Securing Your WordPress wp-config.php on Nginx: A Step-by-Step Guide
1. Update File Permissions
The first line of defense in securing your wp-config.php file is the file's own permissions. The file is usually created world-readable (644), which means every other local account on the host, including other sites' PHP workers on a shared server, can read your database credentials and secret keys.
Set it to 400 (owner read only) or 440 (owner and group read); in both cases nobody can write to it.
Which of the two you use depends on who runs PHP: the PHP-FPM worker must still be able to read the file, so use 400 when the worker user (www-data on Debian/Ubuntu) owns the file, and 440 when a deploy account owns it and the worker is in the file's group. Anything stricter gives you a blank site; anything looser is the default you are trying to fix.
Keep in mind that permissions only stop other accounts. Code already running as the worker user, such as a compromised plugin, reads the file exactly as WordPress does.
Over SSH, from the WordPress root (most SFTP clients expose the same setting in a file-permissions dialog):
chmod 400 wp-config.php
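As an added example (not from the original page), the following shell helper makes the 400-versus-440 decision above explicit and verifies the result. It assumes GNU coreutils (stat -c) and that you know the user your PHP-FPM pool runs as; www-data is the Debian/Ubuntu default, the `user =` line of the pool configuration is authoritative elsewhere.

```shell
#!/bin/sh
# Added example, not from the original page: apply 400 or 440 to
# wp-config.php depending on who runs PHP, and verify the result.
# Assumes GNU coreutils (stat -c). The PHP-FPM user is www-data on
# Debian/Ubuntu; check the `user =` line of your pool config otherwise.

perms_of() { stat -c '%a' "$1"; }      # octal mode, e.g. 644
owner_of() { stat -c '%U' "$1"; }      # owning user name

# wp_config_is_locked FILE: true only for the two modes the guide allows.
wp_config_is_locked() {
  case "$(perms_of "$1")" in
    400|440) return 0 ;;
    *)       return 1 ;;
  esac
}

# lock_wp_config FILE FPM_USER: prints the mode it applied.
# 400 when the worker owns the file (only owner read is needed);
# 440 otherwise, so the worker can still read it via group membership.
# Does not chown: if the worker is not in the file's group, fix that
# first (chgrp FPM_USER FILE) or PHP will fail to read the config.
lock_wp_config() {
  file=$1
  fpm_user=$2
  if [ "$(owner_of "$file")" = "$fpm_user" ]; then
    mode=400
  else
    mode=440
  fi
  chmod "$mode" "$file" && echo "$mode"
}

# Usage on a real install:
#   lock_wp_config /var/www/example.com/wp-config.php www-data
#   wp_config_is_locked /var/www/example.com/wp-config.php && echo locked
```

After running it, load a page of the site once: a white screen or a "failed to open stream" entry in the PHP-FPM log means the worker can no longer read the file and the ownership, not the mode, needs fixing.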
2. Use Nginx Server Blocks to Deny Access
Nginx configuration allows you to deny access to specific files directly within your server block configuration.
To deny access to your wp-config.php
file, add the following inside the server block in your Nginx configuration file (nginx.conf
or a domain-specific config file):
location ~* /wp-config\.php {
deny all;
return 404;
}
Any request whose path contains wp-config.php is then answered with 404 Not Found, which neither serves the file nor confirms that it exists.
Three details matter here. The regex is deliberately unanchored, so it also catches editor and backup copies such as wp-config.php~, wp-config.php.bak or wp-config.php.save; those names do not end in .php, so without this block Nginx would serve them as plain text, credentials included. The 404 comes from return, which Nginx evaluates in the rewrite phase before the access phase, so deny all is never reached; it is harmless, but dropping the return would turn the response into a 403 that confirms the file is there. Finally, Nginx tries regex locations in the order they appear in the configuration and the first match wins, so this block must come before the generic \.php$ handler described in the next step, or the handler takes the request instead.
3. Secure PHP Files
The way the generic PHP handler is written also protects the wp-config.php file indirectly.
By controlling which paths may be executed as PHP at all, you limit what an attacker who can drop a file on the server (through a vulnerable upload form or a compromised plugin) can do with it.
The block below is the standard handler and on its own restricts nothing. Two changes turn it into a control: try_files $uri =404 makes Nginx refuse any request that does not map to an existing file before it reaches PHP-FPM (with cgi.fix_pathinfo=1 in php.ini, a request like /wp-content/uploads/photo.jpg/x.php would otherwise run the uploaded photo as PHP unless the pool's security.limit_extensions already blocks it), and a separate location that returns 404 for any .php path under wp-content/uploads, the one directory an attacker can usually write to, keeps uploaded web shells from executing at all.
The handler itself, with try_files added, goes in your Nginx configuration as:
location ~* \.php$ {
try_files $uri =404; # refuse paths that do not map to a real file before touching PHP-FPM
include fastcgi_params;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; # Adjust to match your PHP-FPM version and socket path
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
Adjust fastcgi_pass to the socket or TCP address your PHP-FPM pool actually listens on; it is the listen = line of the pool configuration (/etc/php/*/fpm/pool.d/www.conf on Debian-based systems). PHP 7.4, shown here because many guides still use it, reached end of life in November 2022 and no longer receives security fixes; run a supported release and name its socket instead.
4. Implement Access Restrictions
Restricting who can reach the WordPress admin area does not touch wp-config.php directly, but an attacker who logs in to wp-admin with stolen or guessed credentials can install a plugin that runs as the PHP worker and reads the file at leisure. Limiting the admin area to known addresses closes that route.
Restricting access to the WordPress admin area to specific IP addresses also removes most automated login and enumeration traffic.
Add the following to your Nginx configuration, before the generic PHP handler:
location ~* ^/wp-admin/.*\.php$ {
allow YOUR.IP.ADD.RESS; # Replace with your IP address or CIDR range
deny all;
try_files $uri =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass unix:/var/run/php/php7.4-fpm.sock; # Same socket as your PHP handler
}
Remember to replace YOUR.IP.ADD.RESS with your actual static address (or a range such as 203.0.113.0/24 if your office has one).
Every PHP request under /wp-admin/ is then answered 403 unless it comes from that address. The rule is written as a regex rather than the plain prefix location /wp-admin that many guides show, because Nginx checks regex locations after choosing the longest prefix match and the first matching regex wins: with a plain prefix, /wp-admin/index.php would be caught by the generic \.php$ handler and the allow/deny would never run. For the same reason this block must appear above the generic handler in the file.
Three caveats. The login form itself is /wp-login.php, which lives outside /wp-admin/ and needs its own allow/deny if you want it restricted. /wp-admin/admin-ajax.php is called by many themes and plugins on behalf of anonymous visitors, so exempt it with an exact location = /wp-admin/admin-ajax.php that passes straight to PHP-FPM, or front-end features will silently break. And allow/deny look at the address of the TCP connection, so behind a CDN or reverse proxy every request appears to come from the proxy until you configure the real_ip module; until then the rule either blocks everyone or no one.
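As an added example (not the page's own configuration), here is one complete server block that assembles steps 2 to 4 in the order Nginx needs, including the uploads restriction, the admin-ajax.php exemption and the wp-login.php rule discussed above. example.com, the document root /var/www/example.com, the php8.2 socket path and the address 203.0.113.10 are placeholders for your own values.

```nginx
# Added example, not the page's own configuration: one server block that
# applies steps 2 to 4 in the order Nginx needs. Placeholders (assumptions):
# example.com, /var/www/example.com, the php8.2 socket path, 203.0.113.10.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com;
    index index.php;

    # Step 2. Unanchored on purpose so wp-config.php~, .bak, .save and
    # similar copies are covered too. Must precede the \.php$ handler:
    # regex locations are tried in file order and the first match wins.
    # `return` runs in the rewrite phase, before access checks, so a
    # `deny all` here would never be consulted.
    location ~* /wp-config\.php {
        return 404;
    }

    # Step 3, part 1. The uploads tree is the one place an attacker can
    # usually write to; never let anything under it execute.
    location ~* ^/wp-content/uploads/.*\.php$ {
        return 404;
    }

    # Step 4. An exact match wins over every other location type, so
    # admin-ajax.php stays reachable for anonymous front-end calls.
    location = /wp-admin/admin-ajax.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
    }

    # `^~` stops Nginx from re-evaluating regex locations, which is what
    # lets the generic \.php$ handler bypass a plain `location /wp-admin`.
    # allow/deny are inherited by the nested PHP location.
    location ^~ /wp-admin/ {
        allow 203.0.113.10;
        deny all;
        location ~ \.php$ {
            try_files $uri =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        }
    }

    # The login form lives outside /wp-admin/ and needs its own rule.
    location = /wp-login.php {
        allow 203.0.113.10;
        deny all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
    }

    # Step 3, part 2: the generic handler. try_files refuses paths such as
    # /wp-content/uploads/photo.jpg/x.php that do not map to a real file,
    # so cgi.fix_pathinfo cannot turn an upload into executable PHP.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
    }

    # WordPress front controller: pretty permalinks fall through to index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Validate with nginx -t before reloading (systemctl reload nginx), then check from outside: curl -sI http://example.com/wp-config.php.bak should return 404, curl -sI http://example.com/wp-admin/ from an address other than 203.0.113.10 should return 403, and curl -sI http://example.com/wp-content/uploads/anything.php should return 404. If the site sits behind a CDN or proxy, add set_real_ip_from and real_ip_header for that proxy, otherwise the allow rule compares against the proxy's address.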
5. Use Strong Security Keys
Just as with Apache configurations, ensuring your WordPress installation uses strong, unique security keys is vital for protecting the wp-config.php file and what it guards.
The eight values (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their _SALT counterparts) are what makes login cookies and nonces unforgeable; if they are left at the sample value "put your unique phrase here", or leak together with a copy of the file, that protection is gone.
While this is not specific to Nginx, it's an essential step in securing your WordPress installation.
Use the WordPress Security Key Generator at https://api.wordpress.org/secret-key/1.1/salt/ (or generate 64-character random strings locally) and paste the define() lines into your wp-config.php file in place of the existing ones.
Changing the keys invalidates every existing login cookie, so it is also the fastest way to log all users out after a suspected compromise.
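The following added example (not from the original page or the WordPress project) generates the eight keys locally, without calling the online generator, and rotates them in place. It assumes a GNU/Linux userland (tr, awk, head -c, mktemp, /dev/urandom) and the stock wp-config-sample.php layout, one define( 'NAME', '...' ); per key on its own line; rotate_key and rotate_all are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original page: generate the eight WordPress
# security keys locally and swap them into wp-config.php.
# Assumes a GNU/Linux userland (tr, awk, head -c, mktemp, /dev/urandom)
# and the stock wp-config-sample.php layout: one define('NAME', '...');
# per key, single-quoted, on its own line.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER="put your unique phrase here"   # value shipped in the sample file

# wp_key: 64 random printable ASCII characters, the length the WordPress
# generator uses. ' and \ are dropped so the value can sit in a
# single-quoted PHP string unescaped (PHP does not interpolate $ there).
wp_key() {
  LC_ALL=C tr -dc '[:graph:]' < /dev/urandom | tr -d "'\\\\" | head -c 64
}

# has_placeholder FILE: true if any key is still the sample value.
has_placeholder() { grep -q "$PLACEHOLDER" "$1"; }

# rotate_key FILE NAME VALUE: rewrite the define() line for NAME.
# awk builds the new line by concatenation, so no character in VALUE is
# special (sed would choke on & and on its own delimiter). Fails, and
# leaves FILE untouched, unless NAME is defined exactly once.
rotate_key() {
  file=$1; name=$2; value=$3
  tmp=$(mktemp) || return 1
  if awk -v q="'" -v name="$name" -v value="$value" '
      $0 ~ ("^[[:space:]]*define\\([[:space:]]*" q name q) {
        print "define(" q name q ", " q value q ");"
        found++; next
      }
      { print }
      END { if (found != 1) exit 1 }
    ' "$file" > "$tmp"
  then
    mv "$tmp" "$file"
  else
    rm -f "$tmp"
    echo "rotate_key: expected exactly one define for $name in $file" >&2
    return 1
  fi
}

# rotate_all FILE: fresh value for every key. Every existing login cookie
# becomes invalid, which is the point after a suspected leak.
rotate_all() {
  for name in $WP_KEYS; do
    rotate_key "$1" "$name" "$(wp_key)" || return 1
  done
}

# Usage on a real install (take a backup outside the web root first, and
# re-check the file's permissions afterwards, since mv creates a new inode):
#   rotate_all /var/www/example.com/wp-config.php
```

Because mv replaces the file, re-run the permissions step afterwards; the new file takes the mode from mktemp (600, owned by whoever ran the script), which may lock the PHP-FPM worker out.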
Conclusion
Securing your wp-config.php
file on an Nginx server involves setting correct file permissions, denying direct access through server blocks, securing PHP files, implementing access restrictions, and using strong security keys.
These steps form a comprehensive strategy for protecting your WordPress installation on Nginx without relying on plugins or moving sensitive files.
Regularly review and update your security practices to defend against new threats and maintain a secure WordPress environment.