Prevent Information Disclosure and Prevent PHP execution

My website currently runs on cloudflare-nginx, for which "Prevent Information Disclosure" and "Prevent PHP execution" are not yet supported. What can't I do? Please help.

With Regards

  • Nastia
    • Support Rock Star

    Hello Bart, I hope you are doing well today!

    Indeed, I see that the server you are using is cloudflare-nginx.

    So when you are trying to add the suggested code inside the .conf file in a subdirectory under /etc/nginx/... or /usr/local/nginx/conf/... :
    - The .conf file is not there or
    - the changes are not affecting the issues shown in the Defender?

    Please advise.


  • Sajid
    • DEV MAN’s Sidekick

    Hi @bbiedron,
    Hope you are doing good today :slight_smile:

    Thanks for sharing the information with us. I have pinged the developer (@webexperts09) here and I am sure he will post a reply here as soon as possible.

    Take care and have a nice day :slight_smile:
    Cheers, Sajid

  • Hoang Ngo
    • Code Slayer

    Hi Bart,

    I hope you are well today.

    Since your server is nginx, you will need to manually update the config to make this work.
    Prevent information disclosure
    1. Copy the generated code into your site-specific .conf file, usually located in a subdirectory under /etc/nginx/... or /usr/local/nginx/conf/...
    2. Add the code below inside the server section in the file, right before the PHP location block, which looks something like:
    location ~ \.php$ {
    Here is the code:

    ## WP Defender - Prevent information disclosure ##
    # Turn off directory indexing
    autoindex off;
    # Deny access to htaccess and other hidden files
    location ~ /\. {
      deny  all;
    }
    # Deny access to wp-config.php file
    location = /wp-config.php {
      deny all;
    }
    # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
    location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
      deny all;
    }
    ## WP Defender - End ##

    3. Reload nginx

    To prevent PHP execution
    Basically, the steps are exactly the same as above, but the code for this is:

    ## WP Defender - Prevent PHP Execution ##
    # Stop php access except to needed files in wp-includes
    location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
      internal; #internal allows ms-files.php rewrite in multisite to work
    }
    # Specifically locks down upload directories in case full wp-content rule below is skipped
    location ~* /(?:uploads|files)/.*\.php$ {
      deny all;
    }
    # Deny direct access to .php files in the /wp-content/ directory (including sub-folders).
    #  Note this can break some poorly coded plugins/themes, replace the plugin or remove this block if it causes trouble
    location ~* ^/wp-content/.*\.php$ {
      deny all;
    }
    ## WP Defender - End ##

    And this should be added below the code you added for the Prevent information disclosure module.

    If you have any additional issues, please let us know and we'll be happy to help.

    Best regards,
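
Why the reply above says to place the rules "right before the php location block", shown as an added example that is not part of the original thread or of WP Defender: nginx uses the first matching regex location, so the same rules pasted below `location ~ \.php$` no longer stop PHP files in uploads or wp-content. The sample paths are constructed, and the model assumes the server block has no `^~` prefix locations.

```python
import re

# Regex locations from the post, in the order it gives them. nginx tries regex
# locations top to bottom and uses the first match ("~*" = case-insensitive).
DEFENDER_RULES = [
    (r"/\.", 0, "deny"),
    (r"^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$", re.I, "deny"),
    (r"^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$", re.I, "internal"),
    (r"/(?:uploads|files)/.*\.php$", re.I, "deny"),
    (r"^/wp-content/.*\.php$", re.I, "deny"),
]
PHP_HANDLER = (r"\.php$", 0, "php")  # the existing "location ~ \.php$" block
EXACT = {"/wp-config.php": "deny"}   # "location =" wins before any regex is tried

BEFORE = DEFENDER_RULES + [PHP_HANDLER]  # placement the post recommends
AFTER = [PHP_HANDLER] + DEFENDER_RULES   # rules pasted below the PHP block

# Constructed sample request paths (assumed already normalized, no query string).
SAMPLES = [
    "/wp-config.php",
    "/.htaccess",
    "/.well-known/acme-challenge/token",  # hidden-file rule also covers this
    "/wp-content/debug.log",
    "/wp-content/uploads/2024/avatar.php",
    "/wp-content/plugins/demo/helper.php",
    "/wp-includes/ms-files.php",
    "/wp-includes/js/tinymce/wp-tinymce.php",
    "/index.php",
    "/wp-content/themes/demo/style.css",
]


def decide(path, regex_locations):
    """Return the action nginx would select for one request path."""
    if path in EXACT:
        return EXACT[path]
    for pattern, flags, action in regex_locations:
        if re.search(pattern, path, flags):
            return action
    return "static"  # no regex location matched: ordinary file serving


def report():
    """Map each sample path to (action with rules before PHP block, after it)."""
    return {p: (decide(p, BEFORE), decide(p, AFTER)) for p in SAMPLES}


if __name__ == "__main__":
    for path, (before, after) in report().items():
        print(f"{path:42} before: {before:9} after: {after}")
```

A location marked `internal` answers outside requests with 404. The `/.well-known/` row shows that the hidden-file rule also denies ACME HTTP-01 validation paths, which matters if certificates are renewed through the web root.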
