I found this snippet on the net and I really like the idea:
```nginx
# Security: deny access to any files with a .php extension in
# WP upload directory.
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}
```
Googling around I found several other alternatives but they don't seem to work: I copied a simple info.php containing only phpinfo(); into wp-content/uploads/ and it still gets executed even after restarting nginx.
Any ideas? I think this could be extended to also prevent loading php from within say wp-conte wp-includes folder, right?
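
A likely cause, shown as an added example that is not part of the original post: nginx tests regex locations in the order they appear in the configuration and uses the first one that matches, so the deny block only takes effect if it is listed before the generic `\.php$` handler. The surrounding server block is an assumed typical WordPress setup; the server name, root and PHP-FPM socket path are placeholders.

```nginx
# Added example, not the poster's configuration.
server {
    listen 80;
    server_name example.com;          # placeholder
    root /var/www/example;            # placeholder
    index index.php;

    # Regex locations are checked top to bottom and the first match wins,
    # so the deny rule must come BEFORE the generic PHP handler below.
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Generic PHP handler. If this block were listed above the deny rule,
    # it would match /wp-content/uploads/info.php first and the request
    # would be passed to PHP-FPM instead of being refused.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

After `nginx -t` passes and the configuration is reloaded, a request for `/wp-content/uploads/info.php` should return 403. If it still executes, check that the edited file is the one actually included for the server block that serves the site.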