Whitelisting WordPress blog URLs OR f____ you haxor!!

WordPress seems to be a big collection of bugs and holes, or it is just the most attacked project on the planet.
Nevertheless, it's actually quite easy to make it completely secure by denying access to everything but the content links.

In our setup we have a dedicated Apache host that serves the PHP pages and contains the database.
An nginx sits in front of this system to protect it, so we will put the security rules into nginx (which also gets more trust from me than Apache httpd).

The nginx in front of our (SEO-optimized) WordPress blog just gets these rules.
All but the last location block allow access to content (or rather forward it to our Apache host).
The last catch-all block denies access and asks for authentication, so that we admins, moderators, etc. can use the admin pages.

# Front page
location ~* ^/$ {
    proxy_pass http://10.5.8.12:80;
    proxy_set_header Host $host;
}

# Post and page slugs such as /my-post/ (letters and hyphens only).
# Note: this pattern also matches /wp-admin/ and /wp-includes/.
location ~* ^/[a-z-]*/$ {
    proxy_pass http://10.5.8.12:80;
    proxy_set_header Host $host;
}

# Themes, uploads and other content files
location ~* ^/wp-content/.*$ {
    proxy_pass http://10.5.8.12:80;
    proxy_set_header Host $host;
}

# Literal dots are escaped so that "." does not match any character
location ~* ^/sitemap(index)?\.xml$ {
    proxy_pass http://10.5.8.12:80;
    proxy_set_header Host $host;
}

location ~* ^/robots\.txt$ {
    proxy_pass http://10.5.8.12:80;
    proxy_set_header Host $host;
}

location ~* ^/wp-includes/js/jquery/jquery(-migrate)?(\.min)?\.js$ {
    proxy_pass http://10.5.8.12:80;
    proxy_set_header Host $host;
}

location ~* ^/wp-includes/images/smilies/[a-z_-]*\.gif$ {
    proxy_pass http://10.5.8.12:80;
    proxy_set_header Host $host;
}

# Catch-all: everything not matched above requires HTTP basic auth
location / {
    proxy_pass http://10.5.8.12:80/;
    proxy_set_header Host $host;
    # Do not pass the basic-auth credentials on to the backend
    proxy_set_header Authorization "";
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;
}

For directories that we know do not serve PHP content, we also need to disable PHP.
This is done by adding a .htaccess file with the following content.

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off

Do this for the directory wp-content, which only contains CSS and so on.
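
To check which requests the nginx rules above forward without authentication, here is a small offline audit script. It is an added example, not part of the original setup. The patterns are copied from the location blocks with the literal dots escaped, the sample URLs are constructed, and it assumes nginx's usual behaviour of matching regex locations in order against the path only.

```python
import re
from urllib.parse import urlsplit

# Allowlist regexes in the order of the location blocks above, with the
# literal dots escaped. Everything else falls through to `location /`.
ALLOW = [
    r"^/$",
    r"^/[a-z-]*/$",
    r"^/wp-content/.*$",
    r"^/sitemap(index)?\.xml$",
    r"^/robots\.txt$",
    r"^/wp-includes/js/jquery/jquery(-migrate)?(\.min)?\.js$",
    r"^/wp-includes/images/smilies/[a-z_-]*\.gif$",
]

def classify(url, patterns=ALLOW):
    """Return (verdict, pattern): 'public' plus the first matching regex,
    or ('auth', None) when only the catch-all block applies."""
    # nginx matches locations against the path; the query string is ignored.
    path = urlsplit(url).path or "/"
    for pattern in patterns:
        # `~*` means case-insensitive; regex locations are tried in order.
        if re.search(pattern, path, re.IGNORECASE):
            return "public", pattern
    return "auth", None

# Constructed sample requests (not taken from real logs).
SAMPLES = [
    "/", "/?p=5", "/my-first-post/", "/2014/05/my-first-post/",
    "/wp-login.php", "/xmlrpc.php", "/wp-admin/", "/wp-admin/users.php",
    "/wp-content/uploads/pic.png", "/wp-content/plugins/demo/demo.php",
    "/robots.txt", "/robots_txt",
]

def audit(urls=SAMPLES, patterns=ALLOW):
    """Map each URL to 'public' or 'auth'."""
    return {url: classify(url, patterns)[0] for url in urls}

if __name__ == "__main__":
    for url in SAMPLES:
        verdict, pattern = classify(url)
        print(f"{verdict:6} {url:40} {pattern or 'location /'}")
```

In the output, `/wp-admin/` comes out as public because it fits the slug pattern, and PHP files under `/wp-content/` are forwarded as well, which is the case the .htaccess file covers on the Apache side. Date-based permalinks such as `/2014/05/my-first-post/` end up behind the password prompt, so the slug pattern has to fit the blog's permalink structure.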