How To Install WordPress with LEMP (Nginx, MariaDB, and PHP) on Debian 11 Bullseye

WordPress is the most dominant content management system written in PHP, combined with MySQL or MariaDB database. You can create and maintain a site without any prior knowledge in web development or coding. The first version of WordPress was created in 2003 by Matt Mullenweg and Mike Little and is now used by 70% of the known web market, according to W3Tech. WordPress comes in two versions: the free open source WordPress.org and WordPress.com, a paid service that starts at $5 per month up to $59. Using this content management system is easy and often seen as a stepping stone for making a blog or similar featured site.

In the following tutorial, you will learn how to install self-hosted WordPress using the latest Nginx, MariaDB, and PHP versions available.

Prerequisites

• Recommended OS: Debian 11 Bullseye
• User account: A user account with sudo privilages or root access (su command).
• Required Packages: nginx, mariadb, php, wget, unzip

Updating Operating System

Update your Debian 11 operating system to make sure all existing packages are up to date:

sudo apt update && sudo apt upgrade

Root or Sudo Access

By default, when you create your account at startup with Debian compared to other distributions, it does not automatically receive sudoers status. You must either have access to the root password to use the su command or visit our tutorial on How to Add a User to Sudoers on Debian.

Install CURL & UNZIP Package

The tutorial makes use of the curl and unzip command during certain parts. To make sure this is installed, run the following command in your terminal:

sudo apt install curl unzip -y

Install Latest Nginx – (LEMP Stack)

To kickstart the LEMP stack installation, you will need to install the Nginx web server. A method is to install the latest Nginx mainline or stable from the Ondřej Surý repository to have the most updated software. Many Ubuntu users would know his PPA, and you can do the same pretty much in Debian.

To use the latest version of either Nginx mainline or stable, you will need first to import the repository.

To import mainline repository:

curl -sSL https://packages.sury.org/nginx-mainline/README.txt | sudo bash -x

To import stable repository:

curl -sSL https://packages.sury.org/nginx/README.txt | sudo bash -x

Update your repository to reflect the new change:

sudo apt update

Now that you have installed the Nginx repository and updated the repository list, install Nginx with the following:

sudo apt install nginx-core nginx-common nginx nginx-full

Example output:

Type “Y,” then press the “ENTER KEY” to proceed and complete the installation.

Now check to ensure the latest Nginx from the Ondřej Surý repository was installed using the apt-cache policy command. Note, the tutorial example installed Nginx Mainline:

apt-cache policy nginx

Example output for Nginx Mainline:

Note that you may be prompted to keep or replace your existing /etc/nginx/nginx.conf configuration file during the installation. It is recommended to keep your current configuration file by pressing (n). A copy will be made regardless of the maintainer’s version, and you can also check this in the future.

You will notice additional modules will be available in this version, most notably brotli support. To install brotli, follow the steps below.

Open your nginx.conf configuration file:

nano /etc/nginx/nginx.conf

Now add the additional lines before in the HTTP{} section:

brotli on;
brotli_comp_level 6;
brotli_static on;
brotli_types application/atom+xml application/javascript application/json application/rss+xml
   application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
   application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
   font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
   image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

The brotli_comp_level can be set between 1 (lowest) and 11 (highest). Typically, most servers sit in the middle, but if your server is a monster, set to 11 and monitor CPU usage levels.

Next, test to make sure the changes are working correctly before making it live:

sudo nginx -t

If the changes are working correctly, you should see the following:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now make the changes live by restarting your server:

sudo systemctl restart nginx

Next, enable Nginx on system boot:

sudo systemctl enable nginx

Lastly, verify Nginx is running correctly; this should be fine to skip if you ran the nginx -t command and got no errors.

systemctl status nginx

Example output:

Install MariaDB (LEMP STACK)

For phpBB to run, you will need to install a database software; given we are using LEMP, the choice will be MariaDB.

You can install the default version of MariaDB from Debian’s repository, and the tutorial will install the latest 10.6 MariaDB.

