Articles, Tutorials

Securing your WordPress site running on Nginx

Nginx is a modern and fast web server software. If you are not familiar with Nginx, you might be familiar with the Apache HTTP web server software. Both of them can serve your WordPress-powered site, though there are notable differences in performance and the way they work. I won’t be comparing them in this article, we’ll do it the other day. Instead, I’m going to show you some useful Nginx server configuration for having a more secure WordPress site.

No PHP scripts in the uploads/ directory

The uploads directory located within the wp-content folder usually stores everything you and your users upload to your WordPress site. Pictures, videos, temporary files — you name it. A problem appears when an attacker decides to gain control of your site. He might be able to somehow get a few PHP scripts into the uploads directory. He can then easily run the scripts by calling the URL address of the file, for example

The Good news is that we can at least prevent him from being able to request the file. The following Nginx location directive inspects the incoming request and with regular expressions jujitsu detects whether it is pointing to a file ending in the .php. If it is, deny all. Nginx module deny limits access to certain client (= visitor) addresses — all of them in our case.

location ~* /(?:uploads|files)/.*.php$ {
    deny all;

Hide sensitive files

Not all files residing in your site’s main WordPress directory are PHP scripts executed by your web server. Some of them contain valuable information such as passwords, database SQL queries, backups and others. Why should a random visitor have access to these files? It’s none of his or her business!

The following location directive uses regular expressions to match these files and return “No Response”, closing the connection. Exactly what we need.

location ~* .(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(.php)?|xtmpl)$|^(..*|Entries.*|Repository|Root|Tag|Template)$|.php_
        return 444;

No other CGI scripts

CGI or Common Gateway Interface is the standard method to generate dynamic content on the web. If you are running Nginx web server, chances are you are already using a CGI — FastCGI (a present-day variation of CGI) — to render your WordPress site. Malicious attackers might want to execute or mask their viruses as CGI scripts of different languages like Python. You know what to do, don’t you.

location ~* .(pl|cgi|py|sh|lua)$ {
        return 444;

Restrict WordPress pain points

Several files located in the WordPress folder could possibly aid an attacker to obtain more information about our WordPress installation like its version. We might also accidentally expose the site database settings when we erroneously change the wp-config.php file. What is more, swarms of spammers are trying to put comments on our articles every day nowadays. My typical tactic is to use Disqus Comment System. However, it needs to do one more thing: deny access to the standard WordPress comment system. Otherwise, spammers would be still able to comment. While the comments wouldn’t show under the articles, they would be still stored in the database, unnecessary taking space and doing mess.

Solution? I’m glad you asked: deny them all!

location ~ /(.|wp-config.php|wp-comments-post.php|readme.html|license.txt) {
    deny all;

Stop image hotlinking

Let’s say you have an image uploaded on your site. Its URL is What if somebody decides to put this image on her or his site?

Any time a visitor loads his site, the image would be requested from your site, not his. This would eat your precious bandwidth and server CPU and RAM resources. We definitely need to protect against this (except if you are Imgur or any other image hosting service). The following Nginx config will do it:

location ~ .(gif|png|jpe?g)$ {
     valid_referers none blocked *;
     if ($invalid_referer) {
        return   403;

Put your site on the valid_referers line — the only sites enabled to request the images.

Additional links and resources

7 thoughts on “Securing your WordPress site running on Nginx

  1. Pingback: Security: WordPress | Finn på noe kult

  2. coconutstudio

    Thank you, this is really helpful. Also, do you think it’s ok to add “allow ;” line before “deny all;” in order for the owner to access login and admin page, since this will deny all access?


    • Yes, it should be okay as long as you have a static IP address at home. Otherwise your IP address might get assigned to another computer sometime in the future (e.g. restart your modem) which would open up a security hole.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s