# Deny access to any files with a .php extension in the files directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:files)/.*\.php$ {
	deny all;
}

location ~ ^/([^/]+/)?files/(.+) {
	try_files /wp-content/blogs.dir/0/files/$2 /wp-includes/ms-files.php?file=$2;
	access_log off;
	log_not_found off;
	expires 5m;
}

if (!-e $request_filename) {
	rewrite /wp-admin$ $resolved_scheme://$host$uri/ permanent;
	rewrite ^(/[^/]+)?(/wp-.*) $2 last;
	rewrite ^(/[^/]+)?(/.*\.php) $2 last;
}

location / {
	try_files $uri $uri/ /index.php$is_args$args;
}

# Add trailing slash to */wp-admin requests.
rewrite ^(.*)(wp-admin)$ $1$2/ permanent;