
How to Configure Nginx to Protect WordPress/PHP Sites

fastcgi Nginx PHP configuration 215    Source:    2025-04-19

Nginx Security Hardening Guide for WordPress/PHP Sites

Hardening an Nginx front end for a WordPress/PHP site means working at several layers. The following is a complete set of security settings:

1. Basic security settings

1.1 Hide the Nginx version

server_tokens off;

1.2 Disable unneeded HTTP methods

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 405;
}

1.3 Clickjacking protection

add_header X-Frame-Options "SAMEORIGIN";

1.4 XSS protection

# Legacy header: current browsers ignore it and rely on the Content Security Policy
# below; it is kept only for older clients.
add_header X-XSS-Protection "1; mode=block";

1.5 Content Security Policy (CSP)

# 'unsafe-inline' and 'unsafe-eval' are allowed because the WordPress admin and many
# plugins depend on inline scripts; tighten the policy per site after testing.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https: data:";

2. WordPress-specific protection

2.1 Restrict access to sensitive files

# Place this before the generic "\.php$" location: nginx uses the first matching
# regex location in configuration order.
# wp-admin/ is deliberately not listed (blocking it locks you out of the dashboard),
# and only PHP files under wp-includes/ are blocked so that its JS/CSS assets still load.
# Blocking xmlrpc.php also breaks Jetpack and the mobile apps; keep it reachable if you use them.
location ~* /(wp-config\.php|wp-config-sample\.php|readme\.html|license\.txt|wp-includes/.*\.php|xmlrpc\.php) {
    deny all;   # deny all already answers with 403
}

2.2 Block direct execution of PHP files in the upload directory

# WordPress stores uploads under /wp-content/uploads/, so that is the path to match
# (a pattern anchored on /uploads/ or /files/ alone never matches it).
# Must also come before the generic "\.php$" location.
location ~* ^/wp-content/uploads/.*\.php$ {
    deny all;
}

2.3 Block access to hidden files (dotfiles)

# Deny .htaccess, .git/, .env and similar, but keep /.well-known/ reachable for
# ACME (Let's Encrypt) challenges. Directory listing is already off by default in
# nginx (autoindex off).
location ~ /\.(?!well-known) {
    deny all;
    access_log off;
    log_not_found off;
}
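The three deny rules above only work when their regular expressions actually match the paths WordPress uses and when they appear before the generic PHP handler. The following script, an added example and not part of the original article, replays nginx's regex-location selection offline against sample request paths: it holds the section 2 rules (with wp-includes limited to PHP files, uploads under /wp-content/uploads/, and /.well-known/ excepted) plus the "\.php$" handler from section 3.1, returns the first rule that matches each path, and shows what an uploads pattern anchored on /uploads/ or /files/ alone would miss. It assumes nginx's first-match-in-configuration-order behaviour for regex locations and ignores prefix locations; `match_location`, `LOCATION_RULES` and the sample paths are this example's own names.

```python
import re

# Added example (not part of the original page): an offline check of which
# regex location rule nginx would pick for a given request path. Rules are the
# page's section 2 deny rules plus the PHP handler from section 3.1.
# Assumption: nginx tests regex locations in configuration order and takes the
# first match; prefix locations are not modelled here.
LOCATION_RULES = [
    # (name, pattern, case_insensitive, action)
    ("sensitive-files",
     r"/(wp-config\.php|wp-config-sample\.php|readme\.html|license\.txt|"
     r"wp-includes/.*\.php|xmlrpc\.php)", True, "deny"),
    ("uploads-php", r"^/wp-content/uploads/.*\.php$", True, "deny"),
    ("dotfiles", r"/\.(?!well-known)", False, "deny"),
    ("php-fpm", r"\.php$", False, "fastcgi"),
]

# A pattern seen in many copied snippets; kept here only to show what it misses.
UPLOADS_PATTERN_WITHOUT_WP_CONTENT = r"^/(uploads|files)/.*\.php$"


def match_location(path):
    """Return (rule_name, action) of the first matching regex location, or
    ("static", "serve") when no rule matches and nginx falls through to the
    static file handler. `path` is the decoded URI without the query string,
    which is what nginx matches locations against."""
    for name, pattern, case_insensitive, action in LOCATION_RULES:
        flags = re.IGNORECASE if case_insensitive else 0
        if re.search(pattern, path, flags):
            return name, action
    return "static", "serve"


def uploads_rule_without_wp_content_matches(path):
    """True when the /uploads/-only pattern would catch `path`."""
    return re.search(UPLOADS_PATTERN_WITHOUT_WP_CONTENT, path, re.IGNORECASE) is not None


def explain(paths):
    """Build a small verdict table; handy when reviewing a config change."""
    rows = []
    for p in paths:
        name, action = match_location(p)
        rows.append(f"{p:45} -> {action:8} ({name})")
    return "\n".join(rows)


if __name__ == "__main__":
    print(explain([
        "/wp-config.php", "/xmlrpc.php", "/wp-includes/version.php",
        "/wp-includes/js/jquery/jquery.min.js",
        "/wp-content/uploads/2025/04/shell.php",
        "/.git/config", "/.well-known/acme-challenge/token",
        "/wp-admin/admin-ajax.php", "/index.php",
    ]))
    print("/uploads/-only pattern catches /wp-content/uploads/x.php:",
          uploads_rule_without_wp_content_matches("/wp-content/uploads/x.php"))
```

Run it after every change to the location block; a path that should be denied but comes back as "fastcgi" or "serve" means the rule is either mis-written or placed after the PHP handler.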

3. PHP security settings

3.1 PHP-FPM handler configuration

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;   # adjust to the installed PHP-FPM socket
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;

    # Security-related parameters
    # Only one PHP_VALUE parameter reaches PHP-FPM (a repeated name overwrites the
    # earlier one); several ini settings must be joined with "\n" inside a single value.
    fastcgi_param PHP_VALUE "open_basedir=$document_root:/tmp/:/var/www/wp-content/uploads/";

    # The following are php.ini-level (PHP_INI_SYSTEM) directives and cannot be changed
    # per request through PHP_VALUE; set them in php.ini or the PHP-FPM pool config:
    #   disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
    #   expose_php = Off
    #   allow_url_fopen = Off
    #   allow_url_include = Off
    # Check before disabling curl_exec: WordPress and many plugins use cURL for outbound
    # HTTP (updates, APIs) and fall back to PHP streams only when it is unavailable.
}

4. SSL/TLS configuration

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_ecdh_curve secp384r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

5. Rate limiting and brute-force protection

# Define the rate-limit zone in the http {} block: one counter per client IP,
# 10 MB of shared memory, steady rate of 1 request per second
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;

# Rate-limit the login page (inside the server {} block); the exact match
# takes precedence over the generic "\.php$" location
location = /wp-login.php {
    limit_req zone=login burst=3 nodelay;
    limit_req_status 444;   # 444 makes nginx close the connection without a response
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

6. Upload size limits

client_max_body_size 20M;
client_body_buffer_size 128k;

7. Logging and monitoring

# Define the log format in the http {} block: the standard "combined" format
# plus X-Forwarded-For, useful for tracing clients behind a proxy (trust that
# header only when the request comes from your own proxy)
log_format security '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" "$http_x_forwarded_for"';

# Write the access log with that format so suspicious requests can be reviewed
access_log /var/log/nginx/wordpress-access.log security;
error_log /var/log/nginx/wordpress-error.log;
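A log format is only useful if something reads it. The script below is an added example, not part of the article: it parses lines written in the `security` format above, decides which address to attribute a request to (X-Forwarded-For is honoured only when the direct peer is a trusted proxy, since otherwise the header is client-controlled), and flags clients with repeated failed logins on wp-login.php inside a sliding window. That is the same signal the fail2ban recommendation in section 8 acts on, and it doubles as a test of the section 5 rate limit. The log lines, the proxy address 10.0.0.2 and the names `parse_line`, `client_ip` and `find_bruteforce` are all constructed for this example; it assumes WordPress answers a failed login with 200 and a successful one with a 302 redirect, and that lines arrive in chronological order as nginx writes them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example, not from the page: parse lines written with the page's
# `security` log_format (the "combined" format plus "$http_x_forwarded_for")
# and flag clients hammering wp-login.php, the signal fail2ban would act on.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Assumption: the only reverse proxy allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {"10.0.0.2"}

# Constructed sample log lines (not real traffic); RFC 5737 test addresses.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Apr/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31" "-"',
    # X-Forwarded-For sent directly by the client: must be ignored
    '203.0.113.5 - - [19/Apr/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31" "198.51.100.99"',
    '203.0.113.5 - - [19/Apr/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31" "-"',
    '203.0.113.5 - - [19/Apr/2025:10:00:07 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4523 "-" "python-requests/2.31" "-"',
    '203.0.113.5 - - [19/Apr/2025:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31" "-"',
    '203.0.113.5 - - [19/Apr/2025:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31" "-"',
    # a real user: one failed attempt (200), then success (302)
    '198.51.100.7 - - [19/Apr/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "https://example.com/wp-login.php" "Mozilla/5.0" "-"',
    '198.51.100.7 - - [19/Apr/2025:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0" "-"',
    # relayed by the trusted proxy: the client is the first XFF address
    '10.0.0.2 - - [19/Apr/2025:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0" "192.0.2.9, 10.0.0.2"',
    # malformed request: nginx logs $request as "-"
    '203.0.113.5 - - [19/Apr/2025:10:00:10 +0000] "-" 400 0 "-" "-" "-"',
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    # A malformed request is logged as "-" and carries no method/path.
    entry["method"], entry["path"] = (parts[0], parts[1]) if len(parts) == 3 else (None, None)
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def client_ip(entry):
    """Trust X-Forwarded-For only when the direct peer is a known proxy;
    otherwise the header is client-controlled and must not drive attribution
    or blocking decisions."""
    if entry["addr"] in TRUSTED_PROXIES and entry["xff"] not in ("", "-"):
        return entry["xff"].split(",")[0].strip()
    return entry["addr"]


def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: peak_count} for IPs with >= threshold failed login POSTs
    inside any window_s-second sliding window. WordPress answers a failed
    login with 200 (form re-rendered with an error) and a successful one
    with a 302 redirect, so only 200s are counted."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "POST" or e["status"] != 200:
            continue
        if e["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ip = client_ip(e)
        q = recent[ip]
        q.append(e["time"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within 60s")
```

Feed it the real access log (for example by piping `tail -f` through it) or use the same pattern to write a fail2ban filter; either way, the trusted-proxy check is what keeps a forged X-Forwarded-For header from getting an innocent address banned.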

8. Ongoing maintenance

  1. Keep Nginx, PHP, and the WordPress core and plugins up to date
  2. Review the Nginx error log regularly
  3. Use a security plugin such as Wordfence or Sucuri
  4. Back up the site and database regularly
  5. Use fail2ban to block malicious IPs

The settings above should be adapted to your environment and tested thoroughly before deployment. Security is an ongoing process: review and update these protections regularly.