Start Here

New to Nginx? Setting up your first server? These guides are organized by what you're trying to accomplish — pick the path that matches what you're building.

Got a shiny new VPS? Before you install anything, lock the doors. The Security Series walks through hardening in order — SSH first, then Nginx and PHP, then fail2ban, then Cloudflare. The guides below assume a reasonably hardened server. Have fun, but harden first.


I want to install a CMS

Both guides below produce a fully hardened, production-ready site. Which one you pick depends on what you need from a CMS.

Installing WordPress 7.0 on Nginx
WordPress runs over 40% of the web for a reason: a massive plugin ecosystem, themes for every use case, and a visual admin panel that clients and non-technical users can navigate without training. If you need e-commerce, membership sites, forums, or anything that relies on third-party integrations, WordPress is the pragmatic choice. The guide covers security blocks, static caching, Cloudflare real-IP, rate limiting, and wp-config.php essentials — everything you need to run it without it running you.

Installing Bludit 3.22.0 on Nginx
Bludit is a flat-file CMS — no database, no update fatigue, just markdown or HTML files on disk. It's faster out of the box, has a dramatically smaller attack surface, and backups are as simple as copying a folder. If you're building a personal blog, a documentation site, or anything where you'd rather write content than manage software, Bludit gets out of your way. The guide covers directory protection, static caching, PHP-FPM tuning, and a modular include-based server block you can reuse across sites. Bludit Pro adds premium plugins and themes on top of the same core.

Managing WordPress with WP-CLI on a VPS
The WordPress admin dashboard works, but on a VPS you have a faster option. Plugin updates in under a second, search-replace across 50,000 rows without timing out, and everything scriptable — the wp-cli commands that actually matter.

WordPress Plugins on a VPS: When They Hurt More Than They Help
On a VPS, the server layer already handles most of what optimization plugins do. The cost of letting one run on every request can outweigh anything it claims to save.


I want to serve a static site

Serving Static Sites with Nginx
Hugo, Jekyll, Eleventy, Astro, or plain HTML/CSS — clean URLs, pre-compressed assets, aggressive caching, and security headers you can actually lock down. No PHP. No database. Just Nginx at full speed.


I want secure SSL without Certbot touching my config

Let's Encrypt Without Certbot Touching Your Nginx Config
Issue and renew certificates with certonly — full control of your hand-tuned configuration, a shared webroot directory, and a cron job that just works.


I want to put my site behind Cloudflare

Restoring Real Visitor IPs with Cloudflare and Nginx
Without real IP restoration, every request in your logs appears to come from Cloudflare. Rate limiting and fail2ban are blind without it. Start here before configuring anything else.

Cloudflare as a Transparent Proxy: Zero-Interference Edge Configuration
Every Cloudflare toggle you should turn off, and the origin hardening that must be in place first. Full (Strict) SSL, no content modification, no header injection — your VPS owns every security decision, Cloudflare provides the network.

Blocking Direct-to-Origin Access with a Cloud Firewall
Stop port scanners and direct-to-IP attacks before they reach your server. A stateless cloud firewall — free on most providers — drops all traffic on ports 80 and 443 that doesn't originate from Cloudflare. Includes the certificate renewal caveat for unproxied subdomains.

Serving WebP Without a WordPress Plugin
Convert images to WebP on disk, let Nginx serve the right format based on the browser's Accept header, and leave WordPress out of it. The Vary: Accept header is critical for Cloudflare compatibility.


I want to do something with my home server

Reverse Proxying WordPress from a Home Server
Serve a WordPress site from basement hardware through a lightweight VPS proxy — static assets mirrored to the VPS disk, dynamic requests proxied over Tailscale, every database query at local NVMe latency. A playground project with practical architecture.

Access Jellyfin Remotely Using an Nginx Reverse Proxy
Proxy your home Jellyfin media server through a VPS with SSL, security headers, WebSocket support, and dynamic DNS for residential connections.


I want to keep my server safe

→ Full Security Series — Every security article arranged in the order you should tackle them: understand the threats, lock the doors, monitor and respond, layer additional protections.

Common Web Attack Bots and Scanners
A practical overview of what's scanning your server right now, why it matters, and which of your existing defenses catch each category.

SSH Access Through Tailscale Behind a Cloud Firewall
Lock SSH down to a WireGuard mesh — accessible from anywhere without exposing a public port, with direct IP fallbacks for when the mesh is down.

Automated Off-Site Backups with rclone
Backups are the last line of defense. One dump file per database, one automatic target, one independent target. rclone to Proton Drive, a home server, or any provider that speaks SFTP.


I want routing tricks

Handling Wildcard Subdomains with Nginx and PHP
Catch any subdomain at the DNS level and route it dynamically — modern wildcard SSL, provider availability notes, and SaaS tenant-routing patterns.

Using GeoIP in Nginx
Country detection without recompiling — modern database sources, country-based routing, access control, and passing location data to PHP.


I'm just browsing everything

→ Back to the full blog feed — All articles in reverse-chronological order.