Nginx vs Litespeed/Apache for Wordpress security

I had been told different advice about security plugins for WordPress. Some designers highly recommend it like Sucuri or Wordfence, and some of designers insist they are too bloated for speed….

For example saying that if you have good web hosting and good plugins (quality one) is more important.

I have searched which server is good for security. And I found the topic about .htaccess is not using Nginx--

https://wordpress.org/support/topic/litespeed-vs-nginx-vs-apache-htaccess-malware/

In fact I did experience this before .htaccess malware is sending my website to Japanese redirect spam and I didn't realize for some days until all my site in Google results is disappeared.

so it seems Nginx is safer, because they do not use .htaccess file. But I never setup any Nginx servers, will Linode help me setup?

or what is your recommended tutorial (WP) thx

2 Replies

@aminprav --

You write:

I have searched which server is good for security. And I found the topic about .htaccess is not using Nginx--

NO server is going to have good security if you don't use the security facilities the server offers you. Implementing good security requires effort on your part to make your server secure. From the description of your troubles, it sounds like you expect server security to happen by magic.

That being said…

If you use apache2(8), you are not required to use .htaccess if you declare it as your AccessFileName.

That is exactly the setup I have… In my main apache2(8) conf file, I have:

AccessFileName .htaccess

but then I never use it…for exactly the reasons you cite. You can put all the stuff you'd put in .htaccess into /etc/apache2/sites-available/mysite.conf and then enable the site with

sudo a2ensite mysite

and disable it with

sudo a2dissite mysite

Enabling mod_rewrite and adding this to your main apache2(8) conf file (or any of your site configuration files in /etc/apache2/sites-available)

RewriteEngine on

RewriteCond %{THE_REQUEST} ^.*/\.
RewriteRule ^(.*)$ - [R=404]

Will generate a 404 for every attempt to access a file/directory beginning with dot; e.g.,

/myDir/.svn => 404
/.gitignore => 404
/dir1/dir2/dir3/…./.toHide => 404

This will prevent use of .htaccess for all sites (if in global apache2(8) conf file) or a particular site (if in /etc/apache2/sites-available/mysite.conf). However, given your troubles, it seems like that is something you would want to do…

I don't have any WP sites…

-- sw

P.S. You should check out:

https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker

mitchellkrogza has other security-related stuff too…phishing, malware sites, etc. Some are for use with WP sites…

@aminprav

I had been told different advice about security plugins for WordPress. Some designers highly recommend it like Sucuri or Wordfence, and some of designers insist they are too bloated for speed….

I have used both of them. They are good for "clueless" website owners who never login to check their site and never update plugins and really not aware of how to manage their WordPress.

Cloudflare also has some free security features but not so specific to WordPress like WordFence can discover a security hole in your site and block malware from coming but Cloudflare is slower to add patches.

Sometimes "less is more" for WordPress performance.

One of the best and easy features is using Port Firewall (blocking port scanning) on your VMs which Linode has (free).

https://www.linode.com/docs/guides/getting-started-with-cloud-firewall/

In fact I did experience this before .htaccess malware is sending my website to Japanese redirect spam and I didn't realize for some days until all my site in Google results is disappeared.

The ironic part is that WordFence can also crash your WordPress if you uninstall it improperly because it adds hidden files and rules to your wp-config.php and .htaccess etc.

What I dislike is how much data WordFence adds to your MySQL, but the benefit is that you do not require any SaaS.

so it seems Nginx is safer, because they do not use .htaccess file

Maybe but like @stevewi mentioned you can keep your configuration for Apache (or Openlitespeed) in a central location and disable .htaccess files if you prefer, they are mostly for shared hosting environment.

But yes, using .htaccess can result in malware redirects or crashed WordPress sites from plugins like WordFence (ironic), so .htaccess gets a lot of hate.

In the end you either need to understand what you are doing and keep your server lightweight and secure or you can hire a server management agency or freelancer to manage your Linode VMs for Nginx or other applications.

You can check also free scripts like SlickStack for Nginx/WordPress servers that will automatically configure rate-limiting (anti-brute-force) and anti-DDOS (blocks xmlrpc.php) and some other features like security headers.

https://github.com/littlebizzy/slickstack

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct