Nginx .conf for WordPress multisite

I’m having trouble setting up the .conf file for WordPress Multisite running on Nginx and getting all the WPMUDEV plugins to work. The site in question is not hosted at WPMUDEV and the current hosting provider (who I’m rather happy with) doesn’t offer support for Multisite running on Nginx and I’m currently just “Copy & Paste” Nginx literate…

  • Adam Czajczyk
    • Support Gorilla

    Hello Seductful

    I hope you’re having a nice day!

    I understand that the Multisite itself is up and running but you’re having issues with some specific plugins that require some additional configuration on nginx level, right?

    Could you please elaborate a bit more on this? Which plugins (and/or their features) are those and what exact issues are you experiencing (and what have you tried so far)?

    Let me know please as this will help me better address your request (if necessary, I’ll also consult that with our developers for additional information).

    Best regards,
    Adam

  • Seductful
    • Flash Drive

    Hi Adam

    Correct, the multisite is running with a very basic .conf file that I copied and pasted from the current hosts knowledge base, then again I don’t know if that even works as I when I try use “pretty permalinks” in WordPress nothing wants to update or publish. So…

    The current “working” .conf file consists of:

    ##### Nginx for Seductful.xxx WordPress Multisite

    #### Stats – Start

    if ($request_uri ~* ^/(stats|doc|failed_auth\.html).*$)
    {
    break;
    }

    #### Stats – End

    #### Permalinks – Start

    if (!-e $request_filename) {
    rewrite ^/files(.*) /wp-includes/ms-files.php?file=$1 last;

    rewrite ^(/[^/]+)?(/wp-.*) $2 last;
    rewrite ^(/[^/]+)?(/.*.php) $2 last;

    rewrite ^.*$ /index.php last;
    }

    #### Permalinks – End

    but as I said, “pretty permalinks” aren’t even working with that.

    The code I need to add as per Defender for “Prevent Information Disclosure ” is:

    ### WP Defender – Start

    ## Prevent information disclosure

    # Turn off directory indexing
    autoindex off;

    # Deny access to htaccess and other hidden files
    location ~ /\. {
    deny all;
    }

    # Deny access to wp-config.php file
    location = /wp-config.php {
    deny all;
    }

    # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
    location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
    deny all;
    }

    ### WP Defender – End

    and I don’t know how and where to add it as Defender said “Add the code above inside the server section in the file, right before the php location block. Looks something like: location ~ \.php$ {” but there is nothing likle that in the .conf file yet.
    I tried adding it both at the beginning and the end of the Stats and Permalinks code and then the site (WordPress) “breaks”.

    As I mentioned I’m currently only “Copy & Pates” Nginx literate and hence this is a fresh WordPress install I’m working with so the .conf file is also fresh as my previous “Copy & Paste” version got very large and I could notice duplication of the things I “Copy & Pasted” so I ended it, but I did notice server blocks (if that’s what they are called) so I had a Live Chat earlier today (which was disconnected) in which I wanted to know if the Defender code should be in a server block and can I just start one seeing there isn’t currently one, but the chat ended before I got a reply.

    So currently I’m stuck and the problem probably starts with just the basic .conf as I’m totally out of my depth with Nginxand just trying to get something to work.

    I hope that kind of covers everything you asked.

  • Rupok
    • Support Ninja

    Hi Seductful,

    It’s a complex task because different servers configure nginx in different ways and keep the nginx configuration file in different location. So your host would be able to tell you best about their configuration. But as you said, they are not helping in this case, let me try to help you with your nginx configuration.

    Can you send me a message with server SSH access credentials with *root* access through our secure contact form here: https://premium.wpmudev.org/contact/#i-have-a-different-question ?

    Subject: “Attn: Rupok”
    – SSH IP
    – SSH User
    – SSH Pass
    – SSH Certificate (if required to login to your server with root access)
    – Link back to this thread for reference
    – Any other relevant URLs

    The subject line ensures that it gets assigned to me.

    Please let us know here when you are done sending those. Also, please note, I’m not a server configuration specialist, but I’ll try my best to fix this for you.

    Regards,
    Rupok

  • Rupok
    • Support Ninja

    Hi Seductful,

    Thanks for providing the SSH credentials.

    I logged in using your SSH details. And from what I found, it seems like (I might be wrong though) your hosting environment is using Docker container and the nginx configuration is coming from the root OS shared nginx library.

