Putting it all together
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mysite.com;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/mysite.com/chain.pem;

    root /var/www/mysite.com/public_html;
    access_log /var/log/nginx/mysite.access.log;
    error_log /var/log/nginx/mysite.error.log;
    client_max_body_size 8M;

    # --- WordPress security blocks ---
    include wp_security.conf;
    include wp_installed.conf;

    # --- Housekeeping ---
    include drop.conf;

    # --- Static caching ---
    include static_caching.conf;

    # --- WordPress front controller ---
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # --- Rate-limited login ---
    location = /wp-login.php {
        limit_req zone=login burst=2 nodelay;
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
    }

    # --- PHP processing ---
    include php.conf;
}
WordPress is now running behind Nginx with directory protection, security blocks for the most common attack vectors, aggressive static caching, wp-cron offloaded to the system scheduler, and rate limits on both the login page and all PHP handlers.
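Added example, not part of the original guide: a small Python model of how `limit_req zone=login burst=2 nodelay;` treats a run of requests from one client. The zone rate of 1 request per second is an assumption, since the `limit_req_zone` definition is not shown in this block; the function name and the timestamps are constructed for illustration.

```python
# Added illustration, not the guide's code: a model of nginx limit_req
# accounting for a single client key (one IP address hitting /wp-login.php).
# ASSUMPTION: the "login" zone drains at 1 request/second; only burst=2 and
# nodelay are taken from the server block.

def simulate_limit_req(arrivals_ms, rate_per_sec=1.0, burst=2):
    """Return 'passed' or 'rejected' for each request timestamp (ms, ascending).

    nginx keeps an "excess" counter in thousandths of a request. It drains at
    the zone rate and grows by 1000 for every accepted request. With nodelay,
    accepted requests are served at once instead of being queued.
    """
    verdicts = []
    excess = None      # no shared-memory entry for this key yet
    last_ms = None
    for now in arrivals_ms:
        if excess is None:
            candidate = 0                                # first hit creates the entry
        else:
            drained = rate_per_sec * (now - last_ms)     # thousandths drained since last accept
            candidate = max(0, excess - drained + 1000)
        if candidate > burst * 1000:
            verdicts.append("rejected")                  # 503 by default; entry not updated
            continue
        excess, last_ms = candidate, now
        verdicts.append("passed")
    return verdicts


if __name__ == "__main__":
    # Constructed timestamps: five rapid attempts, then two slower ones.
    sample = [0, 10, 20, 30, 40, 1500, 5000]
    for t, verdict in zip(sample, simulate_limit_req(sample)):
        print(f"t={t:>5} ms  {verdict}")
```

With `burst=2`, the first three back-to-back requests pass (one plus the burst), and further attempts are rejected until the counter drains at the zone rate.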
Technical Audit Summary
This guide is maintained as part of a modular, SSL-first framework.
Last Audit: May 2026
Environment: Debian Trixie (13)
Nginx: 1.30.0
PHP-FPM: 8.5.5
Compatibility: Tested against current stable releases. While optimized for the stack above, core logic remains relevant for Nginx 1.26+ and PHP 8.2+ environments.