From 243746e96f35fe8d052f6c60ce2991555ef47634 Mon Sep 17 00:00:00 2001
From: Altan Sarisin
Date: Wed, 12 Nov 2025 23:59:39 +0100
Subject: [PATCH 1/2] feat(plugins): deny access to .txt and .md files
---
 .../wordpress-setup/templates/wordpress-site.conf.j2 | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
index c792f77ef..cea0f5811 100644
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -170,6 +170,17 @@ server {
 }
 {% endblock %}
+ {% block plugin_docs_files -%}
+ # Block .txt and .md files in plugins and mu-plugins directories to prevent version disclosure
+ location ~* /plugins/.+\.(txt|md)$ {
+ deny all;
+ }
+
+ location ~* /mu-plugins/.+\.(txt|md)$ {
+ deny all;
+ }
+ {% endblock %}
+
 {% block location_primary -%}
 location / {
 try_files $uri $uri/ /index.php?$args;
From 9938144517020d14d13e0443808ab8a5aabb927b Mon Sep 17 00:00:00 2001
From: Altan Sarisin
Date: Tue, 18 Nov 2025 11:11:26 +0100
Subject: [PATCH 2/2] feat: improve docs file blocking for plugins and themes
---
 roles/wordpress-setup/templates/wordpress-site.conf.j2 | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
index cea0f5811..300a4265c 100644
--- a/roles/wordpress-setup/templates/wordpress-site.conf.j2
+++ b/roles/wordpress-setup/templates/wordpress-site.conf.j2
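Review bot: `deny all;` in both locations added by patch 1/2 answers 403, which still confirms to the client that a readme or changelog exists at that plugin path, so which plugins are installed stays observable even though the version text is hidden. Replacing it with `return 404;` makes a blocked file indistinguishable from an absent one. The same `deny all;` line is kept as context in patch 2/2, so the point carries over to the final `plugin_theme_docs_files` block. The enclosing `server` block starts and ends outside the hunk.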
@@ -170,13 +170,9 @@ server {
 }
 {% endblock %}
- {% block plugin_docs_files -%}
- # Block .txt and .md files in plugins and mu-plugins directories to prevent version disclosure
- location ~* /plugins/.+\.(txt|md)$ {
- deny all;
- }
-
- location ~* /mu-plugins/.+\.(txt|md)$ {
+ {% block plugin_theme_docs_files -%}
+ # Block .txt and .md files in plugins, mu-plugins, and themes directories to prevent version disclosure
+ location ~* /app/(plugins|mu-plugins|themes)/.+\.(txt|md)$ {
 deny all;
 }
 {% endblock %}
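Review bot: The new `location ~* /app/(plugins|mu-plugins|themes)/.+\.(txt|md)$` is a regex location, so it only takes effect when no earlier regex location and no `^~` prefix location in the rendered server block claims the URI first. The rest of the template is outside the hunk, so it is worth confirming that nothing above this block, such as a static-asset rule that lists `txt`, matches these paths. The pattern also narrows the patch 1/2 match to a hard-coded `/app/` prefix, so a site whose content directory is served under a different path would lose the protection. If that layout is guaranteed by the role, a comment such as `# Assumes the content directory is served under /app/` would record the assumption. The enclosing `server` block starts and ends outside the hunk.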