Install WordPress with Ubuntu 20.04, NGINX, MariaDB and PHP 8.0

Follow these 3 steps and watch the video. Need help? contact me. 😊

1. Setting up Cloudflare DNS
2. Getting Ubuntu Server
3. Deploying LEMP Stack

Now before you get started, here’s a quick tip. Use Search and Replace Extension to bulk change example.com to your own domain in this web page.

Time-saving tip for Google Chrome users.

Part A: Keep Cloudflare Nameservers active

We will be using Cloudflare DNS for getting Let’s Encrypt Wildcard SSL certificate. Complete this step first to enjoy zero-downtime migration.

Check Current Nameservers

• Find your active Nameservers at https://www.whatsmydns.net/#NS/example.com
• If you see using your previous Hosting or Domain registrar default NS, then you must replace with Cloudflare.
• Learn how to use Cloudflare DNS

Part B: Get a Ubuntu Server 20.04 LTS Server ready

1. Sign up Vultr to grab $100 Free credits (Valid for 30 days)

As someone who have tried so many Cloud server company, my experience says you can’t go wrong with Vultr. These guys are genuine and caring when it comes to support and services.

2. Create a new VPS Server

Simply click on the plus button to get started

3. Choose High Frequency Server

Select High frequency compute for the fastest experience. It uses 3.7 GHz CPU and NVME storage.

4. Choose a Server Location

Choose a server location that is close to your target audience.

Tip: If you are deploying a static WordPress on BunnyCDN Storage, select Germany for the fastest upload experience.

5. Select Ubuntu 20.04 x64 OS

This is a long term supported version. It is compatible with most packages that we are going to install.

6. Choose a Server Size

$6/mo plan would be a great starting point for a new blog. You can upgrade anytime as per requirement.

Tip: If you are migrating, check Total installation size in Site health info.

7. Enable IPV6, Backup

Ignore Startup Script. This is not required. 👇

8. Add a SSH key

This is a recommended, optional step for the enhanced security.

• Click on Add New button to add a new SSH key to submit your 🔒Public key.
• Generate Keys using below method as per your OS.

Select your SSH key

Following these steps will attach your public key to your new Instance. Then, you will be able to login to SSH using Plain Text password and SSH key both.

9. Link Web Firewall rule to Server Instance

1. Click on Manage and create a new Firewall Group.
2. Allow TCP port 22 for SSH. 80 for HTTP and 443 HTTPS for IPV4 and IPV6 rules both.
3. Once done, link the Firewall group to your Instance.

10. Enter Hostname and label click Deploy Now

Now, you will see installing in the progress

15. Go to New Instance page

Copy IP address, username and password. Your default port is 22.

16. Disable Password Login

For security reasons, it’s recommended to disable password authentication and allow only key based authentication.

1. Edit the configuration file nano /etc/ssh/sshd_config
2. Find (CTRL + W) and search PasswordAuthentication
3. Change value from yes to no
4. To save type, CTRL + O
5. Restart the SSH service using command sudo service ssh restart

From the next time, you can use SSH via key only as shown in the video.

For Linux or Mac, use Terminal with command like this

ssh [email protected] -p 22 -i id_rsa

Enough explanation for basic things. Now, I’ll speed up the original process for deploying WordPress on the LEMP stack.

Part C. Deploy WordPress on LEMP Stack

1. Update repositories

Type below command and press enter key

sudo -s

apt update && apt upgrade -y && apt dist-upgrade && apt autoclean && apt autoremove -y && reboot

or

wget -qO update https://www.gulshankumar.net/update && chmod +x update

Next time, always use below shortcut command to update.

./update

2. Install MariaDB with security

Login again and enter following command

sudo apt install mariadb-server -y && sudo mysql_secure_installation

Answer below questions

• Enter current password for root (enter for none): Press Enter key
• Set root password? [Y/n]: Press Enter key.
• New password: Type your password, you can use Dashlane to generate. Right to click paste.
• Re-enter new password: Re-type your password.

After successful password set, you will see

Password updated successfully!
Reloading privilege tables..
... Success!

