uri =404; } # Prevent DoS attacks on wp-cron location = /wp-cron.php { limit_req zone=two burst=1 nodelay; fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_FILENAME $request_filename; try_files $uri =404; } # Prevent DoS attacks with xmlrpc.php location = /xmlrpc.php { limit_req zone=two burst=1 nodelay; fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_pass unix:/var/run/php/php__PHPVERSION__-fpm-__NAME__.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_FILENAME $request_filename; try_files $uri =404; } # Disable wp-config.txt location = /wp-config.txt { deny all; access_log off; log_not_found off; } location = /robots.txt { # Some WordPress plugin gererate robots.txt file # Refer #340 issue try_files $uri $uri/ /index.php?$args @robots; access_log off; log_not_found off; } # webp rewrite rules for jpg and png images # try to load alternative image.png.webp before image.png location /wp-content/uploads { location ~ \.(png|jpe?g)$ { add_header Vary "Accept-Encoding"; more_set_headers 'Access-Control-Allow-Origin : *'; more_set_headers "Cache-Control : public, no-transform"; access_log off; log_not_found off; expires max; try_files $uri$webp_suffix $uri =404; } location ~* \.(php|gz|log|zip|tar|rar|xz)$ { #Prevent Direct Access Of PHP Files & Backups from Web Browsers deny all; } } # webp rewrite rules for EWWW testing image location /wp-content/plugins/ewww-image-optimizer/images { location ~ \.(png|jpe?g)$ { add_header Vary "Accept-Encoding"; more_set_headers 'Access-Control-Allow-Origin : *'; more_set_headers "Cache-Control : public, no-transform"; access_log off; log_not_found off; expires max; try_files $uri$webp_suffix $uri =404; } location ~ \.php$ { #Prevent Direct Access Of PHP Files From Web Browsers deny all; } } # enable gzip on static assets - php files are forbidden location /wp-content/cache { # Cache css & js files location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ { more_set_headers 'Access-Control-Allow-Origin : *'; access_log off; log_not_found off; expires 30d; } location ~ \.php$ { #Prevent Direct Access Of PHP Files From Web Browsers deny all; } } # Deny access to any files with a .php extension in the uploads directory # Works in sub-directory installs and also in multisite network # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban) location ~* /(?:uploads|files)/.*\.php$ { deny all; } # mitigate DoS attack CVE with WordPress script concatenation # add the following line to wp-config.php # define( 'CONCATENATE_SCRIPTS', false ); location ~ \/wp-admin\/load-(scripts|styles).php { deny all; } # Protect Easy Digital Download files from being accessed directly. location ~ ^/wp-content/uploads/edd/(.*?)\.zip$ { rewrite / permanent; } ##### ADDITIONAL LOCATIONS ##### # Basic locations files location = /favicon.ico { try_files /wp-content/uploads/fbrfg/favicon.ico $uri $uri/ /index.php?$args @empty_gif; access_log off; log_not_found off; expires max; } # Cache static files location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|ttf|m4a|mp4|ttf|rss|atom|jpe?g|gif|cur|heic|png|tiff|ico|webm|mp3|aac|tgz|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp|json|webmanifest|cast)$ { more_set_headers 'Access-Control-Allow-Origin : *'; more_set_headers "Cache-Control : public, no-transform"; access_log off; log_not_found off; expires max; } # Cache css & js files location ~* \.(?:css(\.map)?|js(\.map)?)$ { more_set_headers 'Access-Control-Allow-Origin : *'; more_set_headers "Cache-Control : public, no-transform"; access_log off; log_not_found off; expires 30d; } # Security settings for better privacy # Deny hidden files location ~ /\.(?!well-known\/) { deny all; } # letsencrypt validation location /.well-known/acme-challenge/ { alias /var/www/html/.well-known/acme-challenge/; allow all; auth_basic off; } # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html) or other common git repository files location ~* "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" { deny all; } # Deny backup extensions & log files and return 403 forbidden location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|tar|rdf|gz|zip|bz2|7z|pem|asc|conf|dump)$" { deny all; } location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { deny all; } # block base64_encoded content location ~* "(base64_encode)(.*)(\()" { deny all; } # block javascript eval() location ~* "(eval\()" { deny all; } # Additional security settings location ~* "(127\.0\.0\.1)" { deny all; } location ~* "([a-z0-9]{2000})" { deny all; } location ~* "(javascript\:)(.*)(\;)" { deny all; } location ~* "(GLOBALS|REQUEST)(=|\[|%)" { deny all; } location ~* "(<|%3C).*script.*(>|%3)" { deny all; } location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; } location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; } location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; } location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { deny all; } location ~* "(https?|ftp|php):/" { deny all; } location ~* "(=\\\'|=\\%27|/\\\'/?)\." { deny all; } location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { deny all; } location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { deny all; } # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; }