Hi Francis,
After some testing I use these rules now. They are working fine in my environment.
**Nginx Site Config /etc/nginx/sites-available/default :**
```nginx
map $request_uri $bit_of_qs {
    default "";
    ~/(?P<name>.*)\.html $name;
}
...
server {
    ...
    location ^~ /config/phpwcms/ { deny all; }
    location ^~ /filearchive/ { deny all; }
    location ^~ /upload/ { deny all; }
    location ~ /\. { access_log off; log_not_found off; deny all; }
    location / {
        try_files $uri @phpwcms;
    }
    location @phpwcms {
        fastcgi_pass unix:/var/run/php5-fpm/default.sock;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_param QUERY_STRING $bit_of_qs&$query_string;
    }
    location ~* ^.+\.php$ { return 404; }
    ...
}
```
I hope these rules will catch all the following needs.
1. Deny access to folders /config/phpwcms, /filearchive, /upload
2. Deny all hidden files
3. Rewrite /index.php...
4. Ignore and do not show any other PHP file in the root folder or any other subfolder to the internet
Is there something that should be improved?
One thing that still happens is the following error message. No idea what "undefined constant Y" means.
**Nginx Error Log**
```
[error] 2798#0: *14 FastCGI sent in stderr: "PHP message: PHP Notice: Use of undefined constant Y - assumed 'Y' in /xxx/xxx/xxx/xxx/public_html/include/inc_front/front.func.inc.php(2287) : eval()'d code on line 1" while reading response header from upstream, client: 192.x.x.x, server: hometest.home.local, request: "GET /home_de.html HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm/default.sock:", host: "hometest.home.local", referrer: "https://hometest.home.local/"
```
Thanks
Daniel
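An added example, not part of Daniel's message and not nginx code: a small Python model of nginx's location selection (longest prefix, `^~` short-circuit, then regexes in file order) applied to the location blocks posted above, to check which block answers a given request. It assumes already-normalized URIs and case-sensitive prefix matching as on Linux; the action labels and sample URIs are constructed for illustration.

```python
import re

# Location blocks from the posted server block, in file order: (modifier, pattern, label).
# The labels are names chosen for this sketch, not nginx output.
LOCATIONS = [
    ("^~", "/config/phpwcms/", "deny"),
    ("^~", "/filearchive/", "deny"),
    ("^~", "/upload/", "deny"),
    ("~", r"/\.", "deny"),
    ("", "/", "try_files->@phpwcms"),
    ("~*", r"^.+\.php$", "404"),
]

def select_location(uri):
    """Return the label of the location nginx would pick for a normalized URI."""
    # Step 1: remember the longest matching prefix location.
    best = None
    for mod, pat, action in LOCATIONS:
        if mod in ("", "^~") and uri.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, action)
    # Step 2: a ^~ prefix match ends the search before any regex is tried.
    if best and best[0] == "^~":
        return best[2]
    # Step 3: regex locations are tested in file order; the first match wins.
    for mod, pat, action in LOCATIONS:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return action
    # Step 4: no regex matched, so the remembered prefix location is used.
    return best[2] if best else None

# Constructed sample URIs for the four needs in the message, plus edge cases.
SAMPLES = [
    "/config/phpwcms/conf.inc.php", "/filearchive/a/.hidden.php", "/upload/test.php",
    "/.htaccess", "/.well-known/acme-challenge/token",  # hidden rule also hits ACME paths
    "/home_de.html", "/index.php", "/phpinfo.PHP",
    "/index.php/extra", "/Upload/file.txt", "/upload",   # not caught by deny/404 rules
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:36} -> {select_location(uri)}")
```

The last three samples reach `location /` rather than a deny or 404 block: a `.php` name followed by extra path segments does not match `^.+\.php$`, and the `^~` prefixes match neither a different letter case nor the bare directory name without its trailing slash.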