How to Redirect URLs Using Nginx


What is a Redirect?

A redirect is a web server function that will redirect traffic from one URL to another. Redirects are an important feature when the need arises. There are several different types of redirects, but the more common forms are temporary and permanent. In this article, we will provide some examples of redirecting through the vhost file, forcing a secure HTTPS connection, redirection to www and non-www as well as the difference between temporary and permanent redirects.

Note
As this is an Nginx server, any .htaccess rules will not apply. If you're using the other popular web server, Apache, you'll find this article useful.

Common Methods for Redirects

Temporary redirects (response code: 302 Found) are helpful if a URL is temporarily being served from a different location. For example, these are helpful when performing maintenance and can redirect users to a maintenance page.

However, permanent redirects (response code: 301 Moved Permanently) inform the browser there was an old URL that it should forget and not attempt to access anymore. These are helpful when content has moved from one place to another.

 

How to Redirect

When it comes to Nginx, redirects are handled within a .conf file, typically /etc/nginx/sites-available/directory_name.conf, where directory_name is the name of your site's document root directory. The document root directory is where your site's files live; it can be /html if you have one site on the server, or /domain.com if your server has multiple sites. Either way, that name will be your .conf file name. In the /etc/nginx/sites-available/ directory you'll find the default file, which you can copy or append your redirects to. Or you can create a new file named html.conf or domain.com.conf.

Note
If you choose to create a new file, be sure to update your symbolic links in /etc/nginx/sites-enabled with the command:

ln -s /etc/nginx/sites-available/domain.com.conf /etc/nginx/sites-enabled/domain.com.conf

The first example we’ll cover is redirection of a specific page/directory to the new page/directory.

Temporary Page to Page Redirect

server {
# Temporary redirect to an individual page
rewrite ^/oldpage$ http://www.domain.com/newpage redirect;
}

Permanent Page to Page Redirect

server {
# Permanent redirect to an individual page
rewrite ^/oldpage$ http://www.domain.com/newpage permanent;
}

Permanent www to non-www Redirect

server {
# Permanent redirect to non-www
server_name www.domain.com;
rewrite ^/(.*)$ http://domain.com/$1 permanent;
}

Permanent Redirect to www

server {
# Permanent redirect to www (same domain, www host)
server_name domain.com;
rewrite ^/(.*)$ http://www.domain.com/$1 permanent;
}

Sometimes the need will arise to change the domain name for a website. In this case, a redirect from the old site's URL to the new site's URL will be very helpful in letting users know the domain was moved to a new URL.

The next example we’ll cover is redirecting an old URL to a new URL.

Permanent Redirect to New URL

server {
# Permanent redirect to new URL
server_name olddomain.com;
rewrite ^/(.*)$ http://newdomain.com/$1 permanent;
}

We’ve added the redirect using the rewrite directive we discussed earlier. The ^/(.*)$ regular expression captures everything after the / in the URL, and $1 inserts it into the new URL. For example, http://olddomain.com/index.html will redirect to http://newdomain.com/index.html. To achieve the permanent redirect, we add permanent at the end of the rewrite directive, as you can see in the example code.

When it comes to HTTPS and being fully secure, it is ideal to force everyone to use https:// instead of http://.

Redirect to HTTPS

server {
# Redirect to HTTPS on the same domain (fixed host name, not taken from the request)
listen      80;
server_name domain.com www.domain.com;
return      301 https://domain.com$request_uri;
}

After these rewrite rules are in place, testing the configuration prior to running a restart is recommended. Nginx syntax can be checked with the -t flag to ensure there is not a typo present in the file.

Nginx Syntax Check

nginx -t

If no errors are reported, the syntax is correct, and Nginx has to be reloaded for the redirects to take effect.

Restarting Nginx

service nginx reload

For CentOS 7, which unlike CentOS 6 uses systemd:

systemctl restart nginx
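
A syntax check confirms that the file parses, not where each rule sends visitors. The script below is an added example, not part of the original article (`audit_redirects`, `plaintext_count`, `write_sample_conf` and the sample vhost are constructed for illustration). It lists every redirect in a config file with its status code and target scheme, so rules that still point at http:// after HTTPS is enforced stand out.

```shell
#!/bin/sh
# Added example: list the redirects a vhost file defines.

# Prints "<line>:<status>:<scheme>:<target>" for every rule that redirects:
#   rewrite ... permanent;      -> 301
#   rewrite ... redirect;       -> 302
#   rewrite to an absolute URL  -> 302 when no permanent flag is given
#   return 301|302|307|308 URL;
# Simplification: each directive is assumed to sit on one line.
audit_redirects() {
    awk '
    function emit(code, url,    scheme) {
        scheme = "other"
        if (url ~ /^https:\/\//) scheme = "https"
        else if (url ~ /^http:\/\//) scheme = "http"
        printf "%d:%s:%s:%s\n", NR, code, scheme, url
    }
    { sub(/[ \t]#.*/, "") }                  # strip trailing comments
    $1 == "rewrite" && NF >= 3 {
        url = $3;  sub(/;$/, "", url)
        flag = $4; sub(/;$/, "", flag)
        if (flag == "permanent") emit(301, url)
        else if (flag == "redirect" || url ~ /^https?:\/\//) emit(302, url)
    }
    $1 == "return" && $2 ~ /^30[1278]$/ && NF >= 3 {
        url = $3; sub(/;$/, "", url)
        emit($2, url)
    }' "$1"
}

# Number of redirects that send the visitor to a plaintext http:// target.
plaintext_count() {
    audit_redirects "$1" | awk -F: '$3 == "http" { n++ } END { print n + 0 }'
}

# Constructed sample vhost file; it is only parsed by the script, not loaded by Nginx.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
server {
    listen 80;
    server_name domain.com www.domain.com;
    return 301 https://domain.com$request_uri;   # force HTTPS
}
server {
    server_name olddomain.com;
    rewrite ^/(.*)$ http://newdomain.com/$1 permanent;
}
server {
    server_name domain.com;
    rewrite ^/oldpage$ http://www.domain.com/newpage redirect;
    rewrite ^/app/(.*)$ /index.php?q=$1 last;
}
EOF
    printf '%s\n' "$f"
}

conf=$(write_sample_conf)
audit_redirects "$conf"
echo "plaintext targets: $(plaintext_count "$conf")"
rm -f "$conf"
```

Run it against the file in /etc/nginx/sites-available/ before `nginx -t`; a non-zero plaintext count means some visitors are still being redirected to an unencrypted URL.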

Redirects on Managed WordPress/WooCommerce

If you are on our Managed WordPress/WooCommerce products, redirects can happen through the /home/s#/nginx/redirects.conf file. Each site will have its own s#, which is the FTP/SSH user for that site. The plugin called ‘Redirection’ can be downloaded to help with a simple page to page redirect; otherwise, the redirects.conf file can be used to add more specific redirects using the examples explained above.

Due to the nature of a managed platform after you have the rules in place within the redirects.conf file, please reach out to support and ask for Nginx to be reloaded. If you are uncomfortable with performing the outlined steps above, contact our support team via chat, ticket or a phone call.  With Managed WordPress/WooCommerce you get 24/7 support available and ready to help you!

Resolving WooCommerce Plugin and Theme Issues


What is WooCommerce?

WooCommerce is a plugin with regular update releases, which add new features and improve existing ones, along with resolving any bugs or known security vulnerabilities. WooCommerce is actively installed on over 4 million WordPress sites and is used to drive e-commerce on a pretty high number of those sites.

 

Testing for Plugin and Theme Issues


8 WP-CLI Commands to Clean Up and Optimize your Site


Want to clean up your WordPress site without having to add multiple plugins? By using WP-CLI, you can run many useful commands to helpfully clean up your database and elements related to your site. In this post, many of the most common tasks are covered:


Rollback a Plugin or Theme Using WP-CLI

WP-CLI makes it very easy to roll back plugins and themes, as well as update plugins and themes on sites, all from the command line. This is useful if you see your site is broken by a newer version of the theme or plugin. In this article, we’ll be running through some valuable commands for rolling back your site.

If you need to rollback a plugin on a site to a previous version, you can find the previous version number from the development tab of the plugins listed on WordPress.org. To find the slug of the plugin, you will need to go to the WordPress.org plugins. In the case of Contact Form 7, the plugin slug is contact-form-7.

Note:
You can also find the plugin or theme slug by going to your WordPress files and typing in:
wp plugin list

wp theme list

Pre-flight

Rollback a Plugin to a Previous Version

If you need to test that the command is correct, you can always use the flag --dry-run at the end of the command:

wp plugin update contact-form-7 --version=5.0.5 --dry-run

In the following example, to rollback Contact Form 7, you can use this command:

wp plugin update contact-form-7 --version=5.0.5

 

Activate A Particular Version of a Plugin

If you need to install and activate a previous version of a plugin, run:

wp plugin install contact-form-7 --version=5.0.5 --activate --force

 

Update All Plugins

If the plugins you updated have been fixed and you now need to update all plugins, the example command is:

wp plugin update --all

Excluding A Plugin

If you want to update all plugins, but need to exclude a specific plugin (in this case WooCommerce), run the command:

wp plugin update --all --exclude=woocommerce

 

Rollback a Theme to a Previous Version

If you did need to rollback a parent theme to a previous version, you could use this command example which would rollback the Storefront theme to version 2.4.0:

wp theme update storefront --version=2.4.0

 

Update Theme to Current Version Release

If you now wanted to update the Storefront theme on a site to the most current version, you could use this command example:

wp theme update storefront

 

Using a mix of these WP-CLI commands will enable you to easily roll back a plugin on your site, roll back a theme, update all plugins, or update all plugins while excluding a specific plugin from being updated.  Our Managed WordPress product comes with WP-CLI installed along with easy, automatic updates.  Check out how our Managed WordPress platform can streamline your work today!

What are Common Commands to Update WordPress Using WP-CLI?

WP-CLI is a very handy set of commands. You can run anything that you would run in wp-admin on a WordPress site but from the command line. WP-CLI includes useful commands to keep WordPress core, plugins, and the default themes that come with WordPress updated.

Managed WordPress – Frequently Asked Questions


We have collected some of the most common questions that customers ask about our Managed WordPress Hosting platform and housed them in one place.


An Overview of Managed WordPress

WordPress is open source software for building unique and powerful websites! It is quickly becoming the easiest and most popular way to create blogs, business sites, portfolios, forums, memberships, and e-commerce websites.

The Best Ways to Secure WordPress

On our Managed WordPress hosting platform, we strive to ensure security with regularly scheduled patches and updates. By utilizing our intrusion prevention software, we mitigate malicious activity and block repeated failed logins for your WordPress admin portal. Furthermore, our web-application firewall restricts unneeded ports and applies custom rules to help protect you on the application level. We take care of the administration work so you can spend more time securing your site. Below, our Managed WordPress admins share tested (and trusted) implementations to keep your site locked up tight.

WordPress Security Plugins

iThemes Security

The iThemes Security plugin is a fantastic addition to enhance your security, and it is easy to install.  It adds an extra layer of protection; below is a list of security features that iThemes Security Pro provides.
    • Banned Users – Allows you to completely ban hosts and user agents from your site
    • Network Brute Force Protection – Banning users who have tried to break into other sites from breaking into yours. The network protection will automatically report the IP addresses of failed login attempts to iThemes
    • SSL – This feature redirects all http traffic to https
    • Strong Password Enforcement – Force users to use strong passwords as rated by the WordPress password meter
    • System Tweaks:
      • Disable Directory Browsing
      • Filter Suspicious Query Strings in the URL
      • Remove File Writing Permissions – Prevents scripts and users from being able to write to the wp-config.php file and .htaccess file
      • Disable PHP in Uploads – Disable PHP execution in the uploads directory. This blocks requests to maliciously uploaded PHP files in the uploads directory.
      • Disable PHP in Plugins – Disable PHP execution in the plugins directory. This blocks requests to PHP files inside plugin directories that can be exploited directly.
    • Change WordPress Salts – Use WordPress Salts to encrypt any passwords saved within WordPress, this adds an extra layer in password protection. Check this box and then save settings to change your WordPress Salts.

    • WordPress Tweaks:
      • Comment Spam – Reduce Comment Spam
      • XML-RPC – The XML-RPC feature allows external services to access and modify content on the site. Common examples of services that make use of XML-RPC are the Jetpack plugin, the WordPress mobile app, and pingbacks. If the site does not use a service that requires XML-RPC, select the “Disable XML-RPC” setting, as disabling XML-RPC prevents attackers from using the feature to attack the site. The “Disable Pingbacks” setting only disables pingbacks; other XML-RPC features will work as normal. Select this setting if you require features such as Jetpack or the WordPress mobile app.
      • Block XML-RPC requests that contain multiple login attempts.
      • Restricted Access – Restrict access to most REST API data. This means that most requests will require a logged in user or a user with specific privileges, blocking public requests for potentially private data.
      • Force Unique Nickname – This forces users to choose a unique nickname when updating their profile or creating a new account, which prevents bots and attackers from easily harvesting users’ login usernames from the code on author pages. Note this does not automatically update existing users; it will affect author feed URLs if used.
      • Protect Against Tabnapping – Alter target="_blank" links to protect against tabnapping. Enabling this feature helps protect visitors to this site (including logged in users) from phishing attacks launched by a linked site.
      • Login with Email Address or Username – By default, WordPress allows users to log in using either an email address or username. This setting allows you to restrict logins to only accept email addresses or usernames.

To install, log in to your WordPress dashboard and click on “Plugins” on the left. Click on “Add New” and use the search box to find “iThemes Security (formerly Better WP Security)”. Click on “Install Now”, and then activate the plugin.  On the left bar, click on “Security” and iThemes will start a security check on your site.  Additionally, you can click on Security > Settings on the left to enable any security features that fit your website.

WordFence

Wordfence Security – Firewall & Malware Scan plugin – Wordfence includes an endpoint firewall and malware scanner.  One of the key features is its Threat Defense Feed, which arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses to keep your website safe.  Click on the Wordfence subtitle to jump to installation and setup instructions.

CloudFlare

You can create an account with Cloudflare to help protect your websites from various attacks. Cloudflare helps mitigate DDoS attacks, prevent customer data breaches, and block malicious bot abuse. Cloudflare DNS is DDoS protection for domain resolution. It sits behind the same 15 Tbps network that protects over 7 million Internet properties from denial-of-service attacks.  Cloudflare DNS also comes with built-in load-balancing, automatic failover, rate-limiting, and filtering. Cloudflare also offers DNSSEC to add a layer of trust on top of DNS by providing authentication.

Web Application Firewall (WAF)

Web application firewall (WAF) rulesets – Available on all of Cloudflare’s paid plans, the WAF has built-in rulesets, including rules that mitigate WordPress specific threats and vulnerabilities. Additional features: automatic cache purge, and header rewrite to prevent a redirect loop when Cloudflare’s Universal SSL is enabled.  You can change Cloudflare’s settings from within the plugin itself without needing to navigate to the cloudflare.com dashboard. The available settings to change are: cache purge, security level, Always Online, and image optimization.

Sucuri

As an auditing, malware scanner, and security hardening plugin, it’s a security suite that works well with your existing website’s  security. This plugin offers a great set of security features such as Security Activity Auditing, File Integrity Monitoring, Remote Malware Scanning, Blacklist Monitoring, Effective Security Hardening, Post-Hack Security Actions, Security Notifications, and Website Firewall (premium).

General Security Recommendations

We are living in an age where security needs to be updated at all times. Passwords are one of those crucial security mechanisms that need to be updated at least every 30 to 60 days. The recommendation for password complexity is at least 15 characters containing a combination of uppercase letters, lowercase letters, numbers, and symbols. The passwords should not contain dictionary words, usernames, personal information, or letter sequences. The passwords should not be reused in a given year.

Along with having secured passwords, your computer should also be protected.  Attackers can exploit computers that have outdated operating systems using worms, malware, Trojans, and viruses. You will need to make sure your computer has the latest security patches and fixes.  All browsers should be the latest versions. Do not install any software or browser plugins from any untrusted parties.  Install reputable anti-virus software and conduct regular malware scans on your computer.

The most common source for malicious injections are vulnerabilities in CMS software, plugins, themes and other commonly used third party code. We recommend taking measures to update all CMS software, plugins and themes used to the latest versions available from their respective vendors. This would help limit the chance of future infections occurring.

Registering your website with Google Webmaster Tools will tell you the health of your website. Change the default “admin” username.  Since usernames make up half of login credentials, having the username “admin” makes it easier for hackers to do brute-force attacks.

Final Thoughts

Being at the top of your game on security is worthwhile to avoid paying expensive fees to clean up a hacked site, especially since there are many free security options at your disposal. Take a stroll through our Managed WordPress product page and discover how we can take the guesswork out of security. Along with a 24/7 support team at your fingertips, our Managed WordPress platform automatically updates plugins to reduce your site’s vulnerability to malware.

Configuring NGINX for Managed WordPress

Running a WordPress site can be incredibly simple and used right out of the box, but you may need to customize or add specific files in order to get the most out of your site. Our Managed WordPress customers can include custom NGINX configurations for individual sites because we know that adding simple redirects or adjusting browser cache settings are actions that many of our Managed WordPress users do on a regular basis. Read on to learn how you can use this functionality for your own site.

Featured Video: How to Add a Site to Liquid Web’s Managed WordPress

In this Knowledge Base article we feature a tutorial video provided by AJ Morris, our Managed WordPress product manager. In this video AJ will show us how simple it is to set up a site in your Managed WordPress Portal.

Whether you’re building a site from scratch or migrating one over, this will be a great place to start.