server { listen 80; server_name {{ domain_name | default('_') }}; root {{ wordpress_path }}; index index.php index.html index.htm; # Logging access_log {{ log_dir }}/nginx/wordpress_access.log; error_log {{ log_dir }}/nginx/wordpress_error.log; # WordPress specific rules location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { fastcgi_pass unix:{{ php_fpm_socket }}; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; # Security fastcgi_hide_header X-Powered-By; } # Deny access to hidden files location ~ /\. { deny all; access_log off; log_not_found off; } # WordPress uploads location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { expires 1y; add_header Cache-Control "public, immutable"; access_log off; } # WordPress security location ~* ^/(wp-config\.php|wp-config-sample\.php|readme\.html|license\.txt)$ { deny all; access_log off; log_not_found off; } # Deny access to any files with a .php extension in the uploads directory location ~* /(?:uploads|files)/.*\.php$ { deny all; access_log off; log_not_found off; } # WordPress REST API and XMLRPC protection location = /xmlrpc.php { deny all; access_log off; log_not_found off; } # Block access to wp-includes folders and files location ~* ^/wp-includes/.*.php$ { deny all; access_log off; log_not_found off; } # Block wp-content/uploads php files location ~* ^/wp-content/uploads/.*.php$ { deny all; access_log off; log_not_found off; } }