nginx configuration for WordPress


This article belongs to our video course series about WordPress security.

In this article, we will discuss how to configure Nginx on a Debian-based system for use with WordPress and Let’s Encrypt.

First, let’s install Nginx. This can be done by running the following command:

sudo apt install nginx-light nginx-extras php7.4-fpm

Once Nginx is installed, we will need to create a server block for our WordPress installation. This can be done by creating a new file in the /etc/nginx/sites-available/ directory with a .conf extension. For example, if our domain is, we would create a file named

In this file, we will need to include the following configuration:

server {
    listen 80;

    # NOTE: make sure to replace with your domain name!
    root /var/www/html;

    index index.php index.html index.htm;

    # let’s add the headers to mitigate clickjacking and mime sniffing
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    # let’s disable auto index function
    autoindex off;

    # let’s also hide the webserver’s software identification
    server_tokens off;

    # the following block will make sure no one can hotlink and 
    #  php files are not getting executed from the uploads directory
    #  make sure to have package nginx-extras installed as well
    location ~ ^/wp-content/uploads {
        expires max;

        valid_referers none blocked server_names;

        if ($invalid_referer) {
            return 403;

    # an additional layer of security: block access to backup files
    location ~* \.(sql|sql\..*|php[~_])$ {
        return 403;

    # block access to xmlrpc (remove that block, when you need the feature)
    location = /xmlrpc.php {
        return 403;

    # pass every other request that won’t lead to a file to WordPress
    location / {
        if (!-f $request_filename) {
            rewrite ^(.+)$ /index.php?q=$1 last;

        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;

    # pass PHP scripts to FastCGI server
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;

    # deny access to .htaccess files, if Apache’s document root
    # concurs with nginx’s one
    location ~ /\.ht {
        deny all;

This configuration tells Nginx to listen on port 80 for requests to (as well as and to serve files from the /var/www/html directory. It also specifies that the index.php file should be used as the default index file and that requests for .php files should be passed to the PHP-FPM (FastCGI Process Manager) service. Further more, it denies access to certain sensible files such as configuration files, hidden files and .htaccess files.

Now we will enable the server block by creating a symbolic link from the /etc/nginx/sites-available/ directory to the /etc/nginx/sites-enabled/ directory:

sudo ln -s /etc/nginx/sites-available/ /etc/nginx/sites-enabled/

Then, to make sure the configuration is correct test the nginx configuration by running the command:

sudo nginx -t

If the configuration is correct, the output will say “configuration test is successful” and you can restart nginx by running the command:

sudo systemctl restart nginx

Now, it’s time to secure our server with Let’s Encrypt. You can install the Let’s Encrypt client by running the command:

sudo apt install certbot python3-certbot-nginx

Once the installation is complete, run the following command to generate and install the SSL/TLS certificate for HTTPS. Before executing the next command, please make sure that you configured the domain correctly to point to your new web server.

sudo certbot --nginx -d -d

This command will automatically configure Nginx to use the newly generated certificate. And also, it will set up automatic renewal of the certificate by adding a cron job.

Finally, you should configure your WordPress site to use HTTPS by updating the WordPress Address (URL) and Site Address (URL) in the General Settings to use https instead of http.

And with that, your Nginx server should now be fully configured for use with WordPress and Let’s Encrypt.

Related Posts

You are currently viewing a placeholder content from Google Calendar. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.

More Information