PHP file is downloaded when attempting to secure Wordpress wp-admin and wp-login.php

July 18, 2019 313 views
Nginx PHP WordPress Debian

I have defined the following block for PHP:

location ~ \.php$ {
        fastcgi_pass   unix:/var/run/php/php7.3-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_intercept_errors on;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;

Whenever I attempt to define a location block to prevent access to wp-admin or wp-login.php, the PHP file is downloaded:

Root location:

location / {
                try_files $uri $uri/ /index.php?$args;

and directly underneath that:

        location ~ ^/(wp-admin|wp-login\.php) {
               try_files $uri $uri/ /index.php?$args;
               deny all;

I can’t for the life of me figure out why it’s bypassing PHP and downloading.

2 Answers

Hello mbdrake76 !

Are you using a .htaccess file and if so, do you have the default WordPress rewrite rules in it?

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Looking forward to your reply


You could try_files part from the deny block, I think that this should fix the issue for you.

So it should look something like:

  location ~ ^/(wp-admin|wp-login\.php) {
                deny all;

Hope that this helps!

  • Alas, I already tried that. The problem still persists - it downloads the PHP file rather than running it.

    • Another thing that could be the issue is order of the configuration file. The part containing “wp-admin” should go before the *.php block, as the blocks are being processed in the order.

      Can you try that and let me know how it goes?


Have another answer? Share your knowledge.