Up until a few years ago, installing WordPress on an Nginx server still tended to be a little bit janky. In the early days, many websites were forced to deal with ugly permalink schemes that included the “/index.php/” root in every single link. Even after that hurdle was eliminated, other issues existed such as poor compatibility of several WordPress plugins with Nginx, rendering many of them useless. In other cases, special rules needed to be written to the Nginx server block to make a plugin or script work properly, which left many WordPress webmasters at a complete loss of what to do.
While many of these rumors still abound, the truth is that Nginx now works perfectly with WordPress with very little configuration required (if any at all) after initial server setup has been completed. Even popular WordPress plugins like Yoast SEO erroneously claim that special re-write rules are (still) required for their plugin to work properly, which is simply not true (and hasn’t been true for at least a few years already). Moreover, even WordPress.com and other enterprise-level websites owned by Automattic (the company behind WordPress) are powered by Nginx servers and have been for years!
Unlike Apache’s “virtual hosts” or having to upload messy .htaccess files all over your server, Nginx is renowned for its powerful simplicity. Pretty much all required server security and rewrite rules can take place directly in the server block located under /etc/nginx/sites-available/default
and can overwrite default rules in /etc/nginx/nginx.conf
The below Nginx server block code has been specifically optimized for WordPress speed and security, although many of the rules would apply to other CMS systems too. In general, this is the setup that we use for all LittleBizzy clients.
Note: This server block is meant to be used in conjunction with our recommended Nginx configuration. Specifically, the section on rate limiting will cause errors unless rate limiting is also enabled in your nginx.conf
file too.
First, you will need to edit the default “site available” on your Nginx server:
sudo nano /etc/nginx/sites-available/default
Copy and paste entire code below, making sure to change the domain name as appropriate:
## this block redirects all HTTP non-www to HTTP www version server { server_name example.com; listen *:80; listen [::]:80 ipv6only=on; return 301 http://www.example.com$request_uri; } ## this block is the default configuration for the live website server { server_name www.example.com; listen *:80 default_server; listen [::]:80; root /home/example/www; index index.php index.html index.htm; autoindex off; ## improve public caching (no need for Last Modified too, and eTag is enabled by default in new Nginx versions) expires 30d; add_header Cache-Control "public"; add_header Pragma public; if_modified_since before; ## first try files, then directories, otherwise query index location / { ## force trailing slashes (don't enable for bbPress/BuddyPress) # rewrite ^([^.]*[^/])$ $1/ permanent; try_files $uri $uri/ /index.php?$args; } ## make sure PHP loads via FCGI for better performance location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php5-fpm.sock; ## if using PHP7 # fastcgi_pass unix:/run/php/php7.0-fpm.sock; fastcgi_index index.php; ## older nginx versions use: include fastcgi_params include fastcgi.conf; ## below line should not be needed # include snippets/fastcgi-php.conf; } location = /wp-login.php { ## prevent brute force attacks (must enable in nginx.conf) limit_req zone=one burst=1 nodelay; ## re-include basic FCGI settings for PHP files fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass unix:/var/run/php5-fpm.sock; fastcgi_index index.php; ## older nginx versions use: include fastcgi_params include fastcgi.conf; } ## block any attempted access to dotfiles location ~ /\. { deny all; log_not_found off; access_log off; } ## no need to log any access requests for favicon location = /favicon.ico { ## 204 > 404 if favicon not found try_files $uri =204; log_not_found off; access_log off; } ## don't log robots file and allow any requests location = /robots.txt { allow all; log_not_found off; access_log off; } ## block any attempted XMLRPC attacks location = /xmlrpc.php { deny all; } ## comment this until WP is properly setup (blocks access) location = /wp-config.php { deny all; } ## block access to hackers checking WP version location ~* (licence|readme|license)\.(html|txt) { deny all; } ## deny access to PHP files in various directories location ~* /(?:uploads|files|wp-content|wp-includes)/.*\.php$ { deny all; } ## avoid any font problems in Firefox and IE location ~ \.(eot|ttf|ttc|otf|woff|woff2|svg|css|js)$ { add_header Access-Control-Allow-Origin "*"; } ## set maximum expiry times for static files location ~* \.(js|css|png|jpg|jpeg|gif|ico|mp4|svg|svgz|ogg|ogv|webm|htc)$ { log_not_found off; access_log off; } ## define error pages in the web directory error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } ## flag to tell Comet Cache to shhh location ~* \.php$ { fastcgi_param WP_NGINX_CONFIG done; } }
Before you restart the Nginx service be sure to test it:
sudo nginx -t
Then go ahead and restart it:
sudo service nginx restart
Tags: Apache, Nginx, security, server configuration, server tuning, WordPress
Last modified: 16 May, 2016https://www.littlebizzy.com/?p=1981"After being hosted on GoDaddy for years, I didn't realize how negatively it was impacting my search traffic. Soon after moving to LittleBizzy, my homepage went from page 3 on Google to #1 world-wide for my target market, and I also reached the top 3 on Google Maps, with no additional SEO work."
Juliette S."Before moving to LittleBizzy, whenever our news website was featured on the Drudge Report, it often slowed to a crawl or even froze up during big traffic spikes. Now, that never happens anymore, and we've been able to focus on publishing more articles instead of worrying about our web hosting."
Tony H."The research by Amazon is definitely true, because our slow WooCommerce store was bleeding sales. After LittleBizzy stabilized our performance and moved us closer to our target customers, we saw a measurable improvement in shopping cart checkouts, esp. during holidays... much better!"
Mohammed H.No contracts, free migration, and free SSL forever. What are you waiting for? Order Hosting Now.
WordPress Gossip, Technical SEO News, And Other Goodies.
Free. Unsubscribe anytime.