How to secure my WooCommerce site on an Nginx server?
-
Hi lankadevs,
I'm new to the nginx server. I want to know how to secure my WooCommerce site. I'm selling digital content to my customers (photos, art works, etc.), and I want to protect the digital content on the server side. Please help me to achieve this task.
Thanks guys.
-
Add following content to /etc/nginx/sites-available/example.com file
# Deny access to wp-content folders for suspicious files
location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$ { deny all; }
location ~ ^/wp-content/uploads/sucuri { deny all; }
location ~ ^/wp-content/updraft { deny all; }

# Block nginx-helper log from public viewing
location ~* /wp-content/uploads/nginx-helper/ { deny all; }
location ~ ^/(wp-includes/js/tinymce/wp-tinymce.php) { include /usr/local/nginx/conf/php.conf; }

# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
location ~* /(?:uploads|files)/.*\.php$ { deny all; }

# Deny access to uploads that aren't images, videos, music, etc.
location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf|css)$ { deny all; }

# Block PHP files in content directory.
location ~* /wp-content/.*\.php$ { deny all; }

# Block PHP files in includes directory.
location ~* /wp-includes/.*\.php$ { deny all; }

# Block PHP files in uploads, content, and includes directory.
location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ { deny all; }

# Make sure files with the following extensions do not get loaded by nginx, because nginx would display the source code, and these files can contain PASSWORDS!
location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ { return 444; }

# nocgi
location ~* \.(pl|cgi|py|sh|lua)$ { return 444; }

# disallow
location ~* (w00tw00t) { return 444; }
location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }

Add the following headers to the /etc/nginx/sites-available/example.com file
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

Source
-
Special block for WooCommerce digital content security
location ~ /woocommerce_uploads { deny all; }
-
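The `deny all` rule above works when WooCommerce's "File download method" is "Force downloads" (PHP reads the file and streams it after checking the order); it breaks the "X-Accel-Redirect/X-Sendfile" method, where PHP only answers with a header and nginx serves the file. The added example below (not from the thread) keeps direct requests blocked while still allowing that method, by marking the directory `internal`; it assumes WordPress at /var/www/example.com, the default uploads path, and PHP-FPM on a Unix socket.

```nginx
# Added example, not part of the original answer.
# Assumptions: WordPress root is /var/www/example.com, uploads live under the
# default wp-content/uploads, and WooCommerce > Settings > Products >
# Downloadable products > File download method = "X-Accel-Redirect/X-Sendfile".

server {
    server_name example.com;
    root /var/www/example.com;

    # External requests to the protected directory get a 404, just like
    # "deny all" (403) hides the files. "internal" additionally lets nginx
    # serve a file when PHP, after validating the customer's download
    # permission, replies with X-Accel-Redirect: /wp-content/uploads/woocommerce_uploads/...
    # "^~" makes this prefix win over the regex locations below.
    location ^~ /wp-content/uploads/woocommerce_uploads/ {
        internal;
    }

    # Never execute PHP from anywhere in the uploads tree.
    location ~* /wp-content/uploads/.*\.php$ {
        deny all;
    }

    # Normal PHP handling for WordPress/WooCommerce (download handler included).
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

After reloading nginx, a direct request for a file under woocommerce_uploads should return 404, while the same file fetched through the customer's WooCommerce download link should still arrive; the .htaccess WooCommerce drops into that directory does nothing on nginx, which is why the nginx-side rule is needed at all.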
Thank you very much @root, this is awesome