server { listen 80; server_name {{ domain_name }}; root /var/www/html; index index.php index.html index.htm; # Sicherheits-Headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; # Gzip-Kompression gzip on; gzip_vary on; gzip_min_length 1024; gzip_proxied expired no-cache no-store private auth; gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/javascript application/xml+rss application/json; # WordPress-spezifische Regeln location / { try_files $uri $uri/ /index.php?$args; } # PHP-Dateien verarbeiten location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php8.4-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } # WordPress-Admin-Bereich optimieren location ~ ^/wp-admin/(.*)$ { try_files $uri $uri/ /wp-admin/index.php?$args; } # Statische Dateien cachen location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; access_log off; } # WordPress-Uploads-Verzeichnis location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf)$ { expires 1y; add_header Cache-Control "public"; } # Sensible Dateien blockieren location ~* /(?:uploads|files)/.*\.php$ { deny all; } location ~ /\. { deny all; access_log off; log_not_found off; } location ~ ~$ { access_log off; log_not_found off; deny all; } # wp-config.php schützen location ~ wp-config.php { deny all; } # xmlrpc.php begrenzen (gegen Brute-Force) location = /xmlrpc.php { deny all; access_log off; log_not_found off; } # Logs access_log /var/log/nginx/wordpress_access.log; error_log /var/log/nginx/wordpress_error.log; }