diff --git a/roles/nginx/templates/wordpress.j2 b/roles/nginx/templates/wordpress.j2
index 832c8f0..1bae75b 100644
--- a/roles/nginx/templates/wordpress.j2
+++ b/roles/nginx/templates/wordpress.j2
@@ -13,6 +13,13 @@
 # Add trailing slash to */wp-admin requests.
 rewrite /wp-admin$ $scheme://$host$uri/ permanent;
 
+ # Deny access to any files with a .php extension in the uploads directory
+ # Works in sub-directory installs and also in multisite network
+ # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+ location ~* /(?:uploads|files)/.*\.php$ {
+ deny all;
+ }
+
 # Yoast SEO plugin
 # https://yoast.com/wordpress/plugins/seo/
 rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
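Review bot: The new `location ~* /(?:uploads|files)/.*\.php$` block only takes effect if it is the first regex location that matches, because nginx evaluates regex locations in configuration order and stops at the first hit; the template's PHP handler location is outside this hunk, so please confirm it appears after this block (and that no `^~` prefix location captures the uploads path first), otherwise the deny never fires. The `$` anchor also leaves a gap if the handler accepts path-info style URIs (a pattern like `\.php(/|$)` is common for that): a request with a trailing path segment after `.php` would miss this rule while still reaching the handler, so the deny pattern should be at least as broad as the handler's, e.g. `location ~* /(?:uploads|files)/.*\.php(?:$|/) {`. It would help to record that ordering constraint in the template itself, e.g. `# Must precede the \.php$ fastcgi location: nginx uses the first matching regex location`. The enclosing server block starts and ends outside the hunk.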