Unsecure security plugin? nginx.conf visible!

Add this to your nginx server block:

location ~ /nginx.conf {
    deny all;
}

but why this file is here in the site.com/nginx.conf path??

I am appaled by the lack of how-to guides – not even a single one – on configuring nginx with the security plugin.

The security plugin author promised that once it gets to version 4, there will be such a guide – so far, nothing.

When I upgraded to latest wordpress and latest plugin, nginx redirects stopped working – besides that, nginx.conf is now Worldwide visible!!!!!

NGINX configuration has always been in that location (it used to use the same .htaccess name as if it were apache but that was too confusing). This is the first release that allows you to move it anywhere on your server you can write to.

As for guides, there are a few on iThemes.com already with more on the way.

That’s false. None are for nginx.

It takes two seconds to add the deny rule to your server block which stops the file from being accessible from the outside. Or just change the path of the file to somewhere outside of your wwwroot via the options.

This v4 of iThemes allows for dynamic updating of the conf file so if you team it with automatic reloading of your nginx configuration you will always have up to date security. Pretty good if you ask me.

I recommend a minimal improvement to Wanderlusters solution – I’m working with a VPS running Plesk 11.5, which already sets a lot of location directives before including (as last job) any user config, so using ~ for regex-matching is both unneccessary (we know exactly where the file is) and may well be pre-empted (see here: Then regular expressions are checked, in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used). SO:

location = /nginx.conf { deny all; }