Also, you need answer following questions.

Remove anonymous users? [Y/n]: Press Y and enter
Disallow root login remotely? [Y/n]: Press Y and enter
Remove test database and access to it? [Y/n]: Press Y and enter
Reload privilege tables now? [Y/n]: Press Y and enter

3. Create a new Database for WordPress

Login to MySQL, press enter key when it asks for password.

mysql -u root -p

Create a new Database, and Grant Privileges to use its user with password. This is where WordPress store all post, pages, themes, plugin, etc information.

create database wordpress;
grant all on wordpress.* to [email protected] identified by '5pY8CKJxDRJEGQNkX7';
flush privileges;
exit;

Where your …
database is wordpress
username is gulshan
password is 5pY8CKJxDRJEGQNkX7

Tip: Consider using unique login credential

4. Install PHP 8.0, NGINX and set Permission

sudo add-apt-repository ppa:ondrej/php -y && apt update && apt install php8.0-fpm php8.0-common php8.0-mysql php8.0-xml php8.0-xmlrpc php8.0-curl php8.0-gd php8.0-imagick php8.0-cli php8.0-dev php8.0-imap php8.0-mbstring php8.0-soap php8.0-zip php8.0-bcmath -y && sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /etc/php/8.0/fpm/php.ini && service php8.0-fpm restart && apt install nginx -y && chown -R www-data:www-data /var/www/ && chmod -R 755 /var/www

Tweak PHP Configuration

Most fancy theme and plugin requires high-end PHP configuration to run. Therefore, we should make this changes.

sed -i 's/memory_limit = 128M/memory_limit = 512M/g' /etc/php/8.0/fpm/php.ini
sed -i 's/post_max_size = 8M/post_max_size = 128M/g' /etc/php/8.0/fpm/php.ini
sed -i 's/max_file_uploads = 20/max_file_uploads = 30/g' /etc/php/8.0/fpm/php.ini
sed -i 's/max_execution_time = 30/max_execution_time = 900/g' /etc/php/8.0/fpm/php.ini
sed -i 's/max_input_time = 60/max_input_time = 3000/g' /etc/php/8.0/fpm/php.ini
sed -i 's/upload_max_filesize = 2M/upload_max_filesize = 128M/g' /etc/php/8.0/fpm/php.ini
service php8.0-fpm restart

5. Install Wildcard Let’s Encrypt SSL Certificate

Create a cloudflare.ini file inside /root/.secrets/ directory.

mkdir -p /root/.secrets/ && cd /root/.secrets/ && nano cloudflare.ini

Add below code and save using CTRL+O and exit using CTRL+X

dns_cloudflare_email = "[email protected]"
dns_cloudflare_api_key = "XXXXXXXXXXXXXXXXX"

Find your Cloudflare e-mail and Global API key at “My Profile” > API Tokens > Global API Key

chmod 0400 /root/.secrets/cloudflare.ini

Install Certbot and DNS Authenticator according to OS and HTTP web server

snap install --beta --classic certbot
snap set certbot trust-plugin-with-root=ok
snap install --beta certbot-dns-cloudflare
snap connect certbot:plugin certbot-dns-cloudflare

Get Wildcard SSL Certificate

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d example.com,*.example.com --preferred-challenges dns-01

Set Automatic Renewal using Cron Job

• Type crontab -e
• Type 1 for nano editor
• Enter below command and save

0 0 * * *  /etc/init.d/nginx reload >/dev/null 2>&1

Test renewal

certbot renew --dry-run

6. Configure Nginx Server Block

This is important where you need configure your domain, how NGINX should handle your HTTP requests.

