The way I got it working is by adding a rule allowing TinyMCE
followed by a rule denying all PHP files in the wp-includes directory.
The rule for allowing TinyMCE MUST contain the directives connecting Nginx to the PHP application server (php5-fpm in my case).
Basically I copied over the directives I had under the location ~ \.php$ block.
So for me the solution looked like this:
# Allowing TinyMCE only: an exact-match ("=") location, which Nginx checks
# before any regex location, so this one wins no matter where it sits in the file
location = /wp-includes/js/tinymce/wp-tinymce.php {
    allow all;
    # Same hand-off to php5-fpm as the generic "location ~ \.php$" block
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_read_timeout 300s;
}
# Blocking other PHP files in wp-includes (the dot is escaped so only ".php" matches).
# Regex locations are tried in file order and the first match wins, so this block
# has to appear BEFORE the generic "location ~ \.php$" block or it is never reached
location ~* /wp-includes/.*\.php$ {
    deny all;
}
Task finished with pull-request #2 [1] and more specifically with commit 7666c43 [2]; once the changes are merged into the master branch and pushed to the WordPress repositories you will see the new Nginx rules in the hardening panel.
PS. @ramdamnest thanks for your help.
[1] https://github.com/Sucuri/sucuri-wordpress-plugin/pull/2
[2] https://github.com/cixtor/sucuri-wordpress-plugin/commit/7666c43
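For anyone wiring this into a full server block, the following is an added example (not code from the pull request or from the plugin's hardening panel) showing where the two locations from the comment above must sit relative to the generic PHP handler. The server_name, document root, socket path and the extra wp-content/uploads rule are assumptions for illustration.

```nginx
# Example only: minimal WordPress vhost. server_name, root and the php5-fpm
# socket path are assumptions, not values taken from the pull request.
server {
    listen 80;
    server_name example.com;
    root /var/www/wordpress;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # 1. Exact match for the TinyMCE loader. Nginx evaluates "=" locations
    #    first and stops on a hit, so this wins over every regex location
    #    below regardless of its position in the file.
    location = /wp-includes/js/tinymce/wp-tinymce.php {
        include fastcgi_params;
        # Stock fastcgi_params does not set SCRIPT_FILENAME (fastcgi.conf
        # does); without it php-fpm has no script to execute.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_read_timeout 300s;
    }

    # 2. Deny every other .php under wp-includes. Regex locations are tried
    #    in file order and the first match wins, so this MUST precede the
    #    generic PHP handler in step 3. Placed after it, this block is never
    #    reached and the hardening silently does nothing.
    location ~* ^/wp-includes/.*\.php$ {
        deny all;
    }

    # Same idea for uploads (an addition beyond the comment's rule): a web
    # shell dropped into wp-content/uploads must never reach php-fpm.
    location ~* ^/wp-content/uploads/.*\.php$ {
        deny all;
    }

    # 3. Generic PHP handler, last among the regex locations.
    location ~ \.php$ {
        # Refuse /x.php/y.css style path-info requests and missing files
        # with a 404 instead of letting php-fpm guess what to run.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }
}
```

Check the result with `nginx -t` before reloading, then confirm that a request for /wp-includes/js/tinymce/wp-tinymce.php is answered by PHP while a request for any other .php path under /wp-includes/ (for example /wp-includes/version.php) returns 403; if the second request is still served, the deny block is sitting below the generic handler.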