# allow tinymce
location = /wp-includes/js/tinymce/wp-tinymce.php {
	include _php_fastcgi.conf;
}

# wp-content, wp-includes php files
location ~* ^/(wp-content|wp-includes)/.*\.php$ {
	deny all;
}

# wp-content/uploads nasty stuff
location ~* ^/wp-content/uploads/.*\.(html|htm|shtml|php|js|swf|css)$ {
	deny all;
}

# wp-content/plugins nasty stuff
location ~* ^/wp-content/plugins/.*\.(?!jpe?g|gif|png|svg|heic|js|css) {
	deny all;
}

# WordPress stuff
location ~* ^/(xmlrpc\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
	deny all;
}<span ng-if="data.limit_req">

# wp-login.php throttle
location = /wp-login.php {
	limit_req zone=login burst=2 nodelay;
	include _php_fastcgi.conf;
}</span>