Raise WordPress upload limits and prevent false-positive upload 403s#33
Merged
Conversation
Copilot
AI
changed the title
Raise nginx upload body-size limits for WordPress plugins and media
Raise WordPress upload limits: nginx body-size + PHP-FPM per-directory overrides
Jun 13, 2026
Copilot created this pull request from a session on behalf of
MaximillianGroup
June 13, 2026 21:33
View session
MaximillianGroup
approved these changes
Jun 19, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Raises WordPress upload limits end-to-end by aligning PHP-FPM per-directory upload caps with the (per-route) Nginx request body limits, addressing 413s and PHP’s default 2M upload ceiling.
Changes:
- Add PHP-FPM per-directory overrides via a new
var/www/html/.user.ini. - Set
upload_max_filesize/post_max_sizeto support larger plugin and media uploads.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com>
Contributor
|
@copilot - this solution will not solve the 403 error. The user upload limits is 120M already. This is not a solution |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com>
Contributor
Author
Updated in |
Copilot
AI
changed the title
Raise WordPress upload limits: nginx body-size + PHP-FPM per-directory overrides
Raise WordPress upload limits and prevent false-positive upload 403s
Jun 19, 2026
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com>
MaximillianGroup
approved these changes
Jun 19, 2026
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com>
MaximillianGroup
approved these changes
Jun 19, 2026
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com>
Comment on lines
+32
to
+33
| upload_max_filesize = 95M | ||
| post_max_size = 100M |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Max Barrett <34328348+MaximillianGroup@users.noreply.github.com>
MaximillianGroup
approved these changes
Jun 19, 2026
Comment on lines
+32
to
+33
| upload_max_filesize = 95M | ||
| post_max_size = 100M |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uploading large plugins (e.g. Gutenberg at ~35 MB) returned
413 Request Entity Too Largefrom nginx because/wp-admin/update.phpinherited the global10mdefault. PHP-FPM'supload_max_filesizedefaulted to2M, silently blocking media uploads that nginx would otherwise pass. Upload handlers were also returning403in some valid cases due to$block_reasonUA/geo checks.nginx (
nginx/snippets/spx-upload-limits.conf)Per-route
client_max_body_sizeoverrides, included by the HTTPS vhost:/wp-admin/update.php64m— plugin/theme ZIPs/wp-admin/async-upload.php100m— media library uploader/wp-json/wp/v2/media100m— REST API media endpointAll values stay at or below Cloudflare's 100 MB per-request cap. Global default remains
10m.Upload routes now bypass soft UA/geo
$block_reasonfalse-positive checks but still enforce hard malicious-signature blocks via$hard_block_reason(fromnginx/conf.d/spx-bot-mitigation-logic.conf). Method restrictions and rate limiting remain in place, and upload authorization is still enforced by WordPress.PHP-FPM (
var/www/html/.user.ini) — new filePHP-FPM scans
.user.inifrom the document root for every request.upload_max_filesize/post_max_sizearePHP_INI_PERDIRand cannot be set viaini_set()at runtime.Direct web access is blocked by perimeter dotfile deny rules.