Securing a WordPress installation running on Nginx is essential to protect your website from malicious attacks. In this tutorial, we will go through the steps to secure a WordPress installation running on Nginx. This will include setting file and folder permissions, adding security enhancements to the Nginx server profile, and installing security plugins to protect the WordPress installation.
Step 1: Set File and Folder Permissions
Setting the correct file and folder permissions is crucial to ensuring that your WordPress installation is secure. To do this, connect to your server via SSH and navigate to your WordPress root directory. Then, run the following commands to set the permissions for files and folders:
# directories: rwxr-xr-x
sudo find . -type d -exec chmod 755 {} \;
# files: rw-r--r--
sudo find . -type f -exec chmod 644 {} \;
# hand ownership of the whole tree to the web server user
sudo chown -R www-data:www-data .
These commands set directory permissions to 755, file permissions to 644, and ownership to www-data:www-data. With these permissions the files and directories are writable only by their owner, the web server user, and are readable but not modifiable by other users on the system.
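As an added example (not part of the original tutorial), the following POSIX shell script applies the 755/644 scheme described above and then audits the tree for anything that deviates from it; the WP_OWNER variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: apply the 755/644 scheme
# described above to a WordPress tree, then audit it so that drift (for
# example a plugin installer leaving a 777 uploads directory) is caught.
# Assumes POSIX find/chmod; ownership is only changed when run as root
# and the owner account exists.

WP_OWNER="${WP_OWNER:-www-data}"   # assumed default, override via environment

# Apply the tutorial's scheme: directories 755, files 644, owner www-data.
harden_wp_perms() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} \;
    find "$dir" -type f -exec chmod 644 {} \;
    if [ "$(id -u)" -eq 0 ] && id "$WP_OWNER" >/dev/null 2>&1; then
        chown -R "$WP_OWNER:$WP_OWNER" "$dir"
    fi
}

# Print the number of entries that deviate from the scheme:
# directories whose mode is not exactly 755, files not exactly 644.
count_bad_perms() {
    dir="$1"
    bad_dirs=$(find "$dir" -type d ! -perm 755 | wc -l | tr -d ' ')
    bad_files=$(find "$dir" -type f ! -perm 644 | wc -l | tr -d ' ')
    echo $((bad_dirs + bad_files))
}

# List the offending entries so an administrator can see what drifted.
list_bad_perms() {
    dir="$1"
    find "$dir" -type d ! -perm 755 -exec ls -ld {} \;
    find "$dir" -type f ! -perm 644 -exec ls -l {} \;
}
```

Running count_bad_perms against the WordPress root from a cron job gives a cheap drift check; harden_wp_perms reapplies the scheme when it reports anything other than 0.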
Step 2: Add Security Enhancements to Nginx Server Profile
In addition to setting file and folder permissions, you can add security enhancements to the Nginx server profile to further protect your WordPress installation. Here are some recommended enhancements:
Preventing Clickjacking
Clickjacking is a technique in which an attacker embeds your site in a hidden frame on another page and tricks users into clicking on its links or buttons.
To prevent this, add the following line to your Nginx server profile; SAMEORIGIN tells browsers to render your pages in a frame only when the framing page comes from your own site:
add_header X-Frame-Options "SAMEORIGIN";
Disabling Server Signature
Server signatures (the version string Nginx places in the Server response header and on its error pages) reveal which software and version is running, making it easier for attackers to pick vulnerabilities to try.
To stop Nginx from sending its version, add the following line to your Nginx server profile:
server_tokens off;
Enabling SSL/TLS Encryption
Encrypting your website traffic with SSL/TLS is essential to protecting your users’ sensitive information. You can enable SSL/TLS encryption by following the steps in the tutorial for installing SSL/TLS certificates using Let’s Encrypt or Cloudflare.
Step 3: Install Security Plugins
In addition to setting file and folder permissions and adding security enhancements to the Nginx server profile, you can install security plugins to protect your WordPress installation.
Here are some recommended security plugins:
Wordfence
Wordfence is a popular security plugin that includes a firewall, malware scanner, and login security features. You can install Wordfence by following the steps in the WordPress dashboard.
Jetpack
Jetpack is a security plugin that includes features such as brute force attack protection, downtime monitoring, and spam filtering. You can install Jetpack by following the steps in the WordPress dashboard.
Sucuri Security
Sucuri Security is a comprehensive security plugin that includes features such as malware scanning, blacklist monitoring, and website firewall. You can install Sucuri Security by following the steps in the WordPress dashboard.
In Conclusion
Securing a WordPress installation running on Nginx requires setting file and folder permissions, adding security enhancements to the Nginx server profile, and installing security plugins. By following the steps outlined in this tutorial, you can protect your WordPress installation from malicious attacks and ensure that your website is secure.
We’ve made a part 2 for this tutorial; check it out here.