Hi all,

I'm using a pretty simple WordPress nginx config that is documented on the WordPress codex.

http://codex.wordpress.org/Nginx

All works fine except for 1 critical aspect.

The config uses a restrictions.conf which has some fairly simple rules for blocking unauthorized access to specific files and file patterns like the following:

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}


What I've found is rather than actually denying requests, raw php files are being served up via nginx - which is very odd.

Any ideas why this would be happening?

Ed