wo/cli/templates/wpcommon-php7.mustache

# WordPress COMMON SETTINGS - WO v3.9.5
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
# Limit access to avoid brute force attack
location = /wp-login.php {
    limit_req zone=one burst=1 nodelay;
    include fastcgi_params;
    fastcgi_pass php73;
}
# Disable wp-config.txt
location = /wp-config.txt {
    deny all;
    access_log off;
    log_not_found off;
}
location = /robots.txt {
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
    try_files $uri $uri/ /index.php?$args @robots;
    access_log off;
    log_not_found off;
}
# fallback for robots.txt with default wordpress rules
location @robots {
   return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
}
# webp rewrite rules for jpg and png images
# try to load alternative image.png.webp before image.png
location /wp-content/uploads {
    location ~ \.(png|jpe?g)$ {
        add_header Vary "Accept-Encoding";
        add_header "Access-Control-Allow-Origin" "*";
        add_header Cache-Control "public, no-transform";
        access_log off;
        log_not_found off;
        expires max;
        try_files $uri$webp_suffix $uri =404;
    }
    location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
        deny all;
    }
}
# webp rewrite rules for EWWW testing image
location /wp-content/plugins/ewww-image-optimizer/images {
    location ~ \.(png|jpe?g)$ {
        add_header Vary "Accept-Encoding";
        add_header "Access-Control-Allow-Origin" "*";
        add_header Cache-Control "public, no-transform";
        access_log off;
        log_not_found off;
        expires max;
        try_files $uri$webp_suffix $uri =404;
    }
    location ~ \.php$ {
#Prevent Direct Access Of PHP Files From Web Browsers
        deny all;
    }
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
    deny all;
}
simplify locations nginx template 2019-03-27 04:58:25 +01:00			`# WordPress COMMON SETTINGS - WO v3.9.5`
Refactored 2018-11-13 21:55:59 +01:00			`# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE`
			`# Limit access to avoid brute force attack`
			`location = /wp-login.php {`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`limit_req zone=one burst=1 nodelay;`
			`include fastcgi_params;`
fix stack issues * fix php7.2 stack detection * add php7.3 as php7.0 replacement 2019-03-02 20:38:31 +01:00			`fastcgi_pass php73;`
Refactored 2018-11-13 21:55:59 +01:00			`}`
			`# Disable wp-config.txt`
			`location = /wp-config.txt {`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`deny all;`
			`access_log off;`
			`log_not_found off;`
			`}`
Robots.txt fix and changelog update 2019-06-17 00:45:12 +02:00			`location = /robots.txt {`
			`# Some WordPress plugin gererate robots.txt file`
			`# Refer #340 issue`
			`try_files $uri $uri/ /index.php?$args @robots;`
			`access_log off;`
			`log_not_found off;`
			`}`
			`# fallback for robots.txt with default wordpress rules`
			`location @robots {`
			`return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";`
			`}`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`# webp rewrite rules for jpg and png images`
			`# try to load alternative image.png.webp before image.png`
			`location /wp-content/uploads {`
			`location ~ \.(png\|jpe?g)$ {`
			`add_header Vary "Accept-Encoding";`
			`add_header "Access-Control-Allow-Origin" "*";`
			`add_header Cache-Control "public, no-transform";`
			`access_log off;`
			`log_not_found off;`
			`expires max;`
			`try_files $uri$webp_suffix $uri =404;`
			`}`
			`location ~ \.php$ {`
			`#Prevent Direct Access Of PHP Files From Web Browsers`
			`deny all;`
			`}`
			`}`
Add ProFTPd setup 2019-07-19 13:47:29 +02:00			`# webp rewrite rules for EWWW testing image`
			`location /wp-content/plugins/ewww-image-optimizer/images {`
			`location ~ \.(png\|jpe?g)$ {`
			`add_header Vary "Accept-Encoding";`
			`add_header "Access-Control-Allow-Origin" "*";`
			`add_header Cache-Control "public, no-transform";`
			`access_log off;`
			`log_not_found off;`
			`expires max;`
			`try_files $uri$webp_suffix $uri =404;`
			`}`
			`location ~ \.php$ {`
			`#Prevent Direct Access Of PHP Files From Web Browsers`
			`deny all;`
			`}`
			`}`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`# Deny access to any files with a .php extension in the uploads directory`
			`# Works in sub-directory installs and also in multisite network`
			`# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)`
			`location ~* /(?:uploads\|files)/.*\.php$ {`
			`deny all;`
Refactored 2018-11-13 21:55:59 +01:00			`}`
new nginx configurations * letsencrypt validation in /var/www/html * new static files rules * robots.txt fallback for WP * harden nginx configurations 2018-12-11 01:37:36 +01:00			`# mitigate DoS attack CVE with WordPress script concatenation`
			`# add the following line to wp-config.php`
			`# define( 'CONCATENATE_SCRIPTS', false );`
			`location ~ \/wp-admin\/load-(scripts\|styles).php {`
Refactored 2018-11-13 21:55:59 +01:00			`deny all;`
			`}`