NGINX + WordPress: block debug.log and other sensitive files

If your WordPress site is being served by an NGINX web-server there are a couple of configuration directives you will want to add to your server configuration. If you are uncertain about how to do this, consult with your hosting provider and they can help you.

WordPress Core: debug.log

WordPress has a debug feature that logs PHP errors to ‘/wp-content/debug.log’. you don’t want anyone unauthorized to see this as it could provide them with information they can use to hack your website. So to prevent access to this file you want to add the following location directive in your NGINX configuration:

location ~ /wp-content/debug\.log { deny all; }

WordFence Security Plugin: .user.ini

Wordfence uses a configuration file called .user.ini which is placed in the root folder of your website. This file contains the full path of your website’s files which is semi-sensitive information. To block access to this file, add the following location directive in your NGINX configuration:

location = /.user.ini { deny all; }

Securing Your Site with WP-Bruiser

What is WP-Bruiser?

WP-Bruiser, formerly known as “Goodbye Captcha” is a free plugin for WordPress which blocks bot spam in your comment forms. It also has some non-free extensions which integrate with various popular contact forms and other addons to block bot spam in those as well. It does this using a clever token system which bots cannot defeat. This eliminates the need to annoy your users with a “Captcha” and presents a more professional web experience to your visitors. WP-Bruiser also includes some security features which is and what we are going to focus on today.

Installing WP-Bruiser

From your WordPress dashboard you can go to Plugins -> Add New and search for WP-Bruiser. You’ll find it in the standard WordPress plugin repository where you can install and activate it. The WP-Bruiser settings has several tabs at the top of the screen. The first tab, labeled simply “Settigns” is not strictly security related.

Security Tab

This tab offers a number of useful security features. At the top you can see Brute Force settings. For maximum security you should enable all of these. If you want your website to be accessible from anonymous TOR nodes then leave the Anonymoux Proxy IPs option unchecked, but be warned a lot of attacks use the TOR network.

Next you’ll see ‘White Listed IPs’, where you can provide some IP addresses which should never be blocked from the website. This section helpfully tells you your own IP in case you want to add it, but be aware that your IP might change and if it does you’ll want to update this section.

Following that is ‘Black Listed IPs’ which is where you can manually enter IP addresses you would like to ‘ban’ from accessing your site.

WordPress Tab

I recommend enabling all of the options in the WordPress Standard Forms Settings box, the first one you see. This will extend WP-Bruiser to prevent bots from registering accounts, as well as preventing certain kinds of scripted bot behaviors. Chances are you don’t want bots doing anything on your website.

The next section is ‘Tweaking WordPress’. You should enable Hide WordPress Version. Nobody needs to know what version of WordPress you’re using, and hackers will use that information to find vulnerabilities in your site. Next you should enable Remove RSD Header and Remove WLW Header if you don’t explicitly require them. If you aren’t making use of XML-RPC, and most people aren’t, then you should enable both of those options as well.

The next few tabs are specific to various extensions and outside the scope of this tutorial. If you are using any of those plugins I recommend paying for the license to integrate WP-Bruiser’s features with them. I personally use the Contact Form 7 extension on many websites and it has completely eliminated contact form spam.

Notifications Tab

This is a very handy feature. You should configure your E-mail address in the field provided and enable both checkboxes. This will notify you any time an administrator logs into your website, which can inform you if someone has compromised your website. If you operate a site with many people, have everyone use ‘Editor’ level accounts or lower for day to day tasks.

That’s it! WP-Bruiser is a very lightweight plugin and still provides a lot of additional security to a WordPress site, as well as eliminating 100% of bot submissions in your comment and contact forms.

Securing WordPress


WordPress is the most popular and possibly best software for operating a modern website. The built in tools that it provides for free are extremely valuable for any web project. WordPress is built on top of PHP which is a “Server Side” programming language. That means when WordPress performs computational tasks it is performing them on the server, rather than in the visitor’s browser. This presents significant security risks, because hackers can exploit vulnerabilities in WordPress to take over the server, which they can then add to their botnets to perform DDoS for Hire attacks, or to act as Crypto-Miners, or to grow their BotNet by infecting the machines of your visitors.

Many people have the mistaken belief that if they are a small organization such as a new business or a non-profit, that they don’t have to worry about hackers. In fact, most hackers don’t care who you are. Every website is a target, and every website connected to the internet is being scanned and attacked on a daily basis by dozens of hackers. Hacking computers has become a global organized crime racket, and your website is a target.



The most important part of this process, while not necessarily directly related to security, is backups. Backups will not protect your website from attacks, and if your backup system is insecure they may actually increase your risk of compromise. What backups will do is significantly reduce your cost of recovery from an attack. Even the strongest and most comprehensive security policies sometimes fail to prevent attacks, and so backups are the most important piece of the puzzle.


