Try follow these steps:
Disable directory listing
Enable logging
Enable HTTPS
Restrict access to certain IP addresses
Disable unnecessary modules
Harden the server security
Hide server version information
Use a strong SSL/TLS cipher suite
Configure HTTP Strict Transport Security (HSTS)
Enable Content Security Policy (CSP)
Implement a web application firewall
Regularly patch and update the server
If anything is unclear, just search for that step in your favorite search engine plus nginx and I'm sure the question is answered by someone.