Hello, I just got a fresh install of WordPress and I installed Wordfence, and it recommends that I hide user.ini because it is public and anybody can have access to it.
Hi @hcmendez:
You can make Nginx drop all requests to the file .user.ini by returning an HTTP 400 status code (or any other error code of your choice). Add the following to the Nginx server block for your WordPress site:
This location block should be at the same level as other existing location blocks.
Then your server block should look like this:
Hiding or restricting access to the .user.ini file in Nginx (when using WordPress and Wordfence) is a good security practice. The .user.ini file, like .htaccess in Apache, can be used to override PHP settings and is read by PHP-FPM.
Here’s how you can restrict access to the .user.ini file in your Nginx configuration:
Edit Nginx Configuration File
First, locate and open your Nginx configuration file for your WordPress site. This file is typically found in /etc/nginx/sites-available/. If you’re unsure about which file to edit, it’s usually the one with your domain name.
Add a Location Block to Deny Access
Inside the server block, add a new location directive to deny access to the .user.ini file. Add this location block:
Here’s what it does:
Reload Nginx
After you’ve made these changes, you need to reload Nginx to apply the new configuration. You can do this with the following command:
Test the Configuration
Make sure that your website is still functioning correctly after making these changes. Try accessing http://yourdomain.com/.user.ini directly in your browser to see if access is denied.
Additional Considerations
File Permissions: Ensure that the .user.ini file has the correct file permissions. It should be readable by the user that PHP or PHP-FPM is running as.
Regular Backups: Always have regular backups of your website and its database, especially before making configuration changes.
Security Plugins: While Wordfence is a good start, consider using additional security measures and plugins to harden your WordPress installation further.
Nginx Best Practices: Familiarize yourself with Nginx best practices, especially in regards to securing PHP applications like WordPress.
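An added example, not taken from either answer above (the configuration they posted is not shown on this page): a WordPress server block with the .user.ini rule placed at the same level as the other location blocks. The server name, document root and PHP-FPM socket path are assumed placeholders.

```nginx
# Added example; example.com, /var/www/html and the PHP-FPM socket path
# are assumed placeholders, not values from the original answers.
server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    index index.php;

    # Exact-match location for the file in the web root. "=" locations are
    # checked before prefix and regex locations, so no other block can serve it.
    location = /.user.ini {
        deny all;          # responds with 403 Forbidden
        # return 400;      # alternative: answer with an error code of your choice
    }

    # Same rule for copies in subdirectories: PHP reads .user.ini per directory,
    # from the script's directory up to the document root.
    location ~ /\.user\.ini$ {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

Validate the syntax with nginx -t before reloading; a request for /.user.ini should then return 403 (or 400 with the return variant) while the rest of the site keeps working.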