WordPress is the most dominant content management system written in PHP, combined with MySQL or MariaDB database. You can create and maintain a site without prior knowledge in web development or coding. The first version of WordPress was created in 2003 by Matt Mullenweg and Mike Little and is now used by 70% of the known web market, according to W3Tech. WordPress comes in two versions: the free open source WordPress.org and WordPress.com, a paid service that starts at $5 per month up to $59. Using this content management system is easy and often seen as a stepping stone for making a blog or similar featured site.
In the following tutorial, you will learn how to install self-hosted WordPress using the latest Nginx, MariaDB, and PHP versions available.
Table of Contents
Prerequisites
- Recommended OS: Debian 11 Bullseye
- User account: A user account with sudo or root access.
- Required Packages: listed throughout tutorial
Update Operating System
Update your Debian operating system to make sure all existing packages are up to date:
sudo apt update && sudo apt upgrade -y
The tutorial will be using the sudo command and assuming you have sudo status.
To verify sudo status on your account:
sudo whoami
Example output showing sudo status:
[joshua@debian~]$ sudo whoami
root
To set up an existing or new sudo account, visit our tutorial on Adding a User to Sudoers on Debian.
To use the root account, use the following command with the root password to log in.
su
Install CURL & UNZIP Package
The tutorial makes use of the curl and unzip command during certain parts. To make sure this is installed, run the following command in your terminal:
sudo apt install curl unzip -y
Install Latest Nginx – (LEMP Stack)
To kickstart the LEMP stack installation, you will need to install the Nginx web server. A method is to install the latest Nginx mainline or stable from the Ondřej Surý repository to have the most updated software. Many Ubuntu users would know his PPA, and you can do the same in Debian.
To use the latest version of either Nginx mainline or stable, you will need first to import the repository.
To import mainline repository:
curl -sSL https://packages.sury.org/nginx-mainline/README.txt | sudo bash -x
To import stable repository:
curl -sSL https://packages.sury.org/nginx/README.txt | sudo bash -x
Update your repository to reflect the new change:
sudo apt update
Now that you have installed the Nginx repository and updated the repository list, install Nginx with the following:
sudo apt install nginx-core nginx-common nginx nginx-full
Example output:

Type Y, then press the ENTER KEY to proceed and complete the installation.
Now check to ensure the latest Nginx from the Ondřej Surý repository was installed using the apt-cache policy command. Note, the tutorial example installed Nginx Mainline:
apt-cache policy nginx
Example output for Nginx Mainline:

Note that you may be prompted to keep or replace your existing /etc/nginx/nginx.conf configuration file during the installation. It is recommended to keep your current configuration file by pressing (n).
By installing Nginx with the custom, repository comes with additional modules compiled, one of the most sort after and recommended modules to enable is the Brotli module.
To install brotli, open your nginx.conf configuration file:
nano /etc/nginx/nginx.conf
Now add the additional lines before in the HTTP{} section:
brotli on;
brotli_comp_level 6;
brotli_static on;
brotli_types application/atom+xml application/javascript application/json application/rss+xml
application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
The brotli_comp_level can be set between 1 (lowest) and 11 (highest). Typically, most servers sit in the middle, but if your server is a monster, set to 11 and monitor CPU usage levels.
Next, test to make sure the changes are working correctly before making it live:
sudo nginx -t
If the changes are working correctly, you should see the following:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Now make the changes live by restarting your server:
sudo systemctl restart nginx
Next, enable Nginx on system boot:
sudo systemctl enable nginx
Lastly, verify Nginx is running correctly; this should be fine to skip if you ran the nginx -t command and got no errors.
systemctl status nginx
Example output:

Install Latest MariaDB (LEMP STACK)
The tutorial will recommend installing MariaDB constantly over MySQL due to performance more than anything else.
First, import the official MariaDB repository, 10.6 is the current stable, but 10.7 is the new version out but maybe not as stable.
Option 1 – Import MariaDB 10.6:
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=10.7 --skip-maxscale --skip-tools
Option 2 – Import MariaDB 10.7:
curl -LsS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash -s -- --mariadb-server-version=10.7 --skip-maxscale --skip-tools
Once you have picked a version, update your APT repository.
sudo apt update
Install MariaDB on Debian Desktop or Server
To install MariaDB, you will need to install the client and the server packages. This can be done as follows:
sudo apt install mariadb-server mariadb-client
Example output:

