How to hide .user.ini in my NGINX server to use Wordfence in Wordpress?

Question

Hello, i just got a fresh install of wordpress and i installed Wordfence and it recommends me to hide user.ini because is public and anybody can have access to it.

Link to the screenshot of wordfence

Answer 1

tomnguyen September 20, 2020

Show answer This answer has been marked as resolved by tomnguyen.

Hi @hcmendez:

You can make Nginx drop all requests to the file .user.ini by returning a HTTP 400 status code (or any other error code of your choice). Add the following to the Nginx server block for your WordPress site:

    location = /.user.ini { return 400; }

This location block should be at the same level as other existing location blocks.

Then your server block should look like this:

server {
...
    server_name yoursite.com;
...
    location = /.user.ini { return 400; }
...
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
....
}

Reply Report

hcmendez September 20, 2020

thanks for that it’s working now, wordfences doesnt give me the alert anymore :D

PD. do you know what other methods can i do to increase the security of my wordpress and/or my vps?
Reply Report
- tomnguyen September 20, 2020
  
  Security is a broad topic and requires a lot of practice.
  
  Regarding your server, you can read the tutorial Recommended Security Measures to Protect Your Servers to learn general principles.
  
  Regarding WordPress, you should carefully follow the tutorial corresponding to your operating system. The DigitalOcean editorial team has tested it for the best results. Also, it would help if you keep the number of WordPress plugins to a minimum. Only install well-known plugins to avoid malicious code.
  
  Recommended Security Measures to Protect Your Servers
  by Justin Ellingwood
  by Lisa Tagliaferri
  by Jamon Camisso
  by dbrian
  When setting up infrastructure, getting your applications up and running will often be your primary concern. However, making your applications to function correctly without addressing the security needs of your infrastructure could have devastating consequences down the...
  
  Reply Report
  
  hcmendez September 20, 2020
  
  Thanks for sharing, i’ll check those.
  
  Reply Report

Answer 2

hcmendez September 20, 2020

thanks for that it’s working now, wordfences doesnt give me the alert anymore :D

PD. do you know what other methods can i do to increase the security of my wordpress and/or my vps?
Reply Report
- tomnguyen September 20, 2020
  
  Security is a broad topic and requires a lot of practice.
  
  Regarding your server, you can read the tutorial Recommended Security Measures to Protect Your Servers to learn general principles.
  
  Regarding WordPress, you should carefully follow the tutorial corresponding to your operating system. The DigitalOcean editorial team has tested it for the best results. Also, it would help if you keep the number of WordPress plugins to a minimum. Only install well-known plugins to avoid malicious code.
  
  Recommended Security Measures to Protect Your Servers
  by Justin Ellingwood
  by Lisa Tagliaferri
  by Jamon Camisso
  by dbrian
  When setting up infrastructure, getting your applications up and running will often be your primary concern. However, making your applications to function correctly without addressing the security needs of your infrastructure could have devastating consequences down the...
  
  Reply Report
  
  hcmendez September 20, 2020
  
  Thanks for sharing, i’ll check those.
  
  Reply Report

Related

Question

How to hide .user.ini in my NGINX server to use Wordfence in Wordpress?

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

How to hide .user.ini in my NGINX server to use Wordfence in Wordpress?

Leave a comment

Related

question

WordPress site compromised before completing installation

question

Connect to DB installed into dedicated VPS (private networking)

question

Running a web-based video game on a droplet

question

my site i down please see http://www.cheri3a.com/

Looking for something else?