WordPress nginx php7 mysql ubuntu 16.04 setup

Step 3: Install NGINX

In order to use a WordPress plugin for purging the NGINX cache that I talk about below, you have to install a custom version of NGINX. From the command line:

This will download and install NGINX and set up the firewall to allow both HTTP (port 80) and HTTPS (port 443) traffic. After you do this, you’ll need to update /etc/nginx/nginx.conf to comment out some lines that conflict with some of the SSL settings we’ll be creating later. Open the file:

Comment out ALL of the lines in the “SSL” section of the file by adding a # before them, then save and close the file.

Step 4: Install and Configure MariaDB

MariaDB is a drop-in replacement for MySQL. You can read about why people think it’s better, but I’m mostly convinced by the performance arguments. The MariaDB website has a convenient tool for configuring the correct repositories in your Ubuntu distro. Using the tool, I came up with the following steps for installing the DB:

When the following screen comes up, make sure you provide a good secure password that is different from the password you used for your user account.

Setting up root password for MariaDB

Setting up root password for MariaDB

Next, lock down your MariaDB instance by running:

Since you’ve already set up a secure password for your root user, you can safely answer “no” to the question asking you to create a new root password. Answer “Yes” to all of the other questions. Now we can set up a separate MariaDB account and database for our WordPress instance. At the command prompt type the following:

Type in your password when prompted. This will open up a MariaDB shell session. Everything you type here is treated as a SQL query, so make sure you end every line with a semicolon! This is very easy to forget. Here are the commands you need to type in to create a new database, user, and assign privileges to that user:

Note that although it’s customary to use ALL CAPS to write SQL statements like this, it is not strictly necessary. Also, where I’ve used “mywpdb” and “mywpdbuser” feel free to use your own database and user names.

Step 5: Install and Configure PHP7-FPM

One of the cool things about Ubuntu 16.04 is that it’s default PHP packages now default to version 7! Installing PHP is as simple as typing the following:

Note that this also installs the MySQL, XML, and GD packages so that WordPress can interact with the database, support XMLRPC (important if you use Jetpack), and also automatically crop and resize images.

Now we need to adjust a php.ini setting that would allow a clever hacker to execute scripts they shouldn’t. Open  /etc/php/7.0/fpm/php.ini using nano as follows:

You can search for the line you want to edit by hitting  CTRL + W and then typing the text of the setting you’re looking for, in this case  cgi.fix_pathinfo . In this case you want to remove the semicolon at the beginning of the line and set this setting to look like cgi.fix_pathinfo=0 . While you’re in this file, you may also want to adjust the post_max_size and  upload_max_filesize settings to something larger than their defaults of 8MB and 2MB, respectively. I frequently find that in my WordPress sites I want to upload larger files. Once you’re done editing, hit  CTRL + X to exit nano, and follow the prompts to save your changes. To get PHP to load the changes you need to restart it by typing:

Step 6: Tell NGINX to use PHP7-FPM

Open up the configuration file for your default site for NGINX:

Edit the file so that it looks exactly like this:

Save and exit this file, and then restart NGINX by typing the following:

In order to test out whether or not your changes worked, you can create a basic PHP file at the root of your web server by typing:

Then you can go to a web browser and type in  http://your-IP-address and you should get the auto-generated PHP Info page which looks something like this:

Default PHP Info page

Default PHP Info page

Woohoo!!! Now we’re getting somewhere. We’re going to be making a bunch of changes to our NGINX config in later steps for security and optimization, but this is the absolute minimum you need to do to get PHP7-FPM and NGINX playing well together.

Step 7: Set up SSL Certificates with LetsEncrypt

In the next step we’re going to add an SSL certificate to our site and then configure NGINX to use it. I recommend that you read DigitalOcean’s entire tutorial on securing NGINX on Ubuntu 16.04 with LetsEncrypt, but I’ll provide just the steps you need here. First, install LetsEncrypt:

During installation, LetsEncrypt has to add some files to your web root in order to confirm that you actually own your domain. In order to do that, we need to update the NGINX configuration for your site. Open up the config in nano using:

And then add this code inside the server block:

Save and exit. Then you can check to make sure you have no typos and restart NGINX with the following:

Now you will switch to the directory where we cloned LetsEncrypt and run the tool to actually create and install our certificate:

Follow the prompts that pop up. Make sure you pick a reliable email address for receiving notifications. To increase security, DigitalOcean’s tutorial recommends setting up a strong Diffie-Hellman Group as follows:

Next we’ll create a configuration snippet for NGINX that will contain all of our SSL parameters. Create and open the file as follows:

And add this code into the file, making sure you add your domain at the top in the file paths for the ssl_certificate and ssl_certificate_key:

Save and exit this file. Next we will update our NGINX configuration for our site again to redirect all traffic through HTTPS. My earlier blog post goes into why this is the desired behavior. Open your config file with:

And modify it to look exactly like this (except of course for using your domain name instead of “yourdomain.com” which needs editing in both server blocks):

If you do still want to allow non-secure HTTP traffic, please consult DigitalOcean’s blog post that I linked to above. Save and close this file. Then check the syntax and restart NGINX:

Finally, it is important to note that SSL certificates from LetsEncrypt expire every 90 days. In order that you don’t have to log into your server every 3 months to renew your certs, we’re going to set up a CRON job to autorenew them. From the command line:

Add the following lines:

This will update the LetsEncrypt client and then attempt to renew and load your certs (if necessary) every Monday.

