• Resolved blau

    (@blau)


    What are the recommended settings for protecting the akismet directory under nginx?

    Nginx does not use .htaccess; Akismet has these rules:

    # Only allow direct access to specific Web-available files.
    
    # Apache 2.2
    <IfModule !mod_authz_core.c>
            Order Deny,Allow
            Deny from all
    </IfModule>
    
    # Apache 2.4
    <IfModule mod_authz_core.c>
            Require all denied
    </IfModule>
    
    # Akismet CSS and JS
    <FilesMatch "^(form|akismet)\.(css|js)$">
            <IfModule !mod_authz_core.c>
                    Allow from all
            </IfModule>
    
            <IfModule mod_authz_core.c>
                    Require all granted
            </IfModule>
    </FilesMatch>
    
    # Akismet images
    <FilesMatch "^(.+)\.(png|gif)$">
            <IfModule !mod_authz_core.c>
                    Allow from all
            </IfModule>
    
            <IfModule mod_authz_core.c>
                    Require all granted
            </IfModule>
    </FilesMatch>

    https://www.ads-software.com/plugins/akismet/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Christopher Finke

    (@cfinke)

    I’m not familiar with nginx configuration, but the plain-English explanation of these rules is that only akismet.js, akismet.css, form.js, *.png, and *.gif can be accessed directly by the browser. This prevents hackers from sticking definitely-not-a-hack.php in wp-content/plugins/akismet/ and getting users to load it; when they see akismet/ in the URL, they assume it’s part of Akismet and are more susceptible to the hack.

    This post: https://www.tinywp.in/akismet-nginx-rewrite-rules/ is a start, but it only denies access to .php, and not other susceptible types like .html, .php4, etc.
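
    An nginx translation of the rules described above, added here as an example; it is not code from the thread, the Akismet plugin, or the linked post. It assumes WordPress is served from the document root with the plugin at its default path wp-content/plugins/akismet/; the hostname, document root and PHP-FPM socket are placeholders. Like the .htaccess, it allows form.css, form.js, akismet.css, akismet.js and any .png/.gif anywhere under the plugin directory, and refuses everything else there (.php, .html, .php4, .txt and so on):

```nginx
# Added example, not part of the original thread or the Akismet plugin.
# Assumptions: WordPress at the document root, plugin at the default
# wp-content/plugins/akismet/ path, PHP handled by PHP-FPM over a socket.
server {
    listen 80;
    server_name example.com;            # assumed hostname
    root /var/www/html;                 # assumed document root
    index index.php;

    # Regex locations are evaluated in the order they appear and the first
    # match wins, so the allow-list MUST come before the deny-all block.
    # Mirrors the two FilesMatch rules: (form|akismet).(css|js) in any
    # subdirectory (Akismet keeps them in _inc/), plus any .png/.gif.
    location ~ ^/wp-content/plugins/akismet/(?:.*/)?(?:(?:form|akismet)\.(?:css|js)|[^/]+\.(?:png|gif))$ {
        try_files $uri =404;
    }

    # Everything else under akismet/ is refused, the equivalent of
    # "Require all denied". Because this regex matches before the generic
    # \.php$ handler below, a planted akismet/whatever.php is never executed.
    location ~ ^/wp-content/plugins/akismet/ {
        deny all;
    }

    # Normal WordPress front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed PHP-FPM socket
    }
}
```

    After `nginx -t` and a reload, check the behaviour from outside: `curl -I http://example.com/wp-content/plugins/akismet/_inc/akismet.js` should return 200, while `curl -I http://example.com/wp-content/plugins/akismet/readme.txt` and `.../akismet/akismet.php` should return 403. If wp-content has been relocated via WP_CONTENT_DIR, change the path prefix in both regexes to match.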

    Thread Starter blau

    (@blau)

    Thank you Christopher, the linked documentation is the starting point I was looking for. Have a nice day!

  • The topic ‘nginx and migrating from .htaccess’ is closed to new replies.