Install Depedencies

The first step is to install the dependencies needed for the installation. To do this, use the following command in your terminal:

Import GPG Key & Repository

To successfully install MariaDB, you will need to import the GPG key to verify that the packages are from the authentic source and not modified. To do this, use the following command:

sudo curl -LsSO https://mariadb.org/mariadb_release_signing_key.asc
sudo chmod -c 644 mariadb_release_signing_key.asc
sudo mv -vi mariadb_release_signing_key.asc /etc/apt/trusted.gpg.d/
sudo add-apt-repository 'deb [arch=amd64,arm64,ppc64el] https://mirror.realcompute.io/mariadb/repo/10.6/debian bullseye main'

Note, download mirrors can be found on this page from MariaDB foundation to find a location closer to you for the repository.

Now that the key and repository are imported, update the apt package manager list to reflect the new addition.

sudo apt update

Install MariaDB

To install MariaDB, you will need to install the client and the server packages. This can be done as follows:

sudo apt install mariadb-server mariadb-client

Example output:

Type “Y,” then press the “ENTER KEY” to proceed and complete the installation.

Confirm the installation of MariaDB by checking the version and build:

mariadb --version

Example output:

mariadb  Ver 15.1 Distrib 10.6.4-MariaDB, for debian-linux-gnu (x86_64) using readline EditLine wrapper

Next, start your MariaDB service by running the following command to start and enable on boot:

sudo systemctl start mariadb && sudo systemctl enable mariadb

Example output if successful:

Synchronizing state of mariadb.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable mariadb

Check MariaDB server status

Now you have installed MariaDB, and you can verify the status of the database software by using the following systemctl command:

systemctl status mariadb

By default, you will find MariaDB status to be off. To start MariaDB, use the following command:

sudo systemctl start mariadb

Now recheck the status, and you should get the following:

To stop MariaDB:

sudo systemctl stop mariadb

To enable MariaDB on system startup:

sudo systemctl enable mariadb

To disable MariaDB on system startup:

sudo systemctl disable mariadb

To restart the MariaDB service:

sudo systemctl restart mariadb

Secure MariaDB with Security Script

Next, you will be given a prompt asking you to enter your (MariaDB root password). For now, press the (ENTER) key as the root password isn’t’ set yet as below:

Next, type (Y) and press enter to set up the (root) password as below:

The next series of questions you can safely hit (ENTER), which will answer (Y) to all the subsequent questions which ask you to (remove anonymous users, disable remote root login, and remove the test database). Note the (Y) is capitalized, meaning it is the default answer when you press the (ENTER) key.

Example below:

Overview of what should have been done above:

• Setting the password for root accounts.
• Removing root accounts that are accessible from outside the local host.
• Removing anonymous-user accounts.
• Removing the test database, which by default can be accessed by anonymous users.

This step is essential for MariaDB database security and should not be altered or skipped unless you know what you are doing.

Install PHP (LEMP STACK)

WordPress’s main components are created and run using PHP. PHP 7.4 is the current stable version with 8.0 soon to replace it with PHP 8.1 Beta coming along. The issue is WordPress supports PHP 8.0, so you should install this version for performance + security improvements, but some themes and plugins are still not compatible or have bugs, do your research before doing any new buys of plugins/themes to make sure they support PHP 8.0.

And To install the obsolete latest stable PHP versions on Debian, you will install the Ondřej Surý PHP repository, the PHP maintainer, on Debian. In this repository, the latest versions of PHP 7.4 and 8.0 are available at all times, including the extensions. The tutorial will list alternate ways to install both, and you should research which one is best.

Import & Install GPG key:

The first step is to import and install the GPG key before adding the repository. To do this, use the following terminal command:

wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg

Note, you may need to install these dependencies if you have trouble:

sudo apt install apt-transport-https lsb-release ca-certificates

Import & Install Repository:

With the GPG key sorted, it is time to add the Ondřej Surý repository as follows:

sudo sh -c 'echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list'

Next, update the repository list as the new repository will require some existing packages to be upgraded and is advised to do before installing any versions of PHP.

sudo apt update && sudo apt upgrade

Option 1. Install PHP 7.4

Now you can proceed to install PHP 7.4 for your particular need as follows:

sudo apt install php7.4-fpm php7.4-cli php7.4-common php7.4-mbstring php7.4-xmlrpc php7.4-soap php7.4-gd php7.4-xml php7.4-intl php7.4-mysql php7.4-cli php7.4-ldap php7.4-zip php7.4-mcrypt php7.4-curl php7.4-json php7.4-opcache php7.4-readline php7.4-xml php7.4-gd -y

