• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question How to override WP Toolkit Nginx "Deny All" for PHP script in WordPress wp-content directory

Christopher McBride

Basic Pleskian
Hi,

I have a WordPress installation with a plugin to combat spam that has a PHP file to dynamically create a Javascript file located in the plugin's directory within the wp-content folder.

Utilising the WP Toolkit to "secure" the WordPress installation, it adds .htaccess and nginx configurations to prevent the accessing of php files within the wp-content and wp-includes directories.

The plugin has overridden the .htaccess file itself with it's own .htaccess in the plugin folder, however the nginx configuration to override this is eluding me.


The WP Toolkit adds the following into the vhosts's nginx configuration file:
#extension wp-toolkit begin
location ~* wp-config.php { deny all; }

location ~* "^/wp-content/.*\.php" { deny all; }
location ~* "^/wp-includes/.*\.php" { deny all; }

#extension wp-toolkit end


I wish to override this to allow access to the file at /wp-content/plugins/wp-spamshield/js/jscripts.php at a global server level.

I have tried doing this on an individual vhost level with the additional nxginx directives, but nothing appears to be working.

I've tried simply:

location /wp-content/plugins/wp-spamshield/js/jscripts.php {allow all;}

And more advanced:

location /wp-content/plugins/wp-spamshield/js/jscripts.php {
proxy_pass http://x.x.x.x:7080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Accel-Internal /internal-nginx-static-location;
access_log off;
allow all;
}



Can anyone help to get this overridden for all vhosts, please?
 
Hi. I have similar problem, and I disabled "wp-config deny rule" in the WordPress menu in Plesk.
Go to WordPress, choose the installation you want disable some secure rules, and then click “View” next to “Security status” on the installation card.
Find needed wp-config rule and disable
Screenshot_17.png
 
Back
Top