How to secure my WooCommerce site on an nginx server?



  • Hi lankadevs,

    I'm new to the nginx server and I want to know how to secure my WooCommerce site. I'm selling digital content to my customers (photos, artworks, etc.) and I want to protect the digital content on the server side. Please help me to achieve this task.

    Thanks guys.


  • Linux Help

    Add the following content to the /etc/nginx/sites-available/example.com file

    # Place these inside the server { } block, BEFORE the "location ~ \.php$"
    # block that passes requests to PHP-FPM: among regex locations nginx uses
    # the first one that matches in file order, so a PHP handler listed above
    # these rules would execute the very files they are meant to block.
    #
    # Note on "$": the source gist wrote "\$" (needed only when pasting through
    # a shell heredoc). nginx hands "\$" to the regex engine unchanged, where
    # it means a literal dollar character, so a rule ending in "\.php\$" never
    # matches a real URI. A regex anchor in nginx.conf is a bare "$".

    # Deny access to archive files under wp-content (backups, plugin zips, ...)
    location ~* ^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$ { deny all; }
    location ~ ^/wp-content/uploads/sucuri { deny all; }
    location ~ ^/wp-content/updraft { deny all; }
    
    # Block the nginx-helper plugin log from public viewing
    location ~* /wp-content/uploads/nginx-helper/ { deny all; }

    # Exception: this one PHP file under wp-includes must still be executed.
    # It is listed before the deny rules below so that it wins the regex match.
    location ~ ^/(wp-includes/js/tinymce/wp-tinymce\.php) {
      # Path as in the source gist (Centmin Mod layout); replace it with the
      # fastcgi/PHP-FPM snippet used by your own installation.
      include /usr/local/nginx/conf/php.conf;
    }
    
    # Deny access to any files with a .php extension in the uploads directory.
    # Works in sub-directory installs and also in multisite networks.
    location ~* /(?:uploads|files)/.*\.php$ { deny all; }
    
    # Deny access to uploads that aren't images, videos, music, etc.
    # (the dot before the extension group is escaped: an unescaped "." matches
    #  any character, so the original also matched names merely ending in
    #  those letters, e.g. "/wp-content/uploads/ahtml")
    location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf|css)$ {
        deny all;
    }
    
    # Block PHP files in the content directory.
    location ~* /wp-content/.*\.php$ {
      deny all;
    }
    
    # Block PHP files in the includes directory.
    location ~* /wp-includes/.*\.php$ {
      deny all;
    }
    
    # Block PHP files in the uploads, content, and includes directories
    # (a superset of the three rules above; kept as a single catch-all).
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ {
      deny all;
    }
    
    # Make sure files with the following extensions do not get served by nginx,
    # because nginx would display the source code, and these files can contain PASSWORDS!
    # The second alternative matches these names as path segments ("/..."):
    # the original "^(\..*|...)$" could never match, because a request URI
    # always starts with "/".
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|/(\..*|Entries.*|Repository|Root|Tag|Template)$|\.php_ {
      return 444;
    }
    
    # No CGI-style scripts
    location ~* \.(pl|cgi|py|sh|lua)$ {
      return 444;
    }
    
    # Drop well-known scanner probes without a response
    location ~* (w00tw00t) {
      return 444;
    }

    # Deny dotfiles (.git, .htaccess, .env, ...) and WordPress metadata files.
    # If you use HTTP-01 ACME validation, add a
    # "location ^~ /.well-known/acme-challenge/ { }" block above this one,
    # otherwise the "\." alternative blocks the challenge as well.
    location ~* /(\.|wp-config\.php|wp-config\.txt|changelog\.txt|readme\.txt|readme\.html|license\.txt) { deny all; }
    

    Add the following headers to the /etc/nginx/sites-available/example.com file

    # add_header directives are inherited by a location block only if that
    # block sets no add_header of its own, so keep all of them at one level.
    add_header X-Frame-Options SAMEORIGIN;
    
    add_header X-Content-Type-Options nosniff;
    
    # Legacy header: current browsers ignore it, but it is harmless to keep.
    add_header X-XSS-Protection "1; mode=block";
    
    # Allow-list taken from the source gist (Google Analytics, Zendesk, Facebook);
    # trim it to the third-party origins your own site actually loads from.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
    

    Source


    1. https://gist.github.com/ethanpil/1bfd01a817a8198369efec5c4cde6628
    2. https://gist.github.com/plentz/6737338

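Because nginx picks the first matching regex location in configuration order, the deny rules in the answer above only protect the site if they sit before the `location ~ \.php$` handler. The following Python script is an added example, not part of the original post: it models that first-match rule over the post's own regexes (dollar signs unescaped, extension dot escaped) and checks constructed probe URIs against a correct ordering and two common mistakes. The rule names, the ACME exception and the probe URIs are assumptions made for this example.

```python
import re

# Added example, not code from the original post. It models how nginx chooses
# a location for a request so the deny rules from the answer can be checked
# for ordering mistakes offline. Rule names, the ACME exception and the probe
# URIs below are constructed for this example.

# Each rule: (name, modifier, pattern, action). Regexes are the post's own,
# with the shell-style "\$" unescaped and the extension dot escaped.
ACME = ("acme-challenge", "^~", "/.well-known/acme-challenge/", "static")
TINYMCE = ("tinymce-allow", "~", r"^/(wp-includes/js/tinymce/wp-tinymce\.php)", "php")
DENY_RULES = [
    ("deny-archives", "~*", r"^/(wp-content)/(.*?)\.(zip|gz|tar|bzip2|7z)$", "deny"),
    ("deny-php-in-content", "~*", r"/(?:uploads|files|wp-content|wp-includes)/.*\.php$", "deny"),
    ("deny-non-media-uploads", "~*", r"^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf|css)$", "deny"),
    ("deny-dotfiles-and-config", "~*", r"/(\.|wp-config\.php|readme\.html|license\.txt)", "deny"),
    ("deny-woocommerce-uploads", "~", r"/woocommerce_uploads", "deny"),
]
PHP_HANDLER = ("php-handler", "~", r"\.php$", "php")

# Correct layout: exception first, deny rules next, PHP handler last.
HARDENED = [ACME, TINYMCE] + DENY_RULES + [PHP_HANDLER]
# Common mistake: the deny rules pasted below an existing PHP handler.
PHP_FIRST = [ACME, PHP_HANDLER, TINYMCE] + DENY_RULES
# Common mistake: no prefix location for the ACME challenge directory.
WITHOUT_ACME = [TINYMCE] + DENY_RULES + [PHP_HANDLER]


def resolve(rules, uri):
    """Return (rule_name, action) nginx would pick for a request URI.

    Selection order modelled on nginx: the longest matching "^~" prefix
    location wins and regex locations are skipped; otherwise the FIRST regex
    location that matches, in configuration order, wins; otherwise the
    request falls through to the implicit "location /" (static file here).
    """
    prefix_hit = None
    for name, modifier, pattern, action in rules:
        if modifier == "^~" and uri.startswith(pattern):
            if prefix_hit is None or len(pattern) > len(prefix_hit[1]):
                prefix_hit = (name, pattern, action)
    if prefix_hit:
        return prefix_hit[0], prefix_hit[2]
    for name, modifier, pattern, action in rules:
        if modifier in ("~", "~*"):
            flags = re.IGNORECASE if modifier == "~*" else 0
            if re.search(pattern, uri, flags):
                return name, action
    return "implicit-root", "static"


# Constructed probe URIs with the action a hardened site must produce.
PROBES = [
    ("/index.php", "php"),
    ("/wp-includes/js/tinymce/wp-tinymce.php", "php"),
    ("/wp-content/uploads/2024/05/photo.jpg", "static"),
    ("/.well-known/acme-challenge/token123", "static"),
    ("/wp-content/uploads/2024/05/shell.php", "deny"),
    ("/wp-content/uploads/2024/05/Shell.PHP", "deny"),
    ("/wp-content/plugins/foo/backup.tar.gz", "deny"),
    ("/wp-content/uploads/woocommerce_uploads/2024/05/art.png", "deny"),
    ("/.git/config", "deny"),
]


def violations(rules):
    """Probe URIs whose outcome under `rules` differs from the expected action."""
    return [(uri, resolve(rules, uri)) for uri, expected in PROBES
            if resolve(rules, uri)[1] != expected]


if __name__ == "__main__":
    for label, rules in (("HARDENED", HARDENED), ("PHP_FIRST", PHP_FIRST),
                         ("WITHOUT_ACME", WITHOUT_ACME)):
        print(label, "->", violations(rules) or "no violations")
```

Run it after editing the server block and compare with what the real server does (`curl -o /dev/null -w '%{http_code}' https://example.com/<probe>`): with the PHP handler listed first, an uploaded `shell.php` is executed instead of denied, and without the `^~` prefix location the dotfile rule blocks ACME validation, so certificate renewal silently fails.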
  • Linux Help

    Special block for WooCommerce digital content security

    # Place this before the PHP handler and before any generic static-file or
    # cache location: regex locations are tried in file order, first match wins.
    # Works with the WooCommerce "Force downloads" method, where PHP reads the
    # file itself. With the "X-Accel-Redirect/X-Sendfile" method use "internal;"
    # instead, because "deny all" also applies to the internal request that
    # the X-Accel-Redirect header triggers.
    location ~ /woocommerce_uploads {
       deny  all;
    }
    

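A worked server block that combines both answers, as an added example and not configuration taken from the original posts or from WooCommerce. It assumes a document root of /var/www/example.com, PHP-FPM listening on /run/php/php-fpm.sock and the default upload path wp-content/uploads. For the WooCommerce upload directory it uses `internal` rather than `deny all`: direct requests still get a 404, while the X-Accel-Redirect download method (PHP checks the order and asks nginx to send the file) keeps working.

```nginx
# Added example, not configuration from the original posts or from WooCommerce.
# Assumptions: document root /var/www/example.com, PHP-FPM listening on
# /run/php/php-fpm.sock, WordPress uploads in the default wp-content/uploads.
server {
    listen 443 ssl;
    server_name example.com;
    root /var/www/example.com;
    index index.php;

    # ssl_certificate / ssl_certificate_key ... (omitted here)

    # HTTP-01 ACME validation lives under a dot-directory; a "^~" prefix
    # location is chosen before any regex location is tried, so the dotfile
    # deny rule below cannot block it.
    location ^~ /.well-known/acme-challenge/ { }

    # WooCommerce product files. "internal" answers 404 to direct requests
    # (knowing the file name alone is worthless to an attacker) but still lets
    # the PHP download handler hand the file back with an X-Accel-Redirect
    # header, so nginx does the transfer instead of PHP's readfile().
    location ^~ /wp-content/uploads/woocommerce_uploads/ {
        internal;
    }

    # Deny rules from the first answer go here, BEFORE the PHP handler:
    # among regex locations nginx uses the first match in file order.
    location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ { deny all; }
    location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf|css)$ { deny all; }
    location ~* /(\.|wp-config\.php|readme\.html|license\.txt) { deny all; }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Refuse to execute a path that is not an existing file
        # (blocks PATH_INFO tricks such as /image.jpg/x.php).
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

In WooCommerce > Settings > Products > Downloadable products, set "File download method" to "X-Accel-Redirect/X-Sendfile" for this layout. With "Force downloads" the plain `deny all` from the answer above is enough, because PHP streams the file itself; "Redirect only" cannot be protected by either rule, since it sends the customer straight to the file URL. Verify with `curl -I https://example.com/wp-content/uploads/woocommerce_uploads/some-file.zip` (any real file name), which must return 404, while a download link from a completed order still returns the file.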

  • Thanks very much @root, this is awesome.