This will assume the following:
apt update && apt upgradeInstall it:
apt install nginxStart and enable it (i.e. make sure it starts on boot):
systemctl start nginx
systemctl enable nginxNote, this only installs the PHP FastCGI Process Manager (FPM) and the CLI, and does not install Apache.
apt install php-fpm php-cli php-mysqlInstall other PHP extensions:
apt install php-curl php-fpm php-bcmath php-gd php-soap php-zip php-curl php-mbstring php-mysqlnd php-gd php-xml php-intl php-zipapt install mariadb-server mariadb-clientAnd start and enable it:
systemctl start mariadb
systemctl enable mariadbRun the secure script
mysql_secure_installationThe following questions should be answered "Y":
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: YRestart the DB server:
systemctl restart mariadbLog in to the DB server:
mysql -u root -pRun the following commands to create and secure the Wordpress database. Replace new_username and new_password as appropriate. If multiple websites on a host, use something like wpuser_sitename for the user:
CREATE DATABASE wordpress_db;
GRANT ALL PRIVILEGES ON wordpress_db.* TO 'new_username'@'localhost' IDENTIFIED BY 'new_password';
FLUSH PRIVILEGES;
EXITDownload Wordpress and place it in the web root.
wget https://wordpress.org/latest.zip
unzip latest.zip
mv wordpress /var/www/html/newsite.domainnameModify the Wordpress config:
cd /var/www/html/newsite.domainname/
cp wp-config-sample.php wp-config.php
nano wp-config.phpSet the following parameters:
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress_db' );
/** MySQL database username */
define( 'DB_USER', 'new_username' );
/** MySQL database password */
define( 'DB_PASSWORD', 'new_password' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );Press CTRL-O, CTRL-X to save and exit nano.
Change permissions for the Wordpress directory:
chown -R www-data:www-data /var/www/html/newsite.domainname/Create and edit a new config file:
nano /etc/nginx/sites-available/newsite.domainnameThe file should have the following contents:
server {
listen 80;
# server_name can have multiple values.
server_name newsite.domainname www.newsite.domainname;
root /var/www/html/newsite.domainname;
index index.php;
access_log /var/log/nginx/newsite.domainname.access.log;
error_log /var/log/nginx/newsite.domainname.error.log;
client_max_body_size 100M;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
include fastcgi_params;
fastcgi_intercept_errors on;
}
}Add a symlink to sites-enabled and remove the default site:
cd /etc/nginx/sites-enabled/
ln -s /etc/nginx/sites-available/newsite.domainname
rm /etc/nginx/sites-enabled/defaultRestart Nginx
systemctl restart nginxMake sure that any domain names listed in the Nginx configuration point to the Wordpress server (both A records and AAAA records if IPv6 is enabled). Then install certbot:
apt install python3-certbot-nginxRun certbot
certbot --nginx Answer the questions, which are self-explanatory. The renew command command seems to be added into the systemd times. Verify with:
systemctl list-timersThis should show this:
NEXT LEFT LAST PASSED UNIT ACTIVATES
--------------------------------------------------------------------------------------------------------------
[...]
Wed 2025-07-23 05:54:20 UTC 9h left Tue 2025-07-22 15:10:12 UTC 5h 29min ago certbot.timer certbot.service
[...]That should be all. The site should be accessible from https://newsite.domainname