server { listen 80; server_name _; root /var/www/html; index index.php; client_max_body_size 64M; # Security headers add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header Referrer-Policy strict-origin-when-cross-origin; location / { try_files $uri $uri/ /index.php?$args; } location ~ \.php$ { fastcgi_pass wordpress:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; fastcgi_read_timeout 300; fastcgi_buffers 16 16k; fastcgi_buffer_size 32k; } # WordPress uploads location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; try_files $uri =404; } # Block sensitive files location ~ /\.(ht|git|env) { deny all; } location = /xmlrpc.php { deny all; } location /wp-json/ { try_files $uri $uri/ /index.php?$args; } }