This article belongs to our video course series about WordPress security.
In this article, we will discuss how to configure Nginx on a Debian-based system for use with WordPress and Let’s Encrypt.
First, let’s install Nginx. This can be done by running the following command:
sudo apt install nginx-light nginx-extras php7.4-fpmOnce Nginx is installed, we will need to create a server block for our WordPress installation. This can be done by creating a new file in the /etc/nginx/sites-available/ directory with a .conf extension. For example, if our domain is example.com, we would create a file named example.com.conf.
In this file, we will need to include the following configuration:
server {
listen 80;
# NOTE: make sure to replace example.com with your domain name!
server_name example.com www.example.com;
root /var/www/html;
index index.php index.html index.htm;
# let’s add the headers to mitigate clickjacking and mime sniffing
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
# let’s disable auto index function
autoindex off;
# let’s also hide the webserver’s software identification
server_tokens off;
# the following block will make sure no one can hotlink and
# php files are not getting executed from the uploads directory
# make sure to have package nginx-extras installed as well
location ~ ^/wp-content/uploads {
expires max;
valid_referers none blocked server_names;
if ($invalid_referer) {
return 403;
}
}
# an additional layer of security: block access to backup files
location ~* \.(sql|sql\..*|php[~_])$ {
return 403;
}
# block access to xmlrpc (remove that block, when you need the feature)
location = /xmlrpc.php {
return 403;
}
# pass every other request that won’t lead to a file to WordPress
location / {
if (!-f $request_filename) {
rewrite ^(.+)$ /index.php?q=$1 last;
}
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
}
# pass PHP scripts to FastCGI server
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
# deny access to .htaccess files, if Apache’s document root
# concurs with nginx’s one
location ~ /\.ht {
deny all;
}
}This configuration tells Nginx to listen on port 80 for requests to example.com (as well as www.example.com) and to serve files from the /var/www/html directory. It also specifies that the index.php file should be used as the default index file and that requests for .php files should be passed to the PHP-FPM (FastCGI Process Manager) service. Further more, it denies access to certain sensible files such as configuration files, hidden files and .htaccess files.
Now we will enable the server block by creating a symbolic link from the /etc/nginx/sites-available/ directory to the /etc/nginx/sites-enabled/ directory:
sudo ln -s /etc/nginx/sites-available/example.com.conf /etc/nginx/sites-enabled/Then, to make sure the configuration is correct test the nginx configuration by running the command:
sudo nginx -tIf the configuration is correct, the output will say “configuration test is successful” and you can restart nginx by running the command:
sudo systemctl restart nginxNow, it’s time to secure our server with Let’s Encrypt. You can install the Let’s Encrypt client by running the command:
sudo apt install certbot python3-certbot-nginxOnce the installation is complete, run the following command to generate and install the SSL/TLS certificate for HTTPS. Before executing the next command, please make sure that you configured the domain correctly to point to your new web server.
sudo certbot --nginx -d example.com -d www.example.comThis command will automatically configure Nginx to use the newly generated certificate. And also, it will set up automatic renewal of the certificate by adding a cron job.
Finally, you should configure your WordPress site to use HTTPS by updating the WordPress Address (URL) and Site Address (URL) in the General Settings to use https instead of http.
And with that, your Nginx server should now be fully configured for use with WordPress and Let’s Encrypt.
