In this guide, we’ll focus on the second option and help you understand what kind of effort goes into setting up a VPS for WordPress hosting.<\/p>\n
More specifically, we’ll walk you through all the steps you need to set up your own VPS and then look at the pros and cons of choosing this option.<\/p>\n
For ease of reference, you can jump to any section using the links below or go through the entire step-by-step tutorial:<\/p>\n
- \n
- What Is DIY VPS Hosting for WordPress?<\/a><\/strong><\/li>\n
- Setting Up A WordPress-Optimized VPS:<\/a><\/strong>\n
- \n
- Create a non-root user to SSH to the server<\/a><\/strong><\/li>\n
- Secure the MySQL installation<\/a><\/strong><\/li>\n
- Configure Virtual Hosts for your domain(s)<\/a><\/strong><\/li>\n
- Install PhpMyAdmin to visually access your database (optional)<\/a><\/strong><\/li>\n
- Change the default WordPress database table prefix<\/a><\/strong><\/li>\n
- Configure your new droplet’s domain DNS settings<\/a><\/strong><\/li>\n
- Install a Let’s Encrypt certificate to serve your website over HTTPS<\/a><\/strong><\/li>\n
- Patch common vulnerabilities on your server<\/a><\/strong><\/li>\n
- Increase common PHP limits to help with WordPress performance<\/a><\/strong><\/li>\n<\/ol>\n<\/li>\n
- Pros and Cons of DIY WordPress VPS vs Managed WordPress Hosting<\/a><\/strong><\/li>\n<\/ul>\n
What Is DIY VPS Hosting for WordPress?<\/h2>\n
VPS hosting is web hosting that uses a Virtual Private Server. As we explain here<\/a>, a VPS is a nice compromise between shared and dedicated hosting.<\/p>\n
You can customize the VPS resources to suit your needs in terms of\u00a0disk space, memory, processing power, and bandwidth, and scale it if your site’s traffic increases.<\/p>\n
DIY VPS hosting normally refers to running an unmanaged VPS (whereas with a “managed” VPS, the\u00a0web hosting company handles everything like system setup, control panel installation, and technical support, leaving you free to just manage your web hosting account).<\/p>\n
Although choosing unmanaged or DIY VPS hosting tends to be more affordable than managed VPS hosting, you need to handle everything yourself.<\/p>\n
WordPress has its own server requirements, so if you plan to choose DIY VPS hosting specifically for WordPress, you’ll need to have technical experience with managing servers and running WordPress.<\/p>\n
Setting Up A WordPress-Optimized VPS<\/h2>\n
VPS web hosts are plentiful and many offer great cloud-hosted servers at reasonable costs.<\/p>\n
For this tutorial, we’ll use DigitalOcean<\/a> as our host.<\/p>\n
![\"DigitalOcean\"](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/03\/digital-ocean.png\")
Let’s navigate to DigitalOcean and set up a DIY VPS.<\/figcaption><\/figure>\n Note:<\/em> The tutorial below will take you through DigitalOcean’s WordPress-optimized VPS setup process. Alternatively, you can use a tool like SpinupWP<\/a> to set up, configure, access, and manage your server remotely using NGINX.<\/p>\n
DigitalOcean makes it easy to set up your own WordPress-optimized VPS, as they have a one-click solution that will build a Ubuntu 20.04 VPS with WordPress and all its required software pre-installed.<\/p>\n
That being said, there is still some configuration to be done to finish the installation of WordPress and to harden both WordPress and the server itself.<\/p>\n
Let’s go through each step.<\/p>\n
1. Create a non-root user to SSH to the server<\/h3>\n
First, create a Digital Ocean One-Click WordPress 5.5.1 on Ubuntu 20.04 droplet.<\/p>\n
![\"Set](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/03\/wordpress.png\")
Select WordPress.<\/figcaption><\/figure>\n Note:<\/em> Make sure to use a strong password<\/a> for the root account (e.g. use a 32-character password)<\/p>\n
Keep a copy of this password handy in a notepad on your computer. It will make connecting to the droplet easier. You will create a separate user to connect with in the future, so this is simply setting a strong password for the root user that will no longer be actively used.<\/p>\n
![\"A](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/03\/secure-password-generator.png\")
