From cd65475d0dbdd91429685ba6c63f2a3de1794ea6 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Thu, 26 Feb 2015 17:05:50 +0300
Subject: [PATCH] roles/nginx: Add protection for PHP scripts in uploads directory
By the way, :? starts a non-capturing group (ie, don't save the back references).
Signed-off-by: Alan Orth
---
 roles/nginx/templates/wordpress.j2 | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/roles/nginx/templates/wordpress.j2 b/roles/nginx/templates/wordpress.j2
index 832c8f0..1bae75b 100644
--- a/roles/nginx/templates/wordpress.j2
+++ b/roles/nginx/templates/wordpress.j2
@@ -13,6 +13,13 @@
 # Add trailing slash to */wp-admin requests.
 rewrite /wp-admin$ $scheme://$host$uri/ permanent;
+ # Deny access to any files with a .php extension in the uploads directory
+ # Works in sub-directory installs and also in multisite network
+ # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+ location ~* /(?:uploads|files)/.*\.php$ {
+ deny all;
+ }
+ + # Yoast SEO plugin + # https://yoast.com/wordpress/plugins/seo/ + rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
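Review bot: The `\.php$` anchor in the new `location` only denies URIs that end in `.php`, so a path-info style request such as `/uploads/x.php/y.jpg`, or an upload named `x.phtml`/`x.phar`, is not caught here and reaches whatever PHP handler this template declares elsewhere; whether those actually execute depends on that `location ~ \.php` block, which is outside this hunk. A tighter pattern is `location ~* /(?:uploads|files)/.*\.(?:php\d*|phtml|phar)(?:/|$) {`, which also rejects the trailing path-info case. Because nginx tests regex locations in order of appearance and stops at the first match, this deny block must stay above the PHP-FPM location, which is worth stating in the comment, e.g. `# Must precede the PHP handler location: regex locations match in order of appearance`. Minor: the commit message writes the non-capturing group as `:?`, but the syntax is `(?:`.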