Support » Plugin: iThemes Security (formerly Better WP Security) » Suggested NGINX rules improvement

  • Looking at the nginx rules that iThemes Security generates, I believe it would be better to return a 404 instead a 403.

    For example:
    location ~ /readme\.html$ { deny all; }
    could be replaced with
    location ~ /readme\.html$ { return 404; }

    Given that most attacks are automated, my approach is to hide the fact that the site is WP by renaming wp-content, disallowing wp-admin, hiding headers, and so on.

    So I think it would be better if iThemes returned 404s for all forbidden/suspicious stuff. This would better throw off attacks (of course it won’t be a cure-all, but a step in the right direction).

  • You must be logged in to reply to this topic.