Delete default server blocks.

rm /etc/nginx/sites-available/default && rm /etc/nginx/sites-enabled/default

Create a new server block

cd /etc/nginx/sites-available/
nano example.com

1. Replace example.com with own domain
2. Enter below code and Press ctrl+o to save and ctrl+x to exit.

General

server {
    listen         80;
    return 301 https://$host$request_uri;
}
server {
# Document Root
root /var/www/html;
index index.php index.html index.htm;
server_name .example.com;
client_max_body_size 0;

    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 ssl http2;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_prefer_server_ciphers on;
        ssl_session_cache   shared:SSL:20m;
        ssl_session_timeout 20m;
        ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128';


error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;

# Block XMLRPC
location = /xmlrpc.php {
    deny all;
}

location / {
    try_files $uri $uri/ /index.php$is_args$args;
}

location ~* \.php$ {
if ($uri !~ "^/uploads/") {
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
}
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}

location = /robots.txt {
log_not_found off;
access_log off;
allow all;
}

location ~* .(css|gif|svg|ico|woff2|eot|jpeg|webp|jpg|js|png)$ {
expires 1y;
log_not_found off;
}

# Enable Gzip compression.
gzip on;

# Disable Gzip on IE6.
gzip_disable "msie6";

# Allow proxies to cache both compressed and regular version of file.
# Avoids clients that don't support Gzip outputting gibberish.
gzip_vary on;

# Compress data, even when the client connects through a proxy.
gzip_proxied any;

# The level of compression to apply to files. A higher compression level increases
# CPU usage. Level 5 is a happy medium resulting in roughly 75% compression.
gzip_comp_level 5;

# Compress the following MIME types.
gzip_types
 application/atom+xml
 application/javascript
 application/json
 application/ld+json
 application/manifest+json
 application/rss+xml
 application/vnd.geo+json
 application/vnd.ms-fontobject
 application/x-font-ttf
 application/x-web-app-manifest+json
 application/xhtml+xml
 application/xml
 font/opentype
 image/bmp
 image/svg+xml
 image/x-icon
 text/cache-manifest
 text/css
 text/plain
 text/vcard
 text/vnd.rim.location.xloc
 text/vtt
 text/x-component
 text/x-cross-domain-policy;
}

For cache Enabler

server {
    listen         80;
    return 301 https://$host$request_uri;
}
server {
# Document Root
root /var/www/html;
index index.php index.html index.htm;
server_name .example.com;
client_max_body_size 0;

    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 ssl http2;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_prefer_server_ciphers on;
        ssl_session_cache   shared:SSL:20m;
        ssl_session_timeout 20m;
        ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128';


error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;


# Block XMLRPC
location = /xmlrpc.php {
    deny all;
}


# Rules for Cache Enabler Plugin - Static File Serving

    set $cache_uri $request_uri;

    # bypass cache if POST requests or URLs with a query string
    if ($request_method = POST) {
    set $cache_uri 'nullcache';
    }

    if ($query_string != '') {
    set $cache_uri 'nullcache';
    }

    # bypass cache if URLs containing the following strings
    if ($request_uri ~* '(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(index)?.xml|[a-z0-9-]+-sitemap([0-9]+)?.xml)') {
    set $cache_uri 'nullcache';
    }

    # bypass cache if cookies contain the following strings
    if ($http_cookie ~* '(wp-postpass|wordpress_logged_in|comment_author)_') {
    set $cache_uri 'nullcache';
    }

    # custom installation subdirectory
    set $custom_subdir '';

    # default HTML file
    set $cache_enabler_uri '${custom_subdir}/wp-content/cache/cache-enabler/${http_host}${cache_uri}${scheme}-index.html';

    # WebP HTML file
    if ($http_accept ~* 'image/webp') {
    set $cache_enabler_uri '${custom_subdir}/wp-content/cache/cache-enabler/${http_host}${cache_uri}${scheme}-index-webp.html';
    }

    location / {
    gzip_static on; # this directive is not required but recommended
    try_files $cache_enabler_uri $uri $uri/ $custom_subdir/index.php?$args;
    }

location ~* \.php$ {
if ($uri !~ "^/uploads/") {
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
}
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
location = /favicon.ico {
log_not_found off;
access_log off;
}

location = /robots.txt {
log_not_found off;
access_log off;
allow all;
}

location ~* .(css|gif|svg|ico|jpeg|webp|woff2|eot|jpg|js|png)$ {
expires 1y;
log_not_found off;
}

