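#
# A sample .conf file for enhancing wordpress security
# Include this file in your wordpress vhost
#
# NOTE: limit_req_zone is only valid in the http {} context, not inside a
# server {} block. Keep this one directive in nginx.conf (http context) and
# include the rest of this file from the vhost; otherwise nginx refuses to
# start with "limit_req_zone directive is not allowed here".
# httpblock:
limit_req_zone $binary_remote_addr zone=WPRATELIMIT:10m rate=2r/s;

# Throttle login attempts. The original pattern `\wp-login.php$` used `\w`
# (one word character), so it also matched e.g. /xp-login.php; the slash is
# now literal and the dot escaped.
# NOTE(review): this location carries no PHP handler of its own. If it wins
# the regex ordering over the vhost's PHP location, nginx would fall back to
# serving wp-login.php as a static file — confirm against the vhost, or add
# the same fastcgi/proxy directives here.
location ~ /wp-login\.php$ {
    limit_req zone=WPRATELIMIT;
}

location = /favicon.ico {
    log_not_found off;
    access_log off;
}

location = /robots.txt {
    allow all;
    # log_not_found off;
    # access_log off;
}

# Deny every dotfile/dot-directory in the tree (.git, .env, .htaccess, ...).
# NOTE: this also covers /.well-known/ (e.g. ACME HTTP-01 challenges). A
# prefix location such as `location ^~ /.well-known/acme-challenge/` in the
# vhost takes precedence over regex locations if that path must stay open.
location ~ /\. {
    deny all;
}

# Deny access to wp-content folders for suspicious files.
# The original pattern ended in `\$`, which PCRE reads as a literal dollar
# sign, so it never matched a real URI and the rule was dead; the anchor is
# now a plain `$`. The duplicated `orig` alternative was dropped.
location ~* ^/wp-content/.*\.(zip|gz|tar|bzip2|7z|sql|bak|txt|orig|confbak|log|old|original|php#|php~|php_bak|save|swo|swp)$ {
    deny all;
}

location ~ ^/wp-content/uploads/sucuri {
    deny all;
}

location ~ ^/wp-content/updraft {
    deny all;
}

# nginx block wpscan on plugins folder.
# `error_page 403 =404 /` turns the deny into a 404 served from `/`,
# presumably so a scanner cannot tell "blocked" from "absent".
location ~* ^/wp-content/plugins/.+\.(txt|log|md)$ {
    deny all;
    error_page 403 =404 / ;
}

# block access to install.php and upgrade.php
location ^~ /wp-admin/install.php {
    deny all;
    error_page 403 =404 / ;
}

location ^~ /wp-admin/upgrade.php {
    deny all;
    error_page 403 =404 / ;
}

# Stop scans for the following files on the themes folder
location ~* ^/wp-content/themes/.+\.(txt|log|md)$ {
    deny all;
    error_page 403 =404 / ;
}

# Disable execution of scripts other than PHP from your document root.
# Dot escaped: the original `.(pl|cgi|...)$` matched any URI that merely
# ended in e.g. "asp".
location ~* \.(pl|cgi|py|sh|lua|asp)$ {
    return 444;
}

# Disable access to your configuration files and other files that you don't
# want users to be able to see (dots escaped so only these names match)
location ~* /(wp-config\.php|readme\.html|license\.txt|nginx\.conf) {
    deny all;
}

# Disable wp-config.txt
location = /wp-config.txt {
    deny all;
    access_log off;
    log_not_found off;
}

# XML-RPC: only the listed network may reach it. As with wp-login.php above,
# there is no PHP handler here for the allowed clients — verify against the
# vhost's PHP location.
location ~* /xmlrpc\.php$ {
    allow 172.30.0.0/16;
    deny all;
}

# Drop connections using anything other than GET/POST/HEAD.
if ($request_method !~ ^(GET|POST|HEAD)$ ) {
    return 444;
}

# Deny access to uploads that aren't images, videos, music, etc.
# Dot escaped: `.*.(html|...)$` accepted any character before the extension.
location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf)$ {
    deny all;
}

location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*\.php$ {
    deny all;
    # access_log off;
    # log_not_found off;
}

# The three dotfile rules below are already covered by the generic
# `location ~ /\.` above: nginx uses the first matching regex location, so
# they only take effect if that generic rule is removed. Kept for clarity.
location ~ /\.(svn|git)/* {
    deny all;
    access_log off;
    log_not_found off;
}

location ~ /\.ht {
    deny all;
    access_log off;
    log_not_found off;
}

location ~ /\.user\.ini {
    deny all;
    access_log off;
    log_not_found off;
}

#location ~ ^/(?!(blog)/?) {
#    deny all;
#    access_log off;
#    log_not_found off;
#}

# PLUGINS : Enable Rewrite Rules for Yoast SEO SiteMap
# rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
# rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;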