Working nginx server section for wordpress

Around the web there are many nginx server sections examples or parts of such for wordpress. Below is a working one for ubuntu 16.04 with some extras added (the real domain name is replaced with site.com):

server {
        server_name site.com www.site.com;

        access_log /var/log/nginx/site.access.log;
        error_log /var/log/nginx/site.error.log;

        root /srv/httpd/www/site.com;
        index index.php index.html;

        #error_page   404  /404.html;
        #error_page   403  /403.html;
        
        #location =/xmlrpc.php {
        #        deny all;
        #}

        #location /wp-json {
        #        deny all;
        #}

        location ~ /\.ht {
                deny all;
        }
        
        location ~ ^/\.user\.ini {
                deny all;
        }

        location / {
                try_files $uri $uri/ /index.php$is_args$args;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass 127.0.0.1:9000;
        }

        rewrite ^/sitemap.xml$ /index.php?aiosp_sitemap_path=root last;
        rewrite ^/sitemap_(.+)_(\d+).xml$ /index.php?aiosp_sitemap_path=$1&aiosp_sitemap_page=$2 last;
        rewrite ^/sitemap_(.+).xml$ /index.php?aiosp_sitemap_path=$1 last;
}

It’s very basic but working. Skipping the regular sections for sending the php traffic to the running php-fpm (on 127.0.0.1:9000), let’s go through some of the interesting parts.

If you want to use custom 404 (not found) and 403 (forbidden) pages then uncomment these two lines:

        #error_page   404  /404.html;
        #error_page   403  /403.html;

If you don’t need wordpress xml-rpc or json API support (for instance you won’t be posting from the wordpress mobile app), you might want to block all traffic to those by uncommenting these:

        #location =/xmlrpc.php {
        #        deny all;
        #}

        #location /wp-json {
        #        deny all;
        #}

This below is basically protecting all apache .htaccess/.htpasswd files in case you copied such from an apache wordpress installation:

        location ~ /\.ht {
                deny all;
        }

Do you use the Wordfence Security wordpress plugin? If yes is your answer then you highly likely need this as well:

        location ~ ^/\.user\.ini {
                deny all;
        }

And at the end there are the All in One SEO plugin rewrites required fro dynamic sitemaps:

        rewrite ^/sitemap.xml$ /index.php?aiosp_sitemap_path=root last;
        rewrite ^/sitemap_(.+)_(\d+).xml$ /index.php?aiosp_sitemap_path=$1&aiosp_sitemap_page=$2 last;
        rewrite ^/sitemap_(.+).xml$ /index.php?aiosp_sitemap_path=$1 last;

This is more than needed for a working wordpress over http.