Installing WordPress on a VPS gives you complete control over your website's performance, security, and configuration. Unlike shared hosting with its limitations, a VPS lets you optimize every aspect of your WordPress site.
This guide will walk you through installing WordPress on a fresh Ubuntu VPS from scratch, including security hardening and performance optimization. By the end, you'll have a production-ready WordPress site running on a professionally configured server.
Prerequisites
Before starting, you'll need:
- A VPS with Ubuntu 22.04 or 24.04 LTS (minimum 1GB RAM recommended)
- Root or sudo access to your server
- A domain name pointed to your VPS IP address
- SSH access to your server
- Basic familiarity with the command line (we'll explain each command)
Step 1: Initial Server Setup and Security
First, connect to your server via SSH:
ssh root@your-server-ip
Update System Packages
apt update && apt upgrade -y
Create a Non-Root User (Security Best Practice)
# Create new user
adduser wpuser
# Add to sudo group
usermod -aG sudo wpuser
# Switch to new user
su - wpuser
Configure Firewall
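sudo ufw allow OpenSSH
# The 'Nginx Full' application profile only exists after Nginx is installed (Step 2),
# so open the HTTP and HTTPS ports by number here
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable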
# Verify firewall status
sudo ufw status
Step 2: Install LEMP Stack (Linux, Nginx, MySQL, PHP)
Install Nginx Web Server
sudo apt install nginx -y
sudo systemctl start nginx
sudo systemctl enable nginx
# Verify Nginx is running
sudo systemctl status nginx
Visit your server's IP in a browser - you should see the Nginx welcome page.
Install MySQL Database Server
sudo apt install mysql-server -y
# Secure MySQL installation
sudo mysql_secure_installation
During mysql_secure_installation, choose these options:
- Set a strong root password
- Remove anonymous users: Yes
- Disallow root login remotely: Yes
- Remove test database: Yes
- Reload privilege tables: Yes
Install PHP 8.3 and Required Extensions
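# Ubuntu 24.04 ships PHP 8.3 in its default repositories. Ubuntu 22.04 ships PHP 8.1,
# so the php8.3-* packages are only installable there once a repository providing PHP 8.3 is added.
sudo apt install php8.3-fpm php8.3-mysql php8.3-curl php8.3-gd \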
php8.3-mbstring php8.3-xml php8.3-xmlrpc php8.3-soap \
php8.3-intl php8.3-zip php8.3-bcmath php8.3-imagick -y
# Verify PHP installation
php -v
Step 3: Create MySQL Database and User
sudo mysql -u root -p
In the MySQL console, run these commands (replace placeholders with your values):
CREATE DATABASE wordpress_db DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'wordpress_user'@'localhost' IDENTIFIED BY 'strong_password_here';
GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wordpress_user'@'localhost';
FLUSH PRIVILEGES;
EXIT;
Step 4: Download and Configure WordPress
Download WordPress
cd /tmp
wget https://wordpress.org/latest.tar.gz
tar -xzf latest.tar.gz
sudo cp -r wordpress /var/www/yourdomain.com
Set Correct Permissions
sudo chown -R www-data:www-data /var/www/yourdomain.com
sudo find /var/www/yourdomain.com -type d -exec chmod 755 {} \;
sudo find /var/www/yourdomain.com -type f -exec chmod 644 {} \;
Configure WordPress
cd /var/www/yourdomain.com
sudo cp wp-config-sample.php wp-config.php
sudo nano wp-config.php
Update these lines with your database information:
define('DB_NAME', 'wordpress_db');
define('DB_USER', 'wordpress_user');
define('DB_PASSWORD', 'strong_password_here');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', 'utf8mb4_unicode_ci');
Generate Security Keys
Visit https://api.wordpress.org/secret-key/1.1/salt/ and copy the generated keys. Replace the placeholder keys in wp-config.php:
define('AUTH_KEY', 'paste-your-generated-key-here');
define('SECURE_AUTH_KEY', 'paste-your-generated-key-here');
// ... (replace all 8 keys)
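As an alternative to copying the keys out of a browser, they can be generated on the server itself. The following is an added example, not part of the original guide: the function names rotate_wp_salts and new_secret and the 64-character hex format are choices made for this example.

```bash
#!/bin/sh
# Added example: replace the eight secret keys in wp-config.php with locally
# generated values. rotate_wp_salts is a name chosen for this example.

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 32 bytes from the kernel CSPRNG, hex-encoded: 64 characters with no quotes
# or backslashes that would need escaping inside a PHP string.
new_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Usage: rotate_wp_salts /var/www/yourdomain.com/wp-config.php
# Prints the number of keys replaced; fails unless all eight were found.
rotate_wp_salts() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # mktemp creates both scratch files with mode 0600, so the new secrets
    # are never readable by other local users while the file is rewritten.
    work=$(mktemp) && next=$(mktemp) || return 1
    cat "$cfg" > "$work"
    replaced=0
    for name in $WP_SALT_NAMES; do
        # Matches define('NAME', ...) with or without spaces after the paren
        pattern="^[[:space:]]*define\([[:space:]]*'$name'.*"
        if grep -Eq "$pattern" "$work"; then
            secret=$(new_secret)
            sed -E "s|$pattern|define('$name', '$secret');|" "$work" > "$next"
            cat "$next" > "$work"
            replaced=$((replaced + 1))
        fi
    done
    if [ "$replaced" -eq 8 ]; then
        # Write through the existing file so its owner and mode are preserved.
        cat "$work" > "$cfg"
    fi
    rm -f "$work" "$next"
    echo "$replaced"
    [ "$replaced" -eq 8 ]
}
```

Replacing the keys invalidates every existing login cookie, so all users have to sign in again.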
Step 5: Configure Nginx for WordPress
sudo nano /etc/nginx/sites-available/yourdomain.com
Add this optimized Nginx configuration:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    root /var/www/yourdomain.com;
    index index.php index.html;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Logging
    access_log /var/log/nginx/yourdomain.com-access.log;
    error_log /var/log/nginx/yourdomain.com-error.log;

    # Max upload size
    client_max_body_size 64M;

    # WordPress permalink structure
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP processing
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Deny access to sensitive files
    location ~ /\. {
        deny all;
    }

    location = /xmlrpc.php {
        deny all;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        log_not_found off;
    }
}
# Enable the site
sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
# Test Nginx configuration
sudo nginx -t
# Reload Nginx
sudo systemctl reload nginx
Step 6: Install SSL Certificate (Let's Encrypt)
HTTPS is essential for security and SEO. Let's Encrypt provides free SSL certificates:
# Install Certbot
sudo apt install certbot python3-certbot-nginx -y
# Obtain and install certificate
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
# Follow the prompts:
# - Enter your email address
# - Agree to Terms of Service
# - Choose whether to redirect HTTP to HTTPS (recommended: Yes)
Certbot automatically configures auto-renewal. Test it with:
sudo certbot renew --dry-run
Step 7: Complete WordPress Installation via Browser
Navigate to https://yourdomain.com in your browser. You'll see the WordPress installation wizard:
- Select your language
- Enter site title, admin username (never use "admin"), strong password, and email
- Click "Install WordPress"
- Log in with your credentials
Step 8: Essential Security Hardening
1. Disable File Editing in WordPress Dashboard
Add this to your wp-config.php (before "That's all, stop editing!"):
define('DISALLOW_FILE_EDIT', true);
2. Limit Login Attempts
Install the "Limit Login Attempts Reloaded" plugin from the WordPress dashboard.
3. Set Up Automatic Backups
sudo nano /root/wordpress-backup.sh
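#!/bin/bash
# Stop on the first error so a failed dump is never followed by pruning old backups
set -euo pipefail
# Backups contain wp-config.php and the full database: keep them readable by root only
umask 077
BACKUP_DIR="/root/backups"
DATE=$(date +%Y-%m-%d-%H%M)
SITE_PATH="/var/www/yourdomain.com"
DB_NAME="wordpress_db"
DB_USER="wordpress_user"
DB_PASS="strong_password_here"
mkdir -p "$BACKUP_DIR"
# Backup files
tar -czf "$BACKUP_DIR/wordpress-files-$DATE.tar.gz" "$SITE_PATH"
# Backup database (--no-tablespaces: wordpress_user lacks the PROCESS privilege MySQL 8 otherwise requires)
mysqldump --no-tablespaces -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" > "$BACKUP_DIR/wordpress-db-$DATE.sql"
# Delete backups older than 14 days
find "$BACKUP_DIR" -type f -mtime +14 -delete
# The script contains the database password: make it executable for its owner only
sudo chmod 700 /root/wordpress-backup.sh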
# Schedule daily backups at 3 AM
sudo crontab -e
# Add this line:
0 3 * * * /root/wordpress-backup.sh
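A backup that was cut short by a full disk or a failed database login still leaves files behind, so the pair should be checked after each run. The following is an added example, not part of the original guide: the function names verify_backup and verify_latest are chosen for this example, and the check assumes mysqldump ran with its default comment options.

```bash
#!/bin/sh
# Added example: check that one backup pair written by wordpress-backup.sh
# looks restorable. verify_backup and verify_latest are names chosen here.

# Usage: verify_backup FILES.tar.gz DB.sql   (returns 0 only if every check passes)
verify_backup() {
    archive=$1
    dump=$2
    rc=0

    # A truncated or corrupt archive fails to list; a complete one must
    # contain wp-config.php, without which the site cannot be restored as-is.
    if ! listing=$(tar -tzf "$archive" 2>/dev/null); then
        echo "FAIL: $archive is not a readable tar.gz" >&2; rc=1
    elif ! printf '%s\n' "$listing" | grep -q 'wp-config\.php$'; then
        echo "FAIL: wp-config.php missing from $archive" >&2; rc=1
    fi

    # With default options mysqldump ends its output with a
    # "-- Dump completed" comment, which an interrupted dump lacks.
    # The options table exists in every WordPress database, whatever the prefix.
    if [ ! -s "$dump" ]; then
        echo "FAIL: $dump is missing or empty" >&2; rc=1
    elif ! tail -n 1 "$dump" | grep -q '^-- Dump completed'; then
        echo "FAIL: $dump has no completion marker" >&2; rc=1
    elif ! grep -q 'CREATE TABLE `[^`]*options`' "$dump"; then
        echo "FAIL: no options table in $dump" >&2; rc=1
    fi

    return "$rc"
}

# Check the newest pair in the backup directory used by the script above.
verify_latest() {
    dir=${1:-/root/backups}
    newest_files=$(ls -t "$dir"/wordpress-files-*.tar.gz 2>/dev/null | head -n 1)
    newest_db=$(ls -t "$dir"/wordpress-db-*.sql 2>/dev/null | head -n 1)
    [ -n "$newest_files" ] && [ -n "$newest_db" ] || {
        echo "FAIL: no backup pair found in $dir" >&2; return 1; }
    verify_backup "$newest_files" "$newest_db"
}
```

These checks confirm that the files are intact, not that the site works after a restore, so the monthly restore test in the maintenance checklist still applies.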
4. Install Security Plugin
Recommended plugins:
- Wordfence Security: Firewall, malware scanner, and login security
- iThemes Security: Comprehensive security features
- Sucuri Security: Security activity auditing and monitoring
Step 9: Performance Optimization
1. Install Redis Object Cache
sudo apt install redis-server -y
sudo systemctl enable redis-server
# Install PHP Redis extension
sudo apt install php8.3-redis -y
sudo systemctl restart php8.3-fpm
Install the "Redis Object Cache" plugin from the WordPress dashboard and enable it.
2. Install and Configure Caching Plugin
Install one of these caching plugins:
- WP Rocket: Premium, easiest to configure ($59/year)
- W3 Total Cache: Free, powerful but complex
- WP Super Cache: Free, simple and effective
3. Enable Nginx FastCGI Cache (Advanced)
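For ultimate performance, configure Nginx to cache PHP responses. The two directives below only define the cache zone and its key; nothing is cached until the PHP location block references the zone with the fastcgi_cache directive. When you enable it, make sure requests carrying a WordPress login cookie, requests to /wp-admin/ and POST requests bypass the cache, otherwise one user's logged-in page can be served to other visitors. Add to your Nginx config: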
# Inside http block of /etc/nginx/nginx.conf
fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
4. Optimize PHP Configuration
sudo nano /etc/php/8.3/fpm/php.ini
Update these values:
memory_limit = 256M
upload_max_filesize = 64M
post_max_size = 64M
max_execution_time = 300
max_input_vars = 3000
sudo systemctl restart php8.3-fpm
Step 10: Monitoring and Maintenance
Set Up Uptime Monitoring
Use free services to monitor your site:
- UptimeRobot: Free monitoring, checks every 5 minutes
- Pingdom: Free tier available
- StatusCake: Free unlimited tests
Enable WordPress Automatic Updates
Add to wp-config.php:
define('WP_AUTO_UPDATE_CORE', true);
Check Server Resource Usage
# Install htop for easy monitoring
sudo apt install htop -y
# Run htop to see resource usage
htop
Essential WordPress Plugins to Install
Security
- Wordfence Security or iThemes Security
- Limit Login Attempts Reloaded
- UpdraftPlus (backup plugin with cloud storage)
Performance
- WP Rocket or W3 Total Cache
- Redis Object Cache
- Imagify or ShortPixel (image optimization)
SEO
- Yoast SEO or Rank Math
- XML Sitemap plugin
Troubleshooting Common Issues
Issue 1: "Error establishing database connection"
Solution: Verify database credentials in wp-config.php and ensure MySQL is running:
sudo systemctl status mysql
Issue 2: 413 Request Entity Too Large
Solution: Increase client_max_body_size in the Nginx config (see Step 5) and upload_max_filesize in the PHP config (see Step 9).
Issue 3: White Screen of Death
Solution: Enable WordPress debug mode. Add to wp-config.php:
define('WP_DEBUG', true);
define('WP_DEBUG_LOG', true);
define('WP_DEBUG_DISPLAY', false);
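Check /var/www/yourdomain.com/wp-content/debug.log for errors. Turn debug mode off again once the problem is fixed and delete the log: debug.log sits inside the web root, so anyone who requests it can read the paths and error details it contains.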
Issue 4: Slow Admin Dashboard
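Solution: Disable external HTTP requests in wp-config.php. This also stops WordPress from reaching wordpress.org for update checks unless the needed hosts are allowlisted with WP_ACCESSIBLE_HOSTS, so it works against the automatic updates enabled in Step 10: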
define('WP_HTTP_BLOCK_EXTERNAL', true);
Performance Benchmarking
After setup, benchmark your site to ensure optimal performance:
- GTmetrix: https://gtmetrix.com
- Google PageSpeed Insights: https://pagespeed.web.dev
- WebPageTest
Target metrics:
- Load time: Under 2 seconds
- Time to First Byte (TTFB): Under 200ms
- PageSpeed score: Above 90
Maintenance Checklist
Weekly:
- Update WordPress core, themes, and plugins
- Review security logs in Wordfence/iThemes
- Test site functionality
Monthly:
- Update server packages:
sudo apt update && sudo apt upgrade
- Review server resource usage (CPU, RAM, disk space)
- Test backup restoration
Quarterly:
- Run full security audit
- Review and optimize database
- Performance testing and optimization
Conclusion
Congratulations! You've successfully installed WordPress on your VPS with professional-grade security and performance optimizations. Your site is now running on a properly configured LEMP stack with SSL, automated backups, and caching.
This setup provides a solid foundation that can handle thousands of visitors per day. As your traffic grows, you can easily scale your VPS resources or add advanced optimizations like a CDN and load balancing.
2. Set up Google Analytics and Search Console
3. Configure a CDN (Cloudflare free tier is great)
4. Create quality content and enjoy your blazing-fast WordPress site!