NGINX + WordPress: block debug.log and other sensitive files

If your WordPress site is served by an NGINX web server, there are a couple of configuration directives you will want to add to your server configuration. If you are uncertain how to do this, consult your hosting provider; they can help you.

WordPress Core: debug.log

WordPress has a debug feature that logs PHP errors to ‘/wp-content/debug.log’. You don’t want anyone unauthorized to see this file, as it could give them information they can use to hack your website. To prevent access to it, add the following location directive to your NGINX configuration:

location ~ /wp-content/debug\.log { deny all; }

Wordfence Security Plugin: .user.ini

Wordfence uses a configuration file called .user.ini, which is placed in the root folder of your website. This file contains the full path of your website’s files, which is semi-sensitive information. To block access to this file, add the following location directive to your NGINX configuration:

location = /.user.ini { deny all; }
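
After reloading NGINX, you can confirm that both rules are active. The script below is an added example, not part of the original post; it assumes curl is installed and that the base URL you pass is your own site. The function names are illustrative.

```shell
#!/bin/sh
# Added example: verify that the two deny rules from this page are active.
# Usage: sh check_blocked.sh https://your-site.example   (your own site)

# Paths the page's two location directives are meant to block.
PATHS="/wp-content/debug.log /.user.ini"

# Map an HTTP status code to a verdict.
# "deny all" makes NGINX answer 403 in its access phase, before it looks for
# the file, so 403 is expected even when the file does not exist yet.
classify_status() {
    case "$1" in
        403) echo "blocked" ;;
        200|206) echo "EXPOSED" ;;
        # 404 means the request was not denied; the file is merely absent,
        # so the rule would not protect it once it is created.
        404) echo "rule-not-applied" ;;
        *) echo "inconclusive" ;;
    esac
}

# Fetch only the status code for base URL $1 + path $2.
fetch_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1$2"
}

# Check every path; return non-zero if any path is not blocked.
check_site() {
    base=${1%/}
    rc=0
    for p in $PATHS; do
        code=$(fetch_status "$base" "$p") || code=000
        verdict=$(classify_status "$code")
        printf '%-26s %s %s\n' "$p" "$code" "$verdict"
        [ "$verdict" = "blocked" ] || rc=1
    done
    return $rc
}

# Only touch the network when a base URL is given on the command line.
if [ "$#" -ge 1 ]; then
    check_site "$1"
fi
```

If your configuration rewrites 403 responses to another status (for example with error_page), adjust classify_status to match.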
