To improve performance while enhancing security in Nginx for WordPress, follow these best practices:
1. Enable Security Headers
bash
add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;
This ensures that only approved sources can load assets, reducing the risk of XSS attacks[4].
2. Implement Rate Limiting
bash
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
limit_req_status 444;
This prevents brute-force attacks by limiting the number of requests from a single IP address within a given time period[3].
3. Configure Nginx Modules
bash
load_module modules/ngx_http_length_hiding_filter_module.so;
load_module modules/ngx_http_immutable_module.so;
load_module modules/ngx_http_security_headers_module.so;
These modules enhance security by hiding the length of responses, making it harder for attackers to exploit BREACH attacks, and enabling security headers[1].
4. Use a Whitelist Approach
bash
location ~ ^[^.]*$ {
length_hiding on;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
include includes/php-example.com.conf;
}
This configuration ensures that only approved PHP files are executed, reducing the risk of malicious scripts[1].
5. Disable PHP Execution in Sensitive Directories
bash
location /wp-content/ {
deny all;
}
This prevents PHP execution in sensitive directories like `wp-content`, reducing the risk of vulnerabilities[2].
6. Optimize Server Configuration
bash
server {
server_name _;
return 302 $scheme://example.com$request_uri;
}
This redirects all requests to the main site, improving performance and security by avoiding unnecessary processing[5].
7. Use a Comprehensive Security Plugin
bash
sudo nano /etc/nginx/nginx.conf
This ensures that the Nginx configuration includes security headers and other security measures, such as Content Security Policy, to protect against various types of attacks[4].
8. Regularly Update and Monitor
bash
sudo yum -y install nginx-module-length-hiding nginx-module-immutable nginx-module-security-headers
Regularly update Nginx modules and monitor server logs to detect and respond to potential security threats[1].
9. Implement Additional Security Measures
bash
location = /wp-login.php {
limit_req zone=one burst=1 nodelay;
include fastcgi_params;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_index index.php;
}
This configuration implements rate limiting and other security measures for the WordPress login page, reducing the risk of brute-force attacks[3].
10. Regularly Back Up and Update
bash
sudo yum -y install https://extras.getpagespeed.com/release-latest.rpm
Regularly back up your WordPress site and update Nginx and PHP-FPM to ensure that your site remains secure and performs well[1].
By implementing these best practices, you can significantly improve the performance and security of your WordPress site running on Nginx.
Citations:[1] https://www.getpagespeed.com/server-setup/nginx/best-practice-secure-nginx-configuration-for-wordpress
[2] https://stackoverflow.com/questions/63753876/wordpress-nginx-security-best-practice
[3] https://www.codeable.io/blog/significantly-improve-wordpress-security/
[4] https://spinupwp.com/hosting-wordpress-yourself-nginx-security-tweaks-woocommerce-caching-auto-server-updates/
[5] https://developer.wordpress.org/advanced-administration/server/web-server/nginx/