Nginx Security for wordpress & phpmyadmin

March 13, 2013 11.2k views
desiredpersona
By:
desiredpersona
Hi all, How do i protect phpmyadmin. Currently anyone can access example.com/phpmyadmin how do i protect wordpress files and folders. I have seen tutorials on the web where nginx config links to a made up global restrictions file so you can link to it when creating new server blocks but im not sure if its up to date. http://codex.wordpress.org/Nginx
Log In to Comment
6 Answers
desiredpersona March 13, 2013
Also how can i restrict phpmyadmin by ip?
Reply
dave March 14, 2013
echo "allow 127.0.0.1;" > /etc/nginx/allow_list
echo "allow 192.168.0.155; # whatever your ip is" >> /etc/nginx/allow_list
echo "deny all;" >> /etc/nginx/allow_list

then wherever you want restrictions inplace

include allow_list;

Example that will restrict an entire domain:

server {
server_name domain.com;

root /var/www/;
error_log /var/log/nginx/error.log warn;
access_log /var/log/nginx/access.log;
include allow_list;

}

Example that will restrict one folder under one domain


server {
server_name domain.com;

root /var/www/;
error_log /var/log/nginx/error.log warn;
access_log /var/log/nginx/access.log;

location /wordpress/ {
include allow_list;
}
}
Reply
desiredpersona March 16, 2013
Thanks Dave ;-)
Reply
roozbehk March 17, 2013
Hi, The easier way would be to protect the folder with auth_basic module . I am guessing you have fastcgi


location ~* /phpmyadmin/.*\.php$ {
try_files $uri = 404;
fastcgi_split_path_info ^(.+.php)(.*)$;
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;

auth_basic "Password Protected Folder";
auth_basic_user_file /var/www/.htpasswd;

}

This will protect the folder and will ask for your username and password from .htpasswd file that you put somewhere on the server that is not accessible by web in my case is /var/www/.htpasswd

to create .htpasswd file you can use this site or do it from command line. http://www.htaccesstools.com/htpasswd-generator/
Reply
roozbehk March 17, 2013
Here is what I use for wordpress:

# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;

location /wp-admin {
location ~ /wp-admin/admin-ajax.php$ {
try_files $uri = 404;
fastcgi_split_path_info ^(.+.php)(.*)$;
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;

}

location ~* /wp-admin/.*\.php$ {
try_files $uri = 404;
fastcgi_split_path_info ^(.+.php)(.*)$;
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_ignore_client_abort off;
fastcgi_connect_timeout 60;
fastcgi_send_timeout 180;
fastcgi_read_timeout 180;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;

auth_basic "You shall not pass!";
auth_basic_user_file /var/www/.htpasswd;

}
Reply
desiredpersona March 20, 2013
thanks roozbehk
Reply
Have another answer? Share your knowledge.