Prevent Information Disclosure and Prevent PHP execution

My website currently runs on cloudflare-nginx, for which "Prevent Information Disclosure" and "Prevent PHP execution" are not yet supported. What can I do? Please help.

With Regards

  • Nastia

    Hello Bart, I hope you are doing well today!

    Indeed, I see that the server you are using is cloudflare-nginx.

    So when you are trying to add the suggested code inside the .conf file in a subdirectory under /etc/nginx/... or /usr/local/nginx/conf/... :
    - The .conf file is not there or
    - the changes are not affecting the issues shown in the Defender?

    Please advise.


  • Hoang Ngo

    Hi Bart,

    I hope you are well today.

    Since your server is nginx, you will need to manually update the config to make this work.
    Prevent information disclosure
    1. Copy the generated code into your site specific .conf file usually located in a subdirectory under /etc/nginx/... or /usr/local/nginx/conf/...
    2. Add the code below inside the server section in the file, right before the php location block. Looks something like:
    location ~ \.php$ {
    Here is the code

    ## WP Defender - Prevent information disclosure ##
    # Turn off directory indexing
    autoindex off;
    # Deny access to htaccess and other hidden files
    location ~ /\. {
      deny  all;
    }
    # Deny access to wp-config.php file
    location = /wp-config.php {
      deny all;
    }
    # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
    location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
      deny all;
    }
    ## WP Defender - End ##

    3. Reload nginx

    For Prevent PHP execution
    Basically, the steps are exactly the same as above, but the code for this is

    ## WP Defender - Prevent PHP Execution ##
    # Stop php access except to needed files in wp-includes
    location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
      internal; #internal allows ms-files.php rewrite in multisite to work
    }
    # Specifically locks down upload directories in case full wp-content rule below is skipped
    location ~* /(?:uploads|files)/.*\.php$ {
      deny all;
    }
    # Deny direct access to .php files in the /wp-content/ directory (including sub-folders).
    #  Note this can break some poorly coded plugins/themes, replace the plugin or remove this block if it causes trouble
    location ~* ^/wp-content/.*\.php$ {
      deny all;
    }
    ## WP Defender - End ##

    And this should be added below the code you added for the Prevent information disclosure module.

    If you have any additional issues, please let us know and we'll be happy to help.

    Best regards,
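
As an added illustration that is not part of the thread or of WP Defender's own code, the script below models how the two rule sets above would classify a few constructed request paths. It is a simplified model of nginx location selection (exact `=` matches first, then regex locations in config order, prefix locations ignored) and assumes the site's PHP handler is the usual `location ~ \.php$` block; `decide`, `RULES` and the sample paths are names and values made up for the example.

```python
import re

# (modifier, pattern, outcome) in the order the thread says to place them:
# information-disclosure rules, then PHP-execution rules, then the site's
# own PHP handler (assumed to be the usual `location ~ \.php$`).
RULES = [
    ("=",  "/wp-config.php", "deny"),
    ("~",  r"/\.", "deny"),
    ("~*", r"^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$", "deny"),
    ("~*", r"^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$", "internal"),
    ("~*", r"/(?:uploads|files)/.*\.php$", "deny"),
    ("~*", r"^/wp-content/.*\.php$", "deny"),
    ("~",  r"\.php$", "php-handler"),
]

def decide(uri):
    """Return the outcome for a request URI under this simplified model."""
    path = uri.split("?", 1)[0]  # locations match the path, not the query string
    # Exact-match (=) locations win before any regex is tried.
    for mod, pat, outcome in RULES:
        if mod == "=" and path == pat:
            return outcome
    # Regex locations are tried in config order; the first match wins.
    for mod, pat, outcome in RULES:
        flags = re.IGNORECASE if mod == "~*" else 0
        if mod in ("~", "~*") and re.search(pat, path, flags):
            return outcome
    return "static"  # falls through to normal file serving

# Constructed sample requests, not taken from any real log.
SAMPLES = [
    "/wp-config.php",
    "/.htaccess",
    "/.well-known/acme-challenge/token",        # also caught by the hidden-files rule
    "/wp-content/debug.log",
    "/wp-content/plugins/x/README.md",
    "/wp-content/Uploads/2024/x.PHP?cmd=1",     # ~* is case-insensitive
    "/wp-includes/version.php",                 # internal: direct requests get 404
    "/wp-includes/js/tinymce/wp-tinymce.php",   # exempted by the negative lookbehind
    "/wp-login.php",
    "/wp-content/themes/t/style.css",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{decide(uri):12} {uri}")
```

The hidden-files rule also matches `/.well-known/`, so ACME HTTP-01 validation paths are denied unless another location that handles them takes precedence.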