nginx + wordpress: Best practices for configuring it to be secure, reliable, and fast? [closed]

What permissions should I set on each of wp folders? Users will need
to upload various assets (images, pdfs, office docs, audio, video). I
found this article here that seems helpful, but would like to get some
input from folks having done this?

This will be the same as any other web server. Whatever user happens to be running the web server needs permission to access the files it's meant to serve. With PHP-FPM backing the PHP portion of things, its user will need access to the PHP files. Generally both PHP-FPM and Nginx will run under the same user, but that's really up to you.

SO! Let's say both Nginx and PHP-FPM are running under www-data. Your document root and its files should be readable by that user. If I'm running a server for a client, I'm likely to use a deploy user for scripted/automated deployments, so that probably means that the files will be group readable/writeable, e.g. 775 permissions.

What is the/a recommended configuration for nginx? Below is mine, but
as I'm new to nginx I'm not all that confident that I have the best
configuration or if it is even a good one. What can/should be done to
improve it?

There are a few repos on github that you should take a look at:

https://github.com/perusio/wordpress-nginx

https://github.com/pothi/WordPress-Nginx

Both have pretty good examples of Nginx config files.

What you have looks like the default Ubuntu install config. A few things to keep in mind:

  1. Nginx is fast. Like stupid fast. If you're not doing anything crazy CPU intensive (a la serving SSL) a single worker process should be fine. But you can bump it up to something equal to the number of CPU cores.
  2. worker_connections has some good info in the docs that you should take a look at regarding the max clients your server can handle.
  3. limit_conn_zone and limit_zone present some interesting things to help mitigate traffic spikes. They are also incredibly hard to tweak and get right. Use caution!
  4. Utilize browser caching and set Expires headers. There are no per-directory config files like .htaccess in nginx where you can control caching headers. Be sure to do it in your server config.
  5. Be sure to look into the gzip module and understand what the directives do and if you need to modify anything. Especially gzip_types, which only defaults to text/html.
  6. If at all possible, try using a unix socket to pass PHP files off to FPM. I've had better luck with this than listening on a localhost port.

w3 Total Cache or WP Supercache? What are the better/best caching
options and how are folks managing their cache? As I'm running on an
unmanaged server, perhaps there are other suggestions?

I would suggest not doing this until you are sure you need to. If you're on a server to which you have complete access, I would be inclined to do full page caching backed by something like a persistent object cache and batcache.

How do you set up a CDN and what should you put up in it? I have an
Amazon S3 account to use, just not sure how it should be used?

S3 is not a CDN. So you want your images to live elsewhere? Then use S3 + CloudFront with S3 as the origin to serve files.

If you want a super simple CDN, set up an "origin pull" CDN that fetches files from your server, respects their cache headers and refreshes based on that, and serves files for you. This is incredibly easy to set up.

What should I use to perform and manage backups of WordPress sites
(content and database)?

I am a super-nerd, so I use automated scripts (written with Fabric) to just SSH in, do a mysqldump, and then download the SQL dump. Rsync is speedy to grab static files, but you could also just tarball a snapshot of the media and download it.

Obviously there are other solutions to this issue. Vaultpress, etc. Look around.

What should I install for a robust security infrastructure?

Password-less SSH. And, since you’re in control of the box you can have WordPress use bcrypt to hash passwords to make them slightly more secure.

Other than that, the usual stuff applies: good passwords and grant permissions appropriately — both in WP and on the server itself.

What should I be using to monitor the performance and potential
problems (whether it be performance or security breaches)?

Take your pick. Look around. See what you need to monitor. There are uptime monitors, system performance monitoring solutions. Too broad of a question.

Generally speaking, in what ways should folks deviate from the Guides?

When the guidelines don’t work for you.

Most of the follow ups to these questions would be better suited to a site like ServerFault, by the way.
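An nginx configuration that puts the six points from the answer above into one file, added here as an illustration and not the answerer's config or anything from the linked repos. The server name, document root and PHP-FPM socket path are assumptions; adjust them to your install.

```nginx
# Illustrative config; server_name, root and the FPM socket path are assumed.
user www-data;
worker_processes auto;            # point 1: one is fine; scales to CPU cores

events {
    worker_connections 1024;      # point 2: read the docs before raising this
}

http {
    include mime.types;

    # point 3: per-client connection limit, start loose and tune with caution
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    # point 5: gzip_types defaults to text/html only, so widen it deliberately
    gzip on;
    gzip_types text/plain text/css application/json application/javascript
               text/xml application/xml application/xml+rss image/svg+xml;

    # point 6: hand PHP to FPM over a unix socket instead of a localhost port
    upstream php {
        server unix:/run/php/php-fpm.sock;   # assumed socket path
    }

    server {
        listen 80;
        server_name example.com;             # placeholder
        root /var/www/example.com/public;    # assumed document root
        index index.php;

        limit_conn perip 20;

        # point 4: no .htaccess in nginx, so cache headers are set here
        location ~* \.(?:css|js|jpe?g|png|gif|ico|svg|pdf|mp3|mp4|woff2?)$ {
            expires 30d;
            add_header Cache-Control "public";
            try_files $uri =404;
        }

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            try_files $uri =404;             # never hand a missing script to FPM
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass php;
        }
    }
}
```

Check it with `nginx -t` before reloading, since a typo in a regex location fails the whole file rather than just that block.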