Step 8: Install WordPress

Wow. All this work so far and we haven’t even installed WordPress yet! Let’s get to it.

There are a lot of opinions on the best way to download and maintain WordPress. My goals are:

  1. Check out the core files from some sort of version control repository
  2. Update core files from the same repo
  3. Have the ability to take advantage of automatic updates

I haven’t found a way to do this with Git yet, so for this tutorial I’m sticking with Subversion. As such the first step will be to install SVN:

Next, go to the web root directory, remove the index.php file if necessary, and check out the most recent version of WordPress (currently 4.6.1):

Make sure not to forget the “.” at the end of that last command! Otherwise the files will get checked out into a subfolder and you’ll have to move them. Next we have to update the ownership of the files so that our webserver can have full access:

Now you can visit your domain in a web browser and complete the basic WordPress installation as you normally would.

Step 9: Install WP Plugins and Set Up Email

In order to take advantage of nginx caching made available by the custom version of nginx that we installed, you’ll need to install the nginx helper plugin. Once you do that, go to Settings > Nginx Helper from the WP dashboard and check the box to “Enable Purge.” The default settings should be fine. Click “Save All Changes.”

In Step 2 above, I showed the DNS settings you should set up in order to have Mailgunhandle all of your email. The nice thing about doing this is you can avoid having to set up and maintain your own SMTP server on your droplet. Setting up a mail server like postfix, sendmail, or exif can be a real pain as most email providers these days are extremelysensitive about preventing spam. After you’ve set up your domain at Mailgun, you can use the Mailgun for WordPress plugin to have all outgoing emails from your website routed through Mailgun. After you’ve installed it, go to Settings > Mailgun from the WP dashboard, copy and paste in your Mailgun domain name and API key, and then click “Save Changes” to get it set up. Click “Test Configuration” to make sure it is working. You may also want to use the Check Email plugin just to make sure that emails are being sent correctly.

If you want to install Jetpack, the PHP XML package was installed to support that back in Step 6.

Step 10: Securing and Optimizing WordPress

Here are some tips and strategies for securing and optimizing your WordPress install.

Enable and Configure Gzip Compression

Gzip compression shrinks files before sending them across the web, increasing the speed of transfer. Gzip is enabled by default in  /etc/nginx/nginx.conf but you should edit this section of the configuration file to specify the types of files that should be compressed. Here’s the list that I use, and I’ve found that in recent installs they are already there by default. Add the list of  gzip_types into the file:

Deny Access to Certain Files and Folders

Some files and folders that are inside your web root should not be directly accessible via the web. Add the following sections to your  /etc/nginx/sitesavailable/default file in the main server block:

Force File Downloads Through FTPS

Whenever you add or update a theme or plugin, you can require that under the hood WordPress will use an encrypted transport like FTPS. To do so, follow this tutorial at DigitalOcean. It’s a little old, but still works. The only change to it that I had to make was to NOT change the ownership of the files in  /var/www/html . Here is a condensed list of the commands you’ll run:

And then you need to add the following lines to your  /var/www/html/wpconfig.php file:

Add that right about the line:  /* That’s all, stop editing! Happy blogging. */ . And you may want to change the user name from “wp-user” to something else more personalized, just in case someone who’s reading about this technique doesn’t try to find a hole in your setup based on what username you picked.

Setup Caching and Purging

The custom version of NGINX that we installed earlier allows you to use some advanced caching features. First you’ll want to install the NGINX Helper plugin within WordPress. Next you’ll follow the instructions in this blog post to configure caching. At the end of it all the config file for my site looked like this (including all of the edits we’ve made above):

Step 11: Final Server Tweaks

Finally, there are two more things we should do to keep our server up to date and healthy. The first is to make sure unattended upgrades are enabled:

When I finished editing it, my file looked like this:

I also updated the  /etc/apt/apt.conf.d/10periodic file to look like:

Lastly, I ran the following commands to make sure everything was up to date:


There are more plugins and tweaks you can make to improve the performance of your site. For example, you could host your images and other static resources on a CDN, and we didn’t talk about combining and minifying the CSS and JS files on the site. However, with all of the above, you should have made a very good start at having a screaming fast and secure website. Enjoy!

Добавить комментарий

Войти с помощью: 

Ваш e-mail не будет опубликован. Обязательные поля помечены *


Этот сайт использует Akismet для борьбы со спамом. Узнайте как обрабатываются ваши данные комментариев.