Install WordPress

Installing WordPress using best practices

When choosing which platform to build your website with, WordPress is a brilliant choice for most startups and small businesses. In fact, over a third of all websites on the internet are built using WordPress.

The main reason for this is that WordPress offers:

  • Customisable Designs. There are thousands of different templates to choose from and each can be easy to customise for your specific needs.
  • SEO friendly. WordPress has many tools and features that can help your website rank well.
  • Huge number of plugins. With over 50,000 different plugins you should be able to find almost anything you need your website to do with a few simple clicks and minimal setup.
  • Easy to get started with. When starting out a new company it is important to get things up and running quickly. With WordPress you can get a website up and running within a few days.
  • Good performance and high security. WordPress can handle large traffic loads and, if set up correctly, has great security too. As with everything, though, both of these points depend significantly on who is setting up the website.

Install Prerequisites

For the purpose of this tutorial we will assume that this is a brand new Ubuntu 18.04 server that has just completed all the steps in the previous tutorial, Setting up a secure server.

Installing Nginx

Nginx is more lightweight than Apache and often faster, as seen in multiple tests. For this reason we will be using the LEMP stack instead of the better-known LAMP stack. To get started, simply install Nginx.

apt-get -y install nginx

You should have Nginx up and running now. Check by opening a tab in your browser with your server’s IP address. If you don’t know your server’s IP run: curl icanhazip.com to get it. You should see the default, “Welcome to nginx!” page.

Installing MySQL

Next up is to install your database. We will be using MySQL for this. Install MySQL and then strengthen your database security too.

apt-get -y install mysql-server
mysql_secure_installation

When running “mysql_secure_installation”, be sure to select “Y” for everything and use the strong password option. Lastly, log into MySQL and change the root password, which by default is actually not set.

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'your_chosen_password';
FLUSH PRIVILEGES;

Next we must create the actual WordPress database (in this example we will call it wordpress_db). We must also ensure that the database has the correct character encoding so that it can store special characters. Lastly we will create a new MySQL user (in this example we will call it wordpress_user) which will only have permissions to access the WordPress database and no other databases that might be on the server.

CREATE DATABASE wordpress_db CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'wordpress_user'@'localhost' IDENTIFIED BY 'strongPassword';
GRANT ALL ON wordpress_db.* TO 'wordpress_user'@'localhost';
FLUSH PRIVILEGES;

Installing PHP and Configuring Nginx

Since Nginx does not contain native PHP processing like Apache, we need to install a few extra packages to get Nginx to work with PHP. For WordPress I’d recommend the following:

  • php-fpm So Nginx can work with PHP
  • php-mysql So Nginx can work with MySQL

apt-get install php-fpm php-mysql php-curl php-dom php-imagick php-mbstring php-zip php-gd php-intl

  • Create a new file located at /etc/nginx/sites-available/your_website where “your_website” is the name of your website
  • Find out which version of PHP you’re running via php -v
  • Add the following content in that file (the example below is using PHP 8.1):

server {
        listen 80;
        server_name your_website.com;
        
        root /var/www/your_website;
        index index.php index.html index.htm;

        location / {
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
        }

        location ~ /\.ht {
                deny all;
        }
}
  • Then create a new directory to host the PHP code in: mkdir /var/www/your_website
  • Then assign correct file and folder permissions:
usermod -aG www-data john
mkdir -p /var/www/your_website
sudo chown -R john:www-data /var/www/your_website
chmod -R g+w /var/www/your_website
chmod g+s /var/www/your_website

The first command will assign the user “john” to Nginx’s group, which is known as “www-data”. Next we will change the group associated with that folder to be www-data and no longer root. Then we will give write access to the folder only for the www-data group. Lastly, “g+s” will ensure that any new files or directories created within the folder will inherit the group ownership of the parent directory.

  • Next we need to remove the old “default” website and add the brand new website.
unlink /etc/nginx/sites-enabled/default
ln -snf /etc/nginx/sites-available/your_website /etc/nginx/sites-enabled/

Download WordPress

The final step is to download the latest version of WordPress and get it up and running. First we need to download and extract it, create some needed blank files (the contents will be added later) and then move the code to the required directory.

su john #change to the user that has access to the web folder first.

cd /tmp
curl -O https://wordpress.org/latest.tar.gz
tar xzvf latest.tar.gz
touch /tmp/wordpress/.htaccess
cp /tmp/wordpress/wp-config-sample.php /tmp/wordpress/wp-config.php
cp -a /tmp/wordpress/* /var/www/your_website
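
A check that the copied tree ended up with the ownership the earlier permission commands intended, given that cp -a preserves the group and mode each file had in /tmp and that chmod g+s was applied to the top-level directory only. This is an added example, not part of the original tutorial; the function names and the sample tree are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): check that every entry under
# the web root really has the group and mode the permission commands intended.

# audit_webroot DIR GROUP: print one line per finding, return the finding count.
#   - entry whose group is not GROUP (cp -a and tar keep the source group, so
#     copied files do not pick up the group of a setgid parent directory)
#   - directory without the setgid bit (chmod g+s is not recursive)
#   - anything world-writable
audit_webroot() {
    local dir=$1 group=$2
    find "$dir" ! -type l -exec stat -c '%G|%a|%F|%n' {} + |
    awk -F'|' -v want="$group" '
        {
            grp = $1; mode = $2; type = $3; path = $4
            special = (length(mode) == 4) ? substr(mode, 1, 1) : 0
            other   = substr(mode, length(mode), 1)
            if (grp != want)
                { print "wrong group (" grp "): " path; n++ }
            if (type == "directory" && int(special / 2) % 2 == 0)
                { print "directory missing setgid: " path; n++ }
            if (int(other / 2) % 2 == 1)
                { print "world-writable: " path; n++ }
        }
        END { exit (n > 255 ? 255 : n + 0) }'
}

# Constructed sample tree: setgid top directory, a plain subdirectory as an
# extracted tarball would leave it, and one world-writable file.
make_sample_tree() {
    local dir=$1
    mkdir -p "$dir/wp-content"
    touch "$dir/index.php" "$dir/wp-content/upload.tmp"
    chmod 2775 "$dir"; chmod 755 "$dir/wp-content"; chmod g-s "$dir/wp-content"
    chmod 644 "$dir/index.php"; chmod 666 "$dir/wp-content/upload.tmp"
}
```

On the server from this tutorial the call would be audit_webroot /var/www/your_website www-data; a return value of 0 means the whole tree matches the intended scheme.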

Once that is done we need to improve the security a bit more by replacing the placeholder secret keys and salts in wp-config.php. WordPress provides a secure generator for these values so that you do not have to try to come up with good values on your own. Run curl -s https://api.wordpress.org/secret-key/1.1/salt/, copy all of the output and use it to replace the same section in the /var/www/your_website/wp-config.php file. Basically, you need to update those default values.

Lastly, update DB_NAME, DB_USER and DB_PASSWORD in the wp-config.php file with your own values. It is also recommended to use utf8mb4, as this can handle a wider range of characters, including emoji, special symbols, and less commonly used scripts. This is particularly useful if your website content or user input requires such characters. It is also recommended to add FS_METHOD, FS_CHMOD_DIR and FS_CHMOD_FILE to avoid entering FTP credentials every time you try to upload a file.

define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', 'utf8mb4_unicode_ci');

define('FS_METHOD', 'direct');
define('FS_CHMOD_DIR', 0755);
define('FS_CHMOD_FILE', 0644);
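
The salt replacement and the wp-config.php edits described above can be scripted and then checked, so that a missed placeholder is caught before the site goes live. This is an added example, not part of the original tutorial; the function names and the sample files are assumptions, and install_salts expects the generator output to have been saved to a file first.

```shell
#!/usr/bin/env bash
# Added example (not from the original tutorial): install fresh salts into
# wp-config.php and confirm that no sample placeholder value is left behind.
KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'
PAT="^define[(] *'($(echo "$KEYS" | tr ' ' '|'))',"  # a salt define() line

# install_salts CONFIG SALTS: swap the eight salt lines in CONFIG for the lines
# in SALTS (saved generator output). awk copies the lines verbatim, so & / |
# in the values cannot break the edit as they would a sed replacement string.
install_salts() {
    local config=$1 salts=$2 tmp
    [ "$(grep -cE "$PAT" "$salts")" -eq 8 ] || return 1  # truncated download?
    tmp=$(mktemp) || return 1
    awk -v pat="$PAT" -v salts="$salts" '
        $0 ~ pat { if (!seen) { while ((getline l < salts) > 0) print l; seen = 1 }
                   next }
        { print }' "$config" > "$tmp"
    if [ "$(grep -cE "$PAT" "$tmp")" -eq 8 ]; then
        cat "$tmp" > "$config"   # overwrite in place: keeps owner and mode
        rm -f "$tmp"
    else
        rm -f "$tmp"; return 1   # CONFIG had no salt section to replace
    fi
}

# audit_wp_config CONFIG: print each leftover sample value, return their count.
audit_wp_config() {
    local config=$1 n=0 p
    for p in 'put your unique phrase here' database_name_here username_here password_here; do
        if grep -qF "$p" "$config"; then echo "still default: $p"; n=$((n + 1)); fi
    done
    return "$n"
}

# Constructed sample files (made-up values, not real secrets).
make_sample() {
    local dir=$1 k i=0
    { echo "<?php"; echo "define( 'DB_NAME', 'database_name_here' );"
      echo "define( 'DB_USER', 'username_here' );"
      echo "define( 'DB_PASSWORD', 'password_here' );"; } > "$dir/wp-config.php"
    for k in $KEYS; do
        i=$((i + 1))
        echo "define( '$k', 'put your unique phrase here' );" >> "$dir/wp-config.php"
        echo "define('$k', 'constructed&sample/value|$i');" >> "$dir/salts.txt"
    done
    echo "\$table_prefix = 'wp_';" >> "$dir/wp-config.php"
}
```

With the generator output saved to a file such as /tmp/salts.txt, run install_salts /var/www/your_website/wp-config.php /tmp/salts.txt and then audit_wp_config on the same config; a return value of 0 means no sample value remains.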

You can then open a web browser and go to http://[server’s ip] and complete the last of the web setup.