WordPress with LEMP + Cloudflare +?


I created a droplet from DigitalOcean. And installed WordPress with LEMP (Ubuntu 18.04, PHP-FPM, Ngix server).

Also Cloudflare’s cache everything rule is activated and working well with brotli, minifying etc.)

My questions are these:

  • All of above options are enough? Or should I use any additional caching way? I mean that CF cache everything rule will be enough or Should I install any WP cache plugin or Fastcgi cache (for caching html and php)?
  • Should I use Autoptimize plugin only instead of any cache plugin? or which caching way do you recommend for me?
  • And last, is there any simple guide for essential nginx security configuration? I want to make my server secure but I don’t know anything…

Thank you so much for your helps! :slight_smile:
Best regards.

There are quite a few posts on Wordpress performance. A search for “Wordpress cache” will turn up some of the better ones.

#Protection of /wp-admin path
RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/wp-admin(.*)$
    RewriteCond %{HTTP:CF-IPCountry} !^(FR)$
    RewriteRule ^(.*)$ – [R=404,L]

How can I add above rule to nginx?

Untested :man_shrugging:

location /wp-admin
    if ($http_cf_ipcountry != "FR")
        return 404;

The Apache rule can be actually shortened to

RewriteCond %{HTTP:CF-IPCountry} !=FR
RewriteRule ^wp-admin – [R=404,L]

Thank you for your help.

I added your code into config file but it doesn’t change anything :thinking:

When I try to access /wp-admin path from different country, it doesn’t block me.

Well, I said it is untested, so you probably will have to tweak it.


I already do this with the new Firewall Rules. Here’s my rule from the Expression Builder. It blocks wp-login and wp-admin if you’re not in the US.

ip.geoip.country ne "US" and (http.request.uri contains "wp-login.php" or http.request.uri contains "wp-admin")


Good point, that could be handled straight at Cloudflare level :+1:. I am still a fan of (additional) server-side validation though :slight_smile:


recommended wp-rocket plugin.
it’s very useful.

1 Like

Cloudflare protects us from all types of Ddos on the domain. But Cloudflare can’t protect ip address attacks.

So adding this conf into /etc/nginx/nginx.conf will be useful for protection ip address?

## Only requests to our Host are allowed i.e. example.com
      if ($host !~ ^(example.com|www.example.com)$ ) {
         return 444;

Thanks for informations. @sandro @sdayman

Thank you liyang i will research it. I have installed W3TC for now. @liyang

Additionally, I have some server-side security rules. But I can’t convert it from Apache to Nginx unfortunately.

For instance:

<IfModule mod_alias.c>
	RedirectMatch 403 (?i)(^#.*#|~)$
	RedirectMatch 403 (?i)/readme\.(html|txt)
	RedirectMatch 403 (?i)\.(ds_store|well-known)
	RedirectMatch 403 (?i)/wp-config-sample\.php
	RedirectMatch 403 (?i)\.(7z|bak|bz2|com|conf|dist|fla|git|inc|ini|log|old|psd|rar|tar|tgz|save|sh|sql|svn|swo|swp)$
  1. If your configuration is virtual host based you wont need that as you can simply configure an access denied rule for the default host which is hit by all requests not matching a configured host.
  2. Unless you have your webserver accessible from outside of Cloudflare (which you shouldnt) you wouldnt need it either, as Cloudflare will only forward requests for your domain.
1 Like

nope it will not protect you, there is simple ways to overcome it

1 Like

Is there any guide for that?

@boynet2 Thank you but I want to protect my ip address. Which Nginx server-side security tips do you recommend?

The webserver manual of your choice :slight_smile:

But again, if your server is behind Cloudflare and has been properly configured for that use case that is not much of an issue.

1 Like

Absolutely, I’m huge fan of CF :slight_smile:

All security settings of CF are done :slight_smile:

Do you need your server to be reachable to parties apart from Cloudflare?

No I want to make my server to be reachable from CF only. and protect my server by blocking requests to my ip address.

Because I found a website which hides CF and displays original ip address of the site illegally unfortunately.

In that case dont bother with the webserver configuration and make sure your firewall configuration is properly set to only allow inbound web connections from Cloudflare addresses listed at https://www.cloudflare.com/ips/


That’s nice I will try it on Nginx. Thank you so much again :slight_smile:

I really appreciate it.

EDIT: * will try it on the Ubuntu 18.04 not nginx sorry

Not Nginx related. Make sure it is not reachable on a system level. On Linux that would be either iptables (or its successor nftables). If you use a different system you’d need to use other applicable tools respectively.

As long as the operating system does not accept non-Cloudflare addresses the webserver configuration is secondary. Not that you should neglect it, a secure webserver is important, but the point is the primary block should happen on an operating system level and not webserver level.