Choose a strong password – at least 32-characters is recommended. Source: passwordsgenerator.net<\/figcaption><\/figure>\n Once you have done this, SSH<\/a> to the server using the IP and root password from your initial setup.<\/p>\n
You will be prompted to enter your domain name. Press
CTRL+C<\/code> to exit this script for now. We’ll come back to this configuration later.<\/p>\nCreate a non-root user (replace
myusername<\/code> with your username):<\/p>\nadduser myusername\r\nusermod -aG sudo myusername\r\nusermod -aG www-data myusername<\/code><\/pre>\nTest to make sure that myusername<\/em> has sudo access:<\/p>\n
su myusername\r\nls -la \/root\r\nsudo ls -la \/root<\/code><\/pre>\nNote:<\/strong> The second command above should give an error for permission denied, but prefixing the command with sudo will allow you to escalate your privilege to that of root.<\/p>\n
2. Secure the MySQL installation<\/h3>\n
Use the following command to view your root mysql account password.<\/p>\n
cat \/root\/.digitalocean_password<\/code><\/p>\nmysql_secure_installation<\/code><\/p>\nAt the prompts for the command above, enter:<\/p>\n
NO > root password > YES > YES > YES > YES<\/em><\/p>\n
Then, delete the file containing your default passwords so that they are not plainly available on your server directory:<\/p>\n
rm -rf \/root\/.digitalocean_password<\/code><\/p>\n3. Configure Virtual Hosts for your Domain(s)<\/h3>\n
This is so that your Apache server can handle serving numerous domains from your droplet.<\/p>\n
Even though you may only be serving one domain from this droplet, it’s best practice to set up Virtual Hosts so that you are ready should the need arise in the future.<\/p>\n
mkdir -p \/var\/www\/mydomainname.com\/html\/\r\nchown -R www-data:www-data \/var\/www\/mydomainname.com\/html\/\r\nrsync -avP \/var\/www\/html\/ \/var\/www\/mydomainname.com\/html\/\r\ncp \/etc\/apache2\/sites-available\/000-default.conf \/etc\/apache2\/sites-available\/mydomainname.com.conf\r\nvi \/etc\/apache2\/sites-available\/mydomainname.com.conf<\/code><\/pre>\nEdit your mydomainname.com.conf file with the following lines, modifying existing content if needed:<\/p>\n
ServerAdmin admin@mydomainname.com\r\nServerName www.mydomainname.com\r\nServerAlias mydomainname.com\r\nDocumentRoot \/var\/www\/mydomainname.com\/html\r\n\r\n<Directory \/var\/www\/mydomainname.com\/html\/><\/code><\/pre>\nSave the changes to your .conf and run the following commands to let the web server know about your new Virtual Host:<\/p>\n
a2ensite mydomainname.com.conf\r\na2dissite 000-default.conf\r\na2enmod expires\r\nservice apache2 reload<\/code><\/pre>\nYour web server is now aware of your custom Virtual Host!<\/p>\n
Archive the pre-built one-click WordPress folder structure<\/p>\n
mv \/var\/www\/html \/var\/www\/html.bak<\/code><\/p>\n4. Install PHPMyAdmin so you can manage your database via a Web GUI\u00a0(optional)<\/h3>\n
apt-get update\r\napt-get install phpmyadmin<\/code><\/pre>\n“After this operation, 51.4 MB of additional disk space will be used.” >> Yes<\/p>\n
“Auto-configure web server” or “Web server to reconfigure automatically” >> No (TAB then OK)<\/p>\n
“Configure database for phpmyadmin with dbconfig-common?” >> No<\/p>\n
echo \"#Include \/etc\/phpmyadmin\/apache.conf\">>\/etc\/apache2\/sites-enabled\/mydomainname.com.conf<\/code><\/p>\nNote:<\/strong> Simply SSH to your droplet and remove the comment delimiter (#) from the line above to quickly disable PHPMyAdmin should you want to keep it disabled until you need it.<\/p>\n
vi \/etc\/phpmyadmin\/apache.conf<\/code><\/p>\nUpdate Alias to:<\/p>\n
\/my_db \/usr\/share\/phpmyadmin<\/code><\/p>\nNote:<\/strong> This last line makes it so that you can access your PHPMyAdmin installation at mydomainname.com\/my_db<\/p>\n
service apache2 reload<\/code><\/p>\n5. Change the default WordPress database table prefix<\/h3>\n
Let’s harden the one-click WordPress database prior to installation.<\/p>\n
We’ll do this by renaming the default wp_ database prefix to something custom so that attempts by hackers to extract your database table data based on the default names will fail:<\/p>\n
sed -i 's\/wp_\/wp_510942_\/g' \/var\/www\/mydomainname.com\/html\/wp-config.php<\/code><\/p>\nNote:<\/strong> This will make your database tables prefixed with
