Nginx Security Rules for SEO Enhanced WordPress Website Security

Nginx security rules are the first thing you need to configure before building a WordPress website. Currently, WordPress is the most popular website building program, with more than 30% of the network market share, which also makes WordPress often become the target of security threats. Nginx security rules are very important, so for us WordPress website owners, it is best to set some Nginx security rules to enhance the security of the website.

Before building a WordPress website, please configure Nginx security rules

Before you build a website, you need to configure Nginx first. WordPress is currently the most popular website building program, with more than 30% of the network market share, which also makes it a frequent target of security threats. Nginx security rules are very important, so for us WordPress website owners it is best to set some Nginx security rules to enhance the security of the website.

WordPress can run on either Apache or Nginx. Today we will share some Nginx rules to enhance WordPress security.

10 Nginx Security Rules to Enhance WordPress Site Security

Prohibit downloading files with specified suffixes

Set file extensions that are prohibited from downloading on the website to prevent sensitive files such as databases from being packaged and downloaded.

# Close the connection (444) for requests ending in these extensions
location ~ \.(zip|rar|sql|bak|gz|7z)$ {
    return 444;
}

Redirect URLs containing sensitive keywords

Requests whose URL contains one of the keywords below are always redirected to the website homepage (or to a 404 page).

# URL contains test= : redirect straight to the homepage
if ($request_uri ~* test=) {
    return 301 https://uzbox.com;
}

# URL contains any of the following keywords: redirect to the homepage.
# The double quote and the $ are escaped so that nginx does not end the
# string early or read $_GET as a variable. Note that "admin" also matches
# /wp-admin/ and "config" matches wp-config.php, so test this rule against
# your own URLs before enabling it.
if ($request_uri ~* "(\.gz)|(\")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)|(\$_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)") {
    return 301 https://uzbox.com;
}

Prevent malicious crawlers

Nginx configuration to block spam spiders and crawlers. Add the name of any unwanted crawler to the blocking rule below.

Below are some crawler names for reference only.

qihoobot|Censys|Baiduspider|Googlebot|Googlebot-Mobile|Googlebot-Image|Mediapartners-Google|Adsbot-Google|Feedfetcher-Google|Yahoo! Slurp|Yahoo! Slurp China|YoudaoBot|Sosospider|Sogou spider|Sogou web spider|MSNBot|ia_archiver|Tomato Bot|FeedDemon|JikeSpider|Indy Library|Alexa Toolbar|AskTbFXTV|AhrefsBot|CrawlDaddy|CoolpadWebkit|Java|Feedly|UniversalFeedParser|ApacheBench|Microsoft URL Control|Swiftbot|ZmEu|oBot|jaunty|Python-urllib|lightDeckReports Bot|YYSpider|DigExt|YisouSpider|Scrapy|HttpClient|MJ12bot|heritrix|EasouSpider|LinkpadBot|Ezooms

# Case-insensitive match on the User-Agent header (duplicate AhrefsBot entry removed)
if ($http_user_agent ~* (SemrushBot|python|MJ12bot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup)) {
    return 404;
}

Block non-browsers from accessing the website

# Prohibit access without a User-Agent header (browsers always send one)
if ($http_user_agent ~ ^$) {
    return 404;
}
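To see what the keyword-redirect, crawler and empty-User-Agent rules above actually catch before deploying them, here is an added example (not from the original post) that replays them with Python's re module, which treats these patterns the same way PCRE does. It assumes the `if` blocks sit at server level, where nginx evaluates them in config order before choosing a location, and it also includes the archive `location` from the first rule to show that ordering.

```python
import re

# Added example, not from the original post. The `if` rules above (assumed to
# sit at server level) and the archive `location` are replayed with Python's
# re module. nginx runs server-level `if` blocks in config order before any
# location is chosen, so the rules are evaluated in that same order here.

URI_KEYWORDS = re.compile(
    r"(\.gz)|(\")|(\.tar)|(admin)|(\.zip)|(\.sql)|(\.asp)|(\.rar)|(function)"
    r"|(\$_GET)|(eval)|(\?php)|(config)|(\')|(\.bak)", re.IGNORECASE)
BAD_AGENTS = re.compile(
    r"SemrushBot|python|MJ12bot|AhrefsBot|hubspot|opensiteexplorer|leiki|webmeup",
    re.IGNORECASE)
ARCHIVES = re.compile(r"\.(zip|rar|sql|bak|gz|7z)$")


def decide(uri, user_agent):
    """Return the status nginx would answer with, or None if the request passes.
    `uri` is the raw $request_uri (path plus query string)."""
    if re.search(r"test=", uri, re.IGNORECASE) or URI_KEYWORDS.search(uri):
        return 301                      # keyword redirect to the homepage
    if user_agent == "":
        return 404                      # no User-Agent: not a browser
    if BAD_AGENTS.search(user_agent):
        return 404                      # listed crawlers
    path = uri.split("?", 1)[0]         # location matching uses $uri, no query
    if ARCHIVES.search(path):
        return 444                      # archive/backup download
    return None


# Constructed sample requests
SAMPLES = [
    ("/", "Mozilla/5.0"),
    ("/db.7z", "Mozilla/5.0"),              # archive rule: 444
    ("/backup.sql", "Mozilla/5.0"),         # keyword ".sql" fires first: 301
    ("/wp-admin/", "Mozilla/5.0"),          # keyword "admin" also catches the dashboard
    ("/?s=hello", ""),                      # empty User-Agent: 404
    ("/feed/", "Mozilla/5.0 (compatible; AhrefsBot/7.0)"),
    ("/page?test=1", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for uri, ua in SAMPLES:
        print(f"{uri:14} {ua!r:42} -> {decide(uri, ua)}")
```

The /wp-admin/ line is the one to watch: the keyword rule as written also redirects the dashboard, so an exception is needed if you keep it.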

Hide Nginx and PHP versions

It is best not to disclose Nginx and PHP versions to the public. If a specific Nginx or PHP version exposes a vulnerability, and an attacker finds the corresponding vulnerable version on your server, it may be very dangerous. The following rules can hide Nginx and PHP versions:

# hide the nginx version (the "nginx" name itself still appears in the Server header)
server_tokens off;
# hide the PHP version sent in the X-Powered-By header
fastcgi_hide_header X-Powered-By;
proxy_hide_header X-Powered-By;

Security Header

Security headers provide an extra layer of security by instructing the browser how to behave. For example, X-Frame-Options can prevent your website from being embedded in an iframe, and Strict-Transport-Security makes the browser load the site only over HTTPS.

# Note: add_header lines are only inherited from the enclosing level when the
# current level defines none of its own, so repeat them in any location that
# adds its own headers.
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=31536000";
add_header X-Content-Type-Options nosniff;

Block access to subdirectories

If your website runs in a subdirectory, such as /blog, you should restrict access to subdirectories other than /blog.

location ~ ^/(?!(blog)/?) {
    deny all;
    access_log off;
    log_not_found off;
}

Restricting Access to XMLRPC

The XMLRPC endpoint in WordPress (the xmlrpc.php file in the root directory) allows external applications to interact with WordPress data, for example to add, edit, or delete posts. However, XMLRPC is also a common attack vector through which attackers try to perform these actions without authorization. So it is best to allow XMLRPC requests only from trusted IPs, as shown below:

location ~* /xmlrpc\.php$ {
    allow 172.0.1.1;   # example address: list the IPs you actually trust
    deny all;
}

After adding the above, you should see a 403 error response code when accessing xmlrpc.php in your browser.

Limit request types

Most of the time, your website will probably only perform two types of requests:

  • GET – Retrieve data from your website
  • POST – Submits data to your website

Therefore, only allowing our website to execute these two types of requests is also a way to enhance security.

# HEAD and OPTIONS are rejected by this rule as well; add them to the
# list if your site or your monitoring relies on them
if ($request_method !~ ^(GET|POST)$ ) {
    return 444;
}

Disable direct access to PHP files

Without anyone noticing, a hacker could upload a PHP file to your server and then create a backdoor on your website by accessing the malicious file and performing certain actions. Direct access to PHP files in these directories should be prohibited:

# Place this before the location that passes .php files to PHP-FPM: nginx
# uses the first matching regex location. The dot in .php is escaped so
# that only real .php files match.
location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

Disable access to certain sensitive files

Similar to PHP files, files beginning with a dot, such as .htaccess, .user.ini, and .git, may contain sensitive information. For added security, it is best to disable direct access to these files.

# Version-control directories (/.git, /.svn and everything under them)
location ~ /\.(svn|git) {
    deny all;
    access_log off;
    log_not_found off;
}
# Apache control files (.htaccess, .htpasswd)
location ~ /\.ht {
    deny all;
    access_log off;
    log_not_found off;
}
# Per-directory PHP settings
location ~ /\.user\.ini {
    deny all;
    access_log off;
    log_not_found off;
}
# These rules deliberately do not block every dot file, so /.well-known/
# (used for Let's Encrypt validation) keeps working.

Reduce spam comments

Spam comments may not damage your website, but they fill your database with junk and serve as free advertising for the spammer. To reduce spam, you can add the following rules to your Nginx configuration alongside a spam protection plugin like Akismet.

set $comment_flagged 0;
set $comment_request_method 0;
set $comment_request_uri 0;
set $comment_referrer 1;

# flag 1: the request is a POST
if ($request_method ~ "POST") {
    set $comment_request_method 1;
}
# flag 2: the request goes to the comment handler
if ($request_uri ~ "/wp-comments-post\.php$") {
    set $comment_request_uri 1;
}
# flag 3: starts at 1 and drops to 0 when the Referer is missing or is not
# your own site (replace site.com with your domain) or Jetpack's comment form
if ($http_referer !~ "^https?://(([^/]+\.)?site\.com|jetpack\.wordpress\.com/jetpack-comment)(/|$)") {
    set $comment_referrer 0;
}
set $comment_flagged "${comment_request_method}${comment_request_uri}${comment_referrer}";
# "110" = a comment POST whose Referer is missing or foreign: reject it.
# (A comment posted from your own site produces "111" and is allowed.)
if ($comment_flagged = "110") {
    return 403;
}
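The three-flag check above is easy to get backwards, so here is an added example (not from the original post) that reproduces the same flag string in Python and shows which comment submissions end up with 403. `SITE` stands in for the site.com placeholder used in the rule.

```python
import re

# Added example, not from the original post: the three-flag comment check
# reproduced in Python so the logic can be checked before deploying.
# SITE is a placeholder for your own domain (the rule above uses site.com).
SITE = "site.com"
OWN_REFERER = re.compile(
    r"^https?://(([^/]+\.)?" + re.escape(SITE) +
    r"|jetpack\.wordpress\.com/jetpack-comment)(/|$)")


def comment_flags(method, uri, referer):
    """Build the same three-character flag string nginx builds: method, uri, referer."""
    request_method = "1" if re.search("POST", method) else "0"
    request_uri = "1" if re.search(r"/wp-comments-post\.php$", uri) else "0"
    # Starts at 1 and drops to 0 when the Referer is missing or foreign,
    # exactly as `if ($http_referer !~ ...) { set $comment_referrer 0; }` does.
    referrer = "1" if OWN_REFERER.search(referer or "") else "0"
    return request_method + request_uri + referrer


def blocked(method, uri, referer):
    """True when nginx would answer 403: a comment POST whose Referer is not ours."""
    return comment_flags(method, uri, referer) == "110"


if __name__ == "__main__":
    cases = [  # constructed requests
        ("POST", "/wp-comments-post.php", "https://site.com/hello-world/"),
        ("POST", "/wp-comments-post.php", "https://blog.site.com/post/"),
        ("POST", "/wp-comments-post.php", ""),
        ("POST", "/wp-comments-post.php", "https://evil.example/"),
        ("POST", "/wp-comments-post.php", "https://jetpack.wordpress.com/jetpack-comment/"),
        ("GET", "/wp-comments-post.php", ""),
        ("POST", "/wp-login.php", ""),
    ]
    for case in cases:
        print(comment_flags(*case), "blocked" if blocked(*case) else "allowed", case)
```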

Limit Requests

The WordPress login page, wp-login.php, is a common target for brute force attacks. Attackers try to log in by submitting username and password combinations in bulk. They may not be able to crack your password, but they will take up a lot of server resources and may make the website inaccessible.

To counter this, we can apply a rule that limits the number of requests per second the page will handle. Here we set the limit to 2 requests per second; requests exceeding that number are blocked.

# The zone is declared in the http {} block; the location goes in server {}.
# Excess requests get a 503 by default (limit_req_status changes this).
limit_req_zone $binary_remote_addr zone=WPRATELIMIT:10m rate=2r/s;

location ~ /wp-login\.php$ {
    limit_req zone=WPRATELIMIT;
    # Repeat the fastcgi_pass / include fastcgi_params lines from your main
    # PHP location here, otherwise nginx serves the file as a static download.
}

Disable Directory Listing

Last but not least, you should disable directory listings so that attackers cannot tell what is in the directory.

autoindex off;

Summary

Website security is a very important part of website optimization. Once a website is hacked, it may stop opening, slow down, or be injected with hidden spam links ("black links"), and once these problems occur the site may be blacklisted by search engines. It is therefore necessary to master the most basic website security knowledge.