The second most critical aspect of improving WordPress security is to keep your core WordPress software and all of your plugins updated every day. This might seem like a hassle, but malware programmers move quickly when they learn of new exploits. In very rare cases you might have issues due to upgrading your plugins but that is easy to recover from because you have backups, right?

We published a short guide on Updates and Backups that you can refer to for more detailed instructions. Click Here to Read More.

Responsible Plugin Management

Because the majority of attacks happen through vulnerable plugins you need to ensure that you are only using plugins which are being actively developed. They should be listed as compatible with the most recent version of WordPress, and if they require a license to keep them updated then you should have an active license. Deactivate or delete old plugins that you aren’t using anymore, or that you can’t update anymore.

Strong Passwords

Odds are your passwords are not good enough. In my 20 year career I’ve worked with a lot of people and most of you have weak passwords. For your WordPress administrator account your password should be a minimum of 64 random characters. Some mathematicians will tell you that is overkill, and they would be right, but in a few years it won’t be, so unless you want to frequently change your password as computers get more powerful, start at overkill.

Your Password needs to be completely unique. You should not re-use the same password anywhere.

In this day and age a password manager is an essential tool for managing passwords. You should be using a password Manager, we recommend KeePass or one of it’s cross-platform variations. We discourage the use of “Online” password managers because they are honey pots for hackers and there have been a quarter dozen compromises in recent years alone. I published a comprehensive guide on strong password habits which you can read at

Custom Administrator Username

As long as you are using only very strong passwords, this tip is a minor one. In order to reduce the success chance of brute force attacks, your administrator accounts should never be named “Administrator” or “Webmaster” or “Admin” or anything similarly obvious. We want to emphasize that Strong passwords are more important than custom usernames, and must come first.

Filesystem Security

This subject is a bit advanced for most users but it remains an essential piece of a comprehensive security plan. You have to ensure your Website files have the appropriate security settings. Your wp-config.php file should not be readable by anyone. It only needs to be accessed by your webserver, and that is the only ‘user’ who should have access to it. If you create backups of this file, ensure that they are also equally secure.

An especially strong permission guideline for other files in your website directory tree is to set ‘660’ for files and ‘770’ for directories. This allows the owner and group-members to access them, but nobody else. You may need to add your user account to the group to access files with these permissions. If setting file permissions is too advanced for you, please E-mail us at and we would love to help you.

Optional Advanced Techniques

These techniques are more advanced but they will help you to keep your website secure. If you would like help to implement these techniques please E-mail us at

Password Hashing

Passwords stored in the WordPress database are hashed so even if someone gains access to your database, they will have a difficult time cracking the passwords stored within. There is a free plugin available which can significantly increase the strength of the hashing technique. You can download the bCrypt Hashing plugin at This Github Page.


Fail2Ban is a popular security program which runs on your server and monitors server logs for suspicious activity. When it sees evidence of hackers, it automatically bans their IP address. There is a free plugin that allows Fail2Ban to monitor WordPress activity. You can find the plugin By Clicking Here. This method requires that your server have Fail2Ban installed, and if you’re using a low-quality host they might not offer Fail2Ban support. If that’s the case you should consider switching hosting providers. Pride Tech Design offers high quality hosting with an emphasis on security, including Fail2Ban support.


This free plugin WP-Bruiser offers a number of ways to improve the security of your WordPress website. It’s primary task is to block bots from submitting account registrations, logins, and comments. It does this without using any “Captchas”, which improves the user experience for your real visitors. WP-Bruiser has a 100% success rate blocking bots, so it’s actually more reliable than any existing Captcha system. When you are configuring the plugin you’ll notice it includes a number of basic security features as well, making it a great lightweight choice to improve the security of your website.

Directory Indexing

Directory Indexing is what allows a visitor to see a list of files contained in a directory when there is no index.html or index.php file in that directory. Generally this is considered a security risk as you do not want to allow random visitors to browse the file structure of your website.

This is an item that only effects misconfigured Apache based servers. Unfortunately many low quality hosting providers, some of whom are often listed as “Top 10” brand names, operate misconfigured Apache servers with Directory Indexing enabled by default. In these situations you can use .htaccess files to disable indexing.

Security Suites

There’s a number of well known security plugins for WordPress. They include a ton of features, however we recommend that these are the least important method to improve your security. Many of these plugins only support Apache based websites, their firewall features simply won’t work on Nginx based websites. That will hopefully change in time, but for now it’s an important fact. Many of their features are extreme and won’t really improve your website security, such as changing the login URL, and they can sometimes break your website. If you want to use one of these plugins, you should consult with a professional to configure them for your specific needs. You can E-mail us at to help you with configuring a security suite on your website.


