Which "try_files" nginx directive is best for the zero-day exploit?

cortopy asked:

So far I have been using the following in the php location of my nginx config files

try_files $uri $uri/ /index.php?$query_string;

However, I just saw in the WordPress Codex guide that for the zero-day exploit the following should be used:

try_files $uri =404;

What are the differences between the two in terms of security?

My answer:


You use both, but in different locations.

The first try_files goes in your location / and handles all requests coming into the server. It has nothing to do with security, and is a pretty common setup.

The second try_files goes in the PHP location and prevents the attack. Note that this requires that nginx and PHP be reading the same files, on the same server.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.