This blog is running on a tiny Linux VPS with 1GB RAM, 1 CPU Core and a 25GB SSD with Debian 10 installed. Thanks to a proper WordPress setup this VPS will handle itself just fine even with substantial traffic. This article describes my setup.
Moreover, it costs me only $5 per month. That’s like the cheapest WordPress.com plan, but fully featured with root access, and five times cheaper than the basic WPEngine plan.
You can probably find an even cheaper VPS than mine, but I recommend the Nanode from Linode. I’ve been a Linode customer since 2009 (11 years!) and they never failed me. And believe me, I tried many others….
Prepare your server
First, let’s make sure all is up to date and well clocked:
apt-get update; apt-get upgradedpkg-reconfigure tzdata
During date & time reconfiguration I suggest selecting “None of the above” and “UTC”. I always like to have all my servers on the same time, but it depends what you need really.
I also recommend “htop” to monitor & manage running processes:
apt-get install htopThen I recommend setting a hostname to something familiar, so you know what your are connected to via SSH:
echo "example-hostname" > /etc/hostname
hostname -F /etc/hostname
SSH authentication using public key
At the moment, your new server allows access using a password. This is a bad idea, vulnerable to brute-force attacks. If you don’t already have a public key on your local machine, let’s create one:
ssh-keygen -t ed25519 -a 100We use Ed25519, an EdDSA scheme, because it’s least likely to be backdoored. It’s a good practice to set a strong key passphrase as well. The public-private key pair will be saved in a hidden “/.ssh” directory in your home folder.
Now, follow this tutorial to harden your server and SSH configuration. I prefer the following parameters in “/etc/ssh/sshd_config”:
Port 22AddressFamily inetPermitEmptyPasswords noChallengeResponseAuthentication noUsePAM no
Firewall
I prefer UFW therefore I use the following:
apt-get install ufwufw default allow outgoingufw default deny incomingufw allow httpsufw allow http
If you happen to have a static IP at your home or office, I recommend limiting SSH access to that IP using the following command but substituting “0.0.0.0” with you IP:
ufw allow from 0.0.0.0 to any port 22Otherwise just “ufw allow ssh”, but make sure to install Fail2Ban like in the tutorial I linked to earlier.
Install MariaDB
Why not MySQL? It’s a bit slower, it’s less open and when something crashes, it’s harder to recover. Anyway:
apt-get install mariadb-servermysql_secure_installationservice mysqld start
Sometimes after starting the database for the first time you won’t be able to log into it using the root user. Something is wrong with the password. So just change it with this command, where “password” is your new password for database root user:
mysql -u root -p> ALTER USER 'root'@'localhost' IDENTIFIED BY 'password';
If you want to fine-tune MariaDB in terms of memory, here is a good calculator. To manage this database remotely I recommend an app that allows DB connections through SSH, like Sequel Pro for macOS. Never expose your database to the outside world.
Install Nginx
I’ve been using Apache a decade ago, but now I’m an Nginx fan. It makes things so much easier!
apt-get install nginxThere’s plenty of thing to tweak, but as a good practice start by making your server less identifiable.
nano /etc/nginx/nginx.confserver_tokens off;
Install PHP
I’m not a big fan of PHP, but I really like how it gets the job done. And WordPress is built with it, so…
apt-get install php php-fpm imagemagickapt-get install php-mysql php-curl php-gd php-mbstring php-xml php-xmlrpc php-soap php-intl php-zip php-imagick
Install WordPress
Now, the final step begins.
wget https://wordpress.org/latest.tar.gztar xzvf latest.tar.gzcp wordpress/wp-config-sample.php wordpress/wp-config.phpmkdir wordpress/wp-content/upgradechown -R www-data:www-data /var/www/wordpressfind /var/www/wordpress/ -type d -exec chmod 750 {} \;find /var/www/wordpress/ -type f -exec chmod 640 {} \;
Configure WordPress
First, update your installation keys.
curl -s https://api.wordpress.org/secret-key/1.1/salt/nano /var/www/wordpress/wp-config.php
Next, configure WordPress to work with Nginx following this article. If you run into problems, make sure php-fpm.sock (or php7.3-fpm.sock) have a correct path and filename set in your Nginx config.
Setup SSL with Lets Encrypt
Encryption is essential in this day and age. It’s good these days SSL certificates are free thanks to LE. Let’s install them.
apt-get install certbot python-certbot-nginxcertbot --nginx
This will start a step-by-step guide helping you install your cert. Afterwards, configure a cron job to automatically renew your cert when necessary.
crontab -e0 0 * * * certbot renew
Finally, if you want to get an A or A+ on your SSL test, make sure to use strong ciphers in your nginx.conf.
Setup 2FA login
Two-factor authentication using an authenticator app from Google, Microsoft or Authy is a nice way to secure your login. It’s easy and free to set up using this plugin.
Other useful plugins
You could install a ton of plugins for WordPress, but that wouldn’t do you any good. You see, the more plugins you have, the more problems you encounter. Some plugins can slow down your blog, some can slow down each other, and some can just break things. I suggest you use the bare minimum:
- Akismet to filter spam comments
- Jetpack to get the official goodies
- Hummingbird to speed up your blog but stay sane
- Yoast SEO to learn how to write better content
- Health Check to keep your blog in good condition
- Two Factor mentioned above
- AMP and Structured Data