You can see there are a lot of steps you can take to improve the security of your website. A well-secured WordPress site is extremely difficult to break into and can reliably serve as the main customer portal for your business, non-profit organization, or global enterprise. If you need any further guidance on this subject, please E-mail me at and I will be happy to provide you with personal support for your business. You may also want to sign up for one of my WordPress Maintenance Plans.

Updating and Backing Up WordPress

Creating Backups

The most important maintenance task for any website is keeping regular backups. You should be backing up your website at least every week. That might seem like a lot if your content remains static, but a well-maintained website is also going to be receiving regular updates to the WordPress core software as well as plugins, and if something breaks you will be thankful that your backup strategy was thorough.


The easiest way to create backups of your WordPress website is using plugins. There are a lot of plugins to choose from, but the one that we recommend here at Pride Tech Design is called BackWPUp. This plugin is free, it creates backups of both your website files and your database, it allows you to schedule your backups so you can set it and forget it, and it allows you to save your backups to various cloud storage platforms, which you want to do.


BackWPUp has a lot of configuration options, many of which you can safely ignore. If you’re really uncertain of how to configure your backups, you should consult with a professional, but we will show you a standard configuration that works for most websites.

Add New Job

The first step is to give your new backup job a name. Something like “Weekly Backup” is adequate. Beneath the name field you’ll see “Job Tasks”. You can safely check all of these items however the essential ones you want are Database Backup and File Backup. You may also want to enable the Installed Plugin List.

Add New Job: Backup File Creation

In the next section you’ll see “Archive Name”, which allows you to configure the filename of your backups, using a number of variables which you’ll see on the screen. Unless you know what you’re doing here you should probably leave the default in place. After the Archive Name you will see “Archive Format”. If you work primarily in Windows, choose .Zip if it is available. .zip, .tar.gzip, and .tar.bzip2 are all fine, but you should not use .Tar because it does not compress the data, which results in a lot of wasted storage space.

Add New Job: Destination

This section allows you to choose one or more destinations for your backup file. These are mostly self-explanatory and the most important thing to consider is the security of the location. You need to be certain that wherever your backups are stored, only authorized users will have access to them. Your database backup will contain full details of your website’s administrator accounts so this is important.

The remaining options on this page can be left as default. You may want to configure an E-mail address for error reports. The next step is to switch to the “Schedule” tab at the top of the screen.

Schedule Job

Now that you’ve created your backup job, we need to schedule it. By default it will only run when manually activated. You should select “WordPress Cron”, which will display a new section of options below, where you can schedule the time the job will run. This is the easiest method to schedule your backups.

Destination Options

Depending on what destinations you chose when creating the job, you will see additional tabs at the top. There are too many options to cover all of them in this article, but one important option is Number of Files to Keep. The best number for you is going to vary depending on the frequency of your backups. You should keep your backups for at least 90 days, so if you’re making weekly backups then you should keep at least ~15. If you’re taking daily backups then you would want ~90.

Updating WordPress

Once you have a good backup system in place, the next thing to cover is updating your website. By default your WordPress software should update itself automatically when new minor versions are released. Major versions are not updated automatically and this is for the best, so when a new major version is released you should log in to update it manually.

What are Major and Minor versions?

WordPress uses a versioning scheme like #.#.#, where the first digit is the “Major” version, the second and third digits are “Minor” updates. Major updates, that is, the first digit, will include significant changes to the software’s code, and the introduction of new features. Minor updates are usually bug fixes, or security patches. Some minor updates will include new features which were not ready in time for the Major update.

Plugin Updates, Automatic vs Manual

Updating the core WordPress software is important but equally important is updating your plugins. By default, WordPress plugins do not automatically update at all. There are a couple of ways that you can change this, the most easy being a free plugin Automatic Plugin Updates. It is important that you have a backup system in place before setting up automatic updates, so if you haven’t done that yet please scroll up and do that first.

If you prefer to update your plugins manually that is fine, but you need to ensure that you are doing it at least every week. New vulnerabilities are found in plugins every day, and hackers use these vulnerabilities to attack sites like yours, without concern for the content of your site or your global visibility. You can deploy manual plugin updates from the Plugins screen of your WordPress dashboard, or from the Updates screen.

Let Pride Tech Design help you

We understand some people do not have the time or confidence to perform these tasks. Your website is important and you need to have the peace of mind that it is being protected. We offer very low cost maintenance plans which will provide you with daily backups and updates of your WordPress website and plugins, with free restorations in case of problems. You can read more about these programs and sign up at our Maintenance Page.