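# WordPress hardening rules (server-level nginx context).
#
# Evaluation order matters: exact-match blocks ("location =") win over
# regex blocks, regex blocks are tried in the order written, and the
# server-level "if" rules run in the rewrite phase before any location is
# selected.
#
# NOTE(review): "access_log off" on the deny rules also hides scanner probes
# from the access log; keep logging on if those hits feed detection or
# rate limiting.

# Block direct execution of PHP files inside directories that should only
# serve static assets. The dot is escaped (\.php) so that only a real ".php"
# suffix matches; the unescaped "." of the original also matched e.g.
# "/wp-includes/foophp". "deny all" answers with 403.
location ~* /wp-includes/.*\.php$       { deny all; access_log off; log_not_found off; }
location ~* /wp-content/.*\.php$        { deny all; access_log off; log_not_found off; }
location ~* /themes/.*\.php$            { deny all; access_log off; log_not_found off; }
location ~* /plugins/.*\.php$           { deny all; access_log off; log_not_found off; }
location ~* /(?:uploads|files)/.*\.php$ { deny all; access_log off; log_not_found off; }

# Exact match wins over the regex blocks, so /xmlrpc.php gets a 403 here and
# never reaches the 444 rule below that also lists it.
location = /xmlrpc.php                  { deny all; access_log off; log_not_found off; }

# Drop the connection (444) for sensitive files by name: the config file,
# upload helpers, and the metadata/log files that leak version information.
# "[._]" matches the literal separator in "debug.log" / "error_log"; the
# original "(.|_)" accepted any character in that position.
location ~* /((wp-config|plugin_upload|xmlrpc)\.php|(readme|license|changelog)\.(html|txt|md)|(debug|access|error)[._]log)$ { return 444; }

# Drop requests for editor/backup copies of wp-config or xmlrpc
# (wp-config.php~, wp-config.php.bak, xmlrpc.php.orig, ...). The regex is a
# substring match, so the original's leading "/.*" and trailing ".*$" were
# redundant; "orig(inal)?" is equivalent to the original "orig(|inal)".
location ~* (wp-config|xmlrpc).*(php(_bak|~|#)|txt|old|bak|save|orig(inal)?|swp|swo) { return 444; }

# Drop requests whose query string names one of these files, e.g.
# "?file=wp-config.php". Substring match, so the original "^(.*)...(.*)$"
# wrapper added nothing; dots are escaped to match literally.
if ($query_string ~* "(wp-config\.php|dl-skin\.php|xmlrpc\.php|uploadify\.php|admin-ajax\.php|local\.xml)") { return 444; }

# Crude SQL-injection signature on the query string. This is a heuristic and
# will also drop legitimate requests whose parameters happen to contain
# "union ... select" or "concat(".
if ($query_string ~* "(concat.*\(|union.*select.*\(|union.*all.*select)") { return 444; }

# Redirect author-archive enumeration (?author=N) to the front page. The
# pattern is a substring match, so any parameter name ending in "author"
# with a digit value is caught. Comment this out if author archives are
# used.
# NOTE(review): $host echoes the client's Host header; $server_name pins the
# redirect target to the configured name if that is preferred.
if ($query_string ~* "author=[0-9]") { return 301 $scheme://$host/; }

# Block links of the form //blog.ru/wp/wp-content/... and
# //blog.ru/page/wp-content/... (this also blocks a WordPress install that
# genuinely lives under /wp/ or /page/).
location ~* /(wp|page)/.*wp-.*/.*$ { return 444; }

# Frustrate the WPScan fingerprinting utility (http://wpscan.org/): these
# two files are served only when the Referer points at wp-admin. Referer is
# client-supplied, so this defeats naive scanners but is not access control.
location = /wp-includes/css/buttons-rtl.css {
    if ($http_referer !~* "/wp-admin") { return 404; }
}
location = /wp-includes/js/tinymce/wp-tinymce.js.gz {
    if ($http_referer !~* "/wp-admin") { return 404; }
}

# Return 404 for the bare directory roots (presumably to avoid a listing or
# index response that reveals the install layout).
location = /wp-content/                  { return 404; }
location = /wp-includes/                 { return 404; }
location = /wp-content/plugins/          { return 404; }
location = /wp-content/uploads/          { return 404; }
location = /wp-content/themes/           { return 404; }
location = /wp-content/languages/        { return 404; }
location = /wp-content/languages/plugins/ { return 404; }
location = /wp-content/languages/themes/ { return 404; }

# Hide translation files, which reveal the WordPress version. Case-sensitive
# match as in the original; the unused capture group around ".+" is dropped.
location ~ /wp-content/languages/.+\.(po|mo)$ { return 404; }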