Prevent Information Disclosure and Prevent PHP execution

My website currently runs on cloudflare-nginx, on which "Prevent Information Disclosure" and "Prevent PHP execution" are not yet supported. What can't I do? Please help.

With Regards

  • Hoang Ngo

    Hi Bart,

    I hope you are well today.

    So your server is nginx; you will need to manually update the config to make this work.
    Prevent information disclosure
    1. Copy the generated code into your site specific .conf file usually located in a subdirectory under /etc/nginx/... or /usr/local/nginx/conf/...
    2. Add the code below inside the server section in the file, right before the php location block. Looks something like:
    location ~ \.php$ {
    Here is the code

    ## WP Defender - Prevent information disclosure ##
    # Turn off directory indexing
    autoindex off;
    # Deny access to htaccess and other hidden files
    location ~ /\. {
      deny all;
    }
    # Deny access to wp-config.php file
    location = /wp-config.php {
      deny all;
    }
    # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
    location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
      deny all;
    }
    ## WP Defender - End ##

    3. Reload nginx

    To prevent PHP execution
    Basically, the steps are exactly as above, but the code for this is

    ## WP Defender - Prevent PHP Execution ##
    # Stop php access except to needed files in wp-includes
    location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
      internal; # internal allows ms-files.php rewrite in multisite to work
    }
    # Specifically locks down upload directories in case full wp-content rule below is skipped
    location ~* /(?:uploads|files)/.*\.php$ {
      deny all;
    }
    # Deny direct access to .php files in the /wp-content/ directory (including sub-folders).
    # Note this can break some poorly coded plugins/themes, replace the plugin or remove this block if it causes trouble
    location ~* ^/wp-content/.*\.php$ {
      deny all;
    }
    ## WP Defender - End ##

    And this should be added below the code you added for the Prevent information disclosure module.

    If you have any additional issues, please let us know and we'll be happy to help.

    Best regards,
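
Step 2 of the reply asks for the rules to sit before the PHP location block. The following added example (not part of the reply and not WP Defender's code) is a simplified Python model of nginx location selection, exact match first and then the first matching regex in file order, that shows what changes when the rules are pasted after that block instead. The patterns are the ones quoted in the reply; the sample paths are constructed, and prefix locations are reduced to an assumed `static` fallback.

```python
import re

# Regex locations from the reply, in file order: (modifier, pattern, action).
DEFENDER_RULES = [
    ("~", r"/\.", "deny"),
    ("~*", r"^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$", "deny"),
    ("~*", r"^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$", "internal"),
    ("~*", r"/(?:uploads|files)/.*\.php$", "deny"),
    ("~*", r"^/wp-content/.*\.php$", "deny"),
]
PHP_HANDLER = ("~", r"\.php$", "php")  # the site's existing PHP location block
EXACT = {"/wp-config.php": "deny"}     # location = /wp-config.php

def route(uri, regex_locations):
    """Return the action of the location nginx would select for uri."""
    if uri in EXACT:                   # "=" locations win outright
        return EXACT[uri]
    for modifier, pattern, action in regex_locations:
        flags = re.IGNORECASE if modifier == "~*" else 0
        if re.search(pattern, uri, flags):
            return action              # first matching regex wins
    return "static"                    # assumed fallback: plain "location /"

RULES_FIRST = DEFENDER_RULES + [PHP_HANDLER]  # placement the reply asks for
RULES_LAST = [PHP_HANDLER] + DEFENDER_RULES   # rules pasted after the PHP block

# Constructed sample paths, not taken from a real site.
SAMPLES = [
    "/index.php",
    "/wp-config.php",
    "/.htaccess",
    "/wp-content/debug.log",
    "/wp-content/uploads/2020/01/avatar.php",
    "/wp-includes/class-wp.php",
    "/wp-includes/js/tinymce/wp-tinymce.php",
]

def compare(samples=SAMPLES):
    """Map each path to (action with rules first, action with rules last)."""
    return {u: (route(u, RULES_FIRST), route(u, RULES_LAST)) for u in samples}

if __name__ == "__main__":
    for uri, (first, last) in compare().items():
        print(f"{uri:45} rules first: {first:9} rules last: {last}")
```

In nginx, a `deny all` location answers with 403 and an `internal` location answers external requests with 404.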
