After exploring different WordPress-Nginx configurations, let's move on to securing your WordPress site.
The steps in this article are similar for all kinds of WordPress-Nginx configurations.
Step 1: Create CSR – Certificate Signing Request on Nginx Server
Create a directory to store the keys and certificates for the example.com domain. You can use any directory. The following example uses these conventions.
mkdir /var/www/example.com/cert/
cd /var/www/example.com/cert/
Next, create a 2048-bit private key
openssl genrsa -out example.com.key 2048
Finally, create a CSR (certificate signing request)
openssl req -new -key example.com.key -out example.com.csr -sha256
Running this command will ask you for some details. For the Common Name (eg, YOUR name) []: field, use example.com
Note: Comodo SSL provides www.example.com and example.com in the same certificate.
If you are renewing an existing SSL certificate, you can follow steps 2 and 3 below. Make sure the CSR has already been generated on the server.
Step 2: Get an SSL Certificate
- Buy an SSL certificate from the Comodo site or from dh.rtcamp.com (our portal).
- Paste the CSR, i.e. the content of example.com.csr, into your Comodo account or the dh.rtcamp.com portal. You will need to provide some more details; try to match them to the details in Step 1.
- Depending on the type of certificate, it may take some time for Comodo to approve your certificate.
- Once the certificate is approved, you will get a link via email. One email is to verify your SSL certificate and, once it is approved, a second email arrives with the bundle zip file of the SSL certificate.
Step 3: Fix Intermediate Certificate Chain
The zip file in the email contains 4 files:
- Root CA Certificate – AddTrustExternalCARoot.crt
- Intermediate CA Certificate – COMODORSAAddTrustCA.crt
- Intermediate CA Certificate – COMODORSADomainValidationSecureServerCA.crt
- Your PositiveSSL Certificate – example_com.crt
Now we need to append the intermediate certificates to the SSL certificate file itself, in such a way that the SSL certificate remains on top.
You can do this by running the following command:
cat example_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > example.com.crt
There is no need to include AddTrustExternalCARoot.crt. Leaving it out avoids the "Chain issues – Contains anchor" warning.
Move this example.com.crt file to the /var/www/example.com/cert/ directory on the Nginx server.
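To confirm the bundle before pointing Nginx at it, the following added example (not part of the original article) checks that the first certificate in example.com.crt matches example.com.key, that each certificate is followed by its issuer, and that no self-signed root is included. The function name check_bundle and its exit codes are assumptions made for this example; it compares subject and issuer names only and does not verify signatures.

```shell
#!/bin/sh
# Added example: sanity-check a concatenated certificate bundle for Nginx.
# Compares subject/issuer name hashes only; signatures are NOT verified.
# Exit codes (chosen for this example): 0 ok, 2 no certificate found,
# 3 key mismatch, 4 self-signed root in bundle, 5 wrong order.
check_bundle() (
    bundle=$1; key=$2
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    # Split the bundle into 1.pem, 2.pem, ... in file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }' "$bundle" 2>/dev/null
    [ -f "$tmp/1.pem" ] || { echo "no certificate found in $bundle" >&2; exit 2; }

    # Nginx pairs the key with the FIRST certificate, so it must be the leaf.
    cert_pub=$(openssl x509 -in "$tmp/1.pem" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "first certificate does not match $key" >&2; exit 3
    fi

    i=1
    while [ -f "$tmp/$i.pem" ]; do
        subj=$(openssl x509 -in "$tmp/$i.pem" -noout -subject_hash)
        iss=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)
        next=$((i + 1))
        if [ -f "$tmp/$next.pem" ]; then
            # The certificate that follows must be the issuer of this one.
            nsubj=$(openssl x509 -in "$tmp/$next.pem" -noout -subject_hash)
            if [ "$iss" != "$nsubj" ]; then
                echo "certificate $next is not the issuer of certificate $i" >&2; exit 5
            fi
        fi
        # subject == issuer means a self-signed root (the trust anchor).
        if [ "$subj" = "$iss" ]; then
            echo "certificate $i is self-signed: drop the root from the bundle" >&2; exit 4
        fi
        i=$next
    done
    echo "OK: $((i - 1)) certificate(s), leaf first, key matches, no root"
)

# Run directly: sh check_bundle.sh example.com.crt example.com.key
if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```

A non-zero exit here means Nginx would either refuse to load the key pair or serve a chain that clients flag as incomplete or misordered.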
Step 4: Adjusting Nginx Configuration
Enable SSL for example.com
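Make the server block look like the following:
server {
# "ssl" on the listen directive enables TLS for this socket; it replaces the deprecated "ssl on;" directive
listen 443 ssl;
server_name example.com;
# Bundle from Step 3: site certificate first, then the intermediates
ssl_certificate /var/www/example.com/cert/example.com.crt;
ssl_certificate_key /var/www/example.com/cert/example.com.key;
#... other stuff
}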
Force the non-SSL site to redirect traffic to SSL
Add the following server block if you want to force SSL on your site.
server {
listen 80;
server_name example.com;
return 301 https://example.com$request_uri;
}
Turn on SSL session cache for performance
In the file /etc/nginx/nginx.conf, inside the http {..} block, add the following:
http {
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
#... other stuff
}
Also make sure the value of the worker_processes directive is greater than 1 (only if your server has multiple cores).
Finally, reload the processes to make the change take effect.
service nginx reload
Step 5: Ask WordPress to use SSL
Add the following to your WordPress wp-config.php file.
To force SSL for the login form:
define('FORCE_SSL_LOGIN', true);
To force SSL for the wp-admin section:
define('FORCE_SSL_ADMIN', true);
Step 6: Verifying SSL Installation
The last and most important step is to verify that the SSL certificate is installed properly.
Below are some nice online tools to help you with that:
If you face any issues, feel free to use our free support forum.