nginx + wordpress: What to do beyond the guides?
So for the veteran Linode users, especially those offering WP on the LEMP stack, what should I do? Here are a few of my particular concerns/questions … but at this point, I'm really open to anything.
1. What permissions should I set on each of wp folders?
Users will need to upload various assets (images, pdfs, office docs, audio, video). What user:group should everything under "publichtml" run under? What is the best way to set the appropriate permissions? I found this article (
2. What is the/a recommended configuration for nginx?
Attached is mine, but as I'm new to nginx I'm not all that confident that I have the best configuration of if it is even a good one. I plan on hosting multiple domains for separate clients.
3. w3 Total Cache or WP Supercache?
What are the better/best caching options and how are folks managing their cache?
4. How do you set up a CDN and what should you put up in it?
I have an Amazon S3 account to store any and all goods, just not sure how to use it in setting up a CDN.
5. What should I use to perform and manage backups of Wordpress sites (content and database)?
Are the $5/month backups offered by Linode enough? Should I pursue something like WP Remote (
6. What should I install for a robust security infrastructure?
Followed everything in the guides … anything beyond that especially as WP and Nginx is concerend?
7. What should I be using to monitor the performance and potential problems (whether it be performance or security breaches)?
"How do I know I've been hacked or my server/sites are under an attack?" "How do I know that performance is starting to suffer for reason X?"
8. Generally speaking, in what ways should folks deviate from the Guides?
Basically, is there any where in these guides where you go, "That is just plain wrong!" or "This would be better"?
Thanks much in advance for your input. Hopefully this thread can serve as a helpful resource for folks in the same boat.
Following the guides is good start and that is what I do. I have started documenting where I deviate from the guides for myself. HowToForge has some good manuals:
I don't use CDN even though I could. My sites don't attract the numbers of visitors to warrant that. I have setup ufw (allow all outgoing, deny all incoming except http, https and ssh), only login via ssh with public/private key and use fail2ban. So I think my server is secure, but I have no idea what to do if I ever get hacked and how to know that. Fail2ban stops hundreds to many thousands of break-in attempts each day. I use Munin for monitoring, but apart from the fact that it shows that my Linode512 has plenty of resources to spare I don't know how to interpret it.
I use W3 Total Cache (followed a guide), huge improvement vs no caching, but I haven't made an attempt at fine tuning.
Main difference with the sources you list is that my directories containing websites and wordpress blogs are owned by [username]:[username]. Only directories like 'upload' are writable by the group www-data. W3TC needs write access for www-data to some extra directories.
If you use S3 to store images and such, there's really no reason not to use cloudfront CDN, which is priced the same and trivially easy to set up.
Not really a Wordpress expert but you will probably want to secure the wp-admin directory with htaccess/htpasswd. Permissions should be www-data:www-data if you installed nginx through ubuntu, the user specifically for the web server.
Your entire web content shouldn't be writeable from your web server at all times. There are some upload/cache directories that need to be but other's don't.
Having said that you'll need to make them writeable in some way for Wordpress updates however do that when required. Automate the change in permissions so you can secure the premissions after the update.
The guide meskarune said is good.