    [ps614220]$ ps aux | grep nginx
    sed_xxx  12319  0.0  0.0 120516   908 pts/17   S+   07:37   0:00 grep nginx
    root     55559  0.0  0.3  94500  3316 ?        SNs  00:55   0:00 nginx: master process /dh/nginx/bin/nginx-be -c /dh/nginx/servers/httpd-ps614220/nginx.conf -p /dh/nginx/servers/httpd-ps614220/var/
    dhapache 55560  0.0  0.6  94500  6176 ?        SN   00:55   0:01 nginx: worker process
    dhapache 55561  0.0  0.6  94500  6164 ?        SN   00:55   0:00 nginx: worker process

    As we don’t have access to that using given SSH credentials, I can’t edit that nginx configuration file or check if the main nginx files included any other path for custom nginx rules configuration file.

    So, please contact with them and simply ask them – “In which file (including the path for that file) should we add our custom nginx rules?”

    Please let us know their answer. If your SSH user can access that custom nginx rules file, we can help you in adding the required nginx rules in that file.

    I’m looking forward to hearing from you and resolving this issue as soon as possible.

    Regards,
    Rupok

  • Rupok
    • Support Ninja

    Hi Seductful,

    Thanks a lot for the update. I found the nginx.conf file at the location they mentioned. Now, to test the nginx rules, we need access to your WordPress dashboard. Can you send me a message with access credentials through our secure contact form here: https://premium.wpmudev.org/contact/#i-have-a-different-question

    Subject: “Attn: Rupok”
    – WordPress admin Username
    – WordPress admin Password
    – Login URL
    – Link back to this thread for reference
    – Any other relevant URLs

    The subject line ensures that it gets assigned to me.

    Please confirm here when you are done sending those. We will then test custom nginx rules and will update you with our findings.

    Regards,
    Rupok

  • Aditya
    • Staff

    Hi Seductful

    I have logged into your site and checked, seems like defender doesn’t show any other security recommendations now and also visiting /wp-content /wp-config.php shows a blank page which seems like they are blocked as well. I think its all working good, can you check and confirm if there are any issues you face with it?

    Best,
    Aditya Shah

  • Seductful
    • Flash Drive

    Hi there Aditya

    Just logged into the site and checked but this is a screenshot of what the Defender dashboard is showing me.

    https://paste.pics/6QVPW

    Am I doing something wrong?

    I also checked the .conf file at /home/sed_xxx/nginx/seductful.xxx/nginx.conf and I see no change as I thought I’d be able to figure out once Rupok has edited it for the Defender code where to add any further Nginx configuration as I think Hummingbird is also requesting more code be added.

  • Aditya
    • Staff

    Hi Seductful

    I am not really sure what went wrong last time i checked your site there were no recommendation last time but i can now see the suggestions same as in the screenshot you shared. I checked the SSH access you shared and could notice the file “wordpress-ms-subdomain.conf” which has a “location ~ \.php$” block where you can put the defender rules and reload nginx.

    I tried to add the rules in there but since the ssh credentials you shared with us is limited shell so we can’t reload nginx and so can’t observe and changed we did. The best solution for this is to contact your hosting provider as they have the root access and can reload nginx. If you have the root access or the user with permission to reload nginx, please send that to us using the same contact form and we can then get that sorted too.

    Also, it has nothing to do with the site being multisite but just nginx rules so even if the host doesn’t offer support for multisite so you can ask them to place nginx rules it has nothing to do with the multisite.

    Please let us know your views. :slight_smile:

    Best,
    Aditya Shah

  • Seductful
    • Flash Drive

    Hi there Aditya/Rupok

    I’ve replied via the secure contact form with credentials to the host’s panel so you can restart the Nginx (restart the VPS) to test as Defender is still complaing when I check via WordPress admin or “The Hub” from my side.

  • Aditya
    • Staff

    Hi Seductful

    Hope you are doing good. :slight_smile:

    I can see your reply in the email along with the additional credentials i tried logging in to the Dreamhost panel and could notice that they have given a button to restart the server. I am afraid but we can’t restart the server directly after making a change in the nginx config file as that might make your site permanently down if there is even a small error in that code.

    I think you might be a bit confused with nginx restart and server restart, the nginx is a server software on the VPS which needs reloading. There are commands like “nginx -t” to test if the nginx configuration that is done is correct or not. If that shows correct then we use a command like “service nginx reload” or “systemctl reload nginx” to reload nginx which is different from the server restart. the command when run from the ssh user you provided says: “command not found” which cetainly means that the ssh user doesn’t have rights to reload nginx.

