wordpress-skeleton/nginx/wordpress

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	root /var/www/html/wordpress;

	index index.php index.html index.htm index.nginx-debian.html;

        # We will come back to this later when we configure Certbot for HTTPS, but for now, a catch-all is fine
	server_name _;

        # Change this to a more rational value if you want an actual limit
	client_max_body_size 999G;

	location / {
		try_files $uri $uri/ /index.php?$args;
	}

	# pass PHP scripts to FastCGI server
	#
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_intercept_errors on;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		include fastcgi_params;
		fastcgi_pass unix:/run/php/php-fpm.sock;
		add_header X-Content-Type-Options nosniff;
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Permitted-Cross-Domain-Policies none;
		add_header X-Frame-Options "SAMEORIGIN";
	}

	# Don't log access to favicon.ico and robots.txt
	location = /favicon.ico {
		log_not_found off;
		access_log off;
	}

	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}
	
	# Deny access to hidden files
	location ~ /\.ht {
		deny all;
	}
	
	# Prevent PHP from running from upload directories
	location ~* /(?:uploads|files)/.*\.php$ {
		deny all;
	}

	# Caching and gzip configuration, change as you see fit
	location ~* \.(jpg|jpeg|gif|png|webp|svg|woff|woff2|ttf|css|js|ico|xml)$ {
		expires 30d;
		log_not_found off;
	}

    # Most stuff should already be covered under gzip_types, but you can add or remove as needed
	gzip on;
	gzip_vary on;
	gzip_min_length 1000;
	gzip_types
		text/plain
		text/css
		text/javascript
		application/javascript
		application/x-javascript
		application/json
		application/xml
		application/rss+xml
		application/atom+xml
		application/xhtml+xml
		image/svg+xml
		image/x-icon
		font/ttf
		font/otf
		font/woff
		font/woff2
		application/vnd.ms-fontobject;
	gzip_proxied any;

}