disable file uploads

Jonathan Vanasco nginx at 2xlp.com
Tue Mar 24 22:40:03 UTC 2015


On Mar 23, 2015, at 11:15 PM, Steve Holdoway wrote:

> Well, I'm going for the multiple levels of protection approach, but am
> trying to mate that with a 'simple to maintain' methodology.
> 
> So, yes I'd like to do both, but without being heavy-handed on the
> website owners.


I understand the frustration of this.  You don't need to have compromised software to be affected by it.  Once someone finds out you have WordPress installed, you become subject to a lot of attacks and random POSTs -- as scripters try to exploit known issues.

If you can do this -- one of the simplest things to do is to put as much of the WordPress "dashboard" behind an HTTP auth block in nginx, and disable POST everywhere but there.  I've seen some large properties heavily configure WordPress to run on "admin.example.com" behind heavy auth, and then have "public.domain.com" simply handle GET requests.

That may not work on your setup though.  If you're using the internal WordPress comments tool or any of their API/web hooks, you'd need to open up those URLs to POST -- but you can limit it to something arbitrarily small (e.g. 1k or less).

There are also a few integration how-tos for using nginx with fail2ban.
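As an added illustration (not part of the original mail), the following nginx server block expresses the split described above: the dashboard and login page behind HTTP auth, the comment endpoint left open to POST but capped at 1k, and every other URL restricted to GET/HEAD. The document root, the PHP-FPM socket path and the htpasswd file location are assumed values.

```nginx
# Added example, not from the original mail. Assumed values: WordPress root
# /var/www/wp, PHP-FPM on unix:/run/php-fpm.sock, htpasswd file at
# /etc/nginx/wp-admin.htpasswd.
server {
    listen 80;
    server_name example.com;
    root /var/www/wp;
    index index.php;

    # Dashboard and login: HTTP auth first; POST is allowed only here.
    # Listed before the generic \.php$ location so it wins the regex match.
    location ~ ^/(wp-admin/|wp-login\.php) {
        auth_basic "WordPress admin";
        auth_basic_user_file /etc/nginx/wp-admin.htpasswd;
        try_files $uri $uri/ /index.php?$args;
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php-fpm.sock;
        }
    }

    # Comment form: POST has to stay open, so cap the request body instead.
    # Exact match takes priority over the regex locations below.
    location = /wp-comments-post.php {
        client_max_body_size 1k;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }

    # Everything else is read-only: anything but GET/HEAD gets 403
    # in the access phase, before the request ever reaches PHP.
    location ~ \.php$ {
        limit_except GET HEAD { deny all; }
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }

    location / {
        limit_except GET HEAD { deny all; }
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Themes or plugins that POST to /wp-admin/admin-ajax.php from public pages would need their own exception, since that path falls under the authenticated block here.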

