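##
# Hardening rules for a WordPress-style site. Place them inside the server {}
# block ABOVE the generic PHP handler (e.g. "location ~ \.php$"): nginx tests
# regex locations in the order they appear and stops at the first match, so a
# rule listed after the handler never runs for .php requests.
# Every rule answers with 418 rather than 403/404; account for that status in
# access-log monitoring and alerting.
##

##
# Deny access to any files with a .php extension in any uploads / files directory
# add more folder names to protect as you like
# The pattern also covers "/uploads/x.php/extra" so that a PHP handler which
# accepts PATH_INFO cannot be reached through a trailing path segment.
# NOTE(review): if the PHP handler also maps other extensions (.phtml, .phar,
# ...) list them here too - confirm against the handler's location block.
##
location ~* /(?:uploads|files)/.*\.php(?:/|$) {
    return 418;
}

##
# Block attempts to access PHPMyAdmin.
# If you use phpmyadmin, DO NOT activate this rule !!!
# NOTE(review): the original header said "Disabled by default", but the rule
# is live as written; comment it out if phpMyAdmin or a legitimate
# "administrator" path is served from this host.
# The leading "." matches any single character and the pattern is unanchored,
# so any URI containing either word after its first character is rejected.
# "~*" is already case-insensitive, so no per-letter case classes are needed.
##
location ~* .(?:administrator|phpmyadmin) {
    return 418;
}

##
# Protect any config files in your web root
# Dots are escaped so they match a literal "." only. The pattern is left
# unanchored at the end on purpose: backup copies such as wp-config.php.bak
# are rejected as well.
##
location ~* /(?:wp-config\.php|nginx\.conf|wp-config-sample\.php) {
    return 418;
}

##
# Block access to anything non image/video/music/document related from your uploads folder.
# The dot before the extension is escaped; unescaped it matched any character.
##
location ~* ^/wp-content/uploads/.*\.(?:asp|cgi|htm|html|js|jsp|php|pl|py|sh|shtml|swf)$ {
    return 418;
}

##
# Disallows Access to plugin or theme readme files
# Also helps block Wordpress Theme Detectors
# This applies to every .txt file below /wp-content/, including .txt documents
# stored in uploads.
##
location ~* /wp-content/.*\.txt$ {
    return 418;
}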