Installing WordPress on Nginx requires a different approach than the traditional Apache setup. Nginx
offers superior performance for high-traffic websites, but its configuration differs significantly
from what many WordPress users expect. This comprehensive guide walks you through every step of
setting up WordPress on Nginx, from initial server preparation to final security hardening. By
following this checklist, you will have a clean, optimized, and secure WordPress installation ready
for production.

📋 Key Takeaways
  • Nginx requires explicit configuration for WordPress permalinks and PHP processing
  • PHP-FPM is essential for running PHP applications with Nginx
  • Security headers and proper file permissions prevent common vulnerabilities
  • Testing each step before proceeding prevents cascading configuration errors

I. Server Prerequisites and Initial Setup

Before installing WordPress, your server needs the right foundation. This section covers the
essential components and their configuration. We assume you have SSH access to a fresh VPS running
Ubuntu 22.04 or a similar Debian-based distribution.

A. System Update and Essential Packages

Start with a fully updated system. Running outdated packages introduces security vulnerabilities and
compatibility issues that can cause problems later in the installation process.

  • Update package lists: Run sudo apt update to refresh your package repository
    information. This ensures you install the latest available versions.
  • Upgrade existing packages: Execute sudo apt upgrade -y to update all
    currently installed packages to their newest versions.
  • Install essential tools: Install curl, wget, and unzip with
    sudo apt install curl wget unzip -y as these tools are needed throughout the setup
    process.

B. Installing Nginx

Nginx installation on Ubuntu is straightforward through the default repositories. However, for
production environments, you may want to consider the official Nginx repository for the latest
stable version.

  • Install Nginx: Run sudo apt install nginx -y to install the web server.
  • Enable on boot: Execute sudo systemctl enable nginx to ensure Nginx starts
    automatically after server reboots.
  • Start the service: Run sudo systemctl start nginx and then
    sudo systemctl status nginx to verify it is running.

Visit your server’s IP address in a browser to confirm Nginx is working. You should see the default
Nginx welcome page. If you cannot access it, check your firewall settings with
sudo ufw status and ensure port 80 is open.

C. Installing PHP and PHP-FPM

Unlike Apache with mod_php, Nginx requires PHP-FPM (FastCGI Process Manager) to process PHP files.
This separation actually provides better performance and security, as PHP runs as a separate process
pool.

  • Install PHP 8.3: Run
    sudo apt install php8.3-fpm php8.3-mysql php8.3-curl php8.3-gd php8.3-mbstring php8.3-xml php8.3-zip php8.3-intl php8.3-imagick -y
  • Verify installation: Check the PHP version with php -v and ensure PHP-FPM is
    running with sudo systemctl status php8.3-fpm
  • Note the socket path: PHP-FPM communicates with Nginx through a Unix socket. The default
    path is /run/php/php8.3-fpm.sock

II. Database Setup with MariaDB

WordPress requires a MySQL-compatible database. MariaDB is a popular drop-in replacement that offers
improved performance and is fully compatible with WordPress. This section covers installation,
security hardening, and creating the WordPress database.

A. Installing and Securing MariaDB

A properly secured database is crucial for WordPress security. MariaDB includes a security script
that helps remove default insecure settings.

  • Install MariaDB: Run sudo apt install mariadb-server -y to install the
    database server.
  • Start and enable: Execute
    sudo systemctl enable mariadb && sudo systemctl start mariadb
  • Run security script: Execute sudo mysql_secure_installation and follow the
    prompts. Set a strong root password, remove anonymous users, disable remote root login, and
    remove the test database.

B. Creating the WordPress Database

Create a dedicated database and user for WordPress. Never use the root account for application
database access.

  • Access MariaDB: Run sudo mysql -u root -p and enter your root password.
  • Create database: Execute
    CREATE DATABASE wordpress_db CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
  • Create user: Run
    CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'your_strong_password_here';
  • Grant privileges: Execute
    GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wp_user'@'localhost'; then
    FLUSH PRIVILEGES;

Store these credentials securely as you will need them when configuring WordPress. Use a password
manager to generate and store a strong, unique password.

III. Configuring Nginx for WordPress

Nginx configuration for WordPress requires specific directives that differ from Apache. The most
important aspects are handling PHP processing, enabling pretty permalinks, and securing sensitive
files.

A. Creating the Server Block

Nginx uses server blocks (similar to Apache virtual hosts) to define how requests are handled. Create
a new configuration file for your WordPress site.

  • Create config file: Run sudo nano /etc/nginx/sites-available/wordpress
  • Define server block: Configure the server name, root directory, and basic settings for
    your domain.
  • Enable the site: Create a symbolic link with
    sudo ln -s /etc/nginx/sites-available/wordpress /etc/nginx/sites-enabled/

B. Essential Nginx Directives for WordPress

Several Nginx directives are critical for WordPress functionality. Without proper configuration,
permalinks will not work and PHP files may not be processed correctly.

  • try_files directive: The line try_files $uri $uri/ /index.php?$args; enables
    WordPress pretty permalinks by passing requests to index.php when no matching file exists.
  • PHP processing block: A location block for ~ \.php$ tells Nginx to pass PHP
    files to PHP-FPM for processing.
  • Security blocks: Deny direct access to sensitive files such as .htaccess and
    wp-config.php, and to hidden files starting with a dot.
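
A server block that puts the three directives above together, as an added example rather than configuration from the original guide. example.com is a placeholder domain; the root path and PHP-FPM socket are the ones this guide uses elsewhere, and the fastcgi_params include assumes the file shipped with the Ubuntu nginx package.

```nginx
# Added example for /etc/nginx/sites-available/wordpress
# example.com is a placeholder; replace it with your domain.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    root /var/www/your-site-folder;
    index index.php;

    # Exact-match (=) locations are chosen before any regex location,
    # so this request never reaches the PHP handler below.
    location = /wp-config.php {
        deny all;
    }

    # Hidden files (.htaccess, .git, ...). Regex locations are tried in
    # order of appearance and the first match wins, so keep this above
    # the PHP handler. It also matches /.well-known/, which ACME HTTP-01
    # certificate validation uses.
    location ~ /\. {
        deny all;
    }

    # Pretty permalinks: serve the file or directory if it exists,
    # otherwise hand the request to WordPress.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Return 404 for scripts that do not exist on disk instead of
        # passing arbitrary paths to PHP-FPM.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php8.3-fpm.sock;
    }
}
```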

C. Testing and Applying Configuration

Always test Nginx configuration before reloading to prevent downtime from syntax errors.

  • Test configuration: Run sudo nginx -t to check for syntax errors. Fix any
    issues before proceeding.
  • Reload Nginx: Execute sudo systemctl reload nginx to apply changes without
    dropping connections.

IV. Installing WordPress

With the server environment prepared, you can now download and configure WordPress. This section
covers downloading WordPress, setting correct permissions, and completing the web-based
installation.

A. Downloading and Extracting WordPress

Download WordPress directly from the official source to ensure you have an authentic, unmodified
copy.

  • Navigate to web root: Run cd /var/www
  • Download WordPress: Execute sudo wget https://wordpress.org/latest.tar.gz
  • Extract files: Run sudo tar -xzf latest.tar.gz and then
    sudo mv wordpress your-site-folder
  • Clean up: Remove the archive with sudo rm latest.tar.gz

B. Setting File Permissions

Correct file permissions are essential for security and functionality. WordPress needs write access
to certain directories while restricting access to configuration files.

  • Set ownership: Run sudo chown -R www-data:www-data /var/www/your-site-folder
  • Set directory permissions: Execute
    sudo find /var/www/your-site-folder -type d -exec chmod 755 {} \;
  • Set file permissions: Run
    sudo find /var/www/your-site-folder -type f -exec chmod 644 {} \;
  • Secure wp-config: After installation, tighten permissions with
    sudo chmod 640 /var/www/your-site-folder/wp-config.php

C. Completing the Web Installation

Visit your domain in a browser to complete the WordPress installation wizard. Have your database
credentials ready.

  • Database name: Enter the database name you created earlier (wordpress_db)
  • Database username: Enter the database user (wp_user)
  • Database password: Enter the password you set for the database user
  • Database host: Keep as localhost for local database connections
  • Table prefix: Consider changing from wp_ to something unique for security

V. Post-Installation Security Hardening

A fresh WordPress installation needs additional security measures. This section covers essential
hardening steps that protect against common attacks.

A. Security Headers in Nginx

HTTP security headers provide an additional layer of protection against various attacks including
XSS, clickjacking, and MIME-type sniffing.

  • X-Frame-Options: Add add_header X-Frame-Options "SAMEORIGIN" always; to
    prevent clickjacking attacks.
  • X-Content-Type-Options: Include
    add_header X-Content-Type-Options "nosniff" always; to prevent MIME-type confusion
    attacks.
  • X-XSS-Protection: Add add_header X-XSS-Protection "1; mode=block" always; as
    a fallback XSS protection.
  • Referrer-Policy: Include
    add_header Referrer-Policy "strict-origin-when-cross-origin" always; to control
    referrer information.

B. Blocking Sensitive Files

Prevent direct access to files that could expose sensitive information or allow unauthorized actions.

  • Block hidden files: Add a location block location ~ /\. { deny all; } to
    block access to .htaccess and similar files.
  • Block PHP in uploads: Prevent execution of PHP files in the uploads directory to stop
    malicious file uploads from running.
  • Protect wp-includes: Block direct PHP execution in the wp-includes directory.
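
The headers and deny rules from sections V.A and V.B as they would sit inside the server block, shown as an added example and not configuration from the original guide. The two wp-includes path patterns are this example's assumption about which files to cover; adjust them if a plugin requests those files directly.

```nginx
# Added example: place these lines inside the server { } block, above
# the `location ~ \.php$` handler.

# `always` makes Nginx send the header on error responses (4xx/5xx)
# as well, not only on successful responses and redirects.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# Ignored by current Chrome, Firefox and Edge; kept as the guide lists it.
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# add_header is inherited from the server level only by locations that
# define no add_header of their own. A location that sets even one
# header (Cache-Control on static assets, for instance) must repeat the
# four lines above or include them from a shared file.

# No PHP execution under uploads. Regex locations are tried in order of
# appearance and the first match wins, so this must come before the
# generic `location ~ \.php$` block or the upload would reach PHP-FPM.
location ~* ^/wp-content/uploads/.*\.php$ {
    deny all;
}

# wp-includes: refuse direct requests for top-level PHP files and for
# the theme-compat directory (assumed patterns, see the lead-in).
location ~* ^/wp-includes/[^/]+\.php$ {
    deny all;
}
location ~* ^/wp-includes/theme-compat/ {
    deny all;
}
```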

VI. Verification Checklist

After completing the installation, verify that everything is working correctly. This checklist helps
identify any issues before they become problems.

  • Permalink test: Go to Settings > Permalinks, select “Post name” and save. Create a test
    post and verify the URL works correctly.
  • Media upload test: Upload an image through the Media Library to verify file upload
    permissions are correct.
  • Plugin installation test: Install a plugin from the repository to confirm WordPress can
    write to the plugins directory.
  • PHP info check: Verify PHP is processing correctly and all required extensions are
    loaded.
  • HTTPS verification: If you have SSL configured, ensure all pages load securely without
    mixed content warnings.

VII. Common Installation Issues and Solutions

  • 502 Bad Gateway: This usually indicates PHP-FPM is not running or the socket path in
    Nginx configuration is incorrect. Check PHP-FPM status and socket path.
  • 404 for all pages except homepage: Permalinks are not configured correctly. Verify the
    try_files directive includes /index.php?$args
  • Cannot upload files: Check the ownership and permissions on the wp-content/uploads
    directory. It must be writable by www-data.
  • Database connection error: Verify that the database credentials in wp-config.php match
    what you created. Test the connection manually with the mysql client.

VIII. Conclusion

Installing WordPress on Nginx provides a solid foundation for a high-performance website. The key
differences from Apache installations are the PHP-FPM requirement and explicit permalink
configuration. By following this checklist and verifying each step, you now have a clean, secure
WordPress installation ready for content creation and further optimization.
