# This file is automatically generated, all manual changes will be lost upon Pod restart!
# Make your changes in the CS Panel or the relevant Website object.

# Rate limits
# wp-cron.php: exact-match location, throttled through the "wp" request-limit zone.
# The zone (its key and rate) is declared with limit_req_zone outside this file,
# so the effective limit cannot be read from here.
location = /wp-cron.php {
  # burst=1 nodelay: one request above the zone rate is served immediately;
  # anything beyond that is rejected (503 unless limit_req_status is set elsewhere).
  limit_req zone=wp burst=1 nodelay;
  # PHP handling comes from the shared snippet; its contents are not visible here.
  include snippets/php-default.conf;
}

# xmlrpc.php: exact-match location, throttled through the "one" zone.
# The same zone is used for /wp-login.php, so both authentication-capable
# endpoints draw on one shared budget per zone key.
# NOTE(review): this only slows repeated requests down. If no XML-RPC client is
# in use for the site, refusing the endpoint outright is the stricter option.
location = /xmlrpc.php {
  # Rejections are written to the error log (limit_req_log_level, default "error"),
  # which is where throttled bursts against this endpoint can be observed.
  limit_req zone=one burst=1 nodelay;
  include snippets/php-default.conf;
}

# wp-login.php: exact-match location, throttled through the "one" zone
# (shared with /xmlrpc.php).
# NOTE(review): the zone key is defined outside this file. If it is the client
# address and nginx sits behind a proxy or load balancer, confirm the real client
# address is restored first; otherwise all visitors share a single bucket.
location = /wp-login.php {
  # burst=1 nodelay: one extra request is let through at once, the rest are rejected.
  limit_req zone=one burst=1 nodelay;
  include snippets/php-default.conf;
}

# /wp-admin: PHP scripts in the admin area are rate limited, with one exception.
location /wp-admin {
  # admin-ajax.php is listed first so that it wins over the broader regex below.
  # It carries no limit_req, so this endpoint is not throttled by this file;
  # presumably because front-end code calls it on ordinary page views (confirm).
  # NOTE(review): the "." before "php" is unescaped and the pattern is not anchored
  # at the start, so it matches slightly more than the literal script name.
  location ~ /wp-admin/admin-ajax.php$ {
    include snippets/php-default.conf;
  }
  # Every other .php under /wp-admin/ (case-insensitive) goes through the "wp"
  # zone; burst=6 leaves room for the several requests one admin page load makes.
  location ~* /wp-admin/.*\.php$ {
    limit_req zone=wp burst=6 nodelay;
    include snippets/php-default.conf;
  }
}
# Refuse /wp-config.txt (a plain-text copy of the WordPress configuration would
# expose database credentials and secret keys).
# Only this exact URI is covered; other copies of the file are handled, if at all,
# by the extension deny-list further down.
location = /wp-config.txt {
  deny all;
  # Probes for this file are kept out of the access log. nginx normally still
  # records the refusal in the error log ("access forbidden by rule"), so any
  # detection built on these hits has to read the error log instead.
  access_log off;
  log_not_found off;
}

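# Deny access to the easywp-backups folder, where old website backups are stored.
# This is a regex, not a glob: a trailing "/*" would only mean "zero or more
# slashes" and restrict nothing, so the pattern is written as the plain substring
# it effectively is. Any URI containing "/easywp-backups" (case-insensitive) is
# refused: the folder itself, everything below it, and any sibling path that
# merely starts with the same name.
location ~* "/easywp-backups" {
  deny all;
  # Requests for backup archives are kept out of the access log; the refusal is
  # normally still recorded in the error log ("access forbidden by rule").
  access_log off;
  log_not_found off;
}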

# Deny access to any files with a .php extension in the uploads directory,
# so that a script placed there through a file upload cannot be requested.
# Works in sub-directory installs and also in multisite network
# ("files" is the second alternative in the pattern).
# NOTE(review): regex locations are tried in configuration order and the first
# match wins. This rule therefore has to appear before any generic PHP location
# in the server block that includes this file; that ordering is not visible here.
# NOTE(review): only URIs ending in ".php" are matched. Whether other suffixes or
# path-info style URIs can reach the PHP handler depends on configuration outside
# this file; verify against the PHP location and php-default.conf.
location ~* /(?:uploads|files)/.*\.php$ {
    access_log off;
    log_not_found off;
    deny all;
}

# Security settings for better privacy
# Deny hidden files: any path segment that starts with a dot (.git, .env,
# .htaccess, ...) is refused. The negative lookahead exempts ".well-known/",
# which must stay reachable for things such as certificate validation.
# Case-sensitive match (~). Unlike most deny rules in this file, access logging
# stays on here, so requests for dot-files remain visible in the access log.
location ~ /\.(?!well-known\/) {
  deny all;
  log_not_found off;
}

# Return 403 forbidden for readme/license/example/LEGALNOTICE/INSTALLATION/CHANGELOG
# files with a .txt, .html or .md suffix. These commonly disclose the installed
# software and its version.
# NOTE(review): the "^$" alternative can never match after the leading "/", and
# "README" duplicates "readme" because the match is case-insensitive (~*). Both are
# harmless but dead. The pattern has no end anchor, so longer names that merely
# begin with one of these file names are refused as well.
location ~*  "/(^$|readme|license|example|README|LEGALNOTICE|INSTALLATION|CHANGELOG)\.(txt|html|md)" {
  deny all;
  access_log off;
  log_not_found off;
}

# Deny common protected downloads folders (plugin directories under uploads whose
# files are meant to be delivered by the plugin, not fetched by direct URL).
# This rule must stay above the archive allow rule that follows it: regex
# locations are first-match, so a .zip/.gz inside one of these folders is refused
# here before the allow rule is ever considered.
# NOTE(review): the trailing "/?" is optional and the pattern is unanchored, so
# any path that merely begins with one of these folder names is also refused.
# Only the literal "/wp-content/uploads/" layout is covered; confirm whether a
# relocated content directory or multisite "files" paths need the same rule.
location ~* "/wp-content/uploads/(dlm_uploads|optimizecheckouts|leco-cp|wpo_wcpdf/attachments)/?" {
  access_log off;
  log_not_found off;
  deny all;
}

# Allow archive files download from wp-content/uploads/.
# "allow all" grants nothing by itself; what matters is that this location matches
# first, so .zip/.gz requests under uploads never reach the extension deny-list
# below. Dot-paths and the protected plugin folders are matched by earlier rules
# and stay refused.
# NOTE(review): every .zip/.gz anywhere under uploads becomes directly
# downloadable. Confirm that nothing sensitive (for example backup or export
# archives written by plugins) is stored there.
location ~* "/wp-content/uploads/.*\.(zip|gz)$" {
  allow all;
}

# Deny backup extensions & log files and return 403 forbidden.
# Case-insensitive match on the final suffix of the URI: editor and backup copies,
# database dumps, key material (.pem, .asc), configuration files, VCS artefacts,
# archives and scripts for other runtimes.
# Notes on the pattern: "bak?" matches both ".ba" and ".bak"; "aspx?" matches
# ".asp" and ".aspx"; "#" is literal here because the regex is quoted.
# .zip/.gz under /wp-content/uploads/ are exempt because the allow location above
# matches first.
# NOTE(review): this is a deny-list, so only the listed suffixes are covered;
# other archive or dump suffixes (.7z, .rar, .tgz, ...) are still served if such
# files exist in the web root. Refusals are kept out of the access log and are
# normally visible only in the error log.
location ~* "\.(old|orig|original|php#|php~|php_bak|save|swo|aspx?|tpl|sh|bash|bak?|cfg|cgi|dll|exe|git|hg|ini|jsp|log|mdb|out|sql|svn|swp|zip|tar|rdf|gz|bz2|pem|asc|conf|dump)$" {
  access_log off;
  log_not_found off;
  deny all;
}
