www.example.com {
  tls hostmaster@example.com {
    # Android 4 and IE 8-10 only support TLS 1.0.
    # Change tls1.0 to tls1.1 (or remove this block entirely) for better privacy.
    protocols tls1.0 tls1.3
  }

  log / /var/www/example.com/logs/access.log "{combined}" {
    rotate_size 100 # rotate after 100 MB
    rotate_age  14  # keep log files for 14 days
    rotate_keep 10  # keep at most 10 log files
    rotate_compress
  }

  ipfilter /wp-admin /wp-login.php {
    rule allow
    ip 1:2:3:4::/56
    strict
  }

  ipfilter /wp-admin/admin-ajax.php {
    rule block # disallow nobody === allow everybody
  }

  ratelimit /wp-login.php 5 7 minute

  # Protect secrets against misconfiguration.
  internal /wp-config.php
  # Disable XML-RPC (assuming you're not using it).
  internal /xmlrpc.php

  proxy / localhost:6081 {
    transparent
  }
}

www.example.com:2020 {
  bind localhost

  tls off

  errors /var/www/example.com/logs/error.log {
    rotate_size 100 # rotate after 100 MB
    rotate_age  14  # keep log files for 14 days
    rotate_keep 10  # keep at most 10 log files
    rotate_compress
  }

  root /var/www/example.com/wordpress

  rewrite {
    if {path} not_match ^/wp-admin
    to {path} {path}/ /index.php?_url={uri}
  }

  fastcgi / /run/php/php7.0-fpm.sock php

  filter rule {
    content_type (?:text|javascript)
    search_pattern https?://(?:www\.)?example\.(?:com|net|org)
    replacement https://www.example.com
  }

  # Set caching directives for static content. Caddy will automatically add
  # Last-Modified and ETag headers for files on disk. Neat!
  header /wp-content Cache-Control "max-age=2592000, s-maxage=86400"
  header /wp-includes Cache-Control "max-age=2592000, s-maxage=86400"
  
  # XML-RPC is disabled, so delete the header that points to it.
  header / -X-Pingback
}