
WordPress Security Settings Based on Nginx

Nginx location example php 879    Source:    2025-05-10

WordPress Security Configuration Guide for Nginx

Basic Security Configuration

  1. Disable directory browsing

    # Nginx only lists directory contents when "autoindex on" is set (it is off
    # by default). The two blocks below deny hidden files such as .htaccess,
    # .git and .env, and block script files that may end up under uploads.
    location ~ /\. {
       deny all;
       access_log off;
       log_not_found off;
    }

    # Caveat: the rule above also denies /.well-known/, which breaks ACME
    # HTTP-01 certificate validation. If you rely on it, add an earlier
    # "location ^~ /.well-known/acme-challenge/ { allow all; }" block.
    location ~* ^/wp-content/uploads/.*\.(php|php5|phtml|pl|py|jsp|asp|sh|cgi)$ {
       deny all;
    }
    
  2. Restrict access to sensitive files

    # wp-config.php holds the database credentials; denying it here is a safety
    # net in case PHP handling ever fails and the file would be served as text.
    location = /wp-config.php {
       deny all;
    }

    # Note: blocking xmlrpc.php also disables Jetpack, the WordPress mobile apps
    # and pingbacks, which all use it. Allow it selectively if you need them.
    location = /xmlrpc.php {
       deny all;
    }

    # Files that reveal the installed WordPress version.
    location ~* ^/(readme\.html|license\.txt|wp-config-sample\.php|wp-includes/version\.php) {
       deny all;
    }
    

Hardening Authentication

  1. Limit login attempts

    # "zone=one" must be declared first in the http{} context, for example:
    #   limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
    # Requests over the limit get a 503 unless limit_req_status is set.
    # "php-handler" is assumed to be an upstream{} (or variable) pointing at
    # PHP-FPM. The stock fastcgi_params file does not set SCRIPT_FILENAME, so
    # it is set explicitly here (harmless if your copy already sets it).
    location = /wp-login.php {
       limit_req zone=one burst=3 nodelay;
       include fastcgi_params;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_pass php-handler;
    }
    
  2. Add HTTP basic authentication

    # Use a "^~" prefix location so this block takes precedence over the general
    # "location ~ \.php$" handler, and nest the PHP handling inside it. Without
    # the nested location, PHP files under /wp-admin would either be served as
    # static files (source disclosure) or bypass the authentication entirely,
    # depending on the order of the regex locations.
    location ^~ /wp-admin/ {
       auth_basic "Admin Area";
       auth_basic_user_file /etc/nginx/.htpasswd;
       location ~ \.php$ {
          include fastcgi_params;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_pass php-handler;
       }
    }
    # /wp-admin/admin-ajax.php is also called by front-end code for anonymous
    # visitors; exempt it with a separate "location = /wp-admin/admin-ajax.php"
    # block that sets "auth_basic off;" and passes the request to PHP-FPM.
    

Content Security Policy (CSP)

# Caveats: 'unsafe-inline' and 'unsafe-eval' in script-src give up most of the
# XSS protection a CSP can offer; WordPress core and many plugins still need
# inline scripts, so treat this as a starting point and tighten it (nonces,
# hashes) where you can. Replace *.example.com with the hosts that really
# serve your assets. Also note that an add_header inside a location block
# discards every add_header inherited from server{}, so keep all headers in
# one place.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.example.com; img-src 'self' data: *.example.com; style-src 'self' 'unsafe-inline' *.example.com; font-src 'self' *.example.com; connect-src 'self' *.example.com; frame-src 'self' *.example.com;";

Other security headers

# Without the "always" parameter Nginx adds these headers only to 2xx/3xx
# responses; append "always" if error pages (4xx/5xx) should carry them too.
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
# X-XSS-Protection is deprecated and ignored by current browsers; it does no
# harm, but the CSP above is what actually limits script injection.
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";

File upload limits

# Requests larger than client_max_body_size are rejected with 413. Keep this
# value in step with PHP's upload_max_filesize and post_max_size, otherwise
# the smaller of the limits silently wins.
client_max_body_size 10M;
client_body_buffer_size 128k;

PHP execution restrictions

# Broader variant of the uploads rule from the basic section (covers .php,
# .php1 to .php7, .pht, .phtm and .phtml). Regex locations are tried in the
# order written, so a deny block like this must appear before the general
# "location ~ \.php$" handler; otherwise the handler wins and the file runs.
location ~* ^/wp-content/uploads/.*\.(?:php[1-7]?|pht|phtml?)$ {
    deny all;
}

Preventing SQL injection and XSS

This rule is only a coarse keyword filter on the query string: it blocks a single pattern, sees nothing in POST bodies, and does not address XSS at all (the CSP and headers above are what help there). The real defence is parameterised queries and output escaping in the application; for request inspection, a WAF such as ModSecurity is a better tool than Nginx "if" blocks.

# An "if" at server{} level that only contains "set" or "return" is safe to use.
# The original used "~" (case-sensitive), which misses "UNION SELECT";
# "~*" makes the match case-insensitive.
set $block_sql_injections 0;
if ($query_string ~* "union.*select.*\(") {
    set $block_sql_injections 1;
}
if ($block_sql_injections = 1) {
    return 403;
}
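As an added example (not code from the original article), the script below models the deny rules from this page so they can be checked against sample URIs offline before they reach a live server. It reproduces only the parts of Nginx location matching that matter here (an exact "=" location wins outright; regex locations are tried in the order written, first match wins; "~" is case-sensitive, "~*" is not) and shows two things the rules alone do not: the hidden-file rule also blocks /.well-known/ (ACME HTTP-01), and the query-string rule with "~" misses upper-case input. The sample URIs and the expected statuses are constructed for the illustration.

```python
import re

# Added example, not code from the original article: an offline model of the
# deny rules shown above. Prefix locations, try_files and the PHP handler are
# out of scope; only "=" and regex locations plus the query-string rule are
# modelled.

EXACT_DENY = {"/wp-config.php", "/xmlrpc.php"}

# Regex deny rules in the order the article lists them: (re flags, pattern).
REGEX_DENY = [
    (0, r"/\."),                               # "location ~ /\." : hidden files
    (re.IGNORECASE, r"^/wp-content/uploads/.*\.(php|php5|phtml|pl|py|jsp|asp|sh|cgi)$"),
    (re.IGNORECASE, r"^/(readme\.html|license\.txt|wp-config-sample\.php|wp-includes/version\.php)"),
]

# The article's query-string rule. With Nginx "~" (case-sensitive) it matches
# "union select (" but not "UNION SELECT ("; "~*" fixes that.
QUERY_RULE = r"union.*select.*\("


def decide(uri, case_insensitive_query_rule=True):
    """Return 403 if one of the modelled rules denies the request, else 200."""
    path, _, query = uri.partition("?")
    if path in EXACT_DENY:
        return 403
    for flags, pattern in REGEX_DENY:
        if re.search(pattern, path, flags):
            return 403
    flags = re.IGNORECASE if case_insensitive_query_rule else 0
    if re.search(QUERY_RULE, query, flags):
        return 403
    return 200


# Constructed sample requests (not from any real log) with the status the
# rules are expected to produce.
SAMPLES = [
    ("/wp-content/uploads/2025/05/photo.jpg", 200),   # normal upload: allowed
    ("/wp-content/uploads/2025/05/file.php", 403),    # script in uploads: denied
    ("/wp-content/uploads/2025/05/file.PHP", 403),    # "~*" makes this case-insensitive
    ("/wp-config.php", 403),
    ("/wp-includes/version.php", 403),
    ("/readme.html", 403),
    ("/.git/config", 403),                            # hidden-file rule
    ("/.well-known/acme-challenge/token", 403),       # side effect: ACME HTTP-01 is blocked too
    ("/wp-login.php", 200),                           # handled by its own location
    ("/?s=union select (1)", 403),                    # query-string rule, lower case
    ("/?s=UNION SELECT (1)", 403),                    # only caught with the "~*" operator
]


def check_samples(case_insensitive_query_rule=True):
    """Map each sample URI to (expected, actual) status for review."""
    return {uri: (expected, decide(uri, case_insensitive_query_rule))
            for uri, expected in SAMPLES}


def mismatches(case_insensitive_query_rule=True):
    """URIs whose actual status differs from the expectation in SAMPLES."""
    return [uri for uri, (exp, got) in check_samples(case_insensitive_query_rule).items()
            if exp != got]


if __name__ == "__main__":
    for uri, (exp, got) in check_samples().items():
        print(f"{got} (expected {exp})  {uri}")
    print("mismatches with case-sensitive query rule:", mismatches(False))
```

Running it with the default (case-insensitive) query rule reports no mismatches; switching to the case-sensitive rule the page originally used reports the upper-case sample as the one that slips through. Extend SAMPLES with the paths your own site depends on (ACME challenges, plugin endpoints) whenever you change a rule.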

Implementation recommendations

  1. Update Nginx, WordPress core and plugins regularly
  2. Encrypt all traffic with SSL/TLS
  3. Set up a regular backup schedule
  4. Monitor the Nginx access and error logs
  5. Consider a web application firewall (WAF) such as ModSecurity
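As an added example for the log-monitoring recommendation (not code from the original article), the script below reads Nginx's default "combined" access-log format and counts, per client address, the signals the rules on this page generate: repeated POSTs to /wp-login.php, requests that hit a deny rule (403), and login requests rejected by limit_req (503 by default unless limit_req_status says otherwise). The log lines and the thresholds are constructed for the illustration; a custom log_format needs a matching change to LINE_RE.

```python
import re
from collections import Counter, defaultdict

# Added example, not code from the original article. Parser for Nginx's
# default "combined" log format:
#   $remote_addr - $remote_user [$time_local] "$request" $status
#   $body_bytes_sent "$http_referer" "$http_user_agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (TEST-NET addresses, not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 503 197 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2025:10:05:10 +0000] "GET /wp-config.php HTTP/1.1" 403 153 "-" "curl/8.0"
198.51.100.7 - - [10/May/2025:10:05:11 +0000] "GET /xmlrpc.php HTTP/1.1" 403 153 "-" "curl/8.0"
198.51.100.7 - - [10/May/2025:10:05:12 +0000] "GET /.env HTTP/1.1" 403 153 "-" "curl/8.0"
198.51.100.7 - - [10/May/2025:10:05:13 +0000] "GET /readme.html HTTP/1.1" 403 153 "-" "curl/8.0"
192.0.2.9 - - [10/May/2025:10:07:00 +0000] "GET / HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2025:10:07:01 +0000] "GET /wp-content/uploads/2025/05/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    return rec


def summarize(log_text):
    """Per-IP counters for the signals the page's rules produce."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        c = stats[rec["ip"]]
        c["requests"] += 1
        if rec["path"] == "/wp-login.php" and rec["method"] == "POST":
            c["login_posts"] += 1
        if rec["status"] == 403:                     # hit one of the deny rules
            c["denied"] += 1
        if rec["status"] == 503 and rec["path"] == "/wp-login.php":
            c["rate_limited"] += 1                   # rejected by limit_req
    return stats


def flag_ips(stats, login_threshold=5, denied_threshold=3):
    """Return [(ip, [reasons...])] for addresses worth a closer look."""
    flagged = []
    for ip, c in sorted(stats.items()):
        reasons = []
        if c["login_posts"] >= login_threshold:
            reasons.append(f"{c['login_posts']} POSTs to /wp-login.php")
        if c["denied"] >= denied_threshold:
            reasons.append(f"{c['denied']} requests hit deny rules (403)")
        if c["rate_limited"]:
            reasons.append(f"{c['rate_limited']} login requests rate-limited (503)")
        if reasons:
            flagged.append((ip, reasons))
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_ips(summarize(SAMPLE_LOG)):
        print(ip, "->", "; ".join(reasons))
```

On the constructed log, the address hammering wp-login.php and the one probing the denied paths are reported, while the ordinary visitor is not. For a real server, pass the contents of the access log to summarize() (for example from /var/log/nginx/access.log) and tune the thresholds to your traffic; feeding the flagged addresses into fail2ban or a firewall rule is the usual next step.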

These settings should be adapted to your specific environment and tested thoroughly before they are deployed.