# try for WordPress index.php in /
    # fall back to index.php + args (passed to php-fpm later)
    # also serves static files from the disk instead of passing to interpreter.
    location / {
        try_files $uri $uri/ /index.php?$args;

        {% if enable_hsts == true %}
        # Enable this if you want HSTS (recommended, but be careful)
        # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
        # See: https://hstspreload.appspot.com/
        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
        {% endif %}
    }

    location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
        add_header Cache-Control "max-age=604800";

        {% if enable_hsts == true %}
        # Enable this if you want HSTS (recommended, but be careful)
        # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
        # See: https://hstspreload.appspot.com/
        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
        {% endif %}
    }   

    # Add trailing slash to */wp-admin requests.
    rewrite /wp-admin$ $scheme://$host$uri/ permanent;

    # Deny access to any files with a .php extension in the uploads directory
    # Works in sub-directory installs and also in multisite network
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~* /(?:uploads|files)/.*\.php$ {
        deny all;
    }