Nginx vs Litespeed/Apache for Wordpress security

I have been given different advice about security plugins for WordPress. Some designers highly recommend them, like Sucuri or Wordfence, and some designers insist they are too bloated for speed…

For example, they say that having good web hosting and good (quality) plugins is more important.

I have searched for which server is good for security, and I found this topic about .htaccess, which Nginx does not use:

https://wordpress.org/support/topic/litespeed-vs-nginx-vs-apache-htaccess-malware/

In fact, I experienced this before: .htaccess malware was sending my website to Japanese redirect spam, and I didn't realize it for some days, until my whole site had disappeared from Google results.

So it seems Nginx is safer, because it does not use .htaccess files. But I have never set up any Nginx servers; will Linode help me set it up?

Or what is your recommended tutorial (for WP)? Thx

3 Replies

@aminprav --

You write:

> I have searched for which server is good for security, and I found this topic about .htaccess, which Nginx does not use.

NO server is going to have good security if you don't use the security facilities the server offers you. Implementing good security requires effort on your part to make your server secure. From the description of your troubles, it sounds like you expect server security to happen by magic.

That being said…

If you use apache2(8), you are not required to use .htaccess if you declare it as your AccessFileName.

That is exactly the setup I have… In my main apache2(8) conf file, I have:

AccessFileName .htaccess

but then I never use it…for exactly the reasons you cite. You can put all the stuff you'd put in .htaccess into /etc/apache2/sites-available/mysite.conf and then enable the site with

sudo a2ensite mysite

and disable it with

sudo a2dissite mysite

Enabling mod_rewrite and adding this to your main apache2(8) conf file (or any of your site configuration files in /etc/apache2/sites-available)

RewriteEngine on

RewriteCond %{THE_REQUEST} ^.*/\.
RewriteRule ^(.*)$ - [R=404]

will generate a 404 for every attempt to access a file or directory whose name begins with a dot; e.g.,

/myDir/.svn => 404
/.gitignore => 404
/dir1/dir2/dir3/…./.toHide => 404

This will prevent use of .htaccess for all sites (if in global apache2(8) conf file) or a particular site (if in /etc/apache2/sites-available/mysite.conf). However, given your troubles, it seems like that is something you would want to do…

I don't have any WP sites…

-- sw

P.S. You should check out:

https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker

mitchellkrogza has other security-related stuff too…phishing, malware sites, etc. Some are for use with WP sites…

@aminprav

> I have been given different advice about security plugins for WordPress. Some designers highly recommend them, like Sucuri or Wordfence, and some designers insist they are too bloated for speed…

I have used both of them. They are good for "clueless" website owners who never log in to check their site, never update plugins, and are really not aware of how to manage their WordPress.

Cloudflare also has some free security features, but they are not so specific to WordPress; WordFence can discover a security hole in your site and block malware from coming in, but Cloudflare is slower to add patches.

Sometimes "less is more" for WordPress performance.

One of the best and easiest features is using a Port Firewall (blocking port scanning) on your VMs, which Linode has (free).

https://www.linode.com/docs/guides/getting-started-with-cloud-firewall/

> In fact, I experienced this before: .htaccess malware was sending my website to Japanese redirect spam, and I didn't realize it for some days, until my whole site had disappeared from Google results.

The ironic part is that WordFence can also crash your WordPress if you uninstall it improperly, because it adds hidden files and rules to your wp-config.php, .htaccess, etc.

What I dislike is how much data WordFence adds to your MySQL, but the benefit is that you do not require any SaaS.

> So it seems Nginx is safer, because it does not use .htaccess files.

Maybe, but like @stevewi mentioned, you can keep your configuration for Apache (or OpenLiteSpeed) in a central location and disable .htaccess files if you prefer; they are mostly for shared hosting environments.

But yes, using .htaccess can result in malware redirects or crashed WordPress sites from plugins like WordFence (ironic), so .htaccess gets a lot of hate.

In the end, you either need to understand what you are doing and keep your server lightweight and secure, or you can hire a server management agency or freelancer to manage your Linode VMs for Nginx or other applications.

You can also check free scripts like SlickStack for Nginx/WordPress servers, which will automatically configure rate limiting (anti-brute-force) and anti-DDoS (blocks xmlrpc.php) and some other features like security headers.

https://github.com/littlebizzy/slickstack

TL;DR Nginx is usually more secure, because there are no .htaccess files and the file/user permissions are usually stricter (although obviously this depends on your configuration too).

Leaving this here:

https://www.linode.com/community/questions/22244/openlitespeed-litespeed-vs-nginx-benchmark

Remember that Litespeed shares a commission (%) for each premium license their affiliates sell to customers. So it has created a sort of "affiliate bros" community, similar to Warrior Forum, where dozens of guys are all cheering each other on and trying to hype Litespeed like some magic software, hoping that you will join their SEO or web hosting service because of it. It seems most of those guys have never used Linux before and do not understand much about web stacks; their knowledge is mostly GUI point-and-click using cPanel, marketing and blogging, and really not DevOps experience. So the Litespeed Tech homepage created these ambiguous graphics showing OpenLiteSpeed 1000x faster than Nginx and Apache, and immediately all their affiliates started re-sharing these images on social media and reblogging about it for more hype.
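As an added example (not code from this thread or from any of the tools it names), here is a small Python audit that walks a WordPress docroot and flags .htaccess files showing the tampering pattern discussed above: a rewrite that redirects to a host that is not your own, or a rule conditioned on search-engine user agents or referrers so that only crawlers get redirected and the owner never notices. The heuristics, the `own_hosts` list and the sample files are constructed assumptions; spam.example and www.example.com are placeholders.

```python
import os
import re
import tempfile
from typing import Dict, Iterable, List

# Heuristics of this example (not any scanner's rules): a RewriteRule whose target
# is an absolute URL, and a RewriteCond keyed on a search-engine UA or referrer.
REDIRECT_RX = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://([^/\s]+)", re.I | re.M)
CLOAK_RX = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}.*(?:google|bing|yahoo|yandex)", re.I | re.M)

def classify(text: str, own_hosts: Iterable[str] = ()) -> List[str]:
    """Reasons one .htaccess body deserves review; an empty list means clean."""
    own = {h.lower() for h in own_hosts}
    reasons = []
    # Redirects to %{HTTP_HOST} (the usual force-https rule) or to your own hosts are fine.
    foreign = {h for h in REDIRECT_RX.findall(text)
               if not h.startswith("%{") and h.lower() not in own}
    if foreign:
        reasons.append("redirect to foreign host: " + ", ".join(sorted(foreign)))
    if CLOAK_RX.search(text):  # only crawlers get redirected, so the owner never sees it
        reasons.append("rule conditioned on search-engine user agent/referrer")
    return reasons

def scan_tree(root: str, own_hosts: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Walk root; map each flagged .htaccess (path relative to root) to its reasons."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = classify(fh.read(), own_hosts)
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits

# Constructed fixture: stock WordPress rules plus a force-https rule at the docroot,
# and a cloaked off-site redirect planted in wp-content/uploads (placeholder domain).
WP_ROOT = ("# BEGIN WordPress\nRewriteEngine On\nRewriteBase /\n"
           "RewriteRule ^index\\.php$ - [L]\nRewriteCond %{REQUEST_FILENAME} !-f\n"
           "RewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule . /index.php [L]\n"
           "# END WordPress\nRewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]\n")
TAMPERED = ("RewriteEngine On\nRewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]\n"
            "RewriteRule ^(.*)$ https://spam.example/$1 [R=302,L]\n")

def build_sample_tree() -> str:
    """Write the constructed fixture into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wpdoc-")
    for rel, body in ((".htaccess", WP_ROOT), ("wp-content/uploads/.htaccess", TAMPERED)):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

Run `scan_tree("/var/www/html", own_hosts=["your.host"])` against a real docroot; the stock WordPress block is never flagged, while the uploads copy is reported for both reasons.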