Verify the installation and check the version and build:

php -v

Example output:

Next, start and enable PHP 7.4-FPM to be automatically started on boot.

sudo systemctl start php7.4-fpm && sudo systemctl enable php7.4-fpm

Now, by default, PHP-FPM should be running. To confirm this, use the following systemctl command:

sudo systemctl status php7.4fpm

Example output:

Option 2. Install PHP 8.0

Now you can proceed to install PHP 8.0 for your particular need as follows:

sudo apt install php8.0-fpm php8.0-cli php8.0-common php8.0-mbstring php8.0-xmlrpc php8.0-soap php8.0-gd php8.0-xml php8.0-intl php8.0-mysql php8.0-cli php8.0-ldap php8.0-zip php8.0-mcrypt php8.0-curl php8.0-opcache php8.0-readline php8.0-xml php8.0-gd unzip -y

Verify the installation and check the version and build:

php -v

Example output:

Now, by default, PHP-FPM should be running. To confirm this, use the following systemctl command:

sudo systemctl status php8.0-fpm

Example output:

Part 1. Install WordPress Backend

Download WordPress

Visit the WordPress.org download page and scroll down until you find the “latest.zip” download link. If you are hosting off a desktop, you can manually download this or use the wget command to download your desktop terminal CTRL+ALT+T.

wget https://wordpress.org/latest.zip

Create Folder Structure for WordPress

Now you have the archive downloaded, proceed to unzip it and move it to your www directory.

Create the directory for WordPress:

sudo mkdir -p /var/www/html/wordpress

Unzip WordPress to the www directory:

sudo unzip latest.zip -d /var/www/html/

You must set the directory owner permissions to WWW, or else you will have trouble with WordPress write permissions.

Set chown permission (important):

sudo chown -R www-data:www-data /var/www/html/wordpress/

Set chmod permission (important):

sudo find /var/www/html/wordpress -type d -exec chmod 755 {} \;
sudo find /var/www/html/wordpress -type f -exec chmod 644 {} \;

Create Database for WordPress

WordPress requires a database to run hence why you had to install MariaDB. Before continuing further, you need to create a database for WordPress using MariaDB. First, bring up the terminal console and type the following.

Bring up MariaDB shell as root:

sudo mariadb -u root

Second alternative command:

sudo mysql -u root

Next, create the database. This can be any name you want. For the guide, you will name it “WORDPRESSDB.”

Create WordPress database:

CREATE DATABASE WORDPRESSDB;

After the database has been created, you should create a new user for the WordPress new site.

This is done as a security measure, so every database has a different user. If one username is compromised, the attacker doesn’t access all the other website’s databases.

Create the WordPress database user:

CREATE USER 'WPUSER'@localhost IDENTIFIED BY 'PASSWORD';

Replace WPUSER and PASSWORD with whatever username or password you desire. Do not copy and paste the default user/pass above for security purposes.

Now assign the newly created user access to the WordPress website database only as per below.

Assign database to the created WordPress user account:

GRANT ALL PRIVILEGES ON WORDPRESSDB.* TO [email protected] IDENTIFIED BY 'PASSWORD';

With all database configuration settings complete, you need to flush the privileges to take effect and exit.

Flush Privileges to make live:

FLUSH PRIVILEGES;

Exit MariaDB:

EXIT;

Set WordPress Configuration Files

You need to set some settings in the “wp-config-sample.php” file. Below, you will see how to rename the sample file and enter the required information.

First, rename the configuration file.

Go to the WordPress directory:

cd /var/www/html/wordpress/

Rename configuration file:

sudo mv wp-config-sample.php wp-config.php

Now, using a text editor, bring up the newly renamed wp-config.php file. In our example, we will use nano.

sudo nano wp-config.php

Next, you will enter the database name, user account with a password, host IP address if different than localhost.

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */ 
define( 'DB_NAME', 'wordpressdb' );
/* MySQL database username */ 
define( 'DB_USER', 'wpuser1' );
/* MySQL database password */
define( 'DB_PASSWORD', 'YOUR PASSWORD' );
/* MySQL hostname, change the IP here if external DB set up */ 
define( 'DB_HOST', 'localhost' );
/* Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/* The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

While you are in this file, adding extra settings will make your WordPress easier to manage, such as direct file saving instead of using FTP and increased memory size limits.

