
So I'm trying to run WordPress on LEMP. I did fix the permalinks by adding this:

location / {
        try_files $uri $uri/ /index.php?$args;
}

But now I'm greeted with an unauthorized error. More specifically:

A password is required to access this web server. Please try again.

My virtual server's config file:

server {
    server_name test.com www.test.com;
    listen x.x.x.x;
    listen 80;
    #return 301 https://$host$request_uri;

}


server {
    server_name test.com www.test.com;
    listen x.x.x.x;
    root /home/test/public_html;
    index index.php;

    access_log /var/log/virtualmin/test.com_access_log;
    error_log /var/log/virtualmin/test.com_error_log;
    fastcgi_param GATEWAY_INTERFACE CGI/1.1;
    fastcgi_param SERVER_SOFTWARE nginx;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param REQUEST_METHOD $request_method;
    fastcgi_param CONTENT_TYPE $content_type;
    fastcgi_param CONTENT_LENGTH $content_length;
    fastcgi_param SCRIPT_FILENAME /home/test/public_html$fastcgi_script_name;
    fastcgi_param SCRIPT_NAME $fastcgi_script_name;
    fastcgi_param REQUEST_URI $request_uri;
    fastcgi_param DOCUMENT_URI $document_uri;
    fastcgi_param DOCUMENT_ROOT /home/test/public_html;
    fastcgi_param SERVER_PROTOCOL $server_protocol;
    fastcgi_param REMOTE_ADDR $remote_addr;
    fastcgi_param REMOTE_PORT $remote_port;
    fastcgi_param SERVER_ADDR $server_addr;
    fastcgi_param SERVER_PORT $server_port;
    fastcgi_param SERVER_NAME $server_name;
    fastcgi_param HTTPS $https;

    access_log /var/log/nginx/test.com.access.log;
    error_log /var/log/nginx/test.com.error.log;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~ /\. {
        deny all;
    }

    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }


    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/php-nginx/156327396130368.sock/socket;
    }

    location / {

        auth_basic off;
        try_files $uri $uri/ /index.php?$args;

    }


    listen x.x.x.x:443 ssl;
    ssl_certificate /home/test/ssl.cert;
    ssl_certificate_key /home/test/ssl.key;
    fastcgi_read_timeout 60;
}

PS: I'm using Virtualmin's preview site feature.

I tried adding auth_basic off to the default as well as the per-site config. It just wouldn't work.

Élisa Plessis

1 Answer

The directories we need to protect

The wp-includes directory will always be named that. The directories for uploads, themes and plugins are by default subfolders within wp-content (media, wp-content/themes and wp-content/plugins respectively), but may be moved elsewhere. The same goes for the wp-content directory itself.

Oh, and the access_log and log_not_found statements in the examples on this page are here just to not fill up our logs with crap requests. If you want to log the requests, remove the statements accordingly.

Block PHP files in the includes directory

This location should always be the same.

location ~* /wp-includes/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

Block PHP files in the content directory

This directory is by default /wp-content, but you can easily define it to be elsewhere, e.g. by simply setting the WP_CONTENT_DIR/WP_CONTENT_URL constants, so adjust the config accordingly.

location ~* /wp-content/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

Block PHP files in the uploads directory

The uploads directory may or may not be a subdirectory of wp-content and may or may not have been renamed to something entirely different. Adjust the config accordingly.

location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

The files part is for the default multisite/network path. You can remove it if you want to, but it doesn’t cause any harm to stay in there.

Plugin and theme directories

I think most people leave the themes and plugins directories as subdirectories within the content directory, but they can also easily be moved to somewhere else. You define the constant pair WP_PLUGIN_DIR/WP_PLUGIN_URL for plugins, and use the function register_theme_directory() for themes to do so. Add similar location blocks for plugins and themes if you have moved them out of the content directory as well.

If you haven’t tampered with the plugin or theme locations, skip this part.

If you moved the plugins dir to e.g. /modules:

location ~* /modules/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

If you moved the themes dir to e.g. /skins:

location ~* /skins/.*\.php$ {
    deny all;
    access_log off;
    log_not_found off;
}

If you use both, you should be able to combine them in the same way as we did with the upload folders above.

Block access to xmlrpc.php

If you don’t need XML-RPC (you most likely don’t – you only do if you use Jetpack or the WordPress phone app), you can block requests to it. Even though some people claim XML-RPC isn’t the culprit to the well-known attacks using it (notably people involved in services that use XML-RPC), it is beyond any doubt that you simply cannot be attacked through XML-RPC if you block it entirely. All XML-RPC requests are routed through the file xmlrpc.php:

location = /xmlrpc.php {
    deny all;
    access_log off;
    log_not_found off;
}

You have now reduced the public surface of your application, similar to standing sideways in a gunfight: your vulnerable surface that an attacker can hit is now much smaller.

Paulo Boaventura
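The deny blocks in the answer only work if nginx reaches them before its generic `location ~ \.php$` handler: nginx tries regex locations in the order they appear in the file and stops at the first match, while an exact `location =` wins outright. The following Python model (added here, not part of the question or the answer) replays that selection order over the blocks above with a few constructed request URIs, and also shows what the original unescaped `.*.php$` pattern matched that `.*\.php$` does not.

```python
import re

# Exact-match locations take precedence over every regex location.
EXACT_DENY = {"/xmlrpc.php"}

# Constructed list of the regex locations, in config-file order:
# (pattern, case-insensitive?, action). The deny blocks are listed
# before the PHP handler, which is the order the answer relies on.
REGEX_LOCATIONS = [
    (r"/\.", False, "deny"),                      # hidden files (.htaccess, .git, ...)
    (r"/wp-includes/.*\.php$", True, "deny"),
    (r"/wp-content/.*\.php$", True, "deny"),
    (r"/(?:uploads|files)/.*\.php$", True, "deny"),
    (r"\.php$", False, "fastcgi"),                # location ~ \.php$ -> fastcgi_pass
]

def route(uri, locations=REGEX_LOCATIONS):
    """Return the action nginx would take for a request URI.

    Location matching uses the normalized path only, so the query string
    is stripped first. If nothing matches, the request falls through to
    the prefix block "location /" (try_files)."""
    path = uri.split("?", 1)[0]
    if path in EXACT_DENY:
        return "deny"
    for pattern, icase, action in locations:
        if re.search(pattern, path, re.IGNORECASE if icase else 0):
            return action
    return "try_files"

def buggy_dot_matches(uri):
    """Compare the answer's original '/wp-includes/.*.php$' (unescaped dot,
    so '.' matches any character) with the corrected '.*\\.php$'.
    Returns (matches_loose_pattern, matches_strict_pattern)."""
    path = uri.split("?", 1)[0]
    loose = re.search(r"/wp-includes/.*.php$", path, re.I) is not None
    strict = re.search(r"/wp-includes/.*\.php$", path, re.I) is not None
    return loose, strict

if __name__ == "__main__":
    for u in ["/index.php", "/wp-includes/ms-files.php", "/wp-content/uploads/2019/x.php",
              "/files/a.php?b=1", "/xmlrpc.php", "/.htaccess", "/WP-INCLUDES/A.PHP",
              "/wp-includes/js/x.js", "/2019/hello-world/"]:
        print(f"{u:40} -> {route(u)}")
    # Same blocks with the PHP handler moved to the top: the deny rules never fire.
    misordered = [REGEX_LOCATIONS[-1]] + REGEX_LOCATIONS[:-1]
    print("misordered /wp-includes/ms-files.php ->", route("/wp-includes/ms-files.php", misordered))
```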