Question Hardening Wordpress on Plesk with Nginx

[BizMarquee]

I've got Wordpress running with permalinks no problem using pure NGinx, but have one major issue and that is security. Usually with Wordpress I use an .htaccess file to block any .php file from running in the uploads folder. I found this directive from several resources:

location ~* /(?:uploads|files)/.*.php$ {
deny all;
access_log off;
log_not_found off;
}

However, when I plug it into Plesk's window for the nginx directives and save it, it has no effect and php runs just fine in the uploads folder.

Has anyone gotten this to work somehow? Or am I putting this code in the wrong place?

 

[Linulex]

.htaccess rewrite rules are different then nginx rewrite rules. There is an extention that is called "htaccess to nginx" to "Convert apache htaccess rewrite rules to nginx rewrite rules automatically."

maybe that is what you need?

regards
Jan

 

[BizMarquee]

Nope, the rewrites for the pages and permalinks work great with that extension, it's the restricting of executing PHP in the uploads folder that I can't seem to make happen.

 

[danami]

You are actually making your setup less secure running with a pure Nginx setup. Mod security only works when PHP is being processed by Apache. See the section "Nginx and ModSecurity Notes (Linux)" here:
https://docs.plesk.com/en-US/onyx/a...n/web-application-firewall-modsecurity.73383/

Personally I would never host any site without a working mod_security, good set of rules and some sort of automatic rule trigger blocking.

 

[BizMarquee]

Ah that makes sense! Thanks! Speed needs to be sacrificed for security, but security is more important, to me.