# WordPress COMMON SETTINGS
# DO NOT MODIFY, ALL CHANGES LOST AFTER UPDATE Webinoly

# Limit access to avoid brute force attack
# https://baraktawily.blogspot.com/2018/02/how-to-dos-29-of-world-wide-websites.html
location /wp-admin {
	location ~ /wp-admin/admin-ajax.php$ {
		limit_req zone=wp burst=6 nodelay;
		include fastcgi_params;
		fastcgi_pass php;
	}
	location ~* /wp-admin/.*\.php$ {
		limit_req zone=wp burst=6 nodelay;
		include common/acl.conf;
		include fastcgi_params;
		fastcgi_pass php;
	}
}
location = /wp-login.php {
	limit_req zone=one burst=1 nodelay;
	include common/acl.conf;
	include fastcgi_params;
	fastcgi_pass php;
}

# Disable wp-config.txt
location = /wp-config.txt {
	deny all;
	access_log off;
	log_not_found off;
}

# Disallow php in upload folder
location /wp-content/uploads/ {
	location ~ \.php$ {
		#Prevent Direct Access Of PHP Files From Web Browsers
		deny all;
	}
}