Last active
September 26, 2025 20:05
Reduce Bot Traffic with nginx.conf
```nginx
server {
    # Block traffic with no user agent - see comments
    # if ($http_user_agent = "") {
    #     return 403;
    # }

    # Block traffic with - user agent
    if ($http_user_agent = "-") {
        return 403;
    }

    # Block binary protocol attacks
    if ($request_uri ~* "(%00|\\x[0-9a-fA-F]{2})") {
        return 403;
    }

    # Block hex-encoded attacks
    if ($args ~* "(%00|\\x[0-9a-fA-F]{2})") {
        return 403;
    }

    # Block WordPress paths
    location ~* (wp-includes|wp-admin|wp-content) {
        return 403;
    }

    # Craft CMS for reference
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}
```
Author
Also with NGINX, a 444 response is a non-standard code that may offer slightly better performance than 403.
A note about a potential issue with blocking empty user agent strings (from Craft Discord).
By default, php.ini does not set a user-agent string, so if you have anything locally using PHP curl commands to hit anything on your own site, it will have an empty user agent string, for example.
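The two comments above (444 instead of 403, and the empty user agent caveat) can be combined in one configuration. This is an added example, not part of the gist: the variable names `$from_loopback` and `$drop_by_ua` and the host `example.test` are hypothetical, and it assumes local PHP curl jobs reach the site over 127.0.0.1 or ::1.

```nginx
# Added example, not the gist author's configuration.
# The geo and map blocks belong in the http {} context.

# Assumption: local tooling (cron jobs, PHP curl) connects over loopback.
# If it connects via the server's public address, list that address here too.
geo $from_loopback {
    default    0;
    127.0.0.1  1;
    ::1        1;
}

# Key is "<loopback flag>:<User-Agent header>".
map "$from_loopback:$http_user_agent" $drop_by_ua {
    default  0;
    "0:"     1;   # empty or missing User-Agent from a non-loopback client
    "0:-"    1;   # literal "-" User-Agent, as in the gist
    "1:-"    1;   # same rule for loopback; only the empty case is exempt
}

server {
    listen 80;
    server_name example.test;   # placeholder host

    # 444 is nginx-specific: the connection is closed and no response is sent.
    if ($drop_by_ua) {
        return 444;
    }

    # WordPress paths, as in the gist, answered with 444 instead of 403
    location ~* (wp-includes|wp-admin|wp-content) {
        return 444;
    }

    # Craft CMS front controller, unchanged from the gist
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }
}
```

Requests closed with 444 still appear in the access log with status 444, so the effect of each rule can be measured by filtering on that status together with `$http_user_agent`.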