Related

Product App Platform: Run PHP apps without managing servers Product
NGINX Config Generator Tool
someone is pointing my ip to his domain name Question Question
Running a web-based video game on a droplet Question Question

Question

PHP file is downloaded when attempting to secure Wordpress wp-admin and wp-login.php

Posted July 18, 2019 1.1k views
NginxPHPWordPressDebian

I have defined the following block for PHP:

location ~ \.php$ {
        fastcgi_pass   unix:/var/run/php/php7.3-fpm.sock;
        fastcgi_index  index.php;
        fastcgi_intercept_errors on;
        fastcgi_send_timeout 180;
        fastcgi_read_timeout 180;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
        }

Whenever I attempt to define a location block to prevent access to wp-admin or wp-login.php, the PHP file is downloaded:

Root location:

location / {
                try_files $uri $uri/ /index.php?$args;
        }

and directly underneath that:

        location ~ ^/(wp-admin|wp-login\.php) {
               try_files $uri $uri/ /index.php?$args;
               allow xxx.xxx.xxx.xxx;
               allow xxx.xxx.xxx.xxx;
               deny all;
       }

I can’t for the life of me figure out why it’s bypassing PHP and downloading.

Add a comment
mbdrake76
By:
mbdrake76

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
2 answers
alexdo July 18, 2019

Hello mbdrake76 !

Are you using a .htaccess file and if so, do you have the default WordPress rewrite rules in it?

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Looking forward to your reply
Alex

Reply Report
bobbyiliev July 19, 2019

Hello,

You could try_files part from the deny block, I think that this should fix the issue for you.

So it should look something like:

  location ~ ^/(wp-admin|wp-login\.php) {
                allow 1.2.3.4;
                deny all;
  }

Hope that this helps!
Bobby

Reply Report
  • mbdrake76 July 19, 2019

    Alas, I already tried that. The problem still persists - it downloads the PHP file rather than running it.

    Reply Report
    • bobbyiliev July 19, 2019

      Another thing that could be the issue is order of the configuration file. The part containing “wp-admin” should go before the *.php block, as the blocks are being processed in the order.

      Can you try that and let me know how it goes?

      Bobby

      Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help