map $sent_http_content_type $expires { default off; text/html epoch; text/css max; application/javascript max; ~image/ max; } server { root /var/www/{{ vhost_name }}; index index.php; server_name {{ domain }}; listen 80; #Cache settings expires $expires; #Upload max size client_max_body_size 50M; error_log /var/log/nginx/{{ vhost_name }}-error.log access_log /var/log/nginx/{{ vhost_name }}-access.log combined #Disable directory listing autoindex off; location / { try_files $uri $uri/ @handler; } location @handler { if (!-e $request_filename) { rewrite / /index.php last; } rewrite ^(.*.php)/ $1 last; } location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php{{ php_version }}-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } #Disable access to wp-config.php location ~* /(wp-config.php) { deny all; } #Limit XMLRPC access location ~* /xmlrpc.php$ { allow 172.0.1.1; deny all; } #Limit request types if ($request_method !~ ^(GET|POST)$ ) { return 444; } #Limit direct PHP access location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ { deny all; access_log off; log_not_found off; } #Hide nginx version server_tokens off; #Hide PHP version fastcgi_hide_header X-Powered-By; proxy_hide_header X-Powered-By; #Security headers add_header X-Frame-Options SAMEORIGIN; #Comment it to allow iframe add_header Strict-Transport-Security "max-age=31536000"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; # Disable logs for favicon and robots location = /favicon.ico { try_files /favicon.ico @empty; access_log off; log_not_found off; expires max; } location @empty { empty_gif; } location = /robots.txt { allow all; log_not_found off; access_log off; try_files $uri /index.php?$args; } # Deny access to uploads that are not media files location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ { deny all; } # Nginx common security location ~* "(eval\()" { deny all; } location ~* "(127\.0\.0\.1)" { deny all; } location ~* "([a-z0-9]{2000})" { deny all; } location ~* "(javascript\:)(.*)(\;)" { deny all; } location ~* "(base64_encode)(.*)(\()" { deny all; } location ~* "(GLOBALS|REQUEST)(=|\[|%)" { deny all; } location ~* "(<|%3C).*script.*(>|%3)" { deny all; } location ~ "(\\|\.\.\.|\.\./|~|`|<|>|\|)" { deny all; } location ~* "(boot\.ini|etc/passwd|self/environ)" { deny all; } location ~* "(thumbs?(_editor|open)?|tim(thumb)?)\.php" { deny all; } location ~* "(\'|\")(.*)(drop|insert|md5|select|union)" { deny all; } location ~* "(https?|ftp|php):/" { deny all; } location ~* "(=\\\'|=\\%27|/\\\'/?)\." { deny all; } location ~ "(\{0\}|\(/\(|\.\.\.|\+\+\+|\\\"\\\")" { deny all; } location ~ "(~|`|<|>|:|;|%|\\|\s|\{|\}|\[|\]|\|)" { deny all; } location ~* "/(=|\$&|_mm|(wp-)?config\.|cgi-|etc/passwd|muieblack)" { deny all; } location ~* "(&pws=0|_vti_|\(null\)|\{\$itemURL\}|echo(.*)kae|etc/passwd|eval\(|self/environ)" { deny all; } location ~* "/(^$|mobiquo|phpinfo|shell|sqlpatch|thumb|thumb_editor|thumbopen|timthumb|webshell|config|settings|configuration)\.php" { deny all; } }