Bulletproof WordPress via Nginx

I assume many developers consider WordPress as a joke since it’s made with “PHP”. However, WordPress is still powering a lot of websites. So quite often it is inevitable to do some work on a project that deals with WordPress.

Personally, I’ve had to deal with many WordPress sites and resolve security issues. The most common issues that I observed have been:

  • Backdoor attack to use the infected host to perform various types of attack
  • Stealing an admin cookie
  • Using the stolen cookie to post many dangerous posts
  • Using the stolen cookie to upload other scripts in wp-content directory
  • And so on

The most used attack paths the hackers/hacking tools seem to be wp-admin/(post-new|post|admin-post|).php and /wp-login.php.

Anyhow, the most impactful defense mechanism that I found was to whitelist IP address that belongs to a certain admin user. So far, nothing else has beaten that solution, so I call it a bulletproof Nginx config for WordPress site.

Here’s my Nginx config that I used for my clients to prevent hackers from attempting to intrude a WordPress site.

  location ~ /wp-admin/admin-ajax\.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_read_timeout 300;
    fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    allow all;
  }

  location ~ (/wp-admin/.*\.php|wp-login\.php$) {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_read_timeout 300;
    fastcgi_pass unix:/var/run/php/php7.1-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;

    ## whitelist IPs
    allow x.x.x.x;
    deny all;
    error_page 403 = @wp_ban;
  }

  location @wp_ban {
    rewrite ^(.*) https://mysite.com permanent;
  }

  location ~* /(?:uploads|files|wp-content|wp-includes|akismet)/.*.php$ {
    deny all;
    access_log off;
    log_not_found off;
  }

Glossary for SRE

This is a list of things for SRE, but mainly for myself. I easily forget terminologies and found myself look up terms even though I know what it is… (aging I guess?). So here’s the list of terms that I forget easily. (Not listing all the terms in SRE world since I know a lot of them already)

I don’t know why but I forget these so easily… >.<

  • Deployment Strategies
    • Canary Deployment
    • Rolling Deployment
    • Green Blue Deployment
  • MTTR – Mean Time To Repair
  • MTTF – Mean Time To Failure