Your Nginx Config Is Leaving Performance on the Table — Here’s How to Fix It in One Command

by

I’ve been optimizing WordPress sites for years. And every single time, I find the same thing: the nginx config is either the default that shipped with the server, or a half-done copy from a DigitalOcean tutorial circa 2019.

The PHP side gets all the attention — object caching, query optimization, autoloader tuning. But the web server sitting in front of it? Running HTTP/1.1 with gzip commented out.

That’s why I built nginx-optimizer — a single command that analyzes your nginx setup and applies every optimization that matters, with automatic backup and one-command rollback.

What’s Actually Wrong With Your Nginx Config

Let’s look at a typical WordPress nginx config — the kind you’d find on 90% of WordPress servers:

server {
    listen 80;
    server_name example.com;
    root /var/www/html;
    index index.php;

    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires 30d;
    }
}

This config works. WordPress loads. Pages render. But here’s what it’s missing:

  • No HTTP/3 — Every connection uses the 2012-era HTTP/1.1 protocol. No multiplexing, no 0-RTT resumption, no QUIC.
  • No compression — Every HTML page, CSS file, and API response ships uncompressed. That’s 60-70% wasted bandwidth.
  • No page caching — Every single request hits PHP-FPM, which boots WordPress, runs 50+ database queries, and assembles the page from scratch. For the same content. Every time.
  • No security headers — No HSTS, no CSP, no X-Frame-Options. SecurityHeaders.com gives it an F.
  • No rate limiting — Your wp-login.php is wide open to brute-force attacks.
  • 30-day static asset expiry — Should be 1 year with immutable. Browsers are re-validating assets that never change.

The performance cost? A page that could load in 50ms takes 800ms. Every time.

The Fix: One Command

nginx-optimizer optimize --dry-run

That’s it. The tool:

  1. Detects your nginx setup (system, Docker, wp-test environments)
  2. Analyzes which optimizations are already present (it won’t duplicate what you have)
  3. Creates a timestamped backup of your entire nginx config
  4. Applies HTTP/3, Brotli compression, FastCGI caching, security headers, WordPress hardening, and OpCache tuning
  5. Validates the config with nginx -t before reloading
  6. Auto-rolls back if validation fails

The --dry-run flag shows you exactly what would change without touching anything. When you’re ready:

nginx-optimizer optimize

What Gets Applied

Here’s the full optimization stack, with real numbers:

HTTP/3 (QUIC)

HTTP/3 replaces TCP with QUIC — a UDP-based protocol that eliminates head-of-line blocking and supports 0-RTT connection resumption. Returning visitors skip the TLS handshake entirely.

Impact: 15-25% faster page loads on mobile and high-latency connections. Connection setup goes from 2 round-trips (TCP + TLS) to zero for returning visitors.

FastCGI Full-Page Cache

This is the single biggest performance win. Instead of hitting PHP-FPM on every request, nginx serves a cached HTML file directly from memory. PHP never runs for anonymous visitors.

Impact: TTFB drops from 400ms to under 15ms. Server CPU usage drops 80-90% for anonymous traffic. Your $5/month VPS suddenly handles 10x the traffic.

FastCGI caching alone transforms a WordPress site more than any plugin ever will. It’s the difference between “nginx as a proxy” and “nginx as a static file server that happens to know when to ask PHP.”

The optimizer automatically configures WooCommerce-aware cache bypass rules — cart pages, checkout, and logged-in users always hit PHP. Zero cache poisoning risk.

Brotli + Gzip Compression

Brotli compresses 20-30% better than Gzip for text content, at similar CPU cost. The optimizer enables both — Brotli for modern browsers (95%+ support), Gzip as fallback.

Impact: A typical WordPress page goes from 45KB to ~12KB with Brotli vs ~16KB with Gzip alone. Applied across 30+ MIME types including JSON API responses, SVGs, and web fonts.

Security Headers & Rate Limiting

The full suite: HSTS (forces HTTPS), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (stops MIME sniffing), Content-Security-Policy, Referrer-Policy, and Permissions-Policy.

