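server {
    listen 80;
    server_name mydomain.com www.mydomain.com;
    root /path/to/document/root;
    index index.php index.html;

    error_page 404 /404.html;
    location /404.html { internal; }

    error_log /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;

    # Regex locations ("~" / "~*") are tested in the order written and the first
    # match wins, so every deny/return rule below must stay above the generic
    # "\.php$" handler at the end of this block.

    # Disable hotlinking. The dot is escaped so the pattern matches an extension
    # rather than any character. "none" and "blocked" keep direct requests and
    # clients whose proxy strips the Referer working; "server_names" covers the
    # bare domain, which "*.mydomain.com" alone does not match.
    location ~ \.(gif|png|jpe?g)$ {
        valid_referers none blocked server_names *.mydomain.com;
        if ($invalid_referer) {
            return 403;
        }
    }

    # No other file types than pictures are allowed in uploads
    location ~* /(?:uploads|files)/.*\.(html|htm|shtml|php|js|swf|py|jsp|asp|sh|cgi)$ {
        deny all;
    }

    # Deny access to hidden files (.git, .htaccess, .env, ...)
    location ~ /\. {
        deny all;
    }

    # Allow access to robots.txt from everywhere
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Allow only GET, POST and HEAD; 444 closes the connection without a response
    if ($request_method !~ ^(GET|POST|HEAD)$ ) {
        return 444;
    }

    # Deny access to includes
    location ~* wp-admin/includes {
        deny all;
    }
    location ~* wp-includes/theme-compat/ {
        deny all;
    }
    location ~* wp-includes/js/tinymce/langs/.*\.php {
        deny all;
    }
    # NOTE(review): this is a prefix location, so it only applies when no regex
    # location matched. Static assets under /wp-includes/ (js, css) end up here
    # and become unreachable for browsers, while /wp-includes/*.php still reaches
    # the "\.php$" handler below -- confirm this is the intended split.
    location /wp-includes/ {
        internal;
    }

    # Disable execution of scripts in your document root
    location ~* \.(pl|cgi|py|sh|lua|asp)$ {
        return 444;
    }

    # Disable access to configuration and other files
    location ~* /(wp-config\.php|readme\.html|license\.txt|nginx\.conf) {
        deny all;
    }

    # Redirect wordpress administration to HTTPS
    location ~ /wp-(?:admin|login) {
        return 301 https://$host$request_uri;
    }

    # Wordpress permalinks
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Prevent brute force attacks on wp-login.php.
    # "zone=one" must be declared with limit_req_zone in the http context (not
    # part of this block).
    # NOTE(review): an exact-match ("=") location takes precedence over the regex
    # redirect above, so /wp-login.php is served over plain HTTP on this
    # listen-80 server instead of being redirected -- confirm whether the rate
    # limit should live in the HTTPS server block instead.
    location = /wp-login.php {
        limit_req zone=one burst=1 nodelay;
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }

    # pass php to php-fpm
    location ~ \.php$ {
        # Refuse to hand non-existent script paths to PHP-FPM; without this,
        # a request such as /image.jpg/x.php may be executed as PHP when
        # cgi.fix_pathinfo is enabled in php.ini -- check that setting too.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
    }
}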