• Hello!

    iThemes Security created the file nginx.conf in the WordPress main directory with this content:

    # BEGIN iThemes Security - Do not modify or remove this line
    # iThemes Security Config Details: 2
        # Protect System Files - Security > Settings > System Tweaks > System Files
        location = /wp-admin/install.php { deny all; }
        location = /nginx.conf { deny all; }
        location ~ /\.htaccess$ { deny all; }
        location ~ /readme\.html$ { deny all; }
        location ~ /readme\.txt$ { deny all; }
        location ~ /wp-config.php$ { deny all; }
        location ~ ^/wp-admin/includes/ { deny all; }
        location ~ ^/wp-includes/[^/]+\.php$ { deny all; }
        location ~ ^/wp-includes/js/tinymce/langs/.+\.php$ { deny all; }
        location ~ ^/wp-includes/theme-compat/ { deny all; }
        location ~ ^.*/\.git/.*$ { deny all; }
        location ~ ^.*/\.svn/.*$ { deny all; }

        # Disable PHP in Uploads - Security > Settings > System Tweaks > PHP in Uploads
        location ~ ^/wp\-content/uploads/.*\.(?:php[1-7]?|pht|phtml?|phps)$ { deny all; }

        # Disable PHP in Plugins - Security > Settings > System Tweaks > PHP in Plugins
        location ~ ^/wp\-content/plugins/.*\.(?:php[1-7]?|pht|phtml?|phps)$ { deny all; }

        # Disable PHP in Themes - Security > Settings > System Tweaks > PHP in Themes
        location ~ ^/wp\-content/themes/.*\.(?:php[1-7]?|pht|phtml?|phps)$ { deny all; }

        # Disable XML-RPC - Security > Settings > WordPress Tweaks > XML-RPC
        location ~ xmlrpc.php { deny all; }
    # END iThemes Security - Do not modify or remove this line


    And I can access it directly through domain.xyz/nginx.conf – why can everybody read it?
    Did I miss some setting on my server to protect this file from public access?

Viewing 3 replies - 1 through 3 (of 3 total)
  • The entry below (which is included) should protect the nginx.conf file from being accessed directly:

    location = /nginx.conf { deny all; }

    …that is if the nginx.conf file is being included from the main nginx configuration AND nginx is either stopped/restarted or the nginx config is reloaded.

    When using the .htaccess file on Apache you don’t have to worry about these things. It just works.
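    As an added illustration of the include-and-reload step described above (this is not code from the thread, from iThemes, or from the plugin; the hostname, document root and PHP-FPM socket path are assumptions), a minimal server block that pulls the plugin-generated file into nginx's own configuration:

    ```nginx
    # Added example (not from the thread or the plugin): a server block that
    # includes the plugin-generated nginx.conf so its "deny all" rules apply.
    # domain.xyz, the root path and the PHP-FPM socket are assumed values.
    server {
        listen 80;
        server_name domain.xyz;                 # assumed hostname from the thread
        root /var/www/domain.xyz/htdocs;        # assumed WordPress document root
        index index.php;

        # The generated rules only take effect here, inside the server block:
        # nginx has no per-directory config file equivalent to .htaccess.
        # Regex locations are matched in file order, so this include must come
        # BEFORE the generic \.php$ handler below, or the deny rules for PHP in
        # uploads/plugins/themes would never be reached.
        include /var/www/domain.xyz/htdocs/nginx.conf;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        # PHP handler; the socket path is an assumption.
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_pass unix:/run/php/php-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
    ```

    After editing the main configuration, validate it with `nginx -t` and then reload (`nginx -s reload` or `systemctl reload nginx`); until that reload happens the file in the web root is just a world-readable static file, which is exactly what the original post observed. A request for /nginx.conf should then return 403, and because `location = /nginx.conf` is an exact match it wins regardless of where it sits in the file, while the regex-based rules depend on the include ordering noted in the comment.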

    +++++ To prevent any confusion, I’m not iThemes +++++

    I’m pretty sure that nginx does not allow frontloading .conf files and location is only allowed in server blocks. The reason the nginx.conf file does not work where it has been created is because nginx does not allow frontloading .conf files like Apache does = .htaccess files. So the actual problem is that the nginx.conf file should not have been created where it was created since it has absolutely no effect on the server.

    Hi AITpro,

    Thank you for sharing that thought.

    I have run an nginx test env on a Windows local machine in the past and I can assure you it worked exactly as described in my previous post.

    That said, I’ve always wondered how this would work in a shared hosting env… (e.g. while using Plesk).

    Anyway, I never found an answer and due to the extra operational/administrative steps required I decided to stick to using Apache.

  • The topic ‘iThemes Security creates public nginx.conf file’ is closed to new replies.