    How to secure my WooCommerce site on an Nginx server?

    Information Security
    wordpress nginx php mysql security
    • lkdev
      lkdev last edited by lkdev

      Hi lankadevs,

      I'm new to the nginx server. I want to know how to secure my WooCommerce site. I'm selling digital content to my customers (photos, artworks, etc.), and I want to protect the digital content on the server side. Please help me to achieve this task.

      Thanks guys.

      • root
        root Linux Help last edited by

        Add the following content to the /etc/nginx/sites-available/example.com file

        # Deny access to wp-content folders for suspicious files
        # "$" is the end-of-string anchor; an escaped "\$" would match a literal dollar sign and the rule would never fire
        location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$ { deny all; }
        location ~ ^/wp-content/uploads/sucuri { deny all; }
        location ~ ^/wp-content/updraft { deny all; }
        
        # Block nginx-helper log from public viewing
        location ~* /wp-content/uploads/nginx-helper/ { deny all; }
        # Regex locations are tried in config order, so this allow rule must come before the wp-includes deny rules below
        location ~ ^/(wp-includes/js/tinymce/wp-tinymce\.php) {
          include /usr/local/nginx/conf/php.conf;
        }
        
        # Deny access to any files with a .php extension in the uploads directory
        # Works in sub-directory installs and also in multisite network
        location ~* /(?:uploads|files)/.*\.php$ { deny all; }
        
        # Deny access to uploads that aren't images, videos, music, etc.
        location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf|css)$ {
            deny all;
        }
        
        # Block PHP files in content directory.
        location ~* /wp-content/.*\.php$ {
          deny all;
        }
        
        # Block PHP files in includes directory.
        location ~* /wp-includes/.*\.php$ {
          deny all;
        }
        
        # Block PHP files in uploads, content, and includes directory.
        location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
          deny all;
        }
        
        # Make sure files with the following extensions do not get loaded by nginx because nginx would display the source code, and these files can contain PASSWORDS!
        location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
          return 444;
        }
        
        # No CGI-style scripts served from the web root; 444 closes the connection without sending a response
        location ~* \.(pl|cgi|py|sh|lua)$ {
          return 444;
        }
        
        # Drop requests carrying the w00tw00t scanner signature
        location ~* (w00tw00t) {
          return 444;
        }
        # Dotfiles and WordPress config/metadata files
        location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }
        

        Add the following headers to the /etc/nginx/sites-available/example.com file

        add_header X-Frame-Options SAMEORIGIN;
        
        add_header X-Content-Type-Options nosniff;
        
        add_header X-XSS-Protection "1; mode=block";
        
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
        

        Sources

        1. https://gist.github.com/ethanpil/1bfd01a817a8198369efec5c4cde6628
        2. https://gist.github.com/plentz/6737338
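The Content-Security-Policy in the header block above grants script-src both 'unsafe-inline' and 'unsafe-eval', which removes most of the protection a CSP is meant to give against injected script. The following Python linter is an added example (not code from the post above or from the two gists it cites): it tokenizes a CSP value the way a browser does (directives split on ';', sources on whitespace, first occurrence of a directive wins, fetch directives fall back to default-src) and reports the settings a reviewer would raise. SAMPLE_CSP is a copy of the posted policy; HARDENED_CSP is a constructed comparison.

```python
"""Parse a Content-Security-Policy header value and report the directives that weaken it."""

# Copy of the policy posted above, used as sample input.
SAMPLE_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com "
    "https://assets.zendesk.com https://connect.facebook.net; "
    "img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com "
    "https://assets.zendesk.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; "
    "font-src 'self' https://themes.googleusercontent.com; "
    "frame-src https://assets.zendesk.com https://www.facebook.com "
    "https://s-static.ak.facebook.com https://tautt.zendesk.com; "
    "object-src 'none'"
)

# Constructed comparison policy: no inline/eval script, explicit base-uri and frame-ancestors.
HARDENED_CSP = (
    "default-src 'self'; script-src 'self' https://ssl.google-analytics.com; "
    "object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
)

# Fetch directives fall back to default-src when they are not set explicitly.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "font-src", "frame-src",
                    "object-src", "connect-src", "media-src")
WILDCARD_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def parse_csp(value):
    """Return {directive: [source, ...]}. Directive names are case-insensitive and a
    repeated directive is ignored, which is how browsers treat duplicates."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources that actually apply to a directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src", [])
    return []


def lint_csp(policy):
    """List the weaknesses a reviewer would raise; an empty list means none of these checks fired."""
    findings = []
    script = effective_sources(policy, "script-src")
    # A nonce or hash source makes browsers ignore 'unsafe-inline', so only flag the bare case.
    if "'unsafe-inline'" in script and not any(s.startswith(("'nonce-", "'sha")) for s in script):
        findings.append("script-src allows 'unsafe-inline': injected inline scripts still run, so the policy does not mitigate XSS")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': eval()/new Function() on untrusted strings is permitted")
    for src in script:
        if src in WILDCARD_SOURCES:
            findings.append(f"script-src allows the wildcard source {src}")
    for name, sources in policy.items():
        for src in sources:
            if src.startswith("http://"):
                findings.append(f"{name} allows plaintext origin {src}")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content (object/embed) can be loaded")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing: framing control relies on X-Frame-Options alone")
    return findings


if __name__ == "__main__":
    for label, value in (("posted", SAMPLE_CSP), ("hardened", HARDENED_CSP)):
        print(f"== {label} policy ==")
        for finding in lint_csp(parse_csp(value)) or ["no findings"]:
            print(" -", finding)
```

Two nginx details are worth checking alongside the policy itself: `add_header` is only applied to 2xx and 3xx responses unless the `always` parameter is given, so error pages go out without these headers, and a `location` block that sets its own `add_header` does not inherit the ones defined at `server` level. X-XSS-Protection is also ignored by current browsers, so the CSP is what actually carries the weight.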
        • root
          root Linux Help last edited by root

          Special block for WooCommerce digital content security

          location ~ /woocommerce_uploads {
             deny  all;
          }
          
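To see which of the rules from the two posts above fires for a given request, and why the escaped "\$" in the originally posted patterns matters, the following Python simulator replays sample paths against the regex locations in config order. It is an added example, not code from either post or from the cited gists; SAMPLE_REQUESTS is constructed, and the simulator approximates nginx's behaviour (query string removed, percent-decoding applied, first regex location in file order wins, `~` case-sensitive and `~*` case-insensitive) without modelling prefix locations or try_files.

```python
"""Replay request paths against the regex location rules posted above.

nginx tries regex locations ("~" case-sensitive, "~*" case-insensitive) in the
order they appear in the config and applies the first one that matches the
normalized request path (query string removed, percent-decoding applied).
"""
import re
from urllib.parse import unquote

# (modifier, pattern, action) in the order of the posted config. The posted
# "\$" is written here as "$" (end-of-string anchor); see matches_as_posted().
RULES = [
    ("~*", r"^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$", "deny"),
    ("~",  r"^/wp-content/uploads/sucuri", "deny"),
    ("~",  r"^/wp-content/updraft", "deny"),
    ("~*", r"/wp-content/uploads/nginx-helper/", "deny"),
    ("~",  r"^/(wp-includes/js/tinymce/wp-tinymce\.php)", "php"),
    ("~*", r"/(?:uploads|files)/.*\.php$", "deny"),
    ("~*", r"^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf|css)$", "deny"),
    ("~*", r"/wp-content/.*\.php$", "deny"),
    ("~*", r"/wp-includes/.*\.php$", "deny"),
    ("~*", r"/(?:uploads|files|wp-content|wp-includes)/.*\.php$", "deny"),
    ("~*", r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme"
           r"|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_", "444"),
    ("~*", r"\.(pl|cgi|py|sh|lua)$", "444"),
    ("~*", r"(w00tw00t)", "444"),
    ("~*", r"/(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt)", "deny"),
    ("~",  r"/woocommerce_uploads", "deny"),   # the WooCommerce rule from the follow-up post
]


def normalize(raw_uri):
    """Approximate nginx's $uri: drop the query string and percent-decode the path."""
    return unquote(raw_uri.split("?", 1)[0])


def first_match(raw_uri, rules=RULES):
    """Return (rule_index, action) for the first matching regex location, or (None, "pass")."""
    uri = normalize(raw_uri)
    for index, (modifier, pattern, action) in enumerate(rules):
        flags = re.IGNORECASE if modifier == "~*" else 0
        if re.search(pattern, uri, flags):
            return index, action
    return None, "pass"


def matches_as_posted(uri):
    """The PHP-in-wp-content rule exactly as posted: the backslash before the dollar
    sign makes PCRE treat it as a literal character, so the pattern only matches paths
    that end in '.php$' and never blocks a real .php request."""
    return re.search(r"/wp-content/.*\.php\$", uri) is not None


# Constructed sample requests: what a storefront serves and what it must not.
SAMPLE_REQUESTS = [
    "/wp-content/uploads/2020/01/photo.jpg",
    "/wp-content/uploads/woocommerce_uploads/artwork.jpg",
    "/wp-content/uploads/woocommerce_uploads/artwork.zip",
    "/wp-content/uploads/Shell.PHP?x=1",
    "/wp-includes/js/tinymce/wp-tinymce.php",
    "/.git/config",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        index, action = first_match(req)
        rule = "no regex location" if index is None else f"rule {index} ({RULES[index][1]})"
        print(f"{req:55} -> {action:5} via {rule}")
    print("rule as posted blocks /wp-content/uploads/shell.php:",
          matches_as_posted("/wp-content/uploads/shell.php"))
```

Two points the replay makes visible: the wp-tinymce allow rule only works because it precedes the wp-includes deny rules, and the `~` rules (sucuri, updraft, woocommerce_uploads) are case-sensitive, so `~*` is the safer modifier unless case-sensitivity is intended. The `deny all` on /woocommerce_uploads fits WooCommerce's "Force downloads" method, where PHP reads the file and streams it to the buyer; if the store is set to the "X-Accel-Redirect/X-Sendfile" method instead, that location must be marked `internal;` rather than denied, so nginx serves it only through the internal redirect WooCommerce issues after checking the download permission.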
          • lkdev
            lkdev last edited by

            Thank you very much @root, this is awesome
