So far I have been using the following in the PHP location of my nginx config files:
try_files $uri $uri/ /index.php?$query_string;
However, I just saw in the WordPress Codex guide that for the zero-day exploit the following should be used:
try_files $uri =404;
What are the differences between the two in terms of security?
You use both, but in different locations.
try_files $uri $uri/ /index.php?$query_string; goes in your location / and handles all requests coming into the server. It has nothing to do with security, and is a pretty common setup.
try_files $uri =404; goes in the PHP location and prevents the attack. Note that this requires that nginx and PHP be reading the same files, on the same server.
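Both directives placed as the answer describes, shown as an added example that is not part of the original answer. The server_name, root and PHP-FPM socket path are placeholder assumptions, and the fastcgi lines are a typical handler setup rather than anything taken from the page.

```nginx
server {
    listen 80;
    server_name example.test;        # placeholder (assumption)
    root /var/www/example;           # placeholder (assumption)
    index index.php;

    # Routing only: serve the file or directory if it exists,
    # otherwise fall back to the front controller.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # PHP handler: nginx checks that the requested .php path is a real
    # file under root and answers 404 itself when it is not, so only
    # scripts that actually exist are ever handed to PHP.
    location ~ \.php$ {
        try_files $uri =404;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder (assumption)
    }
}
```

The existence check runs against the filesystem nginx sees, which is why the answer's caveat matters: if PHP runs on another host or reads a different directory tree, try_files $uri =404; is not testing the files PHP will execute.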
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.