include protect-uploads.conf;

        location ~ \.php$ {
# Common staff. Include should be above this block in config file
        }



protect-uploads.conf:

location ~ /sites/default/files/(.+)\.php$ { return 444; }
location ~ /sites/default/tmp/(.+)\.php$ { return 444; }
location ~ /sites/default/private/(.+)\.php$ { return 444; }