1

I'm trying to serve the static files from a Wordpress installation and I'm using a symbolic link placed in the NGINX folder pointing to the wp-content/uploads folder.

Every file is being served correctly, but unfortunately there are some plugins that include some of their .php files inside this folder, so NGINX serve them as static files, leading to potential security risks.

Is there any way to instruct NGINX to return a Forbidden 403 error when trying to access .php files?

Thanks in advance.

Improve this question

1 Answer 1

Reset to default
1

You can exclude an extension under a location block using a sub location

E.G. 

location /wp-content/uploads { location ~ \.(php|any|other|ext)$ { return 403; } .... }
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

thanks for your answer! noob subquestion, should I just add it to the .htaccess file? It didn't work for me that way.
Nginx does not use htaccess files. You add the above to the nginx conf file for the site in question and reload nginx.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.