NGINX

This is the NGINX config I use for most Wordpress / PHP projects. I've updated it throughout the years with optimal configurations. Give it a try if you're using LEMP stack in your work.

Also available on Github.

server { listen 80 default_server; listen [::]:80 default_server; set $base /var/www/PROJECTDIRECTORY; root $base; index index.php index.html index.htm index.nginx-debian.html; server_name _ IPADDRESS DOMAINADDRESS; client_max_body_size 8M; # security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # gzip gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml; # assets, media location ~ \.(js|css|png|jpg|jpeg|gif|ico|html|woff|woff2|ttf|svg|eot|otf)$ { add_header "Access-Control-Allow-Origin" "*"; expires 1M; access_log off; add_header Cache-Control "public"; } # default location / { try_files $uri $uri/ /index.php?q=$uri&$args; # Bad IPS deny 45.40.254.224; deny 46.246.58.10; deny 88.208.236.239; deny 108.162.229.0/24; # alaafood.us, bstbikerepair.us deny 128.199.141.0/24; deny 119.29.64.0/24; # "-" deny 141.101.69.0/24; # cleanfoodd.us deny 141.101.88.0/24; # lolrental.us, walkerrentals.us, allnaturalfood.us deny 141.101.96.0/24; # villarental.us, batteryrepair.us, "-" deny 159.65.32.0/24; # walkerrentals.us, bot hitting cron deny 162.158.79.191; # "http://www.google.com.hk" deny 162.158.134.0/24; deny 162.158.142.0/24; # textbookrentalstender.us, alaafood.us deny 172.68.59.0/24; # walkerrentals.us deny 172.68.211.0/24; # feelfood.us deny 172.68.246.0/24; # textbookrentalstender.us } # fastcgi location ~ \.php$ { # fastcgi fastcgi_pass unix:/run/php/php7.2-fpm.sock; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/; fastcgi_intercept_errors off; fastcgi_buffer_size 128k; fastcgi_buffers 256 16k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; # default fastcgi_params include fastcgi_params; include snippets/fastcgi-php.conf; } # apache location ~ /\.ht { deny all; } # xmlrpc location = /xmlrpc.php { deny all; access_log off; log_not_found off; } # favicon location = /favicon.ico { log_not_found off; access_log off; } # robots location = /robots.txt { allow all; log_not_found off; access_log off; } # no php in uploads location ~* /(?:uploads|files)/.*\.php$ { deny all; } # no scripts location ~* .(pl|cgi|py|sh|lua)$ { return 444; } # sensitive files # location ~* .(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(.php)?|xtmpl)$|^(..*|Entries.*|Repository|Root|Tag|Template)$|.php_ { # return 444; # } # no executable code in uploads location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ { deny all; } # no executable code in uploads location ~* /(?:uploads|files)/.*.php$ { deny all; } # includes execution location ~* ^/(?:wp-content|wp-includes)/.*\.php$ { deny all; } # deny wp-content, wp-includes php files location ~* ^/(?:wp-content|wp-includes)/.*\.php$ { deny all; } # deny wp-content/uploads nasty stuff location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ { deny all; } # deny wp-content/plugins (except earlier rules) location ~ ^/wp-content/plugins { deny all; } # deny scripts and styles concat location ~* \/wp-admin\/load-(?:scripts|styles)\.php { deny all; } # deny general stuff location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ { deny all; } # assets, media location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ { expires max; log_not_found off; } # assets, media location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ { expires 7d; access_log off; } # . files location ~ /\. { deny all; } }