Prevent PHP execution

I have been trying to get PHP execution blocked in Defender, so I added the generated code into a .conf file in /nginx but it’s not verifying.

  • Adam
    • Support Gorilla

    Hello Nathan

    I hope you’re well today and thank you for your question!

    I’m afraid it’s quite difficult to “troubleshoot” this without any access to the site but let me start with the question: are you sure that site’s powered by nginx only or is it Apache + nginx? The latter is also a popular setup but it would need a different configuration.

    The code that you added seems proper but I’m not quite sure about where it is added. I mean: I see it’s been added to some separate .conf file and while it’s expected to be added to site specific .conf file, inside the “server” section, right before the PHP “location” block. If it’s in a separate file, I’m not quite sure if it’s actually loaded in a right/correct order or, for that matter, if it’s loaded at all.

    Is this where the Digital Ocean suggested to put it and they claim it should be working? Do you have access to other nginx configuration files for the site? If yes – what/what they contain?

    Best regards,
    Adam

  • Adam
    • Support Gorilla

    Hi Nathan

    I’ve consulted it with one of our devops and he suggests that there are two more things worth checking.

    1. Since the code is in its own file, this file should actually be included in a main nginx config file for the site. It shouldn’t be “free floating” file as it won’t be included/applied then even after nginx restart (unless it’s somehow set to automatically read those files but that’s highly unlikely, especially due to the second point below).

    2. it seems that your file is located in a home directory and that’s another “unexpected” aspect.

    In general:
    – create/put the file in web-root folder for the site
    – find the server name (like example.com – of course that’d be different for your site) and then include your file into the config for that that server name

    http://nginx.org/en/docs/ngx_core_module.html#include

    If that doesn’t work for you, we could possibly take a look inside to see if we could help but we’d need SSH access (if you’re fine with that, let me know and I’ll tell you how to provide it to us; do not post it here!), though I can’t guarantee success as it’s more of a server administration task rather than just WordPress issue and it’s related to 3rd-party hosting which, even though it’s Digital Ocean, can be configured in very different ways.

    Let me just mention though that it might be worth considering moving to our hosting. I’m not “pushing” of course but unlike a “bare DO droplets” we provide fully Managed Hosting which means we take care of such things and even if you do need something to be changed/added, you can always let us know and if it’s only possible (tech- or security-wise), our admins would take care of that :slight_smile:

    Best regards,
    Adam