Nginx configuration file to be included with WordPress. Covers all major cases for 2021.

wp-common.conf

# WordPress COMMON SETTINGS - WordOps 3.13.2
# DO NOT MODIFY, ALL CHANGES WILL BE LOST AFTER AN WordOps (wo) UPDATE
# Limit access to avoid brute force attack

#Yoast SEO Sitemaps
location ~ ([^/]*)sitemap(.*).x(m|s)l$ {
  ## this rewrites sitemap.xml to /sitemap_index.xml
  rewrite ^/sitemap.xml$ /sitemap_index.xml permanent;
  ## this makes the XML sitemaps work
  rewrite ^/([a-z]+)?-?sitemap.xsl$ /index.php?yoast-sitemap-xsl=$1 last;
  rewrite ^/sitemap_index.xml$ /index.php?sitemap=1 last;
  rewrite ^/([^/]+?)-sitemap([0-9]+)?.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
  ## The following lines are optional for the premium extensions
  ## News SEO
  rewrite ^/news-sitemap.xml$ /index.php?sitemap=wpseo_news last;
  ## Local SEO
  rewrite ^/locations.kml$ /index.php?sitemap=wpseo_local_kml last;
  rewrite ^/geo-sitemap.xml$ /index.php?sitemap=wpseo_local last;
  ## Video SEO
  rewrite ^/video-sitemap.xsl$ /index.php?yoast-sitemap-xsl=video last;
}

# Disable wp-config.txt
location = /wp-config.txt {
    deny all;
    access_log off;
    log_not_found off;
}

location = /robots.txt {
# Some WordPress plugin gererate robots.txt file
# Refer #340 issue
    try_files $uri $uri/ /index.php?$args @robots;
    access_log off;
    log_not_found off;
}
# fallback for robots.txt with default wordpress rules
location @robots {
    return 200 "User-agent: *\nDisallow: /wp-admin/\nAllow: /wp-admin/admin-ajax.php\n";
}
# webp rewrite rules for jpg and png images
# try to load alternative image.png.webp before image.png
location /wp-content/uploads {
    location ~ \.(png|jpe?g)$ {
        add_header Vary "Accept-Encoding";
        more_set_headers 'Access-Control-Allow-Origin : *';
        more_set_headers  "Cache-Control : public, no-transform";
        access_log off;
        log_not_found off;
        expires max;
        try_files $uri$avif_suffix $uri$webp_suffix $uri =404;
    }
    location ~* \.(php|gz|log|zip|tar|rar|xz)$ {
        #Prevent Direct Access Of PHP Files & Backups from Web Browsers
        deny all;
    }
    # Try to load .pdf files through WordPress
    location ~ \.(pdf)$ {
        log_not_found off;
        try_files $uri $uri/ /index.php?$args;
    }
}
# webp rewrite rules for EWWW testing image
location /wp-content/plugins/ewww-image-optimizer/images {
    location ~ \.(png|jpe?g)$ {
        add_header Vary "Accept-Encoding";
        more_set_headers 'Access-Control-Allow-Origin : *';
        more_set_headers  "Cache-Control : public, no-transform";
        access_log off;
        log_not_found off;
        expires max;
        try_files $uri$avif_suffix $uri$webp_suffix $uri =404;
    }
    location ~ \.php$ {
    #Prevent Direct Access Of PHP Files From Web Browsers
        deny all;
    }
}
# enable gzip on static assets - php files are forbidden
location /wp-content/cache {
# Cache css & js files
    location ~* \.(?:css(\.map)?|js(\.map)?|.html)$ {
        more_set_headers 'Access-Control-Allow-Origin : *';
        access_log off;
        log_not_found off;
        expires 30d;
    }
    location ~ \.php$ {
        #Prevent Direct Access Of PHP Files From Web Browsers
        deny all;
    }
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}
# mitigate DoS attack CVE with WordPress script concatenation
# add the following line to wp-config.php
# define( 'CONCATENATE_SCRIPTS', false );
location ~ \/wp-admin\/load-(scripts|styles).php {
    deny all;
}
# Protect Easy Digital Download files from being accessed directly.
location ~ ^/wp-content/uploads/edd/(.*?)\.zip$ {
    rewrite / permanent;
}