I added this code Defender suggested.
For NGINX servers:
Copy the generated code into your site-specific .conf file, usually located in a subdirectory under /etc/nginx/… or /usr/local/nginx/conf/…
Add the code above inside the server section in the file, right before the php location block. Looks something like:
location ~ \.php$ {
Reload NGINX.
## WP Defender – Prevent PHP Execution ##
# Stop php access except to needed files in wp-includes
location ~* ^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$ {
    internal; # internal allows ms-files.php rewrite in multisite to work
}
# Specifically locks down upload directories in case full wp-content rule below is skipped
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}
# Deny direct access to .php files in the /wp-content/ directory (including sub-folders).
# Note this can break some poorly coded plugins/themes, replace the plugin or remove this block if it causes trouble
location ~* ^/wp-content/.*\.php$ {
    deny all;
}
## WP Defender – End ##
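Why the instructions say to place the rules right before the php location block: nginx tests regex locations in the order they appear in the file and uses the first one that matches. The following is an added example, not part of the original post or of Defender's generated code; it models only that first-match rule in Python, assumes the existing PHP handler is `location ~ \.php$`, and uses constructed request paths.

```python
import re

# The three Defender rules from the post, in file order, with the dot
# before "php" escaped as \. ; "~*" in nginx means case-insensitive.
DEFENDER_RULES = [
    (r"^/wp-includes/.*(?<!(js/tinymce/wp-tinymce))\.php$", "internal -> 404"),
    (r"/(?:uploads|files)/.*\.php$", "deny all -> 403"),
    (r"^/wp-content/.*\.php$", "deny all -> 403"),
]
# Assumed generic PHP handler block ("~" is case-sensitive).
PHP_HANDLER = (r"\.php$", "passed to PHP")


def build(defender_first=True):
    """Return the regex locations in file order for the chosen placement."""
    rules = [(re.compile(p, re.IGNORECASE), a) for p, a in DEFENDER_RULES]
    handler = [(re.compile(PHP_HANDLER[0]), PHP_HANDLER[1])]
    return rules + handler if defender_first else handler + rules


def route(uri, locations):
    """Return the action of the first regex location that matches the URI."""
    for pattern, action in locations:
        if pattern.search(uri):
            return action
    return "no regex location matched"


# Constructed sample request paths.
SAMPLES = [
    "/index.php",
    "/wp-includes/version.php",
    "/wp-includes/js/tinymce/wp-tinymce.php",
    "/wp-content/uploads/2024/avatar.php",
    "/wp-content/plugins/foo/bar.php",
    "/wp-content/uploads/2024/photo.jpg",
]

if __name__ == "__main__":
    for label, first in (("Defender rules first", True), ("PHP handler first", False)):
        print(label)
        for uri in SAMPLES:
            print(f"  {uri:45} {route(uri, build(first))}")
```

With the PHP handler placed first, every `.php` request in the samples reaches PHP and the Defender rules never apply.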