DigitalOcean’s WordPress One-Click application is designed to make it even easier to start a blog. Using it automatically installs WordPress with its dependencies and additional security software. It also automates initial setup for components like the firewall and database, reducing the time it takes to go from provisioning a server to customizing a website.
This image backs WordPress with LAMP, the Linux/Apache/MySQL/PHP web service stack. It also includes Fail2Ban, a daemon that scans log files and bans malicious IP addresses; WP fail2ban, a WordPress plugin that similarly protects against brute force password attacks; Certbot, a tool to automate HTTPS setup and management; and Postfix, which provides a local MTA for PHP’s
Droplets created using this One-Click have the following software components:
| Component | Source |
|---|---|
| Apache | Latest from APT |
| MySQL server | Latest from APT |
| PHP | Latest from APT |
| Fail2ban | Latest from APT |
| WP fail2ban | WordPress.org’s plugins |
| Certbot | Latest from Certbot’s PPA |
| Postfix | Latest from APT |
In addition to the package installation, the One-Click also:
- Enables the UFW firewall to allow only SSH (port 22, rate limited), HTTP (port 80), and HTTPS (port 443).
- Sets the MySQL root password, runs mysql_secure_installation, and creates a wordpress user with the necessary permissions.
- Sets up the debian-sys-maint user in MySQL so the system’s init scripts for MySQL will work without requiring the MySQL root user password.
- Creates the initial WordPress configuration file to set up salt keys and allow the WordPress instance to connect to the database.
- Disables XML-RPC to help prevent DDoS and brute force attacks.
- Modifies some of PHP’s settings to increase the maximum file size and execution time.
- Enables the Apache rewrite module so the WordPress permalink feature will work.
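One way to check later that a Droplet's firewall still matches the policy listed above, as an added example that is not part of the One-Click image or DigitalOcean's tooling. The `audit_ufw` name and the sample output are constructed, and the check assumes rules are listed by port number as in plain `ufw status` output.

```shell
#!/bin/sh
# Added example: compare `ufw status` output with the policy this page describes
# (22 rate limited, 80 and 443 allowed, nothing else). On a Droplet:
#   ufw status | audit_ufw
audit_ufw() {
    awk '
        /^Status:/ { active = ($2 == "active"); next }
        /^--/      { in_rules = 1; next }          # separator under the header row
        !in_rules || !NF { next }
        {
            gsub(/ \(v6\)/, "")                    # fold IPv6 rows onto the IPv4 form
            act = ""; target = $1
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^(ALLOW|LIMIT|DENY|REJECT)$/) { act = $i; break }
                target = target " " $i             # multi-word app profile names
            }
            if (act == "LIMIT" && target ~ /^22(\/tcp)?$/) { ssh = 1; next }
            if (act == "ALLOW" && target ~ /^(80|443)(\/tcp)?$/) next
            if (act == "DENY" || act == "REJECT") next
            if (target ~ /^22(\/tcp)?$/)
                print "FINDING: SSH rule is " act ", expected LIMIT (rate limiting lost)"
            else
                print "FINDING: unexpected rule: " target " " act
            bad = 1
        }
        END {
            if (!active)   { print "FINDING: firewall is not active"; bad = 1 }
            else if (!ssh) { print "FINDING: no rate-limited SSH rule found"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: MySQL (3306) was opened and SSH lost its rate limit.
SAMPLE_DRIFT='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
3306/tcp (v6)              ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_DRIFT" | audit_ufw || echo "policy drift detected"
```

The function exits non-zero on any finding, so it can gate a cron job or a configuration-management run.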
After you create a WordPress One-Click Droplet, you’ll need to log into the Droplet via SSH to finish the WordPress setup. This prevents the setup wizard from being visible to the internet until you’re ready to complete it. If you try to visit the Droplet’s IP address before logging into the Droplet, you’ll see a DigitalOcean landing page.
From a terminal on your local computer, connect to the Droplet as root. Make sure to substitute the Droplet’s IP address.
You don’t have to run any commands after you log in. The server will automatically set up the default WordPress files. At this point, you should visit the Droplet’s IP address in your browser to finish the WordPress installation through the web interface.
Once the installation is complete, you can use the WordPress administration dashboard to further customize the new site. For reference:
The MySQL root password is in
The web root is
You can get information about the PHP installation by logging into the Droplet and running
In addition, there are a few customized setup steps that we recommend you take.
Creating an Apache virtual hosts file for each site maintains the default configuration as the fallback, as intended, and makes it easier to manage changes when hosting multiple sites.
To do so, you’ll need to create two things for each domain: a new directory in /var/www for that domain’s content, and a new virtual host file in /etc/apache2/sites-available for that domain’s configuration. For a detailed walkthrough, you can follow How to Set Up Apache Virtual Hosts.
Setting up an SSL certificate enables HTTPS on the web server, which secures the traffic between the server and the clients connecting to it. Certbot is a free and automated way to set up SSL certificates on a server. It’s included as part of the LAMP One-Click to make securing the Droplet easier.
To use Certbot, you’ll need a registered domain name and two DNS records:
example.com) to the server’s IP address
www.example.com) to the server’s IP address
Additionally, if you’re using a virtual hosts file, you’ll need to make sure the server name directive in the VirtualHost block (e.g., ServerName example.com) is correctly set to the domain.
Once the DNS records and, optionally, the virtual hosts files are set up, you can generate the SSL certificate. Make sure to substitute the domain in the command.
certbot --apache -d example.com -d www.example.com
HTTPS traffic on port 443 is already allowed through the firewall. After you set up HTTPS, you can optionally deny HTTP traffic on port 80:
ufw delete allow 80/tcp
You can serve files from the web server by adding them to the web root (/var/www/html) using SFTP or other tools.