##Save files direct method##
 define( 'FS_METHOD', 'direct' );

##Increase memory limit, 256MB is recommended##
 define('WP_MEMORY_LIMIT', '256M');

##change Wordpress database table prefix if wanted##
 $table_prefix = 'wp_';

##set cache enabled, this if you intend to use Wordpress add-ons##
 define('WP_CACHE', true);

Set WordPress Security Salt Keys

It would be best if you visited WordPress secret-key API to generate your own. The address salt key generator can be found at https://api.wordpress.org/secret-key/1.1/salt/. Replace the example lines with the codes from the generator.

DO NOT COPY THE EXAMPLE BELOW, AND IT’S JUST FOR REFERENCE.

define('AUTH_KEY',         '<3yfS7/>%m.Tl^8Wx-Y8-|T77WRK[p>(PtH6V]Dl69^<8|K86[_Z},+THZ25+nJG');
define('SECURE_AUTH_KEY',  'bN#Qy#ChBX#Y`PE/_0N42zxgLD|5XpU[mu.n&:t4q~hg<UP/b8+xFTly_b}f]M;!');
define('LOGGED_IN_KEY',    'owpvIO-+WLG|,1)CQl*%gP1uDp}s(jUbYQ[Wm){O([email protected]#T}tOTP&UOfk|wYsj5$');
define('NONCE_KEY',        '8=Vh|V{D<>`[email protected]])){L+6eGi`GAjV([email protected]&cgb.QVCbi');
define('AUTH_SALT',        '%TX*X$GE-;|?<-^(+K1Un!_Y<hk-Ne2;&{c[-v!{q4&OiJjQon /SHcc/:MB}y#(');
define('SECURE_AUTH_SALT', '=zkDT_%}J4ivjjN+F}:A+s6e64[^uQ<qNO]TfHS>G0elz2B~7Nk.vRcL00cJoo7*');
define('LOGGED_IN_SALT',   '{$-o_ull4|qQ?f=8vP>Vvq8~v>g(2w12`h65ztPM(xo!Fr()5xrqy^k[E~TwI!xn');
define('NONCE_SALT',       'a1G(Q|X`eX$p%6>K:Cba!]/5MAqX+L<A4yU_&CI)*w+#ZB+*yK*u-|]X_9V;:++6');

Nginx Server Block Configuration

Now, you are almost ready to install WordPress through the web UI. However, you need to configure your Nginx server block. The settings below are pretty crucial. It should be noted to emphasize the importance of “try_files $uri $uri/ /index.php?$args;” as it is often an issue with other tutorials that leave the ending ?$args left out, giving you major site health issues comes to the REST API of WordPress.

Below is an example, you can choose the parts however the “location ~ \.php$” needs to be in the Nginx configuration file.

server {

  listen 80;
  listen [::]:80;
  server_name www.example.com example.com;

  root /var/www/html/wordpress;

  index index.php index.html index.htm index.nginx-debian.html;


  location / {
  try_files $uri $uri/ /index.php?$args;
 }

  location ~* /wp-sitemap.*\.xml {
    try_files $uri $uri/ /index.php$is_args$args;
  }

  client_max_body_size 100M;

  location ~ \.php$ {
    fastcgi_pass unix:/run/php/php7.4-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
    include snippets/fastcgi-php.conf;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 4 128k;
    fastcgi_intercept_errors on;	
  }

 gzip on; 
 gzip_comp_level 6;
 gzip_min_length 1000;
 gzip_proxied any;
 gzip_disable "msie6";
 gzip_types
     application/atom+xml
     application/geo+json
     application/javascript
     application/x-javascript
     application/json
     application/ld+json
     application/manifest+json
     application/rdf+xml
     application/rss+xml
     application/xhtml+xml
     application/xml
     font/eot
     font/otf
     font/ttf
     image/svg+xml
     text/css
     text/javascript
     text/plain
     text/xml;

  # assets, media
  location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
      expires    90d;
      access_log off;
  }
  
  # svg, fonts
  location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
      add_header Access-Control-Allow-Origin "*";
      expires    90d;
      access_log off;
  }

  location ~ /\.ht {
      access_log off;
      log_not_found off;
      deny all;
  }
}

Note, if you are using PHP 8.0 find and replace the above line “fastcgi_pass unix:/run/php/php7.4-fpm.sock;” to “fastcgi_pass unix:/run/php/php8.0-fpm.sock;”.

