Securing a WordPress website with an nginx wrapper.
Three servers
Technically, there are three web servers in this configuration. The core WordPress server runs on Apache as usual, but only "listens" to an IP address internal to the server.
The administrative interface at port 8080, while on the public IP address, is configured to only service requests from authenticated locations – usually a small number of IP addresses associated with the organization. This nginx server forwards all requests to the WordPress server on the internal address.
The public web site is served by nginx on port 80. It does not connect to the WordPress server at all, but simply returns cached copies of the web pages from files on the disk. This is accomplished through a caching job scheduled under 'cron', which reads from WordPress to create those files.
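The two nginx servers described above, sketched as a configuration. This is an added example, not the author's own configuration; the loopback port 8081 for Apache, the document root path, the host name and the allowlisted addresses are all placeholders.

```nginx
# Added example: names, paths and addresses are assumptions, not the author's config.
# Assumes Apache/WordPress is bound to loopback only, e.g. "Listen 127.0.0.1:8081".

# Public site: flat files only. There is no proxy_pass in this block,
# so no request arriving on port 80 can reach WordPress or PHP.
server {
    listen 80;
    server_name www.example.org;          # placeholder host name
    root /var/www/static-cache;           # placeholder; written by the cron caching job
    index index.html;

    # Flat files only need to be read.
    if ($request_method !~ ^(GET|HEAD)$) { return 405; }

    location / {
        # /about/ is served from /about/index.html as rendered by the caching job.
        try_files $uri $uri/index.html =404;
    }

    # Nothing under this root is executed; probes for PHP endpoints get a 404.
    location ~ \.php$ { return 404; }
}

# Administrative interface: allowlisted sources only, forwarded to WordPress.
server {
    listen 8080;
    server_name www.example.org;

    allow 203.0.113.10;                   # placeholder office address
    allow 198.51.100.0/28;                # placeholder organization range
    deny  all;                            # everyone else gets 403

    location / {
        proxy_pass http://127.0.0.1:8081; # the internal Apache/WordPress listener
        proxy_set_header Host $http_host; # keep the :8080 port in generated links
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After a reload, `nginx -t` should pass, a request to port 8080 from a non-allowlisted address should return 403, and a request for any `.php` path on port 80 should return 404.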
A walk through the database
The caching system walks through the WordPress website, mimicking web requests and writing the rendered pages to files on the drive volume. These files reside in the "document root" of the nginx server, which responds to requests for content with that flat content from the drive.
Fast, scalable, and immune
The resulting nginx-driven website is both immune to probes for WordPress vulnerabilities and fast enough to be harder to take offline with modest DDoS attacks. In fact, because it takes so little work to produce the requested web pages, it's much lighter on the server and can therefore deal with a higher volume of traffic. And in that regard I believe it's worth looking at as a partial solution for large, dynamic websites that can partially offload content delivery to such an engine. This is by no means a new idea – I was involved in such a scheme for delivering the official website of the Sydney Olympics back in the stone ages of the Internet in 2000. But for security purposes I think this old idea is worthwhile in the current age.