Nginx+ WordPress 的组合是目前非常流行的组合。我们可以利用 Nginx 规则来增强 WordPress 的安全性。今天我将分享一些我个人使用的 Nginx 针对 WordPress 的防护规则,你可以根据自己的需求进行调整。
#隐藏 nginx 版本. server_tokens off; #隐藏 PHP 版本 fastcgi_hide_header X-Powered-By; proxy_hide_header X-Powered-By; #禁止目录列表 autoindex off; #验证浏览器行为防 CC #if ($cookie_say != "hbnl$remote_addr"){ # rewrite .* "$scheme://$host$uri" redirect; #return 444; #} #屏蔽 IP 访问 deny 158.69.243.0/24; # MJ12bot deny 46.229.168.0/24; # SemRush deny 54.36.148.0/24; # AhrefsBot deny 54.36.149.0/24; # AhrefsBot #禁止 17ce.com 的测速 if ($http_referer ~* 17ce.com) { return 444; } #禁止恶意 UA 以及为空的请求(^$) if ($http_user_agent ~ "Go-http-client|Apache-HttpClient|lua-resty-http|loli_spider|ngx_lua"){ return 444; } # 禁止 Scrapy 等工具的抓取 if ($http_user_agent ~* (cdnunion_monitor|python-httpx|Wget|Scrapy|HttpClient|PostmanRuntime|ApacheBench|python-requests|Python-urllib|node-fetch)) { return 499; } #禁止一些特殊的 UA if ($http_user_agent ~ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)") { return 444; } # 屏蔽恶意后缀文件访问请求 if ($document_uri ~* .(asp|aspx|jsp|swp|git|env|yaml|yml|sql|db|bak|ini|docx|doc|rar|tar|gz|zip|log|bak|conf)$) { return 444; } #禁止直接访问任何 php 文件 location ~* /(?:uploads|files|akismet)/.*.php$ { deny all; access_log off; log_not_found off;} # 保护 WordPress 系统文件 location = /wp-admin/install.php { deny all; } location = /nginx.conf { deny all; } location ~ ^/user_extention/ { deny all; } location ~ /.htaccess$ { deny all; } location ~ /readme.html$ { deny all; } location ~ /readme.txt$ { deny all; } location ~ ^/wp-config.php$ { deny all; } location ~ ^/wp-admin/includes/ { deny all; } location ~ ^/wp-includes/[^/]+.php$ { deny all; } location ~ ^.*/.git/.*$ { deny all; } location ~ ^.*/.svn/.*$ { deny all; } # 禁用 Uploads 目录的 PHP location ~ ^/wp-content/uploads/.*.(?:php[1-7]?|pht|phtml?|phps)$ { deny all; } # 禁用 Plugins 目录的 PHP location ~ ^/wp-content/plugins/.*.(?:php[1-7]?|pht|phtml?|phps)$ { deny all; } # 禁用 Themes 目录的 PHP,慎重使用会影响到部分主题的缩略图裁剪哦! location ~ ^/wp-content/themes/.*.(?:php[1-7]?|pht|phtml?|phps)$ { deny all; } # 不记录 favicon.ico 请求 location = /favicon.ico { log_not_found off; access_log off;} # 不记录 robots.txt 请求 location = /robots.txt { log_not_found off; access_log off;} location ~ .*.(gif|jpg|jpeg|png|bmp|swf)$ {expires 30d;} location ~ .*.(js|css)?$ { expires 30d;} location ~ /. {deny all;} location ~ /.ht { deny all; access_log off; log_not_found off;} location ~ /.user.ini { deny all; access_log off;log_not_found off;}