Nginx Configuration Not Detected By Defender

In all our Nginx host files we have a restrictions.conf which has all the necessary execution blocking, rate limiting, etc.

Defender still says we need to Prevent PHP Execution and Prevent Information Disclosure. Maybe I haven't had the include file working or the plugin isn't detecting my setup properly.

Here's the contents of the restrictions.conf:

autoindex off;
if ($request_method ~* "^(TRACE|DELETE|TRACK)"){
    return 403;
}
if ($http_user_agent ~* LWP::Simple|BBBike|wget) {
    return 403;
}
location /readme.html {
    deny all;
}
location /license.txt {
    deny all;
}
location /wp-config-sample.php {
    deny all;
}
location /wp-config.php {
    deny all;
}
location ~ ^/\.user\.ini {
    deny all;
}
location ~ ^/wp-admin/includes/ {
    return 403;
}
location ~ ^/wp-includes/[^/]+\.php$ {
    return 403;
}
location ~ ^/wp-includes/js/tinymce/langs/.+\.php {
    return 403;
}
location ~ ^/wp-includes/theme-compat/ {
    return 403;
}
location = /favicon.ico {
    log_not_found off;
    access_log off;
}
location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}
location ~ /\. {
    deny all;
}
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}
location ~* ^/wp-content/uploads/.*.(html|htm|shtml|php|js|swf)$ {
    deny all;
}
location ~ ^/wp-content/uploads/edd/(.*)\.(.*)$ {
    rewrite / permanent;
}
location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
    deny all;
}

It is included in the main nginx.conf in an http block. Maybe I need to move this include to a per-host file basis?

It'd be great to hear some insight on this. Thanks.

  • Ash

    Hello Jason

    The Defender plugin can't access any conf file. It uses PHP functions to check whether information disclosure is prevented. So, if your code is working, then PHP on your server should act like that.

    Would you please make sure you have restarted the nginx server after making those changes? If so, would you please remove the suggested nginx code from this file and put it into the host file of a specific site? Then restart nginx and check on the site whether Defender can detect it. If it works then, we will be sure that the restrictions.conf file is not properly included in your site host file.

    So, please let us know how it goes. Have a nice day!

    Cheers,
    Ash
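
Added example, not part of the original thread or of the Defender plugin: a static check for the include placement discussed above. nginx accepts `location` and `if` only inside a `server` or `location` block, so a restrictions file containing them fails the configuration load when it is included directly in `http`. The file names and contents are constructed samples, and the tokenizer assumes no braces or semicolons inside regexes or quoted strings.

```python
import re

# Directives nginx does not accept directly in the main or http context.
NOT_IN_HTTP = {"location", "if", "return", "rewrite"}

# Constructed sample files (assumed names and contents, not the poster's real config).
FILES = {
    "nginx.conf": """
        http {
            include restrictions.conf;   # layout described in the question
            server { server_name a.example; }
        }""",
    "fixed.conf": """
        http {
            server {
                server_name a.example;
                include restrictions.conf;   # per-host include, as the reply suggests
            }
        }""",
    "restrictions.conf": """
        autoindex off;
        if ($request_method ~* "^(TRACE|DELETE|TRACK)") { return 403; }
        location = /wp-config.php { deny all; }
        location ~* ^/wp-content/uploads/.+[.]php$ { deny all; }
    """,
}

def misplaced(name, files=FILES, ctx=("main",)):
    """Return (directive, context) pairs that nginx would reject in that context."""
    text = re.sub(r"#.*", "", files[name])            # drop comments
    stack, words, found = list(ctx), [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok not in ("{", "}", ";"):
            words.append(tok)                          # still inside one directive
            continue
        if tok == "}":
            stack.pop()                                # leave the current block
        elif words:
            if words[0] in NOT_IN_HTTP and stack[-1] in ("main", "http"):
                found.append((" ".join(words), stack[-1]))
            if tok == "{":
                stack.append(words[0])                 # enter http/server/location/if
            elif words[0] == "include":                # follow include in this context
                found += misplaced(words[1], files, tuple(stack))
        words = []
    return found

if __name__ == "__main__":
    for top in ("nginx.conf", "fixed.conf"):
        print(top, misplaced(top) or "OK")
```

On a real server, `nginx -t` reports the same problem as a "directive is not allowed here" error, and a failed reload leaves the previous configuration running.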