# Enable Gzip compression.
gzip on;

# Disable Gzip on IE6.
gzip_disable "msie6";

# Allow proxies to cache both compressed and regular version of file.
# Avoids clients that don't support Gzip outputting gibberish.
gzip_vary on;

# Compress data, even when the client connects through a proxy.
gzip_proxied any;

# The level of compression to apply to files. A higher compression level increases
# CPU usage. Level 5 is a happy medium resulting in roughly 75% compression.
gzip_comp_level 5;

# Compress the following MIME types.
gzip_types
 application/atom+xml
 application/javascript
 application/json
 application/ld+json
 application/manifest+json
 application/rss+xml
 application/vnd.geo+json
 application/vnd.ms-fontobject
 application/x-font-ttf
 application/x-web-app-manifest+json
 application/xhtml+xml
 application/xml
 font/opentype
 image/bmp
 image/svg+xml
 image/x-icon
 text/cache-manifest
 text/css
 text/plain
 text/vcard
 text/vnd.rim.location.xloc
 text/vtt
 text/x-component
 text/x-cross-domain-policy;
}

• You need to install Cache Enabler plugin to enjoy cache benefit.

FastCGI

If you want to use FastCGI Cache then implement below Server Block instead.

# NGINX Cache path
fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=6h;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

server {
    listen         80;
    return 301 https://$host$request_uri;
}
server {
root /var/www/html;
index index.php index.html index.htm;
server_name .example.com;
client_max_body_size 0;

    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 ssl http2;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        ssl_prefer_server_ciphers on;
        ssl_session_cache   shared:SSL:20m;
        ssl_session_timeout 20m;
        ssl_ciphers 'TLS13+AESGCM+AES128:EECDH+AES128';

error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;


set $skip_cache 0;
    if ($request_method = POST) {set $skip_cache 1;}
    if ($request_uri ~* "/wp-admin/|/xmlrpc.php|/wp-.*.php|index.php|sitemap(_index)?.xml") {set $skip_cache 1;}
    if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {set $skip_cache 1;}
    if ($query_string = "unapproved*") {set $skip_cache 1;}
    if ($cookie_woocommerce_items_in_cart = "1" ){ set $skip_cache 1;}
    if ($request_uri ~* "/(cart|checkout|my-account)/*$") {set $skip_cache 1;}

# Block XMLRPC
location = /xmlrpc.php {
    deny all;
}

location / {
try_files $uri $uri/ /index.php$is_args$args;
}

location ~* \.php$ {

 if ($uri !~ "^/uploads/") {
        fastcgi_pass unix:/run/php/php8.0-fpm.sock;
        }

        try_files                       $uri =404;
        include                         /etc/nginx/fastcgi_params;
        fastcgi_param                   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass                    unix:/run/php/php8.0-fpm.sock;
        fastcgi_index                   index.php;
                fastcgi_cache_bypass $skip_cache;
                fastcgi_no_cache $skip_cache;
                fastcgi_cache WORDPRESS;
                fastcgi_cache_valid 200 30d;
                fastcgi_cache_valid 301 302 303 307 308 404 410 451 1m;
                add_header X-Cache $upstream_cache_status;

}

location = /favicon.ico {
log_not_found off;
access_log off;
}

location = /robots.txt {
log_not_found off;
access_log off;
allow all;
}

location ~* .(css|gif|ico|svg|webp|woff2|eot|jpeg|jpg|js|png)$ {
expires 1y;
log_not_found off;
}

# Enable Gzip compression.
gzip on;

# Disable Gzip on IE6.
gzip_disable "msie6";

# Allow proxies to cache both compressed and regular version of file.
# Avoids clients that don't support Gzip outputting gibberish.
gzip_vary on;

# Compress data, even when the client connects through a proxy.
gzip_proxied any;

# The level of compression to apply to files. A higher compression level increases
# CPU usage. Level 5 is a happy medium resulting in roughly 75% compression.
gzip_comp_level 5;