wp_510942_<\/code> instead of justwp_<\/code>. You can use any random number or word to make it unique.<\/p>\n6. Configure your new droplet’s domain DNS settings<\/h3>\n
Log in to DigitalOcean and go to Networking.<\/p>\n
For the droplet in question, use the following configurations:<\/p>\n
NS ns1.digitalocean.com\r\nNS ns2.digitalocean.com\r\nNS ns3.digitalocean.com\r\nA mydomainname.com\r\nCNAME\u00a0http:\/\/www.mydomainname.com<\/a>\r\nCNAME *.mydomainname.com<\/code><\/pre>\n7. Install Let’s Encrypt certificate<\/h3>\n
sudo certbot --apache -d www.mydomainname.com -d mydomainname.com<\/code><\/p>\n- \n
- Support email: admin@mydomainname.com<\/a><\/li>\n
- Select
YES<\/code> to Terms of Service andNO<\/code> to Share Email Address<\/li>\n- Choose Option 2: SECURE \u2013 MAKE ALL REQUESTS REDIRECT TO SECURE HTTPS<\/li>\n<\/ul>\n
8. Patch Common Vulnerabilities on Your Server<\/h3>\n
Additional hardening #1: Prevent LIBWWW-PERL vulnerabilities:<\/h4>\n
Edit your .htaccess and paste these two lines after RewriteEngine On<\/p>\n
sudo vi \/var\/www\/mydomainname.com\/html\/.htaccess<\/code><\/p>\nRewriteCond %{HTTP_USER_AGENT} libwww-perl.*\r\nRewriteRule .* ? [F,L]<\/code><\/pre>\nAdditional hardening #2: Disable server signature<\/h4>\n
Edit apache2.conf, search for the two strings or append at the end of the file if they are not present, then reload apache2:<\/p>\n
sudo vi \/etc\/apache2\/apache2.conf<\/code><\/p>\nServerSignature Off\r\nServerTokens Prod<\/code><\/pre>\nservice apache2 reload<\/code><\/p>\nAdditional hardening #3: Prevent Apache information disclosure via .htaccess:<\/h4>\n
sudo vi \/var\/www\/mydomainname.com\/html\/.htaccess<\/code><\/p>\n## Prevent information disclosure ##\r\n<FilesMatch \".(txt|md|exe|sh|bak|inc|pot|po|mo|log|sql)$\">\r\nRequire all denied\r\n<\/FilesMatch>\r\n<Files robots.txt>\r\nRequire all granted\r\n<\/Files>\r\n<Files ads.txt>\r\nRequire all granted\r\n<\/Files>\r\n## End ## <\/code><\/pre>\nAdditional hardening #4: Use keys for non-root SSH and disable passwords and root login<\/h4>\n
SSH keys provide an easy, secure way to log into your server and are recommended for all users.<\/p>\n
For this step, we recommend following DigitalOcean’s detailed tutorial on setting up SSH keys for an Ubuntu 20.04 installation<\/a>.<\/p>\n
Note:<\/em> The above is by no means an exhaustive, all-encompassing list of hardening measures (that’s a whole topic on its own), but it’s a really good start if you plan to set up and run your own VPS.<\/p>\n
9. Increase PHP limits for WordPress performance:<\/h3>\n
sudo vi \/etc\/php\/7.0\/apache2\/php.ini<\/code><\/p>\nSearch for these settings, and raise any existing values to the following:<\/p>\n
- \n
- max_execution_time: 60<\/li>\n
- memory_limit: 128M<\/li>\n
- post_max_size: 48M<\/li>\n
- upload_max_filesize: 48M<\/li>\n<\/ul>\n
sudo service apache2 restart<\/code><\/p>\nOnce you have done this, navigate to your domain and step through the WordPress installation wizard.<\/p>\n
DIY WordPress VPS vs Managed WordPress Hosting<\/h2>\n
If this all seems like a lot of work just to have a secure VPS server running WordPress, you’re right!<\/p>\n
Thankfully, many of the above steps could be put into a script to automate the process, but the truth remains that the price to pay to have a self-managed VPS is…well…managing it all yourself!<\/p>\n
This requires not only having the technical experience to set up and run the server but also troubleshoot and fix any problems.<\/p>\n
Alternatively, if you’d prefer to have the equivalent performance and security of a DigitalOcean VPS without having to do it all yourself, then consider hosting with WPMU DEV<\/a>! For just a few more dollars a month over the cost of a self-hosted DigitalOcean droplet, you get world-class VPS performance with world-class 24\/7 technical and hosting support…all done for you!<\/em><\/p>\n
Contributors<\/h3>\n
This article was written in collaboration with:<\/p>\n
![\"Capital](\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2021\/03\/capital-web-design-ottawa.png\")
<\/p>\n
- Select
- Secure the MySQL installation<\/a><\/strong><\/li>\n
- Setting Up A WordPress-Optimized VPS:<\/a><\/strong>\n