Plus zone-based rate limiting:

  • wp-login.php: 5 requests/minute (stops brute-force)
  • wp-json/ API: 30 requests/second
  • General: 10 requests/second with burst handling

Impact: SecurityHeaders.com grade goes from F to A+. Rate limiting blocks 99% of credential stuffing attacks without affecting legitimate users.

WordPress Hardening

Blocks xmlrpc.php (returns 444 — drops the connection without a response), protects wp-config.php, denies PHP execution in wp-includes, and returns 404 for hidden files.

Impact: Closes the most commonly exploited WordPress attack vectors. xmlrpc.php alone accounts for roughly 30% of brute-force attempts on a typical WordPress site.

PHP OpCache Tuning

JIT-enabled OpCache with optimized buffer sizes and interned strings. Most servers run the default OpCache config, which is conservative.

Impact: 20-40% faster PHP execution for uncached requests (admin pages, AJAX, WooCommerce cart operations).

Smart Detection — It Won’t Break What Works

This is the part that took the most engineering. The optimizer doesn’t blindly apply templates. It runs a detection pass first:

nginx-optimizer analyze

For each feature, it checks if the optimization already exists in your config. If you already have Brotli configured, it skips Brotli. If your FastCGI cache is already set up, it leaves it alone.

I tested this against 12 real-world config patterns — from stock nginx defaults to fully-optimized production setups. The “already optimized” test config gets zero changes applied. The detection system correctly identifies every existing optimization.

Safety First: Backup & Rollback

Every optimization creates a timestamped backup. If anything goes wrong:

# See what changed
nginx-optimizer diff

# Roll back to previous state
nginx-optimizer rollback

The optimizer also runs nginx -t after every change. If the config is invalid, it automatically rolls back before nginx even sees the bad config. You can’t break your server.

New in v0.10.0: the verify command compares your running config against what nginx-optimizer applied, detecting configuration drift:

nginx-optimizer verify

Real Numbers: Before and After

Here’s what happens when you run nginx-optimizer against a stock WordPress nginx config (the kind most tutorials produce):

Metric Before After
TTFB (anonymous) ~400ms <15ms
Page load (cached) ~800ms ~50ms
Transfer size (HTML) 45KB 12KB
DB queries per page view 50+ 0 (cached) / 35 (Redis)
Security grade F A+
Protocol HTTP/1.1 HTTP/3 QUIC + TLS 1.3
Server CPU (100 req/s) 80% (PHP on every request) 8% (nginx serves from cache)

For a WooCommerce site that already has FastCGI caching, the gains are smaller but still significant — HTTP/3 for mobile performance, Brotli for bandwidth, and security headers that payment processors audit for.

Installation

One line:

curl -fsSL https://raw.githubusercontent.com/MarcinDudekDev/nginx-optimizer/main/install.sh | bash

Or with Homebrew on macOS:

brew install --HEAD MarcinDudekDev/tap/nginx-optimizer

Or clone it:

git clone https://github.com/MarcinDudekDev/nginx-optimizer.git
cd nginx-optimizer
chmod +x nginx-optimizer.sh

It’s a bash script with zero dependencies beyond what’s already on your server (curl, rsync, jq optional). No Python, no Node, no Ruby. Works on bash 3.2+ (macOS default) through 5.x.

The Recommended Workflow

Here’s how I use it on client sites:

# 1. See what you're working with
nginx-optimizer analyze

# 2. Run pre-flight checks
nginx-optimizer check

# 3. Preview all changes (no modifications)
nginx-optimizer optimize --dry-run

# 4. Apply optimizations
nginx-optimizer optimize

# 5. Verify everything matches
nginx-optimizer verify

# 6. Run a benchmark
nginx-optimizer benchmark example.com

If you only want specific optimizations:

# Just HTTP/3 and compression
nginx-optimizer optimize --feature http3
nginx-optimizer optimize --feature brotli

# Everything except rate limiting
nginx-optimizer optimize --exclude security

Open Source

nginx-optimizer is MIT licensed and available on GitHub. The test suite covers 70 cases across 12 real-world nginx config patterns, validated against actual nginx in Docker.

If you’ve been meaning to optimize your nginx config but kept putting it off because it’s tedious and error-prone — this is why I built this tool. One command, full optimization, automatic rollback if anything goes wrong.

Star the repo if it helps. Open an issue if it doesn’t.