Next, you will need to enable the Nginx configuration file from “sites-available”. To do this you will create a symlink to “sites-enabled” as follows.

sudo systemctl ln -s /etc/nginx/sites-available/example.conf /etc/nginx/sites-enabled/

Make sure to replace “example.conf” with your configuration file name.

You now can do a dry run then restart your Nginx server if everything is ok.

sudo nginx -t

After checking and everything is ok with your Nginx dry run test, restart the Nginx service.

sudo systemctl restart nginx

PHP.ini Configuration

Before moving onto the web UI installation part, you should adjust your PHP for optimal use for WordPress. These settings are more of a guide. You can increase, decrease as you see fit.

First, bring up your php.ini. Note your location may be different depending on the PHP version number you have.

PHP 7.4:

sudo nano /etc/php/7.4/fpm/php.ini

PHP 8.0:

sudo nano /etc/php/8.0/fpm/php.ini

Now, WordPress media files can be pretty significant. The default can be too low. You can increase this to roughly what you think your most extensive file size will be. Find the following lines below and adjust to your needs.

##increase upload max size recommend 50 to 100mb## 
 upload_max_filesize = 100MB

##increase post max size recommend 50 to 100mb##
 post_max_size = 100MB

## increase max execution time recommend 150 to 300##
 max_execution_time = 300

## increase GET/POST/COOKIE input variables recommend 5000 to 10000##
max_input_vars = 10000

## increase memory limit recommend 256mb or 512mb##
memory_limit = 512M

Now restart your PHP-FPM server.

PHP 7.4:

sudo systemctl restart php7.4-fpm

PHP 8.0:

sudo systemctl restart php8.0-fpm

The PHP settings you adjusted are for the PHP backend. You will also need to change the Nginx server block to allow for large body sizes. This is done by re-opening your server block and adding the following line.

Open up your server block:

sudo nano /etc/nginx/sites-available/example.com

Adjust this line to increase body size:

client_max_body_size 100M;

Remember, keep client max size the same as your max size PHP file setting.

Next, test the changes, then restart your Nginx server if everything is ok.

sudo nginx -t

After checking and everything is ok with your Nginx dry run test, restart the Nginx service.

sudo systemctl restart nginx

Part 2. Install WordPress Frontend

Now that all the backend setup and configuration are complete, you can go to your domain and begin installing.

##go to installation address##
 https://www.yoursite.com
##alternative url##
 https://www.yoursite.com/wp-admin/install.php

The first page you will see is the create a username and password along with some site details. This will be your future admin login account. You can change this later on as well.

If you are building a website, enabling “strongly discourage search engines from indexing” prevents Google or Bing or any other “good/reputable search engine bot” from indexing a WIP website. Once finished, you will come to the next screen with a login.

Congratulations, you have successfully installed the latest version of WordPress on Nginx with the LEMP stack.

Secure Nginx with Let’s Encrypt SSL Free Certificate

Ideally, you would want to run your Nginx on HTTPS using an SSL certificate. The best way to do this is to use Let’s Encrypt, a free, automated, and open certificate authority run by the nonprofit Internet Security Research Group (ISRG).

First, install the certbot package as follows:

sudo apt install python3-certbot-nginx -y

Once installed, run the following command to start the creation of your certificate:

sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email [email protected] -d www.example.com

This is the ideal setup that includes force HTTPS 301 redirects, Strict-Transport-Security header, and OCSP Stapling. Just make sure to adjust the e-mail and domain name to your requirements.

Now your URL will be HTTPS://www.example.com instead of HTTP://www.example.com.

Note, if you use the old HTTP URL, it will automatically redirect to HTTPS.

Comments and Conclusion

WordPress offers a fantastic ability to create quick websites with templates and plugins. The plugin store hosts a tremendous amount of options. However, to unlock the full potential of most themes and add-ons, they are all paywall, but most are affordable.

Self-hosting WordPress is quite a bit of fun. However, making sure you keep up with security and updating is essential. WordPress is the most targetted CMS on earth by attackers, and your site will, in its first day without even being listed will be scanned for exploits, and brute force attempts will begin.