I got myself a budget VPS around a month ago and have a combination of nginx, MariaDB, PHP5-FPM and Drupal 7 running on it. While following the Administration docs to optimize my Drupal installation, I found out that my nginx (at that time using the nginx-wiki config for Drupal) was serving all files in the Drupal folder (except the specifically blocked directories and file types), which seemed like quite a huge security risk to me. After being concerned about this for a longer time (I don't have any content on the site yet, it's pretty much private) I joined the IRC today to ask what I should do. One of the helpful users there suggested this configuration to me, which I'm using in a slightly modified version now, but it still serves, for example, '/profiles/standard/standard.profile'. The "dangerous" types like .inc or .sql are blocked now, but having those other directories in the open still concerns me.
Should I take any action against this? Like just blocking all directories other than /sites from being accessed by anyone other than localhost?
Thanks in advance, especially for enduring my inexperience. ^^"
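As an added example (not the poster's configuration and not the one suggested on IRC), here is a deny-by-default nginx server block for a Drupal 7 document root. It applies the same file-extension denylist that ships in Drupal 7's own `.htaccess` (so `/profiles/standard/standard.profile` returns 404), refuses dot-files, never executes PHP from the upload directory, serves only real static assets directly, and lets only Drupal 7's known front controllers reach PHP-FPM. The hostname, document root and FPM socket path are placeholders. Note that blocking every directory except `/sites` would break the site, because `modules/`, `themes/` and `misc/` contain CSS, JavaScript and images that browsers must fetch; restricting by extension and by PHP entry point is what keeps those directories usable without exposing source files.

```nginx
# Added example: deny-by-default nginx server block for Drupal 7.
# Not the poster's config; hostname, root and socket are assumptions.
server {
    listen 80;
    server_name example.invalid;       # assumption: placeholder hostname
    root /var/www/drupal;              # assumption: placeholder docroot
    index index.php;

    # Drupal 7's .htaccess denylist: source files that a browser must
    # never be able to fetch (.profile, .inc, .module, .info, .sql, ...).
    # Regex locations match in file order, so denies come first.
    location ~* \.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$ {
        return 404;
    }

    # Dot-files and VCS/editor leftovers (.htaccess, .git, .svn, ...)
    location ~ (^|/)\. {
        return 404;
    }

    # PHP is never executed from the user-upload directory
    location ~ ^/sites/.*/files/.*\.php$ {
        return 404;
    }

    # Static assets from modules/, themes/, misc/ and sites/*/files are
    # served as-is; a missing file falls through to Drupal so that
    # image styles can still be generated on first request.
    location ~* \.(css|js|gif|jpe?g|png|svg|ico|woff2?|ttf)$ {
        try_files $uri @drupal;
        expires 1d;
    }

    # Only Drupal 7's known front controllers reach PHP-FPM
    location ~ ^/(index|update|install|cron|xmlrpc|authorize)\.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;   # assumption: socket path
    }

    # Any other .php in the tree (inside modules, themes, profiles, ...)
    # is not executed and not served
    location ~ \.php$ {
        return 404;
    }

    # Clean URLs: everything that is not a real file goes to index.php
    location / {
        try_files $uri @drupal;
    }

    location @drupal {
        rewrite ^ /index.php;          # query string is preserved
    }
}
```

After installing this, confirm the behaviour with a few requests: `curl -I http://<host>/profiles/standard/standard.profile` and `curl -I http://<host>/modules/node/node.module` should both return 404, while `curl -I http://<host>/misc/drupal.js` returns 200 and `curl -I http://<host>/` returns whatever Drupal's front page returns. `nginx -t` should be run before reloading, since a syntax error in a regex location leaves the old (permissive) config active.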