Type Y, then press the ENTER KEY to proceed and complete the installation.
Confirm the installation of MariaDB by checking the version and build:
mariadb --version
Example output:
mariadb Ver 15.1 Distrib 10.6.4-MariaDB, for debian-linux-gnu (x86_64) using readline EditLine wrapper
Next, start your MariaDB service by running the following command to start and enable on boot:
sudo systemctl start mariadb && sudo systemctl enable mariadb
Example output if successful:
Synchronizing state of mariadb.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable mariadb
Check MariaDB server status
Now you have installed MariaDB, and you can verify the status of the database software by using the following systemctl command:
systemctl status mariadb
By default, you will find MariaDB status to be off. To start MariaDB, use the following command:
sudo systemctl start mariadb
Now recheck the status, and you should get the following:

To stop MariaDB:
sudo systemctl stop mariadb
To enable MariaDB on system startup:
sudo systemctl enable mariadb
To disable MariaDB on system startup:
sudo systemctl disable mariadb
To restart the MariaDB service:
sudo systemctl restart mariadb
Secure MariaDB with Security Script
Next, you will be given a prompt asking you to enter your (MariaDB root password). For now, press the (ENTER) key as the root password isn’t’ set yet as below:
sudo mysql_secure_installation
Next, type (Y) and press enter to set up the (root) password as below:
The next series of questions you can safely hit (ENTER), which will answer (Y) to all the subsequent questions which ask you to (remove anonymous users, disable remote root login, and remove the test database). Note the (Y) is capitalized, meaning it is the default answer when you press the (ENTER) key.
Example below:
[joshua@debian-11 ~]$ sudo mariadb-secure-installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.
You already have your root account protected, so you can safely answer 'n'.
Switch to unix_socket authentication [Y/n] Y <---- Type Y then press the ENTER KEY.
Enabled successfully!
Reloading privilege tables..
... Success!
You already have your root account protected, so you can safely answer 'n'.
Change the root password? [Y/n] Y <---- Type Y then press the ENTER KEY.
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y <---- Type Y then press the ENTER KEY.
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y <---- Type Y then press the ENTER KEY.
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y <---- Type Y then press the ENTER KEY.
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y <---- Type Y then press the ENTER KEY.
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
Overview of what should have been done above:
- Setting the password for root accounts.
- Removing root accounts that are accessible from outside the local host.
- Removing anonymous-user accounts.
- Removing the test database, which by default can be accessed by anonymous users.
This step is essential for MariaDB database security and should not be altered or skipped unless you know what you are doing.
Install Latest PHP (LEMP STACK)
The last part of the tutorial will be to install PHP, which is the backend that communicates between Apache and MariaDB, the middle man. PHP 8.0 is becoming relatively stable, and the newer versions of PHP 8.1 are now available.
The tutorial will focus on importing Ondřej Surý’s latest PHP version, the maintainer for Debian PHP. This is always up to date even when new PHP versions are dropped.
Import Ondřej Surý PHP Repository
The first step is to import and install the GPG and repository.
In your terminal, use the following command.
curl -sSL https://packages.sury.org/php/README.txt | sudo bash -x
This command will install the PHP repository and update your APT repository.
Next, update the repository list as the new repository will require some existing packages to be upgraded and is advised to do before installing any versions of PHP.
sudo apt upgrade
Option 1. Install PHP 7.4
Now you can proceed to install PHP 7.4 for your particular need as follows:
sudo apt install php7.4-fpm php7.4-cli php7.4-common php7.4-mbstring php7.4-xmlrpc php7.4-soap php7.4-gd php7.4-xml php7.4-intl php7.4-mysql php7.4-cli php7.4-ldap php7.4-zip php7.4-mcrypt php7.4-curl php7.4-json php7.4-opcache php7.4-readline php7.4-xml php7.4-gd -y
Verify the installation and check the version and build:
php -v
Example output:

