Nginx powers over 30% of all websites, and its popularity makes it a frequent target for automated attacks, brute force logins, and DDoS attempts. Securing Nginx on your VPS isn’t optional — it’s the minimum baseline for running any production workload. This guide walks through the three most impactful security layers: firewall rules, SSL\/TLS hardening, and rate limiting configurations.<\/p>\n\n\n\n
We assume you have root access to a Linux VPS running Nginx. If you haven’t picked a provider yet, compare options on our VPS comparison table<\/a>.<\/p>\n\n\n\n Start with a default-deny firewall policy. UFW (Uncomplicated Firewall) is the simplest option on Ubuntu:<\/p>\n\n\n\n This allows SSH management and web traffic only. If your application needs additional ports (e.g., 8080 for a Node.js app, 3306 for MySQL from a specific IP), add them individually rather than opening wide ranges.<\/p>\n\n\n\n For tighter control, restrict SSH to your office or home IP:<\/p>\n\n\n\n For high-traffic servers, bypass UFW and write direct iptables rules. Limit connection rates to prevent SYN floods:<\/p>\n\n\n\n These rules drop connections from any single IP that exceeds 100 concurrent connections to ports 80 or 443. Adjust the threshold based on your traffic profile.<\/p>\n\n\n\n Let’s Encrypt provides free, automated certificates, but the default configuration leaves security on the table. Hardening your TLS setup blocks downgrade attacks and ensures modern clients connect with strong ciphers.<\/p>\n\n\n\n Diffie-Hellman key exchange strength depends on the parameter size. Generate a 4096-bit DH group (this takes a few minutes on a VPS):<\/p>\n\n\n\n Replace your This configuration: enforces TLS 1.2 and 1.3 only, uses AEAD ciphers (GCM mode), disables session tickets (prevents ticket-based decryption attacks), and sets a secure ECDH curve. Test your setup at SSL Labs<\/a> — aim for an A+ rating.<\/p>\n\n\n\n Add these headers to your Nginx config to prevent downgrade attacks and content injection:<\/p>\n\n\n\n HSTS tells browsers to always connect via HTTPS for the next two years. Submit your domain to the HSTS preload list<\/a> for baked-in protection in Chrome, Firefox, and Safari.<\/p>\n\n\n\n Nginx has a built-in rate limiting module that tracks requests by IP and throttles clients exceeding a threshold. This stops brute force login attempts, XML-RPC attacks on WordPress, and resource-exhaustion DDoS.<\/p>\n\n\n\n In your Then apply it in your This allows 30 requests per second per IP, with a burst capacity of 50 before queuing or dropping. Adjust the rate based on your site’s typical traffic patterns.<\/p>\n\n\n\n Apply stricter limits to login endpoints. For WordPress, target This limits login attempts to 3 per minute per IP and blocks the notoriously insecure XML-RPC endpoint entirely (unless you specifically need it for the Jetpack app or mobile clients).<\/p>\n\n\n\n Complement rate limiting with connection limits per IP:<\/p>\n\n\n\n This limits each IP to 10 concurrent connections. Combined with rate limiting, it effectively mitigates most layer 7 DDoS attacks targeting your VPS.<\/p>\n\n\n\n A complete Nginx security configuration combines all three layers. Start with the firewall to control access at the network level, then harden SSL\/TLS to protect data in transit, and finish with rate limiting to defend the application layer. Test every change in a staging environment before applying to production.<\/p>\n\n\n\n For a managed VPS that includes pre-configured security, consider Cloudways ($14\/month)<\/a> with built-in firewall and automated SSL. Budget-conscious users can start with InterServer ($3\/month)<\/a> and apply these hardening steps manually. Browse all providers on our VPS comparison table<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Nginx powers over 30% of all websites, and its popularity makes it a frequent target for automated attacks, brute force logins, and DDoS attempts. Securing Nginx on your VPS isn’t…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-420","post","type-post","status-publish","format-standard","hentry","category-vps-guides-tutorials"],"yoast_head":"\n1. Firewall: Lock Down Everything Except Ports 80 and 443<\/h2>\n\n\n\n
sudo ufw default deny incoming\nsudo ufw default allow outgoing\nsudo ufw allow ssh\nsudo ufw allow 80\/tcp\nsudo ufw allow 443\/tcp\nsudo ufw enable<\/code><\/pre>\n\n\n\nsudo ufw allow from 203.0.113.50 to any port 22<\/code><\/pre>\n\n\n\nAdvanced: Nginx-Specific iptables Rules<\/h3>\n\n\n\n
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 --connlimit-mask 32 -j DROP\niptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 100 --connlimit-mask 32 -j DROP<\/code><\/pre>\n\n\n\n2. SSL\/TLS: Move Beyond Default Certificates<\/h2>\n\n\n\n
Generate a Strong DH Parameter<\/h3>\n\n\n\n
sudo openssl dhparam -out \/etc\/ssl\/certs\/dhparam.pem 4096<\/code><\/pre>\n\n\n\nHardened Nginx SSL Configuration<\/h3>\n\n\n\n
server<\/code> block SSL settings with these:<\/p>\n\n\n\nssl_protocols TLSv1.2 TLSv1.3;\nssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;\nssl_prefer_server_ciphers off;\nssl_ecdh_curve secp384r1;\nssl_dhparam \/etc\/ssl\/certs\/dhparam.pem;\nssl_session_cache shared:SSL:10m;\nssl_session_timeout 10m;\nssl_session_tickets off;<\/code><\/pre>\n\n\n\nEnable HSTS and Security Headers<\/h3>\n\n\n\n
add_header Strict-Transport-Security \"max-age=63072000; includeSubDomains; preload\" always;\nadd_header X-Content-Type-Options \"nosniff\" always;\nadd_header X-Frame-Options \"SAMEORIGIN\" always;\nadd_header X-XSS-Protection \"1; mode=block\" always;\nadd_header Referrer-Policy \"strict-origin-when-cross-origin\" always;<\/code><\/pre>\n\n\n\n3. Rate Limiting: Stop Brute Force and DDoS at the Nginx Layer<\/h2>\n\n\n\n
Basic Rate Limiting for All Requests<\/h3>\n\n\n\n
http<\/code> block, define a limit zone:<\/p>\n\n\n\nlimit_req_zone $binary_remote_addr zone=basic:10m rate=30r\/s;<\/code><\/pre>\n\n\n\nserver<\/code> or location<\/code> blocks:<\/p>\n\n\n\nlimit_req zone=basic burst=50 nodelay;<\/code><\/pre>\n\n\n\nLogin Page Hardening<\/h3>\n\n\n\n
wp-login.php<\/code> and xmlrpc.php<\/code>:<\/p>\n\n\n\nlocation \/wp-login.php {\n limit_req zone=login:10m rate=3r\/m;\n limit_conn login_conn 5;\n # ... rest of config\n}\n\nlocation \/xmlrpc.php {\n deny all;\n}<\/code><\/pre>\n\n\n\nConnection Limiting<\/h3>\n\n\n\n
limit_conn_zone $binary_remote_addr zone=addr:10m;\n\nserver {\n limit_conn addr 10;\n}<\/code><\/pre>\n\n\n\nPutting It All Together<\/h2>\n\n\n\n