Bad nginx rules
-
The nginx rules for suspicious sites cause all requests to be accepted due to a possible logic error.
The problem lies in the whitelisting, where the match is by non-match (last 6 matches).
For example, all requests that don't match loggedout=true are allowed, instead of requests that match loggedout=true.
Generated rules:
# Rules to block suspicious URIs
set $susquery 0;
if ($args ~* "\.\./") { set $susquery 1; }
if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
if ($args ~* "etc/passwd") { set $susquery 1; }
if ($args ~* "boot.ini") { set $susquery 1; }
if ($args ~* "ftp:") { set $susquery 1; }
if ($args ~* "http:") { set $susquery 1; }
if ($args ~* "https:") { set $susquery 1; }
if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
if ($args ~* "base64_encode") { set $susquery 1; }
if ($args ~* "(%24&x)") { set $susquery 1; }
if ($args ~* "("|'|<|>|\|{|||%24&x)"){ set $susquery 1; }
if ($args ~* "(127.0)") { set $susquery 1; }
if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }
if ($args !~ "^loggedout=true"){ set $susquery 0; }
if ($args !~ "^action=jetpack-sso"){ set $susquery 0; }
if ($args !~ "^action=rp"){ set $susquery 0; }
if ($http_cookie !~ "^.*wordpress_logged_in_.*$"){ set $susquery 0; }
if ($http_referer !~ "^http://maps.googleapis.com(.*)$"){ set $susquery 0; }
if ($susquery = 1) { return 403; }
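The corrected form of the whitelist, as an added example that is not the plugin's generated output: because every `!~` line resets `$susquery` to 0 for any request that does not match its own pattern, no request can stay blocked; the exemptions must instead use a positive match (`~`) so that only requests matching an exemption are re-allowed. The blacklist below is abbreviated to a few of the generated patterns, and the escaped dots in the referer pattern are my addition.

```nginx
# Corrected rules (added example): block suspicious query strings,
# then re-allow only requests that positively match an exemption.
set $susquery 0;

# Blacklist (subset of the generated patterns, unchanged)
if ($args ~* "\.\./")                                  { set $susquery 1; }
if ($args ~* "etc/passwd")                             { set $susquery 1; }
if ($args ~* "(<|%3C).*script.*(>|%3E)")               { set $susquery 1; }
if ($args ~* "base64_encode")                          { set $susquery 1; }
if ($args ~* "(request|insert|concat|union|declare)")  { set $susquery 1; }

# Whitelist: note "~" (matches), not "!~" (does not match).
# With "!~", a request only had to miss one pattern to be cleared,
# which every request does, so everything was accepted.
if ($args ~ "^loggedout=true")                         { set $susquery 0; }
if ($args ~ "^action=jetpack-sso")                     { set $susquery 0; }
if ($args ~ "^action=rp")                              { set $susquery 0; }
if ($http_cookie ~ "wordpress_logged_in_")             { set $susquery 0; }
if ($http_referer ~ "^http://maps\.googleapis\.com")   { set $susquery 0; }

if ($susquery = 1) { return 403; }
```

After `nginx -t` and a reload, a request whose query string contains `../` should now receive 403, while one whose query string starts with `loggedout=true` is served normally; with the original `!~` rules both were served.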