Next, start and enable PHP 7.4-FPM to be automatically started on boot.
sudo systemctl start php7.4-fpm && sudo systemctl enable php7.4-fpm
Now, by default, PHP-FPM should be running. To confirm this, use the following systemctl command:
sudo systemctl status php7.4fpm
Example output:

Option 2. Install PHP 8.0
Now you can proceed to install PHP 8.0 for your particular need as follows:
sudo apt install php8.0-fpm php8.0-cli php8.0-common php8.0-mbstring php8.0-xmlrpc php8.0-soap php8.0-gd php8.0-xml php8.0-intl php8.0-mysql php8.0-cli php8.0-ldap php8.0-zip php8.0-mcrypt php8.0-curl php8.0-opcache php8.0-readline php8.0-xml php8.0-gd unzip -y
Verify the installation and check the version and build:
php -v
Example output:

Now, by default, PHP-FPM should be running. To confirm this, use the following systemctl command:
sudo systemctl status php8.0-fpm
Example output:

Install WordPress Backend
Download WordPress
Visit the WordPress.org download page and scroll down to find the “latest.zip“ download link. Then using the wget command, download the file.
wget https://wordpress.org/latest.zip
Create Folder Structure for WordPress
Now you have the archive downloaded, proceed to unzip it and move it to your www directory.
Create the directory for WordPress:
sudo mkdir -p /var/www/html/wordpress
Unzip WordPress to the www directory:
sudo unzip latest.zip -d /var/www/html/
You must set the directory owner permissions to WWW, or else you will have trouble with WordPress write permissions.
Set chown permission (important):
sudo chown -R www-data:www-data /var/www/html/wordpress/
Set chmod permission (important):
sudo find /var/www/html/wordpress -type d -exec chmod 755 {} \;
sudo find /var/www/html/wordpress -type f -exec chmod 644 {} \;
Create Database for WordPress
WordPress requires a database to run hence why you had to install MariaDB. Before continuing further, you need to create a database for WordPress using MariaDB. First, bring up the terminal console and type the following.
Bring up MariaDB shell as root:
sudo mariadb -u root
Second alternative command:
sudo mysql -u root
Next, create the database. This can be any name you want. For the guide, you will name it “WORDPRESSDB.”
Create WordPress database:
CREATE DATABASE WORDPRESSDB;
After the database has been created, you should create a new user for the WordPress new site.
This is done as a security measure, so every database has a different user. If one username is compromised, the attacker doesn’t access all the other website’s databases.
Create the WordPress database user:
CREATE USER 'WPUSER'@localhost IDENTIFIED BY 'PASSWORD';
Replace WPUSER and PASSWORD with whatever username or password you desire. Do not copy and paste the default user/pass above for security purposes.
Now assign the newly created user access to the WordPress website database only below.
Assign database to the created WordPress user account:
GRANT ALL PRIVILEGES ON WORDPRESSDB.* TO WPUSER@localhost IDENTIFIED BY 'PASSWORD';
With all database configuration settings complete, you need to flush the privileges to take effect and exit.
Flush Privileges:
FLUSH PRIVILEGES;
Exit MariaDB:
EXIT;
Set WordPress Configuration Files
You need to set some settings in the “wp-config-sample.php“ file. Below, you will see how to rename the sample file and enter the required information.
First, rename the configuration file.
Go to the WordPress directory:
cd /var/www/html/wordpress/
Rename configuration file:
sudo mv wp-config-sample.php wp-config.php
Using a text editor, bring up the newly renamed wp-config.php file. In our example, we will use nano.
sudo nano wp-config.php
Next, you will enter the database name, user account with a password, host IP address if different than localhost.
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpressdb' );
/* MySQL database username */
define( 'DB_USER', 'wpuser1' );
/* MySQL database password */
define( 'DB_PASSWORD', 'YOUR PASSWORD' );
/* MySQL hostname, change the IP here if external DB set up */
define( 'DB_HOST', 'localhost' );
/* Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );
/* The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
While you are in this file, adding extra settings will make your WordPress easier to manage, such as direct file saving instead of using FTP and increased memory size limits.
##Save files direct method##
define( 'FS_METHOD', 'direct' );
##Increase memory limit, 256MB is recommended##
define('WP_MEMORY_LIMIT', '256M');
##change Wordpress database table prefix if wanted##
$table_prefix = 'wp_';
Set WordPress Security Salt Keys
It would be best to visit WordPress secret-key API to generate your own. The address salt key generator can be found at https://api.wordpress.org/secret-key/1.1/salt/. Replace the example lines with the codes from the generator.
DO NOT COPY THE EXAMPLE BELOW, AND IT’S JUST FOR REFERENCE.
define('AUTH_KEY', '<3yfS7/>%m.Tl^8Wx-Y8-|T77WRK[p>(PtH6V]Dl69^<8|K86[_Z},+THZ25+nJG');
define('SECURE_AUTH_KEY', 'bN#Qy#ChBX#Y`PE/_0N42zxgLD|5XpU[mu.n&:t4q~hg<UP/b8+xFTly_b}f]M;!');
define('LOGGED_IN_KEY', 'owpvIO-+WLG|,1)CQl*%gP1uDp}s(jUbYQ[Wm){O(x@sJ#T}tOTP&UOfk|wYsj5$');
