# Global restrictions configuration file.
# Designed to be included in any server {} block.

# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac), .git.
location /.git { deny all; }
location /.htaccess { deny all; }
location /.htpasswd { deny all; }
location /.user.ini { deny all; }
# this actually covers every dot file, except what follows below it (ex: CertBot)
location ~ ^/\. { deny all; }

# but allow CertBot - see http://stackoverflow.com/a/34262192
location ^~ /.well-known/acme-challenge {
    auth_basic off;
    try_files $uri =404;
    expires -1;
}

# Deny access to any files with a .php extension in the uploads directory
location ~* /uploads/.*\.php$ { deny all; }

# Deny access to any files with a .php extension in the uploads directory for multisite
location ~* /files/.*\.php$ { deny all; }

# Since version 2.5.7, Akismet introduced a new .htaccess file to block direct access to php files
# Ref: http://wordpress.org/extend/plugins/akismet/changelog/
location ~* /akismet/.*\.php$ { deny all; }

# Restrict direct access to cached content
location /wp-content/cache/ { deny all; }

# Deny access to backup files!
location ~ ~$ { deny all; }