    However, as per the Dreamhost support you can simply paste the below code in the nginx/seductful.xxxx/nginx.conf to make it work and reload nginx to show the affect of the applied rules.

    location ~ \.php$ {
    ## WP Defender - Prevent PHP Execution ##
    # Stop php access except to needed files in wp-includes
    location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
      internal; #internal allows ms-files.php rewrite in multisite to work
    }
    
    # Specifically locks down upload directories in case full wp-content rule below is skipped
    location ~* /(?:uploads|files)/.*\.php$ {
      deny all;
    }
    
    # Deny direct access to .php files in the /wp-content/ directory (including sub-folders).
    #  Note this can break some poorly coded plugins/themes, replace the plugin or remove this block if it causes trouble
    location ~* ^/wp-content/.*\.php$ {
      deny all;
    }
    
    ## WP Defender - End ##
    }

    Also, about the “wordpress-ms-subdomain.conf” it is available in “Nginx_off/global” which already have a block with “location ~ \.php$” in which the defender code should be put in, you can however, go with the recommendation of Dreamhost support and ask them to reload nginx since you don’t have permission to do that. :slight_smile:

    Hope that helps. Let me know if you need any further help. :slight_smile:

    Best,
    Aditya Shah

  • Seductful
    • Flash Drive

    Hi there Aditya

    The content in the Nginx_off was my previous “copy & paste” attempt at the configuration, but as I mentioned to Rupok, even I can see duplication as it was all snipets copied from various sources each trying to achieve someting different. I eventually gave up with it, renamed the directory to Nginx_off and started this chat as I couldn’t get the WPMUDEV plugins working.

    So with you referring to the Nginx_off content tells me there might be value at re-looking that code, but my current Nginx.conf literacy is still just at “copy & paste” level so I can’t really debug any of it.

    Could you perhaps glance through all the code in the Nginx_off directory and clean/repair it a bit so it can be enabled, the relevant code for the WPMUDEV plugins inserted and we can see if that might get the plugins working then?

  • Rupok
    • Support Ninja

    Hi Seductful,

    Sorry for the delay from our end. I wanted to have a detailed look at your nginx configuration but your site is not even loading. Did you make any changes which made your site down? If yes, can you please revert the changes so I can check your configuration and try to do as much as we can? I’m seeing this now: https://monosnap.com/file/7ChGI92jZUgrMycTeAWCddLjZhRKpL

    Update: After a few minutes, it loaded. I logged in using SSH and then suddenly it logged me out saying that the server is going to restart automatically.

    Can you please check this with your host? Ask them why the server is rebooting automatically? And ask them why the rules added in their given path is not being applied. I’ve added proper nginx rules in the file they mentioned. So it should work.

    Please let us know the update. I’m looking forward to hearing from you and resolving this issue as soon as possible.

    Regards,
    Rupok

  • Seductful
    • Flash Drive

    Hi there Rupok

    Thought I lost you seeing Aditya took over the weekend.

    I just had a chat with the hosting company as all four my sites seem down just to find out there was a request (they claim) to move them all onto the Seductful.xxx VPS and now something caused the “Site Down” issue we’re currently experiencing. I’ve requested they restore things to what it was before the “request” and they’re busy with it and told me to watch for the confirmation they’ll send me via email when done.

    So I await their email and will let you know via a post here and a message using the secure contact from when it’s received.

    ;-( apologies…

  • Seductful
    • Flash Drive

    Hi there again for today Rupok

    Just finished a online chat with the hosting company in question as they moved all the domains to where they’re supposed to be but Seductful.xxx remained down. Apparently some sync issue between servers, but all is sorted so you should have normal access to do what you need to for the implementation and testing of the nginx configuration that you’ve so kindly done for me.

  • Rupok
    • Support Ninja

    Hi Seductful,

    Thanks for the updates.

    Did you get a chance to ask them why the rules added in their given path are not being applied? I’ve added proper nginx rules in the file they mentioned. So it should work.

    Please let us know what they say about this. We will assist further according to their responses.

    Regards,
    Rupok

  • Seductful
    • Flash Drive

    Hi there Rupok

    “Did you get a chance to ask them why the rules added in their given path are not being applied?” – Nope, that slipped me as getting things back up was higher on my to-do list. ;-(

    I’ve replied via the secure contact form supplying you with needed credential to start a direct chat with one of their support agents, if you’re ok with that, as it will decrease turnaround time of any “roadblock” encountered (it will take the technically challenged out of the loop – me :smiley:). I’ll just chip-in if required as I’ll be able to rather follow any chats as an outside viewing party.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.