define('NONCE_KEY', '8=Vh|V{D<>`CLoP0$H!Z3gEqf@])){L+6eGi`GAjV(Mu0YULL@sagx&cgb.QVCbi');
define('AUTH_SALT', '%TX*X$GE-;|?<-^(+K1Un!_Y<hk-Ne2;&{c[-v!{q4&OiJjQon /SHcc/:MB}y#(');
define('SECURE_AUTH_SALT', '=zkDT_%}J4ivjjN+F}:A+s6e64[^uQ<qNO]TfHS>G0elz2B~7Nk.vRcL00cJoo7*');
define('LOGGED_IN_SALT', '{$-o_ull4|qQ?f=8vP>Vvq8~v>g(2w12`h65ztPM(xo!Fr()5xrqy^k[E~TwI!xn');
define('NONCE_SALT', 'a1G(Q|X`eX$p%6>K:Cba!]/5MAqX+L<A4yU_&CI)*w+#ZB+*yK*u-|]X_9V;:++6');
Nginx Server Block Configuration
Now, you are almost ready to install WordPress through the web UI. However, you need to configure your Nginx server block. The settings below are pretty crucial. It should be noted to emphasize the importance of “try_files $uri $uri/ /index.php?$args;” as it is often an issue with other tutorials that leave the ending ?$args left out, giving you major site health issues comes to the REST API of WordPress.
First, create a new server configuration file with the following command replacing the example with your domain name,
sudo nano /etc/nginx/sites-available/example.com.conf
Below is an example; you can choose the parts; however, the “location ~ \.php$” needs to be in the Nginx configuration file.
NOTE: Make sure to change www.example.com and example.com and the root path.
server {
listen 80;
listen [::]:80;
server_name www.example.com example.com;
root /var/www/html/wordpress;
index index.php index.html index.htm index.nginx-debian.html;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~* /wp-sitemap.*\.xml {
try_files $uri $uri/ /index.php$is_args$args;
}
client_max_body_size 100M;
location ~ \.php$ {
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
include snippets/fastcgi-php.conf;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 128k;
fastcgi_intercept_errors on;
}
gzip on;
gzip_comp_level 6;
gzip_min_length 1000;
gzip_proxied any;
gzip_disable "msie6";
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/svg+xml
text/css
text/javascript
text/plain
text/xml;
# assets, media
location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
expires 90d;
access_log off;
}
# svg, fonts
location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
add_header Access-Control-Allow-Origin "*";
expires 90d;
access_log off;
}
location ~ /\.ht {
access_log off;
log_not_found off;
deny all;
}
}
Note, if you are using PHP 8.0 find and replace the above line “fastcgi_pass unix:/run/php/php7.4-fpm.sock;” to “fastcgi_pass unix:/run/php/php8.0-fpm.sock;”.
Next, you will need to enable the Nginx configuration file from “sites-available”. To do this, you will create a symlink to “sites-enabled” as follows.
sudo ln -s /etc/nginx/sites-available/example.conf /etc/nginx/sites-enabled/
Make sure to replace “example.conf” with your configuration file name.
You now can do a dry run then restart your Nginx server if everything is ok.
sudo nginx -t
After checking and everything is ok with your Nginx dry run test, restart the Nginx service.
sudo systemctl restart nginx
PHP.ini Configuration
Before moving onto the web UI installation part, you should adjust your PHP for optimal use for WordPress. These settings are more of a guide, and you can increase, decrease as you see fit.
First, bring up your php.ini. Note that your location may differ depending on your PHP version number.
PHP 7.4:
sudo nano /etc/php/7.4/fpm/php.ini
PHP 8.0:
sudo nano /etc/php/8.0/fpm/php.ini
WordPress media files can be pretty significant, and the default can be too low. You can increase this to roughly what you think your most extensive file size will be. Find the following lines below and adjust to your needs.
##increase upload max size recommend 50 to 100mb##
upload_max_filesize = 100MB
##increase post max size recommend 50 to 100mb##
post_max_size = 100MB
## increase max execution time recommend 150 to 300##
max_execution_time = 300
## increase GET/POST/COOKIE input variables recommend 5000 to 10000##
max_input_vars = 10000
## increase memory limit recommend 256mb or 512mb##
memory_limit = 256M
Now restart your PHP-FPM server.
PHP 7.4:
sudo systemctl restart php7.4-fpm
PHP 8.0:
sudo systemctl restart php8.0-fpm
The PHP settings you adjusted are for the PHP backend. You will also need to change the Nginx server block to allow large body sizes. This is done by re-opening your server block and adding the following line.
Open up your server block.
sudo nano /etc/nginx/sites-available/example.com
Adjust this line to increase body size.
client_max_body_size 100M;
Remember, keep client max size the same as your max size PHP file setting.
Next, test the changes, then restart your Nginx server if everything is ok.
sudo nginx -t
After checking and everything is ok with your Nginx dry run test, restart the Nginx service.
sudo systemctl restart nginx
Install WordPress Frontend
Now that all the backend setup and configuration are complete, you can go to your domain and begin installing.
##go to installation address##
https://www.yoursite.com
##alternative url##
https://www.yoursite.com/wp-admin/install.php
The first page you will see is creating a username and password along with some site details. This will be your future admin login account, and you can change this later on as well.

If you are building a website, enabling “strongly discourage search engines from indexing” prevents Google or Bing or any other “good/reputable search engine bot” from indexing a WIP website. Once finished, you will come to the next screen with a login.

Congratulations, you have successfully installed the latest version of WordPress on Nginx with the LEMP stack.
Secure Nginx with Let’s Encrypt SSL Free Certificate
Ideally, you would want to run your Nginx on HTTPS using an SSL certificate. The best way to do this is to use Let’s Encrypt, a free, automated, and open certificate authority run by the nonprofit Internet Security Research Group (ISRG).
First, install the certbot package as follows:
sudo apt install python3-certbot-nginx -y
Once installed, run the following command to start the creation of your certificate:
sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email you@example.com -d www.example.com
This ideal setup includes force HTTPS 301 redirects, a Strict-Transport-Security header, and OCSP Stapling. Just make sure to adjust the e-mail and domain name to your requirements.
Now your URL will be HTTPS://www.example.com instead of HTTP://www.example.com.
If you use the old HTTP URL, it will automatically redirect to HTTPS.
Comments and Conclusion
WordPress offers a fantastic ability to create quick websites with templates and plugins, and the plugin store hosts a tremendous amount of options. However, to unlock the full potential of most themes and add-ons, they are all paywall, but most are affordable.
Self-hosting WordPress is quite a bit of fun. However, making sure you keep up with security and updating is essential. WordPress is the most targetted CMS on earth by attackers, and your site will, in its first day without even being listed will be scanned for exploits, and brute force attempts will begin.