Akismet WordPress plugin is one of the popular plugins for personal WordPress blogs. Nginx is one of the evolving web server, just surpassing Microsoft’s IIS in terms of the usage to be just behind Apache. The ‘bad’ guys always find new ways to exploit a site. Ever since version 2.5.7, Akismet introduced a new .htaccess
file to block direct access to PHP files. The content of that .htaccess file goes like this…
Order Deny,Allow
Deny from all
<FilesMatch "^akismet\.(css|js)$">
Allow from all
The meaning of this code is to allow only CSS and JS files within the Akismet plugin directory (and its sub directories) and block access to everything else. In other terms, it means to block access to PHP files inside Akismet plugin directory and its sub directories, if the request comes from a browser. It basically means the PHP files should only be executed, if accessed from the localhost. It roughly translates into the following code in Nginx…
location ~* /akismet/.*\.php$ {
allow 127.0.0.1;
deny all;
}
I already updated my Github configuration, incorporating the above rules in the restrictions.conf
file. If your host uses Nginx, please sure to ask your host to make sure, the PHP files within Akismet directory are protected. If you’d want even better protection, just deny access to any PHP files within wp-content directory from a browser.
Checking the Nginx rules
If you are unsure about the above protection in your site, you may verify it using curl. Here is the output before enabling the Akismet protection…
curl -I https://www.tinywp.in/wp-content/plugins/akismet/akismet.php
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 21 Mar 2013 11:02:29 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Cache-Control: max-age=0, no-cache, no-store
Here is the output after enabling the Akismet protection via Nginx rewrite rules…
curl -I https://www.tinywp.in/wp-content/plugins/akismet/akismet.php
HTTP/1.1 403 Forbidden
Server: nginx
Date: Thu, 21 Mar 2013 11:06:14 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Vary: Accept-Encoding