
After exploring different WordPress-Nginx configurations, let's move on to securing your WordPress site with SSL.
The steps in this article are the same for all kinds of WordPress-Nginx configurations.
Create a directory to store the keys and certificates for the example.com domain. You can use any directory; the following examples use these conventions.
    mkdir /var/www/example.com/cert/
    cd /var/www/example.com/cert/

Next, create a 2048-bit private key:
    openssl genrsa -out example.com.key 2048

Finally, create a CSR (Certificate Signing Request):
    openssl req -new -key example.com.key -out example.com.csr

Running this command will ask you for some details. For the "Common Name (eg, YOUR name) []:" field use example.com (or *.example.com if you are setting up a wildcard SSL certificate).
Note: www.example.com and example.com are not the same. Use exactly the domain your website is using.
Submit example.com.csr in the GoDaddy web interface. You will need to provide some more details; try to match them to the details in Step #1. Promo: You can buy Thawte SSL certificates from us. We are a Thawte reseller but we sell cheaper than them! 😉
The zip file you get from GoDaddy will contain 2 files: example.com.crt and gd_bundle.crt.
One is your certificate and the other is the bundle, i.e. the intermediate certificates. Nginx doesn't have a separate directive for the certificate bundle/chain file, so we need to append the bundle to the SSL certificate file itself, in such a way that your own SSL certificate stays on top (the order matters: Nginx treats the first certificate in the file as the server certificate and the rest as the chain).
You can do that by running the following command:
    cat gd_bundle.crt >> example.com.crt

Move this example.com.crt file to the /var/www/example.com/cert/ directory on the Nginx server.
Edit the server block in your site's Nginx configuration so that it looks like below:
    server {
        listen 443;
        server_name example.com;
        ssl on;   # deprecated since Nginx 1.15; on newer versions use "listen 443 ssl;" instead
        ssl_certificate /var/www/example.com/cert/example.com.crt;       # certificate + appended bundle
        ssl_certificate_key /var/www/example.com/cert/example.com.key;   # private key from the genrsa step
        #... other stuff
    }

Add the following server block if you want to force SSL on your site (every plain-HTTP request is redirected permanently to its HTTPS equivalent):
    server {
        listen 80;
        server_name example.com;
        return 301 https://example.com$request_uri;
    }

In the file /etc/nginx/nginx.conf, inside the http {..} block, add the following:
    http {
        ssl_session_cache   shared:SSL:10m;   # cache shared between worker processes
        ssl_session_timeout 10m;
        #... other stuff
    }

Also make sure the value of the worker_processes directive is greater than 1 (only if your server has multiple cores).
Finally, reload Nginx to make the changes take effect:
    service nginx reload

Add the following to your WordPress wp-config.php file.
To force SSL for the login form:
    define('FORCE_SSL_LOGIN', true);

To force SSL for the wp-admin section:
    define('FORCE_SSL_ADMIN', true);

The last and most important step is to verify that the SSL certificate has been installed properly.
Below are some nice online tools to help you with that:
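Before reaching for online checkers, the two things this tutorial gets wrong most often (a key that does not belong to the certificate, and gd_bundle.crt ending up above the server certificate) can be caught offline. This is an added example, not part of the original tutorial; it assumes the openssl command-line tool and the file names used above, and the test data is a constructed self-signed pair.

```shell
# Offline sanity checks for the "certificate + appended bundle" layout used by Nginx.
# Usage: key_matches_cert example.com.key example.com.crt
#        server_cert_on_top example.com example.com.crt
#        cert_count example.com.crt ; cert_not_expired example.com.crt

# 1. Does the private key belong to the certificate?  Compares the RSA modulus of
#    both files.  "openssl x509" only reads the FIRST PEM block, so this check also
#    fails when the bundle was accidentally placed above the server certificate.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# 2. Is the certificate for the given Common Name the first block in the file?
#    Handles both the "CN = host" (OpenSSL 1.1+) and "/CN=host" (older) subject formats.
server_cert_on_top() {
    subject=$(openssl x509 -noout -subject -in "$2" 2>/dev/null) || return 1
    case "$subject" in
        *"CN = $1"*|*"CN=$1"*) return 0 ;;
    esac
    return 1
}

# 3. A combined file must carry more than one certificate (server cert + intermediates).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# 4. The server certificate (first block) must not already be expired.
cert_not_expired() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}
```

Run the checks against the files in /var/www/example.com/cert/ before reloading Nginx; a mismatch from key_matches_cert on the combined file is the classic symptom of the bundle having been put on top.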
If you face any issues, feel free to use our free support forum.
Comments
Hi, I’ve been following along and everything seems to be working (Nginx + WordPress + fastcgi_cache with conditional purging).
However, all the plugins for managing HTTPS I can find in WordPress are giving unexpected behaviour, e.g. latching the entire site onto HTTPS once redirected from HTTP, or not redirecting to HTTPS from HTTP at all. I will say though, the wp-config.php force HTTPS for login and admin are the only things that seem to function as expected.
I am hoping where I have gone wrong is here, due to having a non-standard setup after I botched this step:
server {
    listen 443;
    server_name example.com;
    ssl on;
    ssl_certificate /var/www/example.com/cert/example.com.crt;
    ssl_certificate_key /var/www/example.com/cert/example.com.key;
    #... other stuff
}
Sorry, but make what look like below – our site's config file in sites-enabled/available?
If so, does the block in question go in its own server {…} block before or after the existing server block already configured in past tutorials {}
(this works but may not be right?)
-If not, and it should simply be put above '#other stuff', how should this SSL server block {} be combined with the existing non-SSL server block {}
already with server name defined as
server_name: example.com www.example.com – from a previous WP/Nginx config tutorial (this doesn't work I think because of the duplicate of servername:?)
Hope you can help,
KC
Correction:
server_name: example.com http://www.example.com– from a previous WP/Nginx config tutorial
Was meant to be:
server_name: example.com www.example.com– from a previous WP/Nginx config tutorial

The configuration options discussed here didn't work for me because I wanted SSL to be optional. The "ssl on;" directive makes SSL required. I used the following configuration directives and they work great for me:
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /var/www/example.com/cert/example.com.crt;
    ssl_certificate_key /var/www/example.com/cert/example.com.key;
    #... other stuff
}
I then set the option in wp-config.php to force SSL for admin pages only.
It is not recommended to have a single page accessible over both HTTP and HTTPS. It might create duplicate content issues in search engines.
Also, some other issues, like the "HTTPS site loading insecure content" warning.
By the way, moving entire site to HTTPS won’t create much CPU overload. You can optimize SSL setup as outlined in – https://rtcamp.com/tutorials/nginx/ssl-pci-compliance-performance/
I tried setting this up but when I go to my https://pagelinescommunity.com page I get a 404 message. Is there something I’m missing?
Please post your configuration in our support forum – https://rtcamp.com/support/forum/wordpress-nginx/