Prevent Information Disclosure in Plesk Onyx for NGINX server

Servers are often misconfigured in ways that allow an attacker to access sensitive information and compromise your WordPress website. No server can be 100% secure, but you can harden yours to a point where your WordPress website is well protected. I will be writing a blog post soon, listing all the major points for hardening your server for maximum WordPress security.

For now, here are the steps to prevent information disclosure on a Plesk Onyx (nginx) based server.

  1. Log in to your server as the “root” user via SSH.
  2. Navigate to Plesk’s nginx vhosts directory.
    cd /etc/nginx/plesk.conf.d/vhosts
  3. Here you will find a .conf file for each domain hosted on your server. Edit the .conf file of the domain on which WordPress is installed and which you want to secure against information disclosure (substitute “mydomain.com” with your domain name).
    nano mydomain.com.conf
  4. Scroll down to the part of the file where you find the following block. If you are using SSL for your website, there are two server blocks, one listening on port 80 and one on port 443, and you need to edit both.
    server {
           listen ipaddress:port;
           ...
           ...
           location ~* wp-config.php { deny all; }
           location / {
           ...
           ...
    }
  5. Insert the following block just before the line location ~* wp-config.php { deny all; }
    ## RebootInternet.com - Prevent information disclosure ##
    # Turn off directory indexing
    autoindex off;

    # Deny access to .htaccess and other hidden files
    location ~ /\. {
      deny all;
    }

    # Deny access to the wp-config.php file
    location = /wp-config.php {
      deny all;
    }

    # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
    location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
      deny all;
    }
    ## RebootInternet.com - End ##
  6. This is how your .conf file should look after you have inserted the code.
    server {
           listen ipaddress:port;
           ...
           ...

           ## RebootInternet.com - Prevent information disclosure ##
           # Turn off directory indexing
           autoindex off;

           # Deny access to .htaccess and other hidden files
           location ~ /\. {
             deny all;
           }

           # Deny access to the wp-config.php file
           location = /wp-config.php {
             deny all;
           }

           # Deny access to revealing or potentially dangerous files in the /wp-content/ directory (including sub-folders)
           location ~* ^/wp-content/.*\.(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$ {
             deny all;
           }
           ## RebootInternet.com - End ##

           location ~* wp-config.php { deny all; }
           location / {
           ...
           ...
    }
  7. Finally, reload nginx so the new configuration takes effect.
    service nginx reload
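To confirm that the new rules took effect after the reload, here is an added verification script (not part of the original post) that requests each protected path and reports any that nginx still serves. It assumes curl is installed and takes the site URL (for example https://mydomain.com) as its first argument; the path list is a constructed sample matching the location blocks from step 5.

```sh
#!/bin/sh
# Added verification script (not from the original post): after "service nginx reload",
# request each protected path and confirm nginx refuses it instead of serving it.
# Assumes curl is installed; the site URL is taken from the first argument.

# Constructed sample of paths covered by the location blocks added in step 5.
PROTECTED_PATHS="
/wp-config.php
/.htaccess
/.git/config
/wp-content/debug.log
/wp-content/uploads/backup.sql
/wp-content/themes/readme.txt
/wp-content/languages/de_DE.po
"

# A 403 (deny all) or 404 means the file is not disclosed; anything else is a finding.
is_blocked_status() {
  case "$1" in
    403|404) return 0 ;;
    *)       return 1 ;;
  esac
}

# Fetch only the HTTP status code for one path; curl prints 000 if it cannot connect.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' "$1$2"
}

# Probe every path under the given base URL; returns non-zero if any is still served.
check_paths() {
  base="${1%/}"
  fail=0
  for p in $PROTECTED_PATHS; do
    code="$(http_status "$base" "$p")"
    if [ "$code" = "000" ]; then
      echo "ERROR     $base$p (no connection)"
      fail=1
    elif is_blocked_status "$code"; then
      echo "OK   $code $p"
    else
      echo "FAIL $code $p (still reachable; re-check the location blocks)"
      fail=1
    fi
  done
  return "$fail"
}

# Usage: sh check_disclosure.sh https://mydomain.com
if [ $# -gt 0 ]; then
  check_paths "$1"
fi
```

Note that the pattern location ~ /\. also matches /.well-known/acme-challenge/, which Let's Encrypt uses for HTTP validation, so if this domain renews its certificate that way, confirm that path is still served.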


Once you have completed all the above steps, nginx will refuse outside requests for the sensitive files of your WordPress installation.