# Compress the following MIME types.
gzip_types
 application/atom+xml
 application/javascript
 application/json
 application/ld+json
 application/manifest+json
 application/rss+xml
 application/vnd.geo+json
 application/vnd.ms-fontobject
 application/x-font-ttf
 application/x-web-app-manifest+json
 application/xhtml+xml
 application/xml
 font/opentype
 image/bmp
 image/svg+xml
 image/x-icon
 text/cache-manifest
 text/css
 text/plain
 text/vcard
 text/vnd.rim.location.xloc
 text/vtt
 text/x-component
 text/x-cross-domain-policy;
}

To save, press CTRL+O and Enter key. Then, exit nano editor using command CTRL+X.

In case of FastCGI, you need to use NGINX Helper plugin. It works with Hindi encoded URL as well. Keep in mind, it won’t support AMP. I personally don’t use AMP. (Recommended)

Alternatively, NGINX cache works for purging AMP URL but it doesn’t support Hindi encoded URL. In settings, you should keep cache path /var/run/nginx-cache/

Caution!

• For example, If you’re using Newspaper theme and serve seperate Mobile theme, please stick without FastCGI method and use a plugin WP Rocket because it can serve seperate mobile cache out of the box.

7. Create Symbolic links between two directories

If you miss this step, you may get ERR_CONNECTION_REFUSED

To activate server block, create a symbolic link of your NGINX Server Block file from directory/etc/nginx/sites-available/ to /etc/nginx/sites-enabled.

Before running below command, please replace example.com to own domain.

ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Test configuration

nginx -t

Restart and update

service nginx restart && service php8.0-fpm restart && service mysql restart && apt-get update && apt upgrade -y

8. Install WordPress

Download WordPress files in /var/www/html directory and set permission.

cd /var/www/html && wget https://wordpress.org/latest.tar.gz && tar -xvzf latest.tar.gz && mv -v wordpress/* /var/www/html && rm -rf index.nginx-debian.html latest.tar.gz wordpress && chown -R www-data:www-data /var/www/ && sudo chmod -R 755 /var/www

To update permission in future, use below command

chown -R www-data:www-data /var/www/ && sudo chmod -R 755 /var/www

9. Override hosts file [Hardcoding]

If you’re hosting WordPress locally, want to bypass proxy or want to perform zero downtime migration, this step is useful. I generally prefer in case of Static WordPress Dev area. 😉

• There are two ways to point DNS. If you are migrating site to Vultr and want to test first locally then edit your hosts file and point there.

For Windows

• Go to properties of ‪C:\Windows\System32\drivers\etc\hosts
• Change “Security” permission to full control for your current Username
• Now you can freely edit the hosts file under your System user and save it.

# For same machine you can have localhost address else public IP
127.0.0.1 example.com
127.0.0.1 www.example.com

An example, this is how it should look

For Mac or Linux

cd && nano /etc/hosts

• If everything is perfect and you want to make your site live, Login to Cloudflare DNS and update new IP

A ---------- @ -----------> Server IPV4 address
AAAA ------- @ -----------> Server IPV6 address
CNAME ------www -----------------> example.com

where @ denotes naked domain example.com

9. Visit your domain name to setup WordPress

If you want to keep non-www version domain for your WordPress then visit non-www version else www.

https://example.com

• Provide Database login credential to begin WordPress Setup
• Run Installation
• Fill up Basic details of your new Site and Install WordPress.
• Login to WordPress
• If you used FastCGI server block then first thing you should do is installing NGINX Cache plugin and configuring /var/www/cache as cache path.

Other neccessary things

Use SMTP plugin Services for sending outgoing email of WordPress otherwise you will not be able to receive password reset link, contact form 7 messages.

Finally, the WordPress installation has been completed. Always keep backup.

External resources

• {bjørn:johansen}: https://www.bjornjohansen.com/wildcard-certificate-letsencrypt-cloudflare
• LinuxBabe: Installing Postfix (You can use it as an alternative of WP SMTP).

I greatly appreciate your valuable time in reading this article. See you in the next tutorial!