How to configure Nginx to protect WordPress/PHP website security

Nginx is a popular web server. It not only has the characteristics of high performance, low consumption, and strong concurrency, but also supports the configuration of reverse proxy, load balancing, HTTPS and many other functions. For WordPress/PHP websites, how to use Nginx configuration for security protection is very important. This article will introduce some Nginx configuration methods to ensure the security of WordPress/PHP websites.

1. Configure reverse proxy

Reverse proxy refers to forwarding client requests to the internal server, and the internal server returns a response to the client. Through reverse proxy, the real IP address of the internal server can be hidden, thereby achieving the purpose of protecting the server. In Nginx, you can use the proxy_pass directive to configure the reverse proxy, as shown below:

server {
    listen 80;
    server_name yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

In the above configuration, the address of the reverse proxy server is http://127.0.0.1:8080, and $host represents the client. The requested domain name, $remote_addr represents the real IP address of the client.

2. Configuring restricted IP access

Configuring restricted IP access can control access to certain IPs or IP segments to protect the server from illegal access. In Nginx, you can use the allow and deny directives to configure IP access control, as shown below:

location / {
    deny 192.168.1.1;
    allow all;
}

The above configuration will deny access requests with the IP address 192.168.1.1 and allow access requests from other IP addresses. You can use commas to separate multiple IP addresses or IP segments.

3. Configuring HTTPS

Configuring HTTPS can encrypt the transmitted data, thereby protecting the data from being stolen or tampered with during transmission. In Nginx, you can use the ssl_certificate and ssl_certificate_key instructions to configure HTTPS, as follows:

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /path/to/yourdomain.crt;
    ssl_certificate_key /path/to/yourdomain.key;

    location / {
        ...
    }
}

In the above configuration, /path/to/yourdomain.crt and /path/to/yourdomain.key are the SSL certificate and The path to the private key.

4. Configuring anti-hotlinking

Configuring anti-hotlinking can prevent other websites from displaying pictures or resources of this site through direct links, thereby protecting resources from illegal use. In Nginx, you can use the valid_referers directive to configure anti-hotlinking, as shown below:

location /images/ {
    valid_referers none blocked yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}

In the above configuration, /images/ is the resource path to be protected, valid_referers is used to specify a valid source domain name, and none means not to use it. Domain name restrictions, blocked means denying all illegal sources, yourdomain.com means allowing access from sources of this domain name. If the requested origin is not in the valid origin list, a 403 error will be returned.

5. Configuring the cache

Configuring the cache can reduce the load on the server, improve the access speed of the website, and maintain the accessibility of the website when the server is down. In Nginx, you can use the proxy_cache_path directive to configure the cache, as shown below:

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:10m inactive=60m;

location / {
    proxy_cache my_cache;
    proxy_cache_valid 200 60m;
    proxy_cache_valid 404 1m;
}

In the above configuration, /var/cache/nginx is the cache path, and levels=1:2 indicates the hierarchical level of the cache path. keys_zone=my_cache:10m means using my_cache as the cache storage space, the size is 10M, inactive=60m means the cache will be cleared after 60 minutes. The proxy_cache directive is used to enable caching, and the proxy_cache_valid directive is used to set the cache time.

Summary

Through the above five Nginx configuration methods, you can effectively protect the security of WordPress/PHP websites. Reverse proxy can hide the real IP address of the server, restricting IP access can control access rights to the server, HTTPS can encrypt data transmission, anti-leeching can protect resources from illegal use, and caching can improve the access speed and accessibility of the website. Of course, these configuration methods cannot completely guarantee the security of the website. You also need to pay attention to other security issues, such as password protection, file permissions, etc.

The above is the detailed content of How to configure Nginx to protect WordPress/PHP website security. For more information, please follow other